mediawiki/extensions/FacetedCategory (main)

From 569e9b0ff0787eb2772384d0f5d175c7a1acb2f8 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Thu, 16 Apr 2026 07:44:10 +0000
Subject: [PATCH] build: Updating npm dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* basic-ftp: 5.2.0 → 5.3.0
  * https://github.com/advisories/GHSA-6v7q-wjvx-w8wg
  * https://github.com/advisories/GHSA-chqc-8p9q-pq6q
* brace-expansion: 1.1.12, 2.0.2, 5.0.4 → 1.1.14, 2.1.0, 5.0.5
  * https://github.com/advisories/GHSA-f886-m6hf-6m8v
* fast-xml-parser: 5.4.2 → 5.6.0
  * https://github.com/advisories/GHSA-8gc5-j5rx-235r
  * https://github.com/advisories/GHSA-jp2q-39xq-3w4g
* flatted: 3.3.1 → 3.4.2
  * https://github.com/advisories/GHSA-25h7-pfq9-p65f
  * https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
* grunt: 1.6.1 → 1.6.2
  * https://github.com/advisories/GHSA-23c5-xmqv-rm74
  * https://github.com/advisories/GHSA-3ppc-4f35-3m26
  * https://github.com/advisories/GHSA-7r86-cg39-jmmj
* grunt-legacy-log: 3.0.0 → 3.0.1
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* grunt-legacy-log-utils: 2.1.0 → 2.1.3
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* grunt-legacy-util: 2.0.1 → 2.0.2
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* lodash: 4.17.23 → 4.18.1
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* minimatch: 10.2.4, 3.0.8, 3.1.5, 5.1.9, 9.0.9 → 10.2.4, 3.1.5, 5.1.9, 9.0.9
  * https://github.com/advisories/GHSA-23c5-xmqv-rm74
  * https://github.com/advisories/GHSA-3ppc-4f35-3m26
  * https://github.com/advisories/GHSA-7r86-cg39-jmmj
* picomatch: 2.3.1, 4.0.3 → 2.3.2, 4.0.4
  * https://github.com/advisories/GHSA-3v7f-55p6-f55p
  * https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
* undici: 6.23.0, 7.22.0 → 6.25.0, 7.25.0
  * https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
  * https://github.com/advisories/GHSA-4992-7rv2-5pvq
  * https://github.com/advisories/GHSA-f269-vfmq-vjvj
  * https://github.com/advisories/GHSA-phc3-fgpg-7m6h
  * https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
  * https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
* yaml: 2.8.2 → 2.8.3
  * https://github.com/advisories/GHSA-48c2-rrv3-qjmp

Change-Id: I54c80d2255527f97e6ea3cc7dd0bbb7a617ebd82
---
 package-lock.json | 249 ++++++++++++++++++++++++++--------------------
 1 file changed, 140 insertions(+), 109 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a595f66..419975c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1187,6 +1187,18 @@
 			"integrity": "sha512-PzdZZzRhcXvKB0begee28n5lvwAcinGKYuLZOVxHAZm+n7y01ddEGfdS1ZXRuVcV+ndG6mSEAE8vgudom5UjYg==",
 			"dev": true
 		},
+		"node_modules/@nodable/entities": {
+			"version": "1.1.0",
+			"resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-1.1.0.tgz",
+			"integrity": "sha512-bidpxmTBP0pOsxULw6XlxzQpTgrAGLDHGBK/JuWhPDL6ZV0GZ/PmN9CA9do6e+A9lYI6qx6ikJUtJYRxup141g==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/nodable"
+				}
+			]
+		},
 		"node_modules/@nodelib/fs.scandir": {
 			"version": "2.1.5",
 			"resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
@@ -1357,9 +1369,9 @@
 			}
 		},
 		"node_modules/@stylistic/eslint-plugin/node_modules/picomatch": {
-			"version": "4.0.3",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"version": "4.0.4",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"engines": {
 				"node": ">=12"
@@ -1757,9 +1769,9 @@
 			}
 		},
 		"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -1924,9 +1936,9 @@
 			}
 		},
 		"node_modules/@typescript-eslint/utils/node_modules/brace-expansion": {
-			"version": "5.0.4",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-			"integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+			"version": "5.0.5",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+			"integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^4.0.2"
@@ -2167,9 +2179,9 @@
 			}
 		},
 		"node_modules/@wdio/cli/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -2649,9 +2661,9 @@
 			}
 		},
 		"node_modules/@wdio/config/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -3580,9 +3592,9 @@
 			}
 		},
 		"node_modules/archiver-utils/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -3945,9 +3957,9 @@
 			}
 		},
 		"node_modules/basic-ftp": {
-			"version": "5.2.0",
-			"resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.0.tgz",
-			"integrity": "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==",
+			"version": "5.3.0",
+			"resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
+			"integrity": "sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==",
 			"dev": true,
 			"engines": {
 				"node": ">=10.0.0"
@@ -3984,9 +3996,9 @@
 			"dev": true
 		},
 		"node_modules/brace-expansion": {
-			"version": "1.1.12",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-			"integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+			"version": "1.1.14",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+			"integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0",
@@ -4250,9 +4262,9 @@
 			}
 		},
 		"node_modules/cheerio/node_modules/undici": {
-			"version": "7.22.0",
-			"resolved": "https://registry.npmjs.org/undici/-/undici-7.22.0.tgz",
-			"integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==",
+			"version": "7.25.0",
+			"resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz",
+			"integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==",
 			"dev": true,
 			"engines": {
 				"node": ">=20.18.1"
@@ -6248,6 +6260,16 @@
 				"url": "https://github.com/sponsors/sindresorhus"
 			}
 		},
+		"node_modules/exit-x": {
+			"version": "0.2.2",
+			"resolved": "https://registry.npmjs.org/exit-x/-/exit-x-0.2.2.tgz",
+			"integrity": "sha512-+I6B/IkJc1o/2tiURyz/ivu/O0nKNEArIUB5O7zBrlDVJr22SCLH3xTeEry428LvFhRzIA1g8izguxJ/gbNcVQ==",
+			"dev": true,
+			"peer": true,
+			"engines": {
+				"node": ">= 0.8.0"
+			}
+		},
 		"node_modules/expand-tilde": {
 			"version": "2.0.2",
 			"resolved": "https://registry.npmjs.org/expand-tilde/-/expand-tilde-2.0.2.tgz",
@@ -6457,21 +6479,24 @@
 			]
 		},
 		"node_modules/fast-xml-builder": {
-			"version": "1.0.0",
-			"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.0.0.tgz",
-			"integrity": "sha512-fpZuDogrAgnyt9oDDz+5DBz0zgPdPZz6D4IR7iESxRXElrlGTRkHJ9eEt+SACRJwT0FNFrt71DFQIUFBJfX/uQ==",
+			"version": "1.1.4",
+			"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
+			"integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
 			"dev": true,
 			"funding": [
 				{
 					"type": "github",
 					"url": "https://github.com/sponsors/NaturalIntelligence"
 				}
-			]
+			],
+			"dependencies": {
+				"path-expression-matcher": "^1.1.3"
+			}
 		},
 		"node_modules/fast-xml-parser": {
-			"version": "5.4.2",
-			"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.4.2.tgz",
-			"integrity": "sha512-pw/6pIl4k0CSpElPEJhDppLzaixDEuWui2CUQQBH/ECDf7+y6YwA4Gf7Tyb0Rfe4DIMuZipYj4AEL0nACKglvQ==",
+			"version": "5.6.0",
+			"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.6.0.tgz",
+			"integrity": "sha512-5G+uaEBbOm9M4dgMOV3K/rBzfUNGqGqoUTaYJM3hBwM8t71w07gxLQZoTsjkY8FtfjabqgQHEkeIySBDYeBmJw==",
 			"dev": true,
 			"funding": [
 				{
@@ -6480,8 +6505,10 @@
 				}
 			],
 			"dependencies": {
-				"fast-xml-builder": "^1.0.0",
-				"strnum": "^2.1.2"
+				"@nodable/entities": "^1.1.0",
+				"fast-xml-builder": "^1.1.4",
+				"path-expression-matcher": "^1.5.0",
+				"strnum": "^2.2.3"
 			},
 			"bin": {
 				"fxparser": "src/cli/cli.js"
@@ -6586,9 +6613,9 @@
 			}
 		},
 		"node_modules/filelist/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -6701,9 +6728,9 @@
 			}
 		},
 		"node_modules/flatted": {
-			"version": "3.3.1",
-			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
-			"integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
+			"version": "3.4.2",
+			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+			"integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
 			"dev": true
 		},
 		"node_modules/for-in": {
@@ -7102,9 +7129,9 @@
 			"dev": true
 		},
 		"node_modules/grunt": {
-			"version": "1.6.1",
-			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.1.tgz",
-			"integrity": "sha512-/ABUy3gYWu5iBmrUSRBP97JLpQUm0GgVveDCp6t3yRNIoltIYw7rEj3g5y1o2PGPR2vfTRGa7WC/LZHLTXnEzA==",
+			"version": "1.6.2",
+			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.2.tgz",
+			"integrity": "sha512-bUzh5nA/P5L66ihXTDP6J5BGnMB/8lXJXejYWSbH4Y4TvWM9t2S39sggQDYYQlx06cYcCsmu63HMYHGCIzUVfg==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
@@ -7113,14 +7140,14 @@
 				"exit": "~0.1.2",
 				"findup-sync": "~5.0.0",
 				"glob": "~7.1.6",
-				"grunt-cli": "~1.4.3",
+				"grunt-cli": "^1.4.3",
 				"grunt-known-options": "~2.0.0",
 				"grunt-legacy-log": "~3.0.0",
 				"grunt-legacy-util": "~2.0.1",
 				"iconv-lite": "~0.6.3",
 				"js-yaml": "~3.14.0",
-				"minimatch": "~3.0.4",
-				"nopt": "~3.0.6"
+				"minimatch": "^3.1.5",
+				"nopt": "^5.0.0"
 			},
 			"bin": {
 				"grunt": "bin/grunt"
@@ -7208,47 +7235,46 @@
 			}
 		},
 		"node_modules/grunt-legacy-log": {
-			"version": "3.0.0",
-			"resolved": "https://registry.npmjs.org/grunt-legacy-log/-/grunt-legacy-log-3.0.0.tgz",
-			"integrity": "sha512-GHZQzZmhyq0u3hr7aHW4qUH0xDzwp2YXldLPZTCjlOeGscAOWWPftZG3XioW8MasGp+OBRIu39LFx14SLjXRcA==",
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/grunt-legacy-log/-/grunt-legacy-log-3.0.1.tgz",
+			"integrity": "sha512-vytI3IUC8qUK9TcvvpHpGJzDojua/sfJV4TdLB4FtCFzospqduzBuL3+dEfpvO+tGECv7/273+33hjjMXSa92g==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
 				"colors": "~1.1.2",
-				"grunt-legacy-log-utils": "~2.1.0",
+				"grunt-legacy-log-utils": "^2.1.3",
 				"hooker": "~0.2.3",
-				"lodash": "~4.17.19"
+				"lodash": "^4.18.0"
 			},
 			"engines": {
 				"node": ">= 0.10.0"
 			}
 		},
 		"node_modules/grunt-legacy-log-utils": {
-			"version": "2.1.0",
-			"resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.0.tgz",
-			"integrity": "sha512-lwquaPXJtKQk0rUM1IQAop5noEpwFqOXasVoedLeNzaibf/OPWjKYvvdqnEHNmU+0T0CaReAXIbGo747ZD+Aaw==",
+			"version": "2.1.3",
+			"resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.3.tgz",
+			"integrity": "sha512-sgG+QvKmdb44wZyzJP+ejDsy3jYxG2wzohpol+JTMlXqMUBDoZb01JPQ5jKAedtZBFwhmABAc88T9hEBLy3U+Q==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
-				"chalk": "~4.1.0",
-				"lodash": "~4.17.19"
+				"chalk": "^4.1.0"
 			},
 			"engines": {
 				"node": ">=10"
 			}
 		},
 		"node_modules/grunt-legacy-util": {
-			"version": "2.0.1",
-			"resolved": "https://registry.npmjs.org/grunt-legacy-util/-/grunt-legacy-util-2.0.1.tgz",
-			"integrity": "sha512-2bQiD4fzXqX8rhNdXkAywCadeqiPiay0oQny77wA2F3WF4grPJXCvAcyoWUJV+po/b15glGkxuSiQCK299UC2w==",
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/grunt-legacy-util/-/grunt-legacy-util-2.0.2.tgz",
+			"integrity": "sha512-0xoDILyR4BVJel5uJwnhjdWN9evOQ8A0uXbQUIJ0hgVthIA6kloXHSoqATQPj6BRrHrHkcQtCeGVb0ixFoHyEQ==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
 				"async": "~3.2.0",
-				"exit": "~0.1.2",
+				"exit-x": "~0.2.2",
 				"getobject": "~1.0.0",
 				"hooker": "~0.2.3",
-				"lodash": "~4.17.21",
+				"lodash": "^4.18.0",
 				"underscore.string": "~3.3.5",
 				"which": "~2.0.2"
 			},
@@ -7316,19 +7342,6 @@
 				"js-yaml": "bin/js-yaml.js"
 			}
 		},
-		"node_modules/grunt/node_modules/minimatch": {
-			"version": "3.0.8",
-			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.8.tgz",
-			"integrity": "sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==",
-			"dev": true,
-			"peer": true,
-			"dependencies": {
-				"brace-expansion": "^1.1.7"
-			},
-			"engines": {
-				"node": "*"
-			}
-		},
 		"node_modules/grunt/node_modules/sprintf-js": {
 			"version": "1.0.3",
 			"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
@@ -8053,9 +8066,9 @@
 			}
 		},
 		"node_modules/jest-util/node_modules/picomatch": {
-			"version": "4.0.3",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"version": "4.0.4",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"engines": {
 				"node": ">=12"
@@ -8404,9 +8417,9 @@
 			}
 		},
 		"node_modules/lodash": {
-			"version": "4.17.23",
-			"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-			"integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+			"version": "4.18.1",
+			"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+			"integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
 			"dev": true
 		},
 		"node_modules/lodash.clonedeep": {
@@ -8709,9 +8722,9 @@
 			}
 		},
 		"node_modules/mocha/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -8914,9 +8927,9 @@
 			"dev": true
 		},
 		"node_modules/nopt": {
-			"version": "3.0.6",
-			"resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
-			"integrity": "sha512-4GUt3kSEYmk4ITxzB/b9vaIDfUVWN/Ml1Fwl11IlnIG2iaJ9O6WXZ9SrYM9NLI8OCBieN2Y8SWC2oJV0RQ7qYg==",
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz",
+			"integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
@@ -8924,6 +8937,9 @@
 			},
 			"bin": {
 				"nopt": "bin/nopt.js"
+			},
+			"engines": {
+				"node": ">=6"
 			}
 		},
 		"node_modules/normalize-package-data": {
@@ -9346,6 +9362,21 @@
 				"node": ">=8"
 			}
 		},
+		"node_modules/path-expression-matcher": {
+			"version": "1.5.0",
+			"resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
+			"integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/NaturalIntelligence"
+				}
+			],
+			"engines": {
+				"node": ">=14.0.0"
+			}
+		},
 		"node_modules/path-is-absolute": {
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
@@ -9449,9 +9480,9 @@
 			"dev": true
 		},
 		"node_modules/picomatch": {
-			"version": "2.3.1",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-			"integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+			"version": "2.3.2",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+			"integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
 			"dev": true,
 			"engines": {
 				"node": ">=8.6"
@@ -9899,9 +9930,9 @@
 			}
 		},
 		"node_modules/readdir-glob/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -10745,9 +10776,9 @@
 			}
 		},
 		"node_modules/strnum": {
-			"version": "2.2.0",
-			"resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.0.tgz",
-			"integrity": "sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==",
+			"version": "2.2.3",
+			"resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz",
+			"integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==",
 			"dev": true,
 			"funding": [
 				{
@@ -11247,9 +11278,9 @@
 			}
 		},
 		"node_modules/tinyglobby/node_modules/picomatch": {
-			"version": "4.0.3",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"version": "4.0.4",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"engines": {
 				"node": ">=12"
@@ -11343,9 +11374,9 @@
 			}
 		},
 		"node_modules/ts-declaration-location/node_modules/picomatch": {
-			"version": "4.0.3",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"version": "4.0.4",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"engines": {
 				"node": ">=12"
@@ -11460,9 +11491,9 @@
 			}
 		},
 		"node_modules/undici": {
-			"version": "6.23.0",
-			"resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
-			"integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+			"version": "6.25.0",
+			"resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
+			"integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==",
 			"dev": true,
 			"engines": {
 				"node": ">=18.17"
@@ -12145,9 +12176,9 @@
 			}
 		},
 		"node_modules/yaml": {
-			"version": "2.8.2",
-			"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-			"integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+			"version": "2.8.3",
+			"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+			"integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
 			"dev": true,
 			"bin": {
 				"yaml": "bin.mjs"
-- 
2.47.3

$ date
--- stdout ---
Thu Apr 16 07:43:17 UTC 2026

--- end ---
$ git clone file:///srv/git/mediawiki-extensions-FacetedCategory.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/master
--- stdout ---
284cb9babe23e6020aa2b9ce8971b56fd8812a50 refs/heads/master

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@wdio/mocha-framework": {
      "name": "@wdio/mocha-framework",
      "severity": "high",
      "isDirect": true,
      "via": [
        "mocha"
      ],
      "effects": [],
      "range": ">=6.1.19",
      "nodes": [
        "node_modules/@wdio/mocha-framework"
      ],
      "fixAvailable": {
        "name": "@wdio/mocha-framework",
        "version": "6.1.17",
        "isSemVerMajor": true
      }
    },
    "basic-ftp": {
      "name": "basic-ftp",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1116454,
          "name": "basic-ftp",
          "dependency": "basic-ftp",
          "title": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands",
          "url": "https://github.com/advisories/GHSA-6v7q-wjvx-w8wg",
          "severity": "high",
          "cwe": [
            "CWE-93"
          ],
          "cvss": {
            "score": 8.2,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"
          },
          "range": "<=5.2.1"
        },
        {
          "source": 1116478,
          "name": "basic-ftp",
          "dependency": "basic-ftp",
          "title": "basic-ftp has FTP Command Injection via CRLF",
          "url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q",
          "severity": "high",
          "cwe": [
            "CWE-93"
          ],
          "cvss": {
            "score": 8.6,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
          },
          "range": "=5.2.0"
        }
      ],
      "effects": [],
      "range": "<=5.2.1",
      "nodes": [
        "node_modules/basic-ftp"
      ],
      "fixAvailable": true
    },
    "brace-expansion": {
      "name": "brace-expansion",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1115540,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
          "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
          "severity": "moderate",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
          },
          "range": "<1.1.13"
        },
        {
          "source": 1115541,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
          "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
          "severity": "moderate",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
          },
          "range": ">=2.0.0 <2.0.3"
        },
        {
          "source": 1115543,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
          "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
          "severity": "moderate",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
          },
          "range": ">=4.0.0 <5.0.5"
        }
      ],
      "effects": [],
      "range": "<=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4",
      "nodes": [
        "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
        "node_modules/@typescript-eslint/utils/node_modules/brace-expansion",
        "node_modules/@wdio/cli/node_modules/brace-expansion",
        "node_modules/@wdio/config/node_modules/brace-expansion",
        "node_modules/archiver-utils/node_modules/brace-expansion",
        "node_modules/brace-expansion",
        "node_modules/filelist/node_modules/brace-expansion",
        "node_modules/mocha/node_modules/brace-expansion",
        "node_modules/readdir-glob/node_modules/brace-expansion"
      ],
      "fixAvailable": true
    },
    "fast-xml-parser": {
      "name": "fast-xml-parser",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1115339,
          "name": "fast-xml-parser",
          "dependency": "fast-xml-parser",
          "title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)",
          "url": "https://github.com/advisories/GHSA-8gc5-j5rx-235r",
          "severity": "high",
          "cwe": [
            "CWE-776"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=5.0.0 <5.5.6"
        },
        {
          "source": 1116307,
          "name": "fast-xml-parser",
          "dependency": "fast-xml-parser",
          "title": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser",
          "url": "https://github.com/advisories/GHSA-jp2q-39xq-3w4g",
          "severity": "moderate",
          "cwe": [
            "CWE-1284"
          ],
          "cvss": {
            "score": 5.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=5.0.0 <5.5.7"
        }
      ],
      "effects": [],
      "range": "5.0.0 - 5.5.6",
      "nodes": [
        "node_modules/fast-xml-parser"
      ],
      "fixAvailable": true
    },
    "flatted": {
      "name": "flatted",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1114526,
          "name": "flatted",
          "dependency": "flatted",
          "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase",
          "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f",
          "severity": "high",
          "cwe": [
            "CWE-674"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.4.0"
        },
        {
          "source": 1115357,
          "name": "flatted",
          "dependency": "flatted",
          "title": "Prototype Pollution via parse() in NodeJS flatted",
          "url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh",
          "severity": "high",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<=3.4.1"
        }
      ],
      "effects": [],
      "range": "<=3.4.1",
      "nodes": [
        "node_modules/flatted"
      ],
      "fixAvailable": true
    },
    "form-data": {
      "name": "form-data",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1109540,
          "name": "form-data",
          "dependency": "form-data",
          "title": "form-data uses unsafe random function in form-data for choosing boundary",
          "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
          "severity": "critical",
          "cwe": [
            "CWE-330"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<2.5.4"
        }
      ],
      "effects": [
        "request"
      ],
      "range": "<2.5.4",
      "nodes": [
        "node_modules/form-data"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "grunt": {
      "name": "grunt",
      "severity": "high",
      "isDirect": false,
      "via": [
        "minimatch"
      ],
      "effects": [],
      "range": "0.4.0-a - 1.6.1",
      "nodes": [
        "node_modules/grunt"
      ],
      "fixAvailable": true
    },
    "grunt-legacy-log": {
      "name": "grunt-legacy-log",
      "severity": "high",
      "isDirect": false,
      "via": [
        "lodash"
      ],
      "effects": [],
      "range": "1.0.1 - 3.0.0",
      "nodes": [
        "node_modules/grunt-legacy-log"
      ],
      "fixAvailable": true
    },
    "grunt-legacy-log-utils": {
      "name": "grunt-legacy-log-utils",
      "severity": "high",
      "isDirect": false,
      "via": [
        "lodash"
      ],
      "effects": [],
      "range": "1.0.0 - 2.1.0",
      "nodes": [
        "node_modules/grunt-legacy-log-utils"
      ],
      "fixAvailable": true
    },
    "grunt-legacy-util": {
      "name": "grunt-legacy-util",
      "severity": "high",
      "isDirect": false,
      "via": [
        "lodash"
      ],
      "effects": [],
      "range": "1.0.0-rc1 - 2.0.1",
      "nodes": [
        "node_modules/grunt-legacy-util"
      ],
      "fixAvailable": true
    },
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1115806,
          "name": "lodash",
          "dependency": "lodash",
          "title": "lodash vulnerable to Code Injection via `_.template` imports key names",
          "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
          "severity": "high",
          "cwe": [
            "CWE-94"
          ],
          "cvss": {
            "score": 8.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": ">=4.0.0 <=4.17.23"
        },
        {
          "source": 1115810,
          "name": "lodash",
          "dependency": "lodash",
          "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
          "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
          },
          "range": "<=4.17.23"
        }
      ],
      "effects": [
        "grunt-legacy-log",
        "grunt-legacy-log-utils",
        "grunt-legacy-util"
      ],
      "range": "<=4.17.23",
      "nodes": [
        "node_modules/lodash"
      ],
      "fixAvailable": true
    },
    "minimatch": {
      "name": "minimatch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1113459,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
          "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<3.1.3"
        },
        {
          "source": 1113538,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
          "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
          "severity": "high",
          "cwe": [
            "CWE-407"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.1.3"
        },
        {
          "source": 1113546,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
          "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.1.4"
        }
      ],
      "effects": [
        "grunt"
      ],
      "range": "<=3.1.3",
      "nodes": [
        "node_modules/grunt/node_modules/minimatch"
      ],
      "fixAvailable": true
    },
    "mocha": {
      "name": "mocha",
      "severity": "high",
      "isDirect": false,
      "via": [
        "serialize-javascript"
      ],
      "effects": [
        "@wdio/mocha-framework"
      ],
      "range": "8.0.0 - 12.0.0-beta-2",
      "nodes": [
        "node_modules/mocha"
      ],
      "fixAvailable": {
        "name": "@wdio/mocha-framework",
        "version": "6.1.17",
        "isSemVerMajor": true
      }
    },
    "mwbot": {
      "name": "mwbot",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "request"
      ],
      "effects": [
        "wdio-mediawiki"
      ],
      "range": ">=0.1.6",
      "nodes": [
        "node_modules/mwbot"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "picomatch": {
      "name": "picomatch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1115549,
          "name": "picomatch",
          "dependency": "picomatch",
          "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
          "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<2.3.2"
        },
        {
          "source": 1115551,
          "name": "picomatch",
          "dependency": "picomatch",
          "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
          "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": ">=4.0.0 <4.0.4"
        },
        {
          "source": 1115552,
          "name": "picomatch",
          "dependency": "picomatch",
          "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
          "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<2.3.2"
        },
        {
          "source": 1115554,
          "name": "picomatch",
          "dependency": "picomatch",
          "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
          "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=4.0.0 <4.0.4"
        }
      ],
      "effects": [],
      "range": "<=2.3.1 || 4.0.0 - 4.0.3",
      "nodes": [
        "node_modules/@stylistic/eslint-plugin/node_modules/picomatch",
        "node_modules/jest-util/node_modules/picomatch",
        "node_modules/picomatch",
        "node_modules/tinyglobby/node_modules/picomatch",
        "node_modules/ts-declaration-location/node_modules/picomatch"
      ],
      "fixAvailable": true
    },
    "qs": {
      "name": "qs",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1113719,
          "name": "qs",
          "dependency": "qs",
          "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
          "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
          "severity": "moderate",
          "cwe": [
            "CWE-20"
          ],
          "cvss": {
            "score": 3.7,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<6.14.1"
        }
      ],
      "effects": [
        "request"
      ],
      "range": "<6.14.1",
      "nodes": [
        "node_modules/qs"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "request": {
      "name": "request",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1096727,
          "name": "request",
          "dependency": "request",
          "title": "Server-Side Request Forgery in Request",
          "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
          "severity": "moderate",
          "cwe": [
            "CWE-918"
          ],
          "cvss": {
            "score": 6.1,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
          },
          "range": "<=2.88.2"
        },
        "form-data",
        "qs",
        "tough-cookie"
      ],
      "effects": [
        "mwbot"
      ],
      "range": "*",
      "nodes": [
        "node_modules/request"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "serialize-javascript": {
      "name": "serialize-javascript",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1113686,
          "name": "serialize-javascript",
          "dependency": "serialize-javascript",
          "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
          "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
          "severity": "high",
          "cwe": [
            "CWE-96"
          ],
          "cvss": {
            "score": 8.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<=7.0.2"
        },
        {
          "source": 1115723,
          "name": "serialize-javascript",
          "dependency": "serialize-javascript",
          "title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
          "url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
          "severity": "moderate",
          "cwe": [
            "CWE-400",
            "CWE-834"
          ],
          "cvss": {
            "score": 5.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<7.0.5"
        }
      ],
      "effects": [
        "mocha"
      ],
      "range": "<=7.0.4",
      "nodes": [
        "node_modules/serialize-javascript"
      ],
      "fixAvailable": {
        "name": "@wdio/mocha-framework",
        "version": "6.1.17",
        "isSemVerMajor": true
      }
    },
    "tough-cookie": {
      "name": "tough-cookie",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1097682,
          "name": "tough-cookie",
          "dependency": "tough-cookie",
          "title": "tough-cookie Prototype Pollution vulnerability",
          "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
          },
          "range": "<4.1.3"
        }
      ],
      "effects": [
        "request"
      ],
      "range": "<4.1.3",
      "nodes": [
        "node_modules/tough-cookie"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "undici": {
      "name": "undici",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1114591,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
          "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj",
          "severity": "high",
          "cwe": [
            "CWE-248",
            "CWE-1284"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114592,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
          "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj",
          "severity": "high",
          "cwe": [
            "CWE-248",
            "CWE-1284"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=6.0.0 <6.24.0"
        },
        {
          "source": 1114593,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has an HTTP Request/Response Smuggling issue",
          "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm",
          "severity": "moderate",
          "cwe": [
            "CWE-444"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114594,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has an HTTP Request/Response Smuggling issue",
          "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm",
          "severity": "moderate",
          "cwe": [
            "CWE-444"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
          },
          "range": "<6.24.0"
        },
        {
          "source": 1114637,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
          "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q",
          "severity": "high",
          "cwe": [
            "CWE-409"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114638,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
          "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q",
          "severity": "high",
          "cwe": [
            "CWE-409"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<6.24.0"
        },
        {
          "source": 1114639,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
          "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8",
          "severity": "high",
          "cwe": [
            "CWE-248"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114640,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
          "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8",
          "severity": "high",
          "cwe": [
            "CWE-248"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<6.24.0"
        },
        {
          "source": 1114641,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has CRLF Injection in undici via `upgrade` option",
          "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq",
          "severity": "moderate",
          "cwe": [
            "CWE-93"
          ],
          "cvss": {
            "score": 4.6,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114642,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has CRLF Injection in undici via `upgrade` option",
          "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq",
          "severity": "moderate",
          "cwe": [
            "CWE-93"
          ],
          "cvss": {
            "score": 4.6,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
          },
          "range": "<6.24.0"
        },
        {
          "source": 1114643,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS",
          "url": "https://github.com/advisories/GHSA-phc3-fgpg-7m6h",
          "severity": "moderate",
          "cwe": [
            "CWE-770"
          ],
          "cvss": {
            "score": 5.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=7.17.0 <7.24.0"
        }
      ],
      "effects": [],
      "range": "<=6.23.0 || 7.0.0 - 7.23.0",
      "nodes": [
        "node_modules/cheerio/node_modules/undici",
        "node_modules/undici"
      ],
      "fixAvailable": true
    },
    "wdio-mediawiki": {
      "name": "wdio-mediawiki",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "mwbot"
      ],
      "effects": [],
      "range": "<=5.1.0",
      "nodes": [
        "node_modules/wdio-mediawiki"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "yaml": {
      "name": "yaml",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1115556,
          "name": "yaml",
          "dependency": "yaml",
          "title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
          "url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
          "severity": "moderate",
          "cwe": [
            "CWE-674"
          ],
          "cvss": {
            "score": 4.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=2.0.0 <2.8.3"
        }
      ],
      "effects": [],
      "range": "2.0.0 - 2.8.2",
      "nodes": [
        "node_modules/yaml"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 6,
      "high": 14,
      "critical": 2,
      "total": 22
    },
    "dependencies": {
      "prod": 1,
      "dev": 952,
      "optional": 37,
      "peer": 60,
      "peerOptional": 0,
      "total": 952
    }
  }
}

--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 37 installs, 0 updates, 0 removals
  - Locking composer/pcre (3.3.2)
  - Locking composer/semver (3.4.4)
  - Locking composer/spdx-licenses (1.5.10)
  - Locking composer/xdebug-handler (3.0.5)
  - Locking danog/advanced-json-rpc (v3.2.3)
  - Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.0)
  - Locking doctrine/deprecations (1.1.6)
  - Locking mediawiki/mediawiki-codesniffer (v50.0.0)
  - Locking mediawiki/mediawiki-phan-config (0.20.0)
  - Locking mediawiki/minus-x (2.0.1)
  - Locking mediawiki/phan-taint-check-plugin (9.1.0)
  - Locking netresearch/jsonmapper (v5.0.1)
  - Locking phan/phan (6.0.2)
  - Locking phan/tolerant-php-parser (v0.2.0)
  - Locking phan/var_representation_polyfill (0.1.4)
  - Locking php-parallel-lint/php-console-color (v1.0.1)
  - Locking php-parallel-lint/php-console-highlighter (v1.0.0)
  - Locking php-parallel-lint/php-parallel-lint (v1.4.0)
  - Locking phpcsstandards/phpcsextra (1.4.0)
  - Locking phpcsstandards/phpcsutils (1.2.2)
  - Locking phpdocumentor/reflection-common (2.2.0)
  - Locking phpdocumentor/reflection-docblock (6.0.3)
  - Locking phpdocumentor/type-resolver (2.0.0)
  - Locking phpstan/phpdoc-parser (2.3.2)
  - Locking psr/container (2.0.2)
  - Locking psr/log (3.0.2)
  - Locking sabre/event (6.0.1)
  - Locking squizlabs/php_codesniffer (3.13.5)
  - Locking symfony/console (v8.0.8)
  - Locking symfony/deprecation-contracts (v3.6.0)
  - Locking symfony/polyfill-ctype (v1.36.0)
  - Locking symfony/polyfill-intl-grapheme (v1.36.0)
  - Locking symfony/polyfill-intl-normalizer (v1.36.0)
  - Locking symfony/polyfill-mbstring (v1.36.0)
  - Locking symfony/service-contracts (v3.6.1)
  - Locking symfony/string (v8.0.8)
  - Locking webmozart/assert (2.3.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 37 installs, 0 updates, 0 removals
    0 [>---------------------------]    0 [->--------------------------]
  - Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
  - Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.0): Extracting archive
  - Installing composer/pcre (3.3.2): Extracting archive
  - Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
  - Installing phpcsstandards/phpcsextra (1.4.0): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.36.0): Extracting archive
  - Installing composer/spdx-licenses (1.5.10): Extracting archive
  - Installing composer/semver (3.4.4): Extracting archive
  - Installing mediawiki/mediawiki-codesniffer (v50.0.0): Extracting archive
  - Installing symfony/polyfill-intl-normalizer (v1.36.0): Extracting archive
  - Installing symfony/polyfill-intl-grapheme (v1.36.0): Extracting archive
  - Installing symfony/polyfill-ctype (v1.36.0): Extracting archive
  - Installing symfony/string (v8.0.8): Extracting archive
  - Installing symfony/deprecation-contracts (v3.6.0): Extracting archive
  - Installing psr/container (2.0.2): Extracting archive
  - Installing symfony/service-contracts (v3.6.1): Extracting archive
  - Installing symfony/console (v8.0.8): Extracting archive
  - Installing sabre/event (6.0.1): Extracting archive
  - Installing phan/var_representation_polyfill (0.1.4): Extracting archive
  - Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
  - Installing netresearch/jsonmapper (v5.0.1): Extracting archive
  - Installing webmozart/assert (2.3.0): Extracting archive
  - Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
  - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
  - Installing doctrine/deprecations (1.1.6): Extracting archive
  - Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
  - Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
  - Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
  - Installing psr/log (3.0.2): Extracting archive
  - Installing composer/xdebug-handler (3.0.5): Extracting archive
  - Installing phan/phan (6.0.2): Extracting archive
  - Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
  - Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
  - Installing mediawiki/minus-x (2.0.1): Extracting archive
  - Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
  - Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
  - Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
  0/35 [>---------------------------]   0%
 28/35 [======================>-----]  80%
 34/35 [===========================>]  97%
 35/35 [============================] 100%
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
16 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@wdio/mocha-framework": {
      "name": "@wdio/mocha-framework",
      "severity": "high",
      "isDirect": true,
      "via": [
        "mocha"
      ],
      "effects": [],
      "range": ">=6.1.19",
      "nodes": [
        "node_modules/@wdio/mocha-framework"
      ],
      "fixAvailable": {
        "name": "@wdio/mocha-framework",
        "version": "6.1.17",
        "isSemVerMajor": true
      }
    },
    "basic-ftp": {
      "name": "basic-ftp",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1116454,
          "name": "basic-ftp",
          "dependency": "basic-ftp",
          "title": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands",
          "url": "https://github.com/advisories/GHSA-6v7q-wjvx-w8wg",
          "severity": "high",
          "cwe": [
            "CWE-93"
          ],
          "cvss": {
            "score": 8.2,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"
          },
          "range": "<=5.2.1"
        },
        {
          "source": 1116478,
          "name": "basic-ftp",
          "dependency": "basic-ftp",
          "title": "basic-ftp has FTP Command Injection via CRLF",
          "url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q",
          "severity": "high",
          "cwe": [
            "CWE-93"
          ],
          "cvss": {
            "score": 8.6,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
          },
          "range": "=5.2.0"
        }
      ],
      "effects": [],
      "range": "<=5.2.1",
      "nodes": [
        "node_modules/basic-ftp"
      ],
      "fixAvailable": true
    },
    "brace-expansion": {
      "name": "brace-expansion",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1115540,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
          "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
          "severity": "moderate",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
          },
          "range": "<1.1.13"
        },
        {
          "source": 1115541,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
          "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
          "severity": "moderate",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
          },
          "range": ">=2.0.0 <2.0.3"
        },
        {
          "source": 1115543,
          "name": "brace-expansion",
          "dependency": "brace-expansion",
          "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
          "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
          "severity": "moderate",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
          },
          "range": ">=4.0.0 <5.0.5"
        }
      ],
      "effects": [],
      "range": "<=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4",
      "nodes": [
        "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion",
        "node_modules/@typescript-eslint/utils/node_modules/brace-expansion",
        "node_modules/@wdio/cli/node_modules/brace-expansion",
        "node_modules/@wdio/config/node_modules/brace-expansion",
        "node_modules/archiver-utils/node_modules/brace-expansion",
        "node_modules/brace-expansion",
        "node_modules/filelist/node_modules/brace-expansion",
        "node_modules/mocha/node_modules/brace-expansion",
        "node_modules/readdir-glob/node_modules/brace-expansion"
      ],
      "fixAvailable": true
    },
    "fast-xml-parser": {
      "name": "fast-xml-parser",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1115339,
          "name": "fast-xml-parser",
          "dependency": "fast-xml-parser",
          "title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)",
          "url": "https://github.com/advisories/GHSA-8gc5-j5rx-235r",
          "severity": "high",
          "cwe": [
            "CWE-776"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=5.0.0 <5.5.6"
        },
        {
          "source": 1116307,
          "name": "fast-xml-parser",
          "dependency": "fast-xml-parser",
          "title": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser",
          "url": "https://github.com/advisories/GHSA-jp2q-39xq-3w4g",
          "severity": "moderate",
          "cwe": [
            "CWE-1284"
          ],
          "cvss": {
            "score": 5.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=5.0.0 <5.5.7"
        }
      ],
      "effects": [],
      "range": "5.0.0 - 5.5.6",
      "nodes": [
        "node_modules/fast-xml-parser"
      ],
      "fixAvailable": true
    },
    "flatted": {
      "name": "flatted",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1114526,
          "name": "flatted",
          "dependency": "flatted",
          "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase",
          "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f",
          "severity": "high",
          "cwe": [
            "CWE-674"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.4.0"
        },
        {
          "source": 1115357,
          "name": "flatted",
          "dependency": "flatted",
          "title": "Prototype Pollution via parse() in NodeJS flatted",
          "url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh",
          "severity": "high",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<=3.4.1"
        }
      ],
      "effects": [],
      "range": "<=3.4.1",
      "nodes": [
        "node_modules/flatted"
      ],
      "fixAvailable": true
    },
    "form-data": {
      "name": "form-data",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1109540,
          "name": "form-data",
          "dependency": "form-data",
          "title": "form-data uses unsafe random function in form-data for choosing boundary",
          "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
          "severity": "critical",
          "cwe": [
            "CWE-330"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<2.5.4"
        }
      ],
      "effects": [
        "request"
      ],
      "range": "<2.5.4",
      "nodes": [
        "node_modules/form-data"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "grunt": {
      "name": "grunt",
      "severity": "high",
      "isDirect": false,
      "via": [
        "minimatch"
      ],
      "effects": [],
      "range": "0.4.0-a - 1.6.1",
      "nodes": [
        "node_modules/grunt"
      ],
      "fixAvailable": true
    },
    "grunt-legacy-log": {
      "name": "grunt-legacy-log",
      "severity": "high",
      "isDirect": false,
      "via": [
        "lodash"
      ],
      "effects": [],
      "range": "1.0.1 - 3.0.0",
      "nodes": [
        "node_modules/grunt-legacy-log"
      ],
      "fixAvailable": true
    },
    "grunt-legacy-log-utils": {
      "name": "grunt-legacy-log-utils",
      "severity": "high",
      "isDirect": false,
      "via": [
        "lodash"
      ],
      "effects": [],
      "range": "1.0.0 - 2.1.0",
      "nodes": [
        "node_modules/grunt-legacy-log-utils"
      ],
      "fixAvailable": true
    },
    "grunt-legacy-util": {
      "name": "grunt-legacy-util",
      "severity": "high",
      "isDirect": false,
      "via": [
        "lodash"
      ],
      "effects": [],
      "range": "1.0.0-rc1 - 2.0.1",
      "nodes": [
        "node_modules/grunt-legacy-util"
      ],
      "fixAvailable": true
    },
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1115806,
          "name": "lodash",
          "dependency": "lodash",
          "title": "lodash vulnerable to Code Injection via `_.template` imports key names",
          "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
          "severity": "high",
          "cwe": [
            "CWE-94"
          ],
          "cvss": {
            "score": 8.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": ">=4.0.0 <=4.17.23"
        },
        {
          "source": 1115810,
          "name": "lodash",
          "dependency": "lodash",
          "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
          "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
          },
          "range": "<=4.17.23"
        }
      ],
      "effects": [
        "grunt-legacy-log",
        "grunt-legacy-log-utils",
        "grunt-legacy-util"
      ],
      "range": "<=4.17.23",
      "nodes": [
        "node_modules/lodash"
      ],
      "fixAvailable": true
    },
    "minimatch": {
      "name": "minimatch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1113459,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
          "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<3.1.3"
        },
        {
          "source": 1113538,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
          "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
          "severity": "high",
          "cwe": [
            "CWE-407"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.1.3"
        },
        {
          "source": 1113546,
          "name": "minimatch",
          "dependency": "minimatch",
          "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
          "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<3.1.4"
        }
      ],
      "effects": [
        "grunt"
      ],
      "range": "<=3.1.3",
      "nodes": [
        "node_modules/grunt/node_modules/minimatch"
      ],
      "fixAvailable": true
    },
    "mocha": {
      "name": "mocha",
      "severity": "high",
      "isDirect": false,
      "via": [
        "serialize-javascript"
      ],
      "effects": [
        "@wdio/mocha-framework"
      ],
      "range": "8.0.0 - 12.0.0-beta-2",
      "nodes": [
        "node_modules/mocha"
      ],
      "fixAvailable": {
        "name": "@wdio/mocha-framework",
        "version": "6.1.17",
        "isSemVerMajor": true
      }
    },
    "mwbot": {
      "name": "mwbot",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "request"
      ],
      "effects": [
        "wdio-mediawiki"
      ],
      "range": ">=0.1.6",
      "nodes": [
        "node_modules/mwbot"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "picomatch": {
      "name": "picomatch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1115549,
          "name": "picomatch",
          "dependency": "picomatch",
          "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
          "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<2.3.2"
        },
        {
          "source": 1115551,
          "name": "picomatch",
          "dependency": "picomatch",
          "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
          "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": ">=4.0.0 <4.0.4"
        },
        {
          "source": 1115552,
          "name": "picomatch",
          "dependency": "picomatch",
          "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
          "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<2.3.2"
        },
        {
          "source": 1115554,
          "name": "picomatch",
          "dependency": "picomatch",
          "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
          "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
          "severity": "high",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=4.0.0 <4.0.4"
        }
      ],
      "effects": [],
      "range": "<=2.3.1 || 4.0.0 - 4.0.3",
      "nodes": [
        "node_modules/@stylistic/eslint-plugin/node_modules/picomatch",
        "node_modules/jest-util/node_modules/picomatch",
        "node_modules/picomatch",
        "node_modules/tinyglobby/node_modules/picomatch",
        "node_modules/ts-declaration-location/node_modules/picomatch"
      ],
      "fixAvailable": true
    },
    "qs": {
      "name": "qs",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1113719,
          "name": "qs",
          "dependency": "qs",
          "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
          "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
          "severity": "moderate",
          "cwe": [
            "CWE-20"
          ],
          "cvss": {
            "score": 3.7,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<6.14.1"
        }
      ],
      "effects": [
        "request"
      ],
      "range": "<6.14.1",
      "nodes": [
        "node_modules/qs"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "request": {
      "name": "request",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1096727,
          "name": "request",
          "dependency": "request",
          "title": "Server-Side Request Forgery in Request",
          "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
          "severity": "moderate",
          "cwe": [
            "CWE-918"
          ],
          "cvss": {
            "score": 6.1,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
          },
          "range": "<=2.88.2"
        },
        "form-data",
        "qs",
        "tough-cookie"
      ],
      "effects": [
        "mwbot"
      ],
      "range": "*",
      "nodes": [
        "node_modules/request"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "serialize-javascript": {
      "name": "serialize-javascript",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1113686,
          "name": "serialize-javascript",
          "dependency": "serialize-javascript",
          "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
          "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
          "severity": "high",
          "cwe": [
            "CWE-96"
          ],
          "cvss": {
            "score": 8.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<=7.0.2"
        },
        {
          "source": 1115723,
          "name": "serialize-javascript",
          "dependency": "serialize-javascript",
          "title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
          "url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
          "severity": "moderate",
          "cwe": [
            "CWE-400",
            "CWE-834"
          ],
          "cvss": {
            "score": 5.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<7.0.5"
        }
      ],
      "effects": [
        "mocha"
      ],
      "range": "<=7.0.4",
      "nodes": [
        "node_modules/serialize-javascript"
      ],
      "fixAvailable": {
        "name": "@wdio/mocha-framework",
        "version": "6.1.17",
        "isSemVerMajor": true
      }
    },
    "tough-cookie": {
      "name": "tough-cookie",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1097682,
          "name": "tough-cookie",
          "dependency": "tough-cookie",
          "title": "tough-cookie Prototype Pollution vulnerability",
          "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
          "severity": "moderate",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
          },
          "range": "<4.1.3"
        }
      ],
      "effects": [
        "request"
      ],
      "range": "<4.1.3",
      "nodes": [
        "node_modules/tough-cookie"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "undici": {
      "name": "undici",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1114591,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
          "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj",
          "severity": "high",
          "cwe": [
            "CWE-248",
            "CWE-1284"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114592,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
          "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj",
          "severity": "high",
          "cwe": [
            "CWE-248",
            "CWE-1284"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=6.0.0 <6.24.0"
        },
        {
          "source": 1114593,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has an HTTP Request/Response Smuggling issue",
          "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm",
          "severity": "moderate",
          "cwe": [
            "CWE-444"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114594,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has an HTTP Request/Response Smuggling issue",
          "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm",
          "severity": "moderate",
          "cwe": [
            "CWE-444"
          ],
          "cvss": {
            "score": 6.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
          },
          "range": "<6.24.0"
        },
        {
          "source": 1114637,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
          "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q",
          "severity": "high",
          "cwe": [
            "CWE-409"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114638,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
          "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q",
          "severity": "high",
          "cwe": [
            "CWE-409"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<6.24.0"
        },
        {
          "source": 1114639,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
          "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8",
          "severity": "high",
          "cwe": [
            "CWE-248"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114640,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
          "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8",
          "severity": "high",
          "cwe": [
            "CWE-248"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<6.24.0"
        },
        {
          "source": 1114641,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has CRLF Injection in undici via `upgrade` option",
          "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq",
          "severity": "moderate",
          "cwe": [
            "CWE-93"
          ],
          "cvss": {
            "score": 4.6,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
          },
          "range": ">=7.0.0 <7.24.0"
        },
        {
          "source": 1114642,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has CRLF Injection in undici via `upgrade` option",
          "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq",
          "severity": "moderate",
          "cwe": [
            "CWE-93"
          ],
          "cvss": {
            "score": 4.6,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
          },
          "range": "<6.24.0"
        },
        {
          "source": 1114643,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS",
          "url": "https://github.com/advisories/GHSA-phc3-fgpg-7m6h",
          "severity": "moderate",
          "cwe": [
            "CWE-770"
          ],
          "cvss": {
            "score": 5.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": ">=7.17.0 <7.24.0"
        }
      ],
      "effects": [],
      "range": "<=6.23.0 || 7.0.0 - 7.23.0",
      "nodes": [
        "node_modules/cheerio/node_modules/undici",
        "node_modules/undici"
      ],
      "fixAvailable": true
    },
    "wdio-mediawiki": {
      "name": "wdio-mediawiki",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "mwbot"
      ],
      "effects": [],
      "range": "<=5.1.0",
      "nodes": [
        "node_modules/wdio-mediawiki"
      ],
      "fixAvailable": {
        "name": "wdio-mediawiki",
        "version": "6.5.1",
        "isSemVerMajor": true
      }
    },
    "yaml": {
      "name": "yaml",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1115556,
          "name": "yaml",
          "dependency": "yaml",
          "title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
          "url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
          "severity": "moderate",
          "cwe": [
            "CWE-674"
          ],
          "cvss": {
            "score": 4.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=2.0.0 <2.8.3"
        }
      ],
      "effects": [],
      "range": "2.0.0 - 2.8.2",
      "nodes": [
        "node_modules/yaml"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 6,
      "high": 14,
      "critical": 2,
      "total": 22
    },
    "dependencies": {
      "prod": 1,
      "dev": 952,
      "optional": 37,
      "peer": 60,
      "peerOptional": 0,
      "total": 952
    }
  }
}

--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
  "added": 954,
  "removed": 0,
  "changed": 0,
  "audited": 955,
  "funding": 210,
  "audit": {
    "auditReportVersion": 2,
    "vulnerabilities": {
      "@wdio/mocha-framework": {
        "name": "@wdio/mocha-framework",
        "severity": "high",
        "isDirect": true,
        "via": [
          "mocha"
        ],
        "effects": [],
        "range": ">=6.1.19",
        "nodes": [
          "node_modules/@wdio/mocha-framework"
        ],
        "fixAvailable": {
          "name": "@wdio/mocha-framework",
          "version": "6.1.17",
          "isSemVerMajor": true
        }
      },
      "basic-ftp": {
        "name": "basic-ftp",
        "severity": "high",
        "isDirect": false,
        "via": [
          {
            "source": 1116454,
            "name": "basic-ftp",
            "dependency": "basic-ftp",
            "title": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands",
            "url": "https://github.com/advisories/GHSA-6v7q-wjvx-w8wg",
            "severity": "high",
            "cwe": [
              "CWE-93"
            ],
            "cvss": {
              "score": 8.2,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"
            },
            "range": "<=5.2.1"
          },
          {
            "source": 1116478,
            "name": "basic-ftp",
            "dependency": "basic-ftp",
            "title": "basic-ftp has FTP Command Injection via CRLF",
            "url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q",
            "severity": "high",
            "cwe": [
              "CWE-93"
            ],
            "cvss": {
              "score": 8.6,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
            },
            "range": "=5.2.0"
          }
        ],
        "effects": [],
        "range": "<=5.2.1",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "brace-expansion": {
        "name": "brace-expansion",
        "severity": "moderate",
        "isDirect": false,
        "via": [
          {
            "source": 1115540,
            "name": "brace-expansion",
            "dependency": "brace-expansion",
            "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
            "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
            "severity": "moderate",
            "cwe": [
              "CWE-400"
            ],
            "cvss": {
              "score": 6.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
            },
            "range": "<1.1.13"
          },
          {
            "source": 1115541,
            "name": "brace-expansion",
            "dependency": "brace-expansion",
            "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
            "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
            "severity": "moderate",
            "cwe": [
              "CWE-400"
            ],
            "cvss": {
              "score": 6.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
            },
            "range": ">=2.0.0 <2.0.3"
          },
          {
            "source": 1115543,
            "name": "brace-expansion",
            "dependency": "brace-expansion",
            "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
            "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v",
            "severity": "moderate",
            "cwe": [
              "CWE-400"
            ],
            "cvss": {
              "score": 6.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
            },
            "range": ">=4.0.0 <5.0.5"
          }
        ],
        "effects": [],
        "range": "<=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4",
        "nodes": [
          "",
          "",
          "",
          "",
          "",
          "",
          "",
          "",
          ""
        ],
        "fixAvailable": true
      },
      "fast-xml-parser": {
        "name": "fast-xml-parser",
        "severity": "high",
        "isDirect": false,
        "via": [
          {
            "source": 1115339,
            "name": "fast-xml-parser",
            "dependency": "fast-xml-parser",
            "title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)",
            "url": "https://github.com/advisories/GHSA-8gc5-j5rx-235r",
            "severity": "high",
            "cwe": [
              "CWE-776"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": ">=5.0.0 <5.5.6"
          },
          {
            "source": 1116307,
            "name": "fast-xml-parser",
            "dependency": "fast-xml-parser",
            "title": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser",
            "url": "https://github.com/advisories/GHSA-jp2q-39xq-3w4g",
            "severity": "moderate",
            "cwe": [
              "CWE-1284"
            ],
            "cvss": {
              "score": 5.9,
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": ">=5.0.0 <5.5.7"
          }
        ],
        "effects": [],
        "range": "5.0.0 - 5.5.6",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "flatted": {
        "name": "flatted",
        "severity": "high",
        "isDirect": false,
        "via": [
          {
            "source": 1114526,
            "name": "flatted",
            "dependency": "flatted",
            "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase",
            "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f",
            "severity": "high",
            "cwe": [
              "CWE-674"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": "<3.4.0"
          },
          {
            "source": 1115357,
            "name": "flatted",
            "dependency": "flatted",
            "title": "Prototype Pollution via parse() in NodeJS flatted",
            "url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh",
            "severity": "high",
            "cwe": [
              "CWE-1321"
            ],
            "cvss": {
              "score": 0,
              "vectorString": null
            },
            "range": "<=3.4.1"
          }
        ],
        "effects": [],
        "range": "<=3.4.1",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "form-data": {
        "name": "form-data",
        "severity": "critical",
        "isDirect": false,
        "via": [
          {
            "source": 1109540,
            "name": "form-data",
            "dependency": "form-data",
            "title": "form-data uses unsafe random function in form-data for choosing boundary",
            "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4",
            "severity": "critical",
            "cwe": [
              "CWE-330"
            ],
            "cvss": {
              "score": 0,
              "vectorString": null
            },
            "range": "<2.5.4"
          }
        ],
        "effects": [
          "request"
        ],
        "range": "<2.5.4",
        "nodes": [
          "node_modules/form-data"
        ],
        "fixAvailable": {
          "name": "wdio-mediawiki",
          "version": "6.5.1",
          "isSemVerMajor": true
        }
      },
      "grunt": {
        "name": "grunt",
        "severity": "high",
        "isDirect": false,
        "via": [
          "minimatch"
        ],
        "effects": [],
        "range": "0.4.0-a - 1.6.1",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "grunt-legacy-log": {
        "name": "grunt-legacy-log",
        "severity": "high",
        "isDirect": false,
        "via": [
          "lodash"
        ],
        "effects": [],
        "range": "1.0.1 - 3.0.0",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "grunt-legacy-log-utils": {
        "name": "grunt-legacy-log-utils",
        "severity": "high",
        "isDirect": false,
        "via": [
          "lodash"
        ],
        "effects": [],
        "range": "1.0.0 - 2.1.0",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "grunt-legacy-util": {
        "name": "grunt-legacy-util",
        "severity": "high",
        "isDirect": false,
        "via": [
          "lodash"
        ],
        "effects": [],
        "range": "1.0.0-rc1 - 2.0.1",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "lodash": {
        "name": "lodash",
        "severity": "high",
        "isDirect": false,
        "via": [
          {
            "source": 1115806,
            "name": "lodash",
            "dependency": "lodash",
            "title": "lodash vulnerable to Code Injection via `_.template` imports key names",
            "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
            "severity": "high",
            "cwe": [
              "CWE-94"
            ],
            "cvss": {
              "score": 8.1,
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "range": ">=4.0.0 <=4.17.23"
          },
          {
            "source": 1115810,
            "name": "lodash",
            "dependency": "lodash",
            "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
            "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
            "severity": "moderate",
            "cwe": [
              "CWE-1321"
            ],
            "cvss": {
              "score": 6.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
            },
            "range": "<=4.17.23"
          }
        ],
        "effects": [
          "grunt-legacy-log",
          "grunt-legacy-log-utils",
          "grunt-legacy-util"
        ],
        "range": "<=4.17.23",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "minimatch": {
        "name": "minimatch",
        "severity": "high",
        "isDirect": false,
        "via": [
          {
            "source": 1113459,
            "name": "minimatch",
            "dependency": "minimatch",
            "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
            "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26",
            "severity": "high",
            "cwe": [
              "CWE-1333"
            ],
            "cvss": {
              "score": 0,
              "vectorString": null
            },
            "range": "<3.1.3"
          },
          {
            "source": 1113538,
            "name": "minimatch",
            "dependency": "minimatch",
            "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
            "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj",
            "severity": "high",
            "cwe": [
              "CWE-407"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": "<3.1.3"
          },
          {
            "source": 1113546,
            "name": "minimatch",
            "dependency": "minimatch",
            "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions",
            "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74",
            "severity": "high",
            "cwe": [
              "CWE-1333"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": "<3.1.4"
          }
        ],
        "effects": [
          "grunt"
        ],
        "range": "<=3.1.3",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "mocha": {
        "name": "mocha",
        "severity": "high",
        "isDirect": false,
        "via": [
          "serialize-javascript"
        ],
        "effects": [
          "@wdio/mocha-framework"
        ],
        "range": "8.0.0 - 12.0.0-beta-2",
        "nodes": [
          "node_modules/mocha"
        ],
        "fixAvailable": {
          "name": "@wdio/mocha-framework",
          "version": "6.1.17",
          "isSemVerMajor": true
        }
      },
      "mwbot": {
        "name": "mwbot",
        "severity": "moderate",
        "isDirect": false,
        "via": [
          "request"
        ],
        "effects": [
          "wdio-mediawiki"
        ],
        "range": ">=0.1.6",
        "nodes": [
          "node_modules/mwbot"
        ],
        "fixAvailable": {
          "name": "wdio-mediawiki",
          "version": "6.5.1",
          "isSemVerMajor": true
        }
      },
      "picomatch": {
        "name": "picomatch",
        "severity": "high",
        "isDirect": false,
        "via": [
          {
            "source": 1115549,
            "name": "picomatch",
            "dependency": "picomatch",
            "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
            "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
            "severity": "moderate",
            "cwe": [
              "CWE-1321"
            ],
            "cvss": {
              "score": 5.3,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
            },
            "range": "<2.3.2"
          },
          {
            "source": 1115551,
            "name": "picomatch",
            "dependency": "picomatch",
            "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
            "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p",
            "severity": "moderate",
            "cwe": [
              "CWE-1321"
            ],
            "cvss": {
              "score": 5.3,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
            },
            "range": ">=4.0.0 <4.0.4"
          },
          {
            "source": 1115552,
            "name": "picomatch",
            "dependency": "picomatch",
            "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
            "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
            "severity": "high",
            "cwe": [
              "CWE-1333"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": "<2.3.2"
          },
          {
            "source": 1115554,
            "name": "picomatch",
            "dependency": "picomatch",
            "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
            "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj",
            "severity": "high",
            "cwe": [
              "CWE-1333"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": ">=4.0.0 <4.0.4"
          }
        ],
        "effects": [],
        "range": "<=2.3.1 || 4.0.0 - 4.0.3",
        "nodes": [
          "",
          "",
          "",
          "",
          ""
        ],
        "fixAvailable": true
      },
      "qs": {
        "name": "qs",
        "severity": "moderate",
        "isDirect": false,
        "via": [
          {
            "source": 1113719,
            "name": "qs",
            "dependency": "qs",
            "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
            "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p",
            "severity": "moderate",
            "cwe": [
              "CWE-20"
            ],
            "cvss": {
              "score": 3.7,
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
            },
            "range": "<6.14.1"
          }
        ],
        "effects": [
          "request"
        ],
        "range": "<6.14.1",
        "nodes": [
          "node_modules/qs"
        ],
        "fixAvailable": {
          "name": "wdio-mediawiki",
          "version": "6.5.1",
          "isSemVerMajor": true
        }
      },
      "request": {
        "name": "request",
        "severity": "critical",
        "isDirect": false,
        "via": [
          {
            "source": 1096727,
            "name": "request",
            "dependency": "request",
            "title": "Server-Side Request Forgery in Request",
            "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
            "severity": "moderate",
            "cwe": [
              "CWE-918"
            ],
            "cvss": {
              "score": 6.1,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
            },
            "range": "<=2.88.2"
          },
          "form-data",
          "qs",
          "tough-cookie"
        ],
        "effects": [
          "mwbot"
        ],
        "range": "*",
        "nodes": [
          "node_modules/request"
        ],
        "fixAvailable": {
          "name": "wdio-mediawiki",
          "version": "6.5.1",
          "isSemVerMajor": true
        }
      },
      "serialize-javascript": {
        "name": "serialize-javascript",
        "severity": "high",
        "isDirect": false,
        "via": [
          {
            "source": 1113686,
            "name": "serialize-javascript",
            "dependency": "serialize-javascript",
            "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
            "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq",
            "severity": "high",
            "cwe": [
              "CWE-96"
            ],
            "cvss": {
              "score": 8.1,
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "range": "<=7.0.2"
          },
          {
            "source": 1115723,
            "name": "serialize-javascript",
            "dependency": "serialize-javascript",
            "title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects",
            "url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v",
            "severity": "moderate",
            "cwe": [
              "CWE-400",
              "CWE-834"
            ],
            "cvss": {
              "score": 5.9,
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": "<7.0.5"
          }
        ],
        "effects": [
          "mocha"
        ],
        "range": "<=7.0.4",
        "nodes": [
          "node_modules/serialize-javascript"
        ],
        "fixAvailable": {
          "name": "@wdio/mocha-framework",
          "version": "6.1.17",
          "isSemVerMajor": true
        }
      },
      "tough-cookie": {
        "name": "tough-cookie",
        "severity": "moderate",
        "isDirect": false,
        "via": [
          {
            "source": 1097682,
            "name": "tough-cookie",
            "dependency": "tough-cookie",
            "title": "tough-cookie Prototype Pollution vulnerability",
            "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
            "severity": "moderate",
            "cwe": [
              "CWE-1321"
            ],
            "cvss": {
              "score": 6.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
            },
            "range": "<4.1.3"
          }
        ],
        "effects": [
          "request"
        ],
        "range": "<4.1.3",
        "nodes": [
          "node_modules/tough-cookie"
        ],
        "fixAvailable": {
          "name": "wdio-mediawiki",
          "version": "6.5.1",
          "isSemVerMajor": true
        }
      },
      "undici": {
        "name": "undici",
        "severity": "high",
        "isDirect": false,
        "via": [
          {
            "source": 1114591,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
            "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj",
            "severity": "high",
            "cwe": [
              "CWE-248",
              "CWE-1284"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": ">=7.0.0 <7.24.0"
          },
          {
            "source": 1114592,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
            "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj",
            "severity": "high",
            "cwe": [
              "CWE-248",
              "CWE-1284"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": ">=6.0.0 <6.24.0"
          },
          {
            "source": 1114593,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici has an HTTP Request/Response Smuggling issue",
            "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm",
            "severity": "moderate",
            "cwe": [
              "CWE-444"
            ],
            "cvss": {
              "score": 6.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
            },
            "range": ">=7.0.0 <7.24.0"
          },
          {
            "source": 1114594,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici has an HTTP Request/Response Smuggling issue",
            "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm",
            "severity": "moderate",
            "cwe": [
              "CWE-444"
            ],
            "cvss": {
              "score": 6.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
            },
            "range": "<6.24.0"
          },
          {
            "source": 1114637,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
            "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q",
            "severity": "high",
            "cwe": [
              "CWE-409"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": ">=7.0.0 <7.24.0"
          },
          {
            "source": 1114638,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
            "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q",
            "severity": "high",
            "cwe": [
              "CWE-409"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": "<6.24.0"
          },
          {
            "source": 1114639,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
            "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8",
            "severity": "high",
            "cwe": [
              "CWE-248"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": ">=7.0.0 <7.24.0"
          },
          {
            "source": 1114640,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
            "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8",
            "severity": "high",
            "cwe": [
              "CWE-248"
            ],
            "cvss": {
              "score": 7.5,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": "<6.24.0"
          },
          {
            "source": 1114641,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici has CRLF Injection in undici via `upgrade` option",
            "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq",
            "severity": "moderate",
            "cwe": [
              "CWE-93"
            ],
            "cvss": {
              "score": 4.6,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
            },
            "range": ">=7.0.0 <7.24.0"
          },
          {
            "source": 1114642,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici has CRLF Injection in undici via `upgrade` option",
            "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq",
            "severity": "moderate",
            "cwe": [
              "CWE-93"
            ],
            "cvss": {
              "score": 4.6,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
            },
            "range": "<6.24.0"
          },
          {
            "source": 1114643,
            "name": "undici",
            "dependency": "undici",
            "title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS",
            "url": "https://github.com/advisories/GHSA-phc3-fgpg-7m6h",
            "severity": "moderate",
            "cwe": [
              "CWE-770"
            ],
            "cvss": {
              "score": 5.9,
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "range": ">=7.17.0 <7.24.0"
          }
        ],
        "effects": [],
        "range": "<=6.23.0 || 7.0.0 - 7.23.0",
        "nodes": [
          "",
          ""
        ],
        "fixAvailable": true
      },
      "wdio-mediawiki": {
        "name": "wdio-mediawiki",
        "severity": "moderate",
        "isDirect": true,
        "via": [
          "mwbot"
        ],
        "effects": [],
        "range": "<=5.1.0",
        "nodes": [
          "node_modules/wdio-mediawiki"
        ],
        "fixAvailable": {
          "name": "wdio-mediawiki",
          "version": "6.5.1",
          "isSemVerMajor": true
        }
      },
      "yaml": {
        "name": "yaml",
        "severity": "moderate",
        "isDirect": false,
        "via": [
          {
            "source": 1115556,
            "name": "yaml",
            "dependency": "yaml",
            "title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
            "url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp",
            "severity": "moderate",
            "cwe": [
              "CWE-674"
            ],
            "cvss": {
              "score": 4.3,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
            },
            "range": ">=2.0.0 <2.8.3"
          }
        ],
        "effects": [],
        "range": "2.0.0 - 2.8.2",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      }
    },
    "metadata": {
      "vulnerabilities": {
        "info": 0,
        "low": 0,
        "moderate": 6,
        "high": 14,
        "critical": 2,
        "total": 22
      },
      "dependencies": {
        "prod": 1,
        "dev": 954,
        "optional": 37,
        "peer": 60,
        "peerOptional": 0,
        "total": 954
      }
    }
  }
}

--- end ---
{"added": 954, "removed": 0, "changed": 0, "audited": 955, "funding": 210, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@wdio/mocha-framework": {"name": "@wdio/mocha-framework", "severity": "high", "isDirect": true, "via": ["mocha"], "effects": [], "range": ">=6.1.19", "nodes": ["node_modules/@wdio/mocha-framework"], "fixAvailable": {"name": "@wdio/mocha-framework", "version": "6.1.17", "isSemVerMajor": true}}, "basic-ftp": {"name": "basic-ftp", "severity": "high", "isDirect": false, "via": [{"source": 1116454, "name": "basic-ftp", "dependency": "basic-ftp", "title": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands", "url": "https://github.com/advisories/GHSA-6v7q-wjvx-w8wg", "severity": "high", "cwe": ["CWE-93"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"}, "range": "<=5.2.1"}, {"source": 1116478, "name": "basic-ftp", "dependency": "basic-ftp", "title": "basic-ftp has FTP Command Injection via CRLF", "url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q", "severity": "high", "cwe": ["CWE-93"], "cvss": {"score": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"}, "range": "=5.2.0"}], "effects": [], "range": "<=5.2.1", "nodes": [""], "fixAvailable": true}, "brace-expansion": {"name": "brace-expansion", "severity": "moderate", "isDirect": false, "via": [{"source": 1115540, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": "<1.1.13"}, {"source": 1115541, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": ">=2.0.0 <2.0.3"}, {"source": 1115543, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <5.0.5"}], "effects": [], "range": "<=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4", "nodes": ["", "", "", "", "", "", "", "", ""], "fixAvailable": true}, "fast-xml-parser": {"name": "fast-xml-parser", "severity": "high", "isDirect": false, "via": [{"source": 1115339, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)", "url": "https://github.com/advisories/GHSA-8gc5-j5rx-235r", "severity": "high", "cwe": ["CWE-776"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=5.0.0 <5.5.6"}, {"source": 1116307, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser", "url": "https://github.com/advisories/GHSA-jp2q-39xq-3w4g", "severity": "moderate", "cwe": ["CWE-1284"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=5.0.0 <5.5.7"}], "effects": [], "range": "5.0.0 - 5.5.6", "nodes": [""], "fixAvailable": true}, "flatted": {"name": "flatted", "severity": "high", "isDirect": false, "via": [{"source": 1114526, "name": "flatted", "dependency": "flatted", "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase", "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f", "severity": "high", "cwe": ["CWE-674"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.4.0"}, {"source": 1115357, "name": "flatted", "dependency": "flatted", "title": "Prototype Pollution via parse() in NodeJS flatted", "url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 0, "vectorString": null}, "range": "<=3.4.1"}], "effects": [], "range": "<=3.4.1", "nodes": [""], "fixAvailable": true}, "form-data": {"name": "form-data", "severity": "critical", "isDirect": false, "via": [{"source": 1109540, "name": "form-data", "dependency": "form-data", "title": "form-data uses unsafe random function in form-data for choosing boundary", "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4", "severity": "critical", "cwe": ["CWE-330"], "cvss": {"score": 0, "vectorString": null}, "range": "<2.5.4"}], "effects": ["request"], "range": "<2.5.4", "nodes": ["node_modules/form-data"], "fixAvailable": {"name": "wdio-mediawiki", "version": "6.5.1", "isSemVerMajor": true}}, "grunt": {"name": "grunt", "severity": "high", "isDirect": false, "via": ["minimatch"], "effects": [], "range": "0.4.0-a - 1.6.1", "nodes": [""], "fixAvailable": true}, "grunt-legacy-log": {"name": "grunt-legacy-log", "severity": "high", "isDirect": false, "via": ["lodash"], "effects": [], "range": "1.0.1 - 3.0.0", "nodes": [""], "fixAvailable": true}, "grunt-legacy-log-utils": {"name": "grunt-legacy-log-utils", "severity": "high", "isDirect": false, "via": ["lodash"], "effects": [], "range": "1.0.0 - 2.1.0", "nodes": [""], "fixAvailable": true}, "grunt-legacy-util": {"name": "grunt-legacy-util", "severity": "high", "isDirect": false, "via": ["lodash"], "effects": [], "range": "1.0.0-rc1 - 2.0.1", "nodes": [""], "fixAvailable": true}, "lodash": {"name": "lodash", "severity": "high", "isDirect": false, "via": [{"source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": ["CWE-94"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=4.0.0 <=4.17.23"}, {"source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=4.17.23"}], "effects": ["grunt-legacy-log", "grunt-legacy-log-utils", "grunt-legacy-util"], "range": "<=4.17.23", "nodes": [""], "fixAvailable": true}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}], "effects": ["grunt"], "range": "<=3.1.3", "nodes": [""], "fixAvailable": true}, "mocha": {"name": "mocha", "severity": "high", "isDirect": false, "via": ["serialize-javascript"], "effects": ["@wdio/mocha-framework"], "range": "8.0.0 - 12.0.0-beta-2", "nodes": ["node_modules/mocha"], "fixAvailable": {"name": "@wdio/mocha-framework", "version": "6.1.17", "isSemVerMajor": true}}, "mwbot": {"name": "mwbot", "severity": "moderate", "isDirect": false, "via": ["request"], "effects": ["wdio-mediawiki"], "range": ">=0.1.6", "nodes": ["node_modules/mwbot"], "fixAvailable": {"name": "wdio-mediawiki", "version": "6.5.1", "isSemVerMajor": true}}, "picomatch": {"name": "picomatch", "severity": "high", "isDirect": false, "via": [{"source": 1115549, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<2.3.2"}, {"source": 1115551, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": ">=4.0.0 <4.0.4"}, {"source": 1115552, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<2.3.2"}, {"source": 1115554, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <4.0.4"}], "effects": [], "range": "<=2.3.1 || 4.0.0 - 4.0.3", "nodes": ["", "", "", "", ""], "fixAvailable": true}, "qs": {"name": "qs", "severity": "moderate", "isDirect": false, "via": [{"source": 1113719, "name": "qs", "dependency": "qs", "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", "severity": "moderate", "cwe": ["CWE-20"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<6.14.1"}], "effects": ["request"], "range": "<6.14.1", "nodes": ["node_modules/qs"], "fixAvailable": {"name": "wdio-mediawiki", "version": "6.5.1", "isSemVerMajor": true}}, "request": {"name": "request", "severity": "critical", "isDirect": false, "via": [{"source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=2.88.2"}, "form-data", "qs", "tough-cookie"], "effects": ["mwbot"], "range": "*", "nodes": ["node_modules/request"], "fixAvailable": {"name": "wdio-mediawiki", "version": "6.5.1", "isSemVerMajor": true}}, "serialize-javascript": {"name": "serialize-javascript", "severity": "high", "isDirect": false, "via": [{"source": 1113686, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()", "url": "https://github.com/advisories/GHSA-5c6j-r48x-rmvq", "severity": "high", "cwe": ["CWE-96"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<=7.0.2"}, {"source": 1115723, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects", "url": "https://github.com/advisories/GHSA-qj8w-gfj5-8c6v", "severity": "moderate", "cwe": ["CWE-400", "CWE-834"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<7.0.5"}], "effects": ["mocha"], "range": "<=7.0.4", "nodes": ["node_modules/serialize-javascript"], "fixAvailable": {"name": "@wdio/mocha-framework", "version": "6.1.17", "isSemVerMajor": true}}, "tough-cookie": {"name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [{"source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<4.1.3"}], "effects": ["request"], "range": "<4.1.3", "nodes": ["node_modules/tough-cookie"], "fixAvailable": {"name": "wdio-mediawiki", "version": "6.5.1", "isSemVerMajor": true}}, "undici": {"name": "undici", "severity": "high", "isDirect": false, "via": [{"source": 1114591, "name": "undici", "dependency": "undici", "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client", "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj", "severity": "high", "cwe": ["CWE-248", "CWE-1284"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.0.0 <7.24.0"}, {"source": 1114592, "name": "undici", "dependency": "undici", "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client", "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj", "severity": "high", "cwe": ["CWE-248", "CWE-1284"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=6.0.0 <6.24.0"}, {"source": 1114593, "name": "undici", "dependency": "undici", "title": "Undici has an HTTP Request/Response Smuggling issue", "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "severity": "moderate", "cwe": ["CWE-444"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": ">=7.0.0 <7.24.0"}, {"source": 1114594, "name": "undici", "dependency": "undici", "title": "Undici has an HTTP Request/Response Smuggling issue", "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "severity": "moderate", "cwe": ["CWE-444"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<6.24.0"}, {"source": 1114637, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression", "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "severity": "high", "cwe": ["CWE-409"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.0.0 <7.24.0"}, {"source": 1114638, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression", "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "severity": "high", "cwe": ["CWE-409"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<6.24.0"}, {"source": 1114639, "name": "undici", "dependency": "undici", "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation", "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8", "severity": "high", "cwe": ["CWE-248"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.0.0 <7.24.0"}, {"source": 1114640, "name": "undici", "dependency": "undici", "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation", "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8", "severity": "high", "cwe": ["CWE-248"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<6.24.0"}, {"source": 1114641, "name": "undici", "dependency": "undici", "title": "Undici has CRLF Injection in undici via `upgrade` option", "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "severity": "moderate", "cwe": ["CWE-93"], "cvss": {"score": 4.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"}, "range": ">=7.0.0 <7.24.0"}, {"source": 1114642, "name": "undici", "dependency": "undici", "title": "Undici has CRLF Injection in undici via `upgrade` option", "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "severity": "moderate", "cwe": ["CWE-93"], "cvss": {"score": 4.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"}, "range": "<6.24.0"}, {"source": 1114643, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS", "url": "https://github.com/advisories/GHSA-phc3-fgpg-7m6h", "severity": "moderate", "cwe": ["CWE-770"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.17.0 <7.24.0"}], "effects": [], "range": "<=6.23.0 || 7.0.0 - 7.23.0", "nodes": ["", ""], "fixAvailable": true}, "wdio-mediawiki": {"name": "wdio-mediawiki", "severity": "moderate", "isDirect": true, "via": ["mwbot"], "effects": [], "range": "<=5.1.0", "nodes": ["node_modules/wdio-mediawiki"], "fixAvailable": {"name": "wdio-mediawiki", "version": "6.5.1", "isSemVerMajor": true}}, "yaml": {"name": "yaml", "severity": "moderate", "isDirect": false, "via": [{"source": 1115556, "name": "yaml", "dependency": "yaml", "title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections", "url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp", "severity": "moderate", "cwe": ["CWE-674"], "cvss": {"score": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=2.0.0 <2.8.3"}], "effects": [], "range": "2.0.0 - 2.8.2", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 6, "high": 14, "critical": 2, "total": 22}, "dependencies": {"prod": 1, "dev": 954, "optional": 37, "peer": 60, "peerOptional": 0, "total": 954}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated node-domexception@1.0.0: Use your platform's native DOMException instead
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
--- stdout ---

added 929 packages, and audited 930 packages in 13s

210 packages are looking for funding
  run `npm fund` for details

# npm audit report

form-data  <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix --force`
Will install wdio-mediawiki@6.5.1, which is a breaking change
node_modules/form-data
  request  *
  Depends on vulnerable versions of form-data
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of tough-cookie
  node_modules/request
    mwbot  >=0.1.6
    Depends on vulnerable versions of request
    node_modules/mwbot
      wdio-mediawiki  <=5.1.0
      Depends on vulnerable versions of mwbot
      node_modules/wdio-mediawiki

qs  <6.14.1
Severity: moderate
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix --force`
Will install wdio-mediawiki@6.5.1, which is a breaking change
node_modules/qs


serialize-javascript  <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install @wdio/mocha-framework@6.1.17, which is a breaking change
node_modules/serialize-javascript
  mocha  8.0.0 - 12.0.0-beta-2
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha
    @wdio/mocha-framework  >=6.1.19
    Depends on vulnerable versions of mocha
    node_modules/@wdio/mocha-framework

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install wdio-mediawiki@6.5.1, which is a breaking change
node_modules/tough-cookie

9 vulnerabilities (4 moderate, 3 high, 2 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated node-domexception@1.0.0: Use your platform's native DOMException instead
npm WARN deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
--- stdout ---

added 929 packages, and audited 930 packages in 20s

210 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (4 moderate, 3 high, 2 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

--- end ---
$ /usr/bin/npm test
--- stdout ---

> test
> grunt test

Running "eslint:all" (eslint) task

Running "stylelint:all" (stylelint) task
>> Linted 1 files without errors

Running "banana:FacetedCategory" (banana) task
>> 1 message directory checked.

Done.

--- end ---
{"1116454": {"source": 1116454, "name": "basic-ftp", "dependency": "basic-ftp", "title": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands", "url": "https://github.com/advisories/GHSA-6v7q-wjvx-w8wg", "severity": "high", "cwe": ["CWE-93"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"}, "range": "<=5.2.1"}, "1116478": {"source": 1116478, "name": "basic-ftp", "dependency": "basic-ftp", "title": "basic-ftp has FTP Command Injection via CRLF", "url": "https://github.com/advisories/GHSA-chqc-8p9q-pq6q", "severity": "high", "cwe": ["CWE-93"], "cvss": {"score": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"}, "range": "=5.2.0"}}
Upgrading n:basic-ftp from 5.2.0 -> 5.3.0
{"1115540": {"source": 1115540, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": "<1.1.13"}, "1115541": {"source": 1115541, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": ">=2.0.0 <2.0.3"}, "1115543": {"source": 1115543, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <5.0.5"}}
Upgrading n:brace-expansion from 1.1.12, 2.0.2, 5.0.4 -> 1.1.14, 2.1.0, 5.0.5
{"1115339": {"source": 1115339, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)", "url": "https://github.com/advisories/GHSA-8gc5-j5rx-235r", "severity": "high", "cwe": ["CWE-776"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=5.0.0 <5.5.6"}, "1116307": {"source": 1116307, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser", "url": "https://github.com/advisories/GHSA-jp2q-39xq-3w4g", "severity": "moderate", "cwe": ["CWE-1284"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=5.0.0 <5.5.7"}}
Upgrading n:fast-xml-parser from 5.4.2 -> 5.6.0
{"1114526": {"source": 1114526, "name": "flatted", "dependency": "flatted", "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase", "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f", "severity": "high", "cwe": ["CWE-674"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.4.0"}, "1115357": {"source": 1115357, "name": "flatted", "dependency": "flatted", "title": "Prototype Pollution via parse() in NodeJS flatted", "url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 0, "vectorString": null}, "range": "<=3.4.1"}}
Upgrading n:flatted from 3.3.1 -> 3.4.2
{"1113459": {"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, "1113538": {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, "1113546": {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}}
Upgrading n:grunt from 1.6.1 -> 1.6.2
{"1115806": {"source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": ["CWE-94"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=4.0.0 <=4.17.23"}, "1115810": {"source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=4.17.23"}}
Upgrading n:grunt-legacy-log from 3.0.0 -> 3.0.1
{"1115806": {"source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": ["CWE-94"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=4.0.0 <=4.17.23"}, "1115810": {"source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=4.17.23"}}
Upgrading n:grunt-legacy-log-utils from 2.1.0 -> 2.1.3
{"1115806": {"source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": ["CWE-94"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=4.0.0 <=4.17.23"}, "1115810": {"source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=4.17.23"}}
Upgrading n:grunt-legacy-util from 2.0.1 -> 2.0.2
{"1115806": {"source": 1115806, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", "severity": "high", "cwe": ["CWE-94"], "cvss": {"score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=4.0.0 <=4.17.23"}, "1115810": {"source": 1115810, "name": "lodash", "dependency": "lodash", "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<=4.17.23"}}
Upgrading n:lodash from 4.17.23 -> 4.18.1
{"1113459": {"source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.1.3"}, "1113538": {"source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": ["CWE-407"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.3"}, "1113546": {"source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.1.4"}}
Upgrading n:minimatch from 10.2.4, 3.0.8, 3.1.5, 5.1.9, 9.0.9 -> 10.2.4, 3.1.5, 5.1.9, 9.0.9
{"1115549": {"source": 1115549, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": "<2.3.2"}, "1115551": {"source": 1115551, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "range": ">=4.0.0 <4.0.4"}, "1115552": {"source": 1115552, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<2.3.2"}, "1115554": {"source": 1115554, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <4.0.4"}}
Upgrading n:picomatch from 2.3.1, 4.0.3 -> 2.3.2, 4.0.4
{"1114591": {"source": 1114591, "name": "undici", "dependency": "undici", "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client", "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj", "severity": "high", "cwe": ["CWE-248", "CWE-1284"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.0.0 <7.24.0"}, "1114592": {"source": 1114592, "name": "undici", "dependency": "undici", "title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client", "url": "https://github.com/advisories/GHSA-f269-vfmq-vjvj", "severity": "high", "cwe": ["CWE-248", "CWE-1284"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=6.0.0 <6.24.0"}, "1114593": {"source": 1114593, "name": "undici", "dependency": "undici", "title": "Undici has an HTTP Request/Response Smuggling issue", "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "severity": "moderate", "cwe": ["CWE-444"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": ">=7.0.0 <7.24.0"}, "1114594": {"source": 1114594, "name": "undici", "dependency": "undici", "title": "Undici has an HTTP Request/Response Smuggling issue", "url": "https://github.com/advisories/GHSA-2mjp-6q6p-2qxm", "severity": "moderate", "cwe": ["CWE-444"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "range": "<6.24.0"}, "1114637": {"source": 1114637, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression", "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "severity": "high", "cwe": ["CWE-409"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.0.0 <7.24.0"}, "1114638": {"source": 1114638, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression", "url": "https://github.com/advisories/GHSA-vrm6-8vpv-qv8q", "severity": "high", "cwe": ["CWE-409"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<6.24.0"}, "1114639": {"source": 1114639, "name": "undici", "dependency": "undici", "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation", "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8", "severity": "high", "cwe": ["CWE-248"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.0.0 <7.24.0"}, "1114640": {"source": 1114640, "name": "undici", "dependency": "undici", "title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation", "url": "https://github.com/advisories/GHSA-v9p9-hfj2-hcw8", "severity": "high", "cwe": ["CWE-248"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<6.24.0"}, "1114641": {"source": 1114641, "name": "undici", "dependency": "undici", "title": "Undici has CRLF Injection in undici via `upgrade` option", "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "severity": "moderate", "cwe": ["CWE-93"], "cvss": {"score": 4.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"}, "range": ">=7.0.0 <7.24.0"}, "1114642": {"source": 1114642, "name": "undici", "dependency": "undici", "title": "Undici has CRLF Injection in undici via `upgrade` option", "url": "https://github.com/advisories/GHSA-4992-7rv2-5pvq", "severity": "moderate", "cwe": ["CWE-93"], "cvss": {"score": 4.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"}, "range": "<6.24.0"}, "1114643": {"source": 1114643, "name": "undici", "dependency": "undici", "title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS", "url": "https://github.com/advisories/GHSA-phc3-fgpg-7m6h", "severity": "moderate", "cwe": ["CWE-770"], "cvss": {"score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=7.17.0 <7.24.0"}}
Upgrading n:undici from 6.23.0, 7.22.0 -> 6.25.0, 7.25.0
{"1115556": {"source": 1115556, "name": "yaml", "dependency": "yaml", "title": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections", "url": "https://github.com/advisories/GHSA-48c2-rrv3-qjmp", "severity": "moderate", "cwe": ["CWE-674"], "cvss": {"score": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=2.0.0 <2.8.3"}}
Upgrading n:yaml from 2.8.2 -> 2.8.3
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json

--- end ---
build: Updating npm dependencies

* basic-ftp: 5.2.0 → 5.3.0
  * https://github.com/advisories/GHSA-6v7q-wjvx-w8wg
  * https://github.com/advisories/GHSA-chqc-8p9q-pq6q
* brace-expansion: 1.1.12, 2.0.2, 5.0.4 → 1.1.14, 2.1.0, 5.0.5
  * https://github.com/advisories/GHSA-f886-m6hf-6m8v
* fast-xml-parser: 5.4.2 → 5.6.0
  * https://github.com/advisories/GHSA-8gc5-j5rx-235r
  * https://github.com/advisories/GHSA-jp2q-39xq-3w4g
* flatted: 3.3.1 → 3.4.2
  * https://github.com/advisories/GHSA-25h7-pfq9-p65f
  * https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
* grunt: 1.6.1 → 1.6.2
  * https://github.com/advisories/GHSA-23c5-xmqv-rm74
  * https://github.com/advisories/GHSA-3ppc-4f35-3m26
  * https://github.com/advisories/GHSA-7r86-cg39-jmmj
* grunt-legacy-log: 3.0.0 → 3.0.1
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* grunt-legacy-log-utils: 2.1.0 → 2.1.3
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* grunt-legacy-util: 2.0.1 → 2.0.2
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* lodash: 4.17.23 → 4.18.1
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* minimatch: 10.2.4, 3.0.8, 3.1.5, 5.1.9, 9.0.9 → 10.2.4, 3.1.5, 5.1.9, 9.0.9
  * https://github.com/advisories/GHSA-23c5-xmqv-rm74
  * https://github.com/advisories/GHSA-3ppc-4f35-3m26
  * https://github.com/advisories/GHSA-7r86-cg39-jmmj
* picomatch: 2.3.1, 4.0.3 → 2.3.2, 4.0.4
  * https://github.com/advisories/GHSA-3v7f-55p6-f55p
  * https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
* undici: 6.23.0, 7.22.0 → 6.25.0, 7.25.0
  * https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
  * https://github.com/advisories/GHSA-4992-7rv2-5pvq
  * https://github.com/advisories/GHSA-f269-vfmq-vjvj
  * https://github.com/advisories/GHSA-phc3-fgpg-7m6h
  * https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
  * https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
* yaml: 2.8.2 → 2.8.3
  * https://github.com/advisories/GHSA-48c2-rrv3-qjmp

$ git add .
--- stdout ---

--- end ---
$ git commit -F /tmp/tmp461jltpp
--- stdout ---
[master 569e9b0] build: Updating npm dependencies
 1 file changed, 140 insertions(+), 109 deletions(-)

--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 569e9b0ff0787eb2772384d0f5d175c7a1acb2f8 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Thu, 16 Apr 2026 07:44:10 +0000
Subject: [PATCH] build: Updating npm dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* basic-ftp: 5.2.0 → 5.3.0
  * https://github.com/advisories/GHSA-6v7q-wjvx-w8wg
  * https://github.com/advisories/GHSA-chqc-8p9q-pq6q
* brace-expansion: 1.1.12, 2.0.2, 5.0.4 → 1.1.14, 2.1.0, 5.0.5
  * https://github.com/advisories/GHSA-f886-m6hf-6m8v
* fast-xml-parser: 5.4.2 → 5.6.0
  * https://github.com/advisories/GHSA-8gc5-j5rx-235r
  * https://github.com/advisories/GHSA-jp2q-39xq-3w4g
* flatted: 3.3.1 → 3.4.2
  * https://github.com/advisories/GHSA-25h7-pfq9-p65f
  * https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
* grunt: 1.6.1 → 1.6.2
  * https://github.com/advisories/GHSA-23c5-xmqv-rm74
  * https://github.com/advisories/GHSA-3ppc-4f35-3m26
  * https://github.com/advisories/GHSA-7r86-cg39-jmmj
* grunt-legacy-log: 3.0.0 → 3.0.1
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* grunt-legacy-log-utils: 2.1.0 → 2.1.3
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* grunt-legacy-util: 2.0.1 → 2.0.2
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* lodash: 4.17.23 → 4.18.1
  * https://github.com/advisories/GHSA-f23m-r3pf-42rh
  * https://github.com/advisories/GHSA-r5fr-rjxr-66jc
* minimatch: 10.2.4, 3.0.8, 3.1.5, 5.1.9, 9.0.9 → 10.2.4, 3.1.5, 5.1.9, 9.0.9
  * https://github.com/advisories/GHSA-23c5-xmqv-rm74
  * https://github.com/advisories/GHSA-3ppc-4f35-3m26
  * https://github.com/advisories/GHSA-7r86-cg39-jmmj
* picomatch: 2.3.1, 4.0.3 → 2.3.2, 4.0.4
  * https://github.com/advisories/GHSA-3v7f-55p6-f55p
  * https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
* undici: 6.23.0, 7.22.0 → 6.25.0, 7.25.0
  * https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
  * https://github.com/advisories/GHSA-4992-7rv2-5pvq
  * https://github.com/advisories/GHSA-f269-vfmq-vjvj
  * https://github.com/advisories/GHSA-phc3-fgpg-7m6h
  * https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
  * https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
* yaml: 2.8.2 → 2.8.3
  * https://github.com/advisories/GHSA-48c2-rrv3-qjmp

Change-Id: I54c80d2255527f97e6ea3cc7dd0bbb7a617ebd82
---
 package-lock.json | 249 ++++++++++++++++++++++++++--------------------
 1 file changed, 140 insertions(+), 109 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a595f66..419975c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1187,6 +1187,18 @@
 			"integrity": "sha512-PzdZZzRhcXvKB0begee28n5lvwAcinGKYuLZOVxHAZm+n7y01ddEGfdS1ZXRuVcV+ndG6mSEAE8vgudom5UjYg==",
 			"dev": true
 		},
+		"node_modules/@nodable/entities": {
+			"version": "1.1.0",
+			"resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-1.1.0.tgz",
+			"integrity": "sha512-bidpxmTBP0pOsxULw6XlxzQpTgrAGLDHGBK/JuWhPDL6ZV0GZ/PmN9CA9do6e+A9lYI6qx6ikJUtJYRxup141g==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/nodable"
+				}
+			]
+		},
 		"node_modules/@nodelib/fs.scandir": {
 			"version": "2.1.5",
 			"resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
@@ -1357,9 +1369,9 @@
 			}
 		},
 		"node_modules/@stylistic/eslint-plugin/node_modules/picomatch": {
-			"version": "4.0.3",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"version": "4.0.4",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"engines": {
 				"node": ">=12"
@@ -1757,9 +1769,9 @@
 			}
 		},
 		"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -1924,9 +1936,9 @@
 			}
 		},
 		"node_modules/@typescript-eslint/utils/node_modules/brace-expansion": {
-			"version": "5.0.4",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-			"integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+			"version": "5.0.5",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+			"integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^4.0.2"
@@ -2167,9 +2179,9 @@
 			}
 		},
 		"node_modules/@wdio/cli/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -2649,9 +2661,9 @@
 			}
 		},
 		"node_modules/@wdio/config/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -3580,9 +3592,9 @@
 			}
 		},
 		"node_modules/archiver-utils/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -3945,9 +3957,9 @@
 			}
 		},
 		"node_modules/basic-ftp": {
-			"version": "5.2.0",
-			"resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.0.tgz",
-			"integrity": "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==",
+			"version": "5.3.0",
+			"resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
+			"integrity": "sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==",
 			"dev": true,
 			"engines": {
 				"node": ">=10.0.0"
@@ -3984,9 +3996,9 @@
 			"dev": true
 		},
 		"node_modules/brace-expansion": {
-			"version": "1.1.12",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-			"integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+			"version": "1.1.14",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+			"integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0",
@@ -4250,9 +4262,9 @@
 			}
 		},
 		"node_modules/cheerio/node_modules/undici": {
-			"version": "7.22.0",
-			"resolved": "https://registry.npmjs.org/undici/-/undici-7.22.0.tgz",
-			"integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==",
+			"version": "7.25.0",
+			"resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz",
+			"integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==",
 			"dev": true,
 			"engines": {
 				"node": ">=20.18.1"
@@ -6248,6 +6260,16 @@
 				"url": "https://github.com/sponsors/sindresorhus"
 			}
 		},
+		"node_modules/exit-x": {
+			"version": "0.2.2",
+			"resolved": "https://registry.npmjs.org/exit-x/-/exit-x-0.2.2.tgz",
+			"integrity": "sha512-+I6B/IkJc1o/2tiURyz/ivu/O0nKNEArIUB5O7zBrlDVJr22SCLH3xTeEry428LvFhRzIA1g8izguxJ/gbNcVQ==",
+			"dev": true,
+			"peer": true,
+			"engines": {
+				"node": ">= 0.8.0"
+			}
+		},
 		"node_modules/expand-tilde": {
 			"version": "2.0.2",
 			"resolved": "https://registry.npmjs.org/expand-tilde/-/expand-tilde-2.0.2.tgz",
@@ -6457,21 +6479,24 @@
 			]
 		},
 		"node_modules/fast-xml-builder": {
-			"version": "1.0.0",
-			"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.0.0.tgz",
-			"integrity": "sha512-fpZuDogrAgnyt9oDDz+5DBz0zgPdPZz6D4IR7iESxRXElrlGTRkHJ9eEt+SACRJwT0FNFrt71DFQIUFBJfX/uQ==",
+			"version": "1.1.4",
+			"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
+			"integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
 			"dev": true,
 			"funding": [
 				{
 					"type": "github",
 					"url": "https://github.com/sponsors/NaturalIntelligence"
 				}
-			]
+			],
+			"dependencies": {
+				"path-expression-matcher": "^1.1.3"
+			}
 		},
 		"node_modules/fast-xml-parser": {
-			"version": "5.4.2",
-			"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.4.2.tgz",
-			"integrity": "sha512-pw/6pIl4k0CSpElPEJhDppLzaixDEuWui2CUQQBH/ECDf7+y6YwA4Gf7Tyb0Rfe4DIMuZipYj4AEL0nACKglvQ==",
+			"version": "5.6.0",
+			"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.6.0.tgz",
+			"integrity": "sha512-5G+uaEBbOm9M4dgMOV3K/rBzfUNGqGqoUTaYJM3hBwM8t71w07gxLQZoTsjkY8FtfjabqgQHEkeIySBDYeBmJw==",
 			"dev": true,
 			"funding": [
 				{
@@ -6480,8 +6505,10 @@
 				}
 			],
 			"dependencies": {
-				"fast-xml-builder": "^1.0.0",
-				"strnum": "^2.1.2"
+				"@nodable/entities": "^1.1.0",
+				"fast-xml-builder": "^1.1.4",
+				"path-expression-matcher": "^1.5.0",
+				"strnum": "^2.2.3"
 			},
 			"bin": {
 				"fxparser": "src/cli/cli.js"
@@ -6586,9 +6613,9 @@
 			}
 		},
 		"node_modules/filelist/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -6701,9 +6728,9 @@
 			}
 		},
 		"node_modules/flatted": {
-			"version": "3.3.1",
-			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
-			"integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
+			"version": "3.4.2",
+			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+			"integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
 			"dev": true
 		},
 		"node_modules/for-in": {
@@ -7102,9 +7129,9 @@
 			"dev": true
 		},
 		"node_modules/grunt": {
-			"version": "1.6.1",
-			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.1.tgz",
-			"integrity": "sha512-/ABUy3gYWu5iBmrUSRBP97JLpQUm0GgVveDCp6t3yRNIoltIYw7rEj3g5y1o2PGPR2vfTRGa7WC/LZHLTXnEzA==",
+			"version": "1.6.2",
+			"resolved": "https://registry.npmjs.org/grunt/-/grunt-1.6.2.tgz",
+			"integrity": "sha512-bUzh5nA/P5L66ihXTDP6J5BGnMB/8lXJXejYWSbH4Y4TvWM9t2S39sggQDYYQlx06cYcCsmu63HMYHGCIzUVfg==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
@@ -7113,14 +7140,14 @@
 				"exit": "~0.1.2",
 				"findup-sync": "~5.0.0",
 				"glob": "~7.1.6",
-				"grunt-cli": "~1.4.3",
+				"grunt-cli": "^1.4.3",
 				"grunt-known-options": "~2.0.0",
 				"grunt-legacy-log": "~3.0.0",
 				"grunt-legacy-util": "~2.0.1",
 				"iconv-lite": "~0.6.3",
 				"js-yaml": "~3.14.0",
-				"minimatch": "~3.0.4",
-				"nopt": "~3.0.6"
+				"minimatch": "^3.1.5",
+				"nopt": "^5.0.0"
 			},
 			"bin": {
 				"grunt": "bin/grunt"
@@ -7208,47 +7235,46 @@
 			}
 		},
 		"node_modules/grunt-legacy-log": {
-			"version": "3.0.0",
-			"resolved": "https://registry.npmjs.org/grunt-legacy-log/-/grunt-legacy-log-3.0.0.tgz",
-			"integrity": "sha512-GHZQzZmhyq0u3hr7aHW4qUH0xDzwp2YXldLPZTCjlOeGscAOWWPftZG3XioW8MasGp+OBRIu39LFx14SLjXRcA==",
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/grunt-legacy-log/-/grunt-legacy-log-3.0.1.tgz",
+			"integrity": "sha512-vytI3IUC8qUK9TcvvpHpGJzDojua/sfJV4TdLB4FtCFzospqduzBuL3+dEfpvO+tGECv7/273+33hjjMXSa92g==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
 				"colors": "~1.1.2",
-				"grunt-legacy-log-utils": "~2.1.0",
+				"grunt-legacy-log-utils": "^2.1.3",
 				"hooker": "~0.2.3",
-				"lodash": "~4.17.19"
+				"lodash": "^4.18.0"
 			},
 			"engines": {
 				"node": ">= 0.10.0"
 			}
 		},
 		"node_modules/grunt-legacy-log-utils": {
-			"version": "2.1.0",
-			"resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.0.tgz",
-			"integrity": "sha512-lwquaPXJtKQk0rUM1IQAop5noEpwFqOXasVoedLeNzaibf/OPWjKYvvdqnEHNmU+0T0CaReAXIbGo747ZD+Aaw==",
+			"version": "2.1.3",
+			"resolved": "https://registry.npmjs.org/grunt-legacy-log-utils/-/grunt-legacy-log-utils-2.1.3.tgz",
+			"integrity": "sha512-sgG+QvKmdb44wZyzJP+ejDsy3jYxG2wzohpol+JTMlXqMUBDoZb01JPQ5jKAedtZBFwhmABAc88T9hEBLy3U+Q==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
-				"chalk": "~4.1.0",
-				"lodash": "~4.17.19"
+				"chalk": "^4.1.0"
 			},
 			"engines": {
 				"node": ">=10"
 			}
 		},
 		"node_modules/grunt-legacy-util": {
-			"version": "2.0.1",
-			"resolved": "https://registry.npmjs.org/grunt-legacy-util/-/grunt-legacy-util-2.0.1.tgz",
-			"integrity": "sha512-2bQiD4fzXqX8rhNdXkAywCadeqiPiay0oQny77wA2F3WF4grPJXCvAcyoWUJV+po/b15glGkxuSiQCK299UC2w==",
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/grunt-legacy-util/-/grunt-legacy-util-2.0.2.tgz",
+			"integrity": "sha512-0xoDILyR4BVJel5uJwnhjdWN9evOQ8A0uXbQUIJ0hgVthIA6kloXHSoqATQPj6BRrHrHkcQtCeGVb0ixFoHyEQ==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
 				"async": "~3.2.0",
-				"exit": "~0.1.2",
+				"exit-x": "~0.2.2",
 				"getobject": "~1.0.0",
 				"hooker": "~0.2.3",
-				"lodash": "~4.17.21",
+				"lodash": "^4.18.0",
 				"underscore.string": "~3.3.5",
 				"which": "~2.0.2"
 			},
@@ -7316,19 +7342,6 @@
 				"js-yaml": "bin/js-yaml.js"
 			}
 		},
-		"node_modules/grunt/node_modules/minimatch": {
-			"version": "3.0.8",
-			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.8.tgz",
-			"integrity": "sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==",
-			"dev": true,
-			"peer": true,
-			"dependencies": {
-				"brace-expansion": "^1.1.7"
-			},
-			"engines": {
-				"node": "*"
-			}
-		},
 		"node_modules/grunt/node_modules/sprintf-js": {
 			"version": "1.0.3",
 			"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
@@ -8053,9 +8066,9 @@
 			}
 		},
 		"node_modules/jest-util/node_modules/picomatch": {
-			"version": "4.0.3",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"version": "4.0.4",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"engines": {
 				"node": ">=12"
@@ -8404,9 +8417,9 @@
 			}
 		},
 		"node_modules/lodash": {
-			"version": "4.17.23",
-			"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-			"integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+			"version": "4.18.1",
+			"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+			"integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
 			"dev": true
 		},
 		"node_modules/lodash.clonedeep": {
@@ -8709,9 +8722,9 @@
 			}
 		},
 		"node_modules/mocha/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -8914,9 +8927,9 @@
 			"dev": true
 		},
 		"node_modules/nopt": {
-			"version": "3.0.6",
-			"resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
-			"integrity": "sha512-4GUt3kSEYmk4ITxzB/b9vaIDfUVWN/Ml1Fwl11IlnIG2iaJ9O6WXZ9SrYM9NLI8OCBieN2Y8SWC2oJV0RQ7qYg==",
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz",
+			"integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==",
 			"dev": true,
 			"peer": true,
 			"dependencies": {
@@ -8924,6 +8937,9 @@
 			},
 			"bin": {
 				"nopt": "bin/nopt.js"
+			},
+			"engines": {
+				"node": ">=6"
 			}
 		},
 		"node_modules/normalize-package-data": {
@@ -9346,6 +9362,21 @@
 				"node": ">=8"
 			}
 		},
+		"node_modules/path-expression-matcher": {
+			"version": "1.5.0",
+			"resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
+			"integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/NaturalIntelligence"
+				}
+			],
+			"engines": {
+				"node": ">=14.0.0"
+			}
+		},
 		"node_modules/path-is-absolute": {
 			"version": "1.0.1",
 			"resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
@@ -9449,9 +9480,9 @@
 			"dev": true
 		},
 		"node_modules/picomatch": {
-			"version": "2.3.1",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-			"integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+			"version": "2.3.2",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+			"integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
 			"dev": true,
 			"engines": {
 				"node": ">=8.6"
@@ -9899,9 +9930,9 @@
 			}
 		},
 		"node_modules/readdir-glob/node_modules/brace-expansion": {
-			"version": "2.0.2",
-			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+			"integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 			"dev": true,
 			"dependencies": {
 				"balanced-match": "^1.0.0"
@@ -10745,9 +10776,9 @@
 			}
 		},
 		"node_modules/strnum": {
-			"version": "2.2.0",
-			"resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.0.tgz",
-			"integrity": "sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==",
+			"version": "2.2.3",
+			"resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz",
+			"integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==",
 			"dev": true,
 			"funding": [
 				{
@@ -11247,9 +11278,9 @@
 			}
 		},
 		"node_modules/tinyglobby/node_modules/picomatch": {
-			"version": "4.0.3",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"version": "4.0.4",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"engines": {
 				"node": ">=12"
@@ -11343,9 +11374,9 @@
 			}
 		},
 		"node_modules/ts-declaration-location/node_modules/picomatch": {
-			"version": "4.0.3",
-			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"version": "4.0.4",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"engines": {
 				"node": ">=12"
@@ -11460,9 +11491,9 @@
 			}
 		},
 		"node_modules/undici": {
-			"version": "6.23.0",
-			"resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
-			"integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+			"version": "6.25.0",
+			"resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
+			"integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==",
 			"dev": true,
 			"engines": {
 				"node": ">=18.17"
@@ -12145,9 +12176,9 @@
 			}
 		},
 		"node_modules/yaml": {
-			"version": "2.8.2",
-			"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-			"integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+			"version": "2.8.3",
+			"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+			"integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
 			"dev": true,
 			"bin": {
 				"yaml": "bin.mjs"
-- 
2.47.3


--- end ---