$ date
--- stdout ---
Thu Apr 3 17:04:54 UTC 2025
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-WikibaseLexeme.git repo --depth=1 -b REL1_43
--- stderr ---
Cloning into 'repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stderr ---
Submodule 'resources/special/new-lexeme' (https://phabricator.wikimedia.org/diffusion/NLSP/new-lexeme-special-page.git) registered for path 'resources/special/new-lexeme'
Cloning into '/src/repo/resources/special/new-lexeme'...
--- stdout ---
Submodule path 'resources/special/new-lexeme': checked out '0a9293702bb5993f1d02f51c3424947fbd7470e8'
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_43
--- stdout ---
e99e94113f9301226185436572ae637ea5a7b70b refs/heads/REL1_43
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"cypress-parallel": {
"name": "cypress-parallel",
"severity": "moderate",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": "0.1.9 - 0.14.0",
"nodes": [
"node_modules/cypress-parallel"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "moderate",
"isDirect": false,
"via": [
"nanoid",
"serialize-javascript"
],
"effects": [
"cypress-parallel"
],
"range": "8.2.0 - 10.5.2",
"nodes": [
"node_modules/cypress-parallel/node_modules/mocha"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1101163,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
}
],
"effects": [
"mocha"
],
"range": "<3.3.8",
"nodes": [
"node_modules/cypress-parallel/node_modules/nanoid"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"request": {
"name": "request",
"severity": "moderate",
"isDirect": true,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"tough-cookie"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1102832,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Cross-site Scripting (XSS) in serialize-javascript",
"url": "https://github.com/advisories/GHSA-76p7-773f-r4q5",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=6.0.0 <6.0.2"
}
],
"effects": [
"mocha"
],
"range": "6.0.0 - 6.0.1",
"nodes": [
"node_modules/cypress-parallel/node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/request/node_modules/tough-cookie"
],
"fixAvailable": false
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 6,
"high": 0,
"critical": 0,
"total": 6
},
"dependencies": {
"prod": 1,
"dev": 848,
"optional": 5,
"peer": 19,
"peerOptional": 0,
"total": 848
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 44 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.3)
- Locking composer/spdx-licenses (1.5.8)
- Locking composer/xdebug-handler (3.0.5)
- Locking davidrjonas/composer-lock-diff (1.7.1)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.0.0)
- Locking doctrine/deprecations (1.1.4)
- Locking felixfbecker/advanced-json-rpc (v3.2.1)
- Locking giorgiosironi/eris (0.14.1)
- Locking hamcrest/hamcrest-php (v2.0.1)
- Locking mediawiki/mediawiki-codesniffer (v45.0.0)
- Locking mediawiki/mediawiki-phan-config (0.14.0)
- Locking mediawiki/minus-x (1.1.3)
- Locking mediawiki/phan-taint-check-plugin (6.0.0)
- Locking microsoft/tolerant-php-parser (v0.1.2)
- Locking netresearch/jsonmapper (v4.5.0)
- Locking phan/phan (5.4.3)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.2.1)
- Locking phpcsstandards/phpcsutils (1.0.12)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (5.6.1)
- Locking phpdocumentor/type-resolver (1.10.0)
- Locking phpstan/phpdoc-parser (2.1.0)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (5.1.7)
- Locking serialization/serialization (4.1.0)
- Locking squizlabs/php_codesniffer (3.10.3)
- Locking symfony/console (v7.2.5)
- Locking symfony/deprecation-contracts (v3.5.1)
- Locking symfony/polyfill-ctype (v1.31.0)
- Locking symfony/polyfill-intl-grapheme (v1.31.0)
- Locking symfony/polyfill-intl-normalizer (v1.31.0)
- Locking symfony/polyfill-mbstring (v1.31.0)
- Locking symfony/polyfill-php80 (v1.31.0)
- Locking symfony/service-contracts (v3.5.1)
- Locking symfony/string (v7.2.0)
- Locking tysonandre/var_representation_polyfill (0.1.3)
- Locking webmozart/assert (1.11.0)
- Locking wikimedia/assert (v0.5.1)
- Locking wmde/php-vuejs-templating (2.0.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 44 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.10.3): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.0.0): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing davidrjonas/composer-lock-diff (1.7.1): Extracting archive
- Installing giorgiosironi/eris (0.14.1): Extracting archive
- Installing hamcrest/hamcrest-php (v2.0.1): Extracting archive
- Installing symfony/polyfill-php80 (v1.31.0): Extracting archive
- Installing phpcsstandards/phpcsutils (1.0.12): Extracting archive
- Installing phpcsstandards/phpcsextra (1.2.1): Extracting archive
- Installing symfony/polyfill-mbstring (v1.31.0): Extracting archive
- Installing composer/spdx-licenses (1.5.8): Extracting archive
- Installing composer/semver (3.4.3): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v45.0.0): Extracting archive
- Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.31.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.31.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.31.0): Extracting archive
- Installing symfony/string (v7.2.0): Extracting archive
- Installing symfony/deprecation-contracts (v3.5.1): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.5.1): Extracting archive
- Installing symfony/console (v7.2.5): Extracting archive
- Installing sabre/event (5.1.7): Extracting archive
- Installing netresearch/jsonmapper (v4.5.0): Extracting archive
- Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive
- Installing webmozart/assert (1.11.0): Extracting archive
- Installing phpstan/phpdoc-parser (2.1.0): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.4): Extracting archive
- Installing phpdocumentor/type-resolver (1.10.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (5.6.1): Extracting archive
- Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (5.4.3): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (6.0.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.14.0): Extracting archive
- Installing mediawiki/minus-x (1.1.3): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
- Installing serialization/serialization (4.1.0): Extracting archive
- Installing wikimedia/assert (v0.5.1): Extracting archive
- Installing wmde/php-vuejs-templating (2.0.0): Extracting archive
0/42 [>---------------------------] 0%
20/42 [=============>--------------] 47%
32/42 [=====================>------] 76%
42/42 [============================] 100%
3 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
16 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"cypress-parallel": {
"name": "cypress-parallel",
"severity": "moderate",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": "0.1.9 - 0.14.0",
"nodes": [
"node_modules/cypress-parallel"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "moderate",
"isDirect": false,
"via": [
"nanoid",
"serialize-javascript"
],
"effects": [
"cypress-parallel"
],
"range": "8.2.0 - 10.5.2",
"nodes": [
"node_modules/cypress-parallel/node_modules/mocha"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1101163,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
}
],
"effects": [
"mocha"
],
"range": "<3.3.8",
"nodes": [
"node_modules/cypress-parallel/node_modules/nanoid"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"request": {
"name": "request",
"severity": "moderate",
"isDirect": true,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"tough-cookie"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1102832,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Cross-site Scripting (XSS) in serialize-javascript",
"url": "https://github.com/advisories/GHSA-76p7-773f-r4q5",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=6.0.0 <6.0.2"
}
],
"effects": [
"mocha"
],
"range": "6.0.0 - 6.0.1",
"nodes": [
"node_modules/cypress-parallel/node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/request/node_modules/tough-cookie"
],
"fixAvailable": false
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 6,
"high": 0,
"critical": 0,
"total": 6
},
"dependencies": {
"prod": 1,
"dev": 848,
"optional": 5,
"peer": 19,
"peerOptional": 0,
"total": 848
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 848,
"removed": 0,
"changed": 0,
"audited": 849,
"funding": 183,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"cypress-parallel": {
"name": "cypress-parallel",
"severity": "moderate",
"isDirect": true,
"via": [
"mocha"
],
"effects": [],
"range": "0.1.9 - 0.14.0",
"nodes": [
"node_modules/cypress-parallel"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "moderate",
"isDirect": false,
"via": [
"nanoid",
"serialize-javascript"
],
"effects": [
"cypress-parallel"
],
"range": "8.2.0 - 10.5.2",
"nodes": [
"node_modules/cypress-parallel/node_modules/mocha"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1101163,
"name": "nanoid",
"dependency": "nanoid",
"title": "Predictable results in nanoid generation when given non-integer values",
"url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55",
"severity": "moderate",
"cwe": [
"CWE-835"
],
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<3.3.8"
}
],
"effects": [
"mocha"
],
"range": "<3.3.8",
"nodes": [
"node_modules/cypress-parallel/node_modules/nanoid"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"request": {
"name": "request",
"severity": "moderate",
"isDirect": true,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"tough-cookie"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": false
},
"serialize-javascript": {
"name": "serialize-javascript",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1102832,
"name": "serialize-javascript",
"dependency": "serialize-javascript",
"title": "Cross-site Scripting (XSS) in serialize-javascript",
"url": "https://github.com/advisories/GHSA-76p7-773f-r4q5",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=6.0.0 <6.0.2"
}
],
"effects": [
"mocha"
],
"range": "6.0.0 - 6.0.1",
"nodes": [
"node_modules/cypress-parallel/node_modules/serialize-javascript"
],
"fixAvailable": {
"name": "cypress-parallel",
"version": "0.15.0",
"isSemVerMajor": true
}
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"request"
],
"range": "<4.1.3",
"nodes": [
"node_modules/request/node_modules/tough-cookie"
],
"fixAvailable": false
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 6,
"high": 0,
"critical": 0,
"total": 6
},
"dependencies": {
"prod": 1,
"dev": 848,
"optional": 5,
"peer": 19,
"peerOptional": 0,
"total": 848
}
}
}
}
--- end ---
{"added": 848, "removed": 0, "changed": 0, "audited": 849, "funding": 183, "audit": {"auditReportVersion": 2, "vulnerabilities": {"cypress-parallel": {"name": "cypress-parallel", "severity": "moderate", "isDirect": true, "via": ["mocha"], "effects": [], "range": "0.1.9 - 0.14.0", "nodes": ["node_modules/cypress-parallel"], "fixAvailable": {"name": "cypress-parallel", "version": "0.15.0", "isSemVerMajor": true}}, "mocha": {"name": "mocha", "severity": "moderate", "isDirect": false, "via": ["nanoid", "serialize-javascript"], "effects": ["cypress-parallel"], "range": "8.2.0 - 10.5.2", "nodes": ["node_modules/cypress-parallel/node_modules/mocha"], "fixAvailable": {"name": "cypress-parallel", "version": "0.15.0", "isSemVerMajor": true}}, "nanoid": {"name": "nanoid", "severity": "moderate", "isDirect": false, "via": [{"source": 1101163, "name": "nanoid", "dependency": "nanoid", "title": "Predictable results in nanoid generation when given non-integer values", "url": "https://github.com/advisories/GHSA-mwcw-c2x4-8c55", "severity": "moderate", "cwe": ["CWE-835"], "cvss": {"score": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}, "range": "<3.3.8"}], "effects": ["mocha"], "range": "<3.3.8", "nodes": ["node_modules/cypress-parallel/node_modules/nanoid"], "fixAvailable": {"name": "cypress-parallel", "version": "0.15.0", "isSemVerMajor": true}}, "request": {"name": "request", "severity": "moderate", "isDirect": true, "via": [{"source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=2.88.2"}, "tough-cookie"], "effects": [], "range": "*", "nodes": ["node_modules/request"], "fixAvailable": false}, "serialize-javascript": {"name": "serialize-javascript", "severity": "moderate", "isDirect": false, "via": [{"source": 1102832, "name": "serialize-javascript", "dependency": "serialize-javascript", "title": "Cross-site Scripting (XSS) in serialize-javascript", "url": "https://github.com/advisories/GHSA-76p7-773f-r4q5", "severity": "moderate", "cwe": ["CWE-79"], "cvss": {"score": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}, "range": ">=6.0.0 <6.0.2"}], "effects": ["mocha"], "range": "6.0.0 - 6.0.1", "nodes": ["node_modules/cypress-parallel/node_modules/serialize-javascript"], "fixAvailable": {"name": "cypress-parallel", "version": "0.15.0", "isSemVerMajor": true}}, "tough-cookie": {"name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [{"source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<4.1.3"}], "effects": ["request"], "range": "<4.1.3", "nodes": ["node_modules/request/node_modules/tough-cookie"], "fixAvailable": false}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 6, "high": 0, "critical": 0, "total": 6}, "dependencies": {"prod": 1, "dev": 848, "optional": 5, "peer": 19, "peerOptional": 0, "total": 848}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated grunt-jasmine-nodejs@1.6.1: Deprecated in favor of npm scripts.
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated superagent@6.1.0: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net
--- stdout ---
added 847 packages, and audited 848 packages in 24s
183 packages are looking for funding
run `npm fund` for details
# npm audit report
nanoid <3.3.8
Severity: moderate
Predictable results in nanoid generation when given non-integer values - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix --force`
Will install cypress-parallel@0.15.0, which is a breaking change
node_modules/cypress-parallel/node_modules/nanoid
mocha 8.2.0 - 10.5.2
Depends on vulnerable versions of nanoid
Depends on vulnerable versions of serialize-javascript
node_modules/cypress-parallel/node_modules/mocha
cypress-parallel 0.1.9 - 0.14.0
Depends on vulnerable versions of mocha
node_modules/cypress-parallel
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
serialize-javascript 6.0.0 - 6.0.1
Severity: moderate
Cross-site Scripting (XSS) in serialize-javascript - https://github.com/advisories/GHSA-76p7-773f-r4q5
fix available via `npm audit fix --force`
Will install cypress-parallel@0.15.0, which is a breaking change
node_modules/cypress-parallel/node_modules/serialize-javascript
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/request/node_modules/tough-cookie
6 moderate severity vulnerabilities
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated grunt-jasmine-nodejs@1.6.1: Deprecated in favor of npm scripts.
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated superagent@6.1.0: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net
--- stdout ---
added 847 packages, and audited 848 packages in 20s
183 packages are looking for funding
run `npm fund` for details
6 moderate severity vulnerabilities
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stderr ---
[Vue warn]: Avoid app logic that relies on enumerating keys on a component instance. The keys will be empty in production mode to avoid performance overhead.
[Vue warn]: Avoid app logic that relies on enumerating keys on a component instance. The keys will be empty in production mode to avoid performance overhead.
[Vue warn]: Avoid app logic that relies on enumerating keys on a component instance. The keys will be empty in production mode to avoid performance overhead.
[Vue warn]: Avoid app logic that relies on enumerating keys on a component instance. The keys will be empty in production mode to avoid performance overhead.
[Vue warn]: Avoid app logic that relies on enumerating keys on a component instance. The keys will be empty in production mode to avoid performance overhead.
�[33mThe CJS build of Vite's Node API is deprecated. See https://vitejs.dev/guide/troubleshooting.html#vite-cjs-node-api-deprecated for more details.�[39m
DEPRECATION WARNING: Sass's behavior for declarations that appear after nested
rules will be changing to match the behavior specified by CSS in an upcoming
version. To keep the existing behavior, move the declaration above the nested
rule. To opt into the new behavior, wrap the declaration in `& {}`.
More info: https://sass-lang.com/d/mixed-decls
╷
6 │ ┌ & > * + * {
7 │ │ margin-top: $dimension-layout-xsmall;
8 │ │ }
│ └─── nested rule
... │
11 │ padding: $dimension-layout-small;
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ declaration
╵
src/components/NewLexemeForm.vue 11:2 root stylesheet
DEPRECATION WARNING: Sass's behavior for declarations that appear after nested
rules will be changing to match the behavior specified by CSS in an upcoming
version. To keep the existing behavior, move the declaration above the nested
rule. To opt into the new behavior, wrap the declaration in `& {}`.
More info: https://sass-lang.com/d/mixed-decls
╷
6 │ ┌ & > * + * {
7 │ │ margin-top: $dimension-layout-xsmall;
8 │ │ }
│ └─── nested rule
... │
14 │ border-style: $border-style-base;
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ declaration
╵
src/components/NewLexemeForm.vue 14:2 root stylesheet
DEPRECATION WARNING: Sass's behavior for declarations that appear after nested
rules will be changing to match the behavior specified by CSS in an upcoming
version. To keep the existing behavior, move the declaration above the nested
rule. To opt into the new behavior, wrap the declaration in `& {}`.
More info: https://sass-lang.com/d/mixed-decls
╷
6 │ ┌ & > * + * {
7 │ │ margin-top: $dimension-layout-xsmall;
8 │ │ }
│ └─── nested rule
... │
15 │ border-width: $border-width-thin;
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ declaration
╵
src/components/NewLexemeForm.vue 15:2 root stylesheet
DEPRECATION WARNING: Sass's behavior for declarations that appear after nested
rules will be changing to match the behavior specified by CSS in an upcoming
version. To keep the existing behavior, move the declaration above the nested
rule. To opt into the new behavior, wrap the declaration in `& {}`.
More info: https://sass-lang.com/d/mixed-decls
╷
6 │ ┌ & > * + * {
7 │ │ margin-top: $dimension-layout-xsmall;
8 │ │ }
│ └─── nested rule
... │
16 │ border-radius: $border-radius-base;
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ declaration
╵
src/components/NewLexemeForm.vue 16:2 root stylesheet
DEPRECATION WARNING: Sass's behavior for declarations that appear after nested
rules will be changing to match the behavior specified by CSS in an upcoming
version. To keep the existing behavior, move the declaration above the nested
rule. To opt into the new behavior, wrap the declaration in `& {}`.
More info: https://sass-lang.com/d/mixed-decls
╷
6 │ ┌ & > * + * {
7 │ │ margin-top: $dimension-layout-xsmall;
8 │ │ }
│ └─── nested rule
... │
17 │ border-color: $border-color-base-subtle;
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ declaration
╵
src/components/NewLexemeForm.vue 17:2 root stylesheet
--- stdout ---
> test
> run-s test:*
> test:grunt
> grunt test
Running "eslint:all" (eslint) task
/src/repo/cypress/support/pageObjects/FormsSection.ts
143:2 warning Missing JSDoc @return declaration jsdoc/require-returns
144:1 warning Missing JSDoc @param "formId" type jsdoc/require-param-type
/src/repo/resources/entityChangers/FormChanger.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/resources/entityChangers/SenseChanger.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/resources/jquery.wikibase.lexemeformview.js
287:1 warning Missing JSDoc @param "lemmas" type jsdoc/require-param-type
288:1 warning Missing JSDoc @param "formIndex" type jsdoc/require-param-type
289:1 warning Missing JSDoc @param "formId" type jsdoc/require-param-type
290:1 warning Missing JSDoc @param "representations" type jsdoc/require-param-type
/src/repo/resources/jquery.wikibase.lexemeview.js
25:1 warning Expected 0 trailing lines jsdoc/tag-lines
/src/repo/resources/serialization/FormSerializer.js
12:1 warning The type 'serialization' is undefined jsdoc/no-undefined-types
/src/repo/resources/serialization/LexemeDeserializer.js
10:1 warning The type 'SERIALIZER' is undefined jsdoc/no-undefined-types
/src/repo/resources/serialization/SenseSerializer.js
12:1 warning The type 'serialization' is undefined jsdoc/no-undefined-types
/src/repo/resources/special/NewLexeme.js
6:2 warning Unused eslint-disable directive (no problems were reported from 'no-undef')
/src/repo/resources/special/NewLexemeFallback.js
8:3 warning NodeList.forEach not supported by Chrome<51, Firefox<50, Safari<10, IE & others. Use Array.prototype.forEach.call instead mediawiki/no-nodelist-unsupported-methods
/src/repo/resources/view/ViewFactoryFactory.js
17:1 warning Syntax error in type: [] jsdoc/valid-types
/src/repo/resources/widgets/GlossWidget.js
34:1 warning Syntax error in type: [{ value: string, language: string }] jsdoc/valid-types
/src/repo/tests/qunit/datamodel/Form.tests.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/tests/qunit/datamodel/Sense.tests.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/tests/qunit/entityChangers/FormChanger.tests.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/tests/qunit/entityChangers/SenseChanger.tests.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/tests/qunit/jquery.wikibase.lexemeformlistview.tests.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/tests/qunit/jquery.wikibase.lexemeformview.tests.js
1:1 warning Missing JSDoc @param "require" declaration jsdoc/require-param
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/tests/qunit/jquery.wikibase.senselistview.tests.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/tests/qunit/jquery.wikibase.senseview.tests.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/tests/qunit/serialization/LexemeDeserializer.tests.js
1:1 warning Missing JSDoc @param "wb" declaration jsdoc/require-param
/src/repo/tests/qunit/widgets/GrammaticalFeatureListWidget.tests.js
1:1 warning Missing JSDoc @param "QUnit" declaration jsdoc/require-param
1:1 warning Missing JSDoc @param "require" declaration jsdoc/require-param
1:1 warning Missing JSDoc @param "sinon" declaration jsdoc/require-param
✖ 29 problems (0 errors, 29 warnings)
0 errors and 17 warnings potentially fixable with the `--fix` option.
Running "banana:WikibaseLexeme" (banana) task
>> The "fr" translation has 2 translations with trailing whitespace:
>> * wikibaselexeme-formidformatter-separator-multiple-representation
>> * wikibaselexeme-presentation-lexeme-display-label-separator-multiple-lemma
>> 3 message directories checked.
Running "jasmine_nodejs:all" (jasmine_nodejs) task
>> Executing 127 defined specs...
Test Suites & Specs:
1) GlossWidget
✔ add a new gloss
✔ switch to edit mode
✔ remove a gloss
✔ initialize widget with one gloss
✔ create with no glosses - when switched to edit mode empty gloss is added
✔ stop editing
✔ removes empty glosses when saved
2) wikibase.lexeme.widgets.LexemeHeader
✔ attempting to save with empty lemmas fails
✔ passes language and lexical category to LanguageAndLexicalCategoryWidget
✔ save lemma list with error
3) isUnsaveable
✔ returns true when there are changes but also lemmas with redundant languages
✔ returns true when there are no changes
✔ returns true when there are changes but saving is ongoing
✔ returns false by default
✔ cancel edit mode
✔ shows save button disabled when unsaveable
✔ shows save button enabled when not unsaveable
✔ save lemma list
4) hasChanges
✔ returns true when lexical category changes
✔ returns true when language changes
✔ ignores added empty lemmas
✔ returns true when lemmas change
✔ returns false by default
✔ updates language and lexical category on save
✔ shows save button disabled without changes
✔ passes lemmas to LemmaWidget
✔ switch to edit mode
✔ binds to lemma-widget hasRedundantLanguage event
5) mutationTypes
✔ uses unique ids for all mutation types
6) mutations
✔ UPDATE_REPRESENTATION_LANGUAGE changes correct representation language
✔ UPDATE_REPRESENTATION_VALUE changes correct representation value
✔ REMOVE_REPRESENTATION removes representation leaving others with updated index
✔ ADD_REPRESENTATION adds a new representation to the right form
✔ REPLACE_ALL_REPRESENTATIONS replaces representations of correct form
✔ DERIVE_REPRESENTATION_LANGUAGE_FROM_LEMMA changes representation language correctly
7) wikibase.lexeme.widgets.LemmaWidget
✔ edit mode is true
✔ edit mode is false
✔ can carry redundant lemma languages
✔ detects redundant lemma language to mark the individual languages
✔ initialize widget with one lemma
✔ add a new lemma
✔ detects redundant lemma languages to mark the widget
✔ marks-up the lemma term with the lemma language
✔ remove a lemma
8) InvalidLanguageIndicator
✔ creates mixin definition providing method to determine if language isInvalidLanguage
✔ creates mixin definition with watch that monitors the property recursively
✔ creates mixin property hasInvalidLanguage returning false for empty InvalidLanguages
✔ creates mixin watch handler that can find multiple invalid languages
✔ creates mixin definition with watch on desired property
✔ creates mixin watch handler not taking offence in empty language
✔ creates mixin definition with watch that does not fire immediately
✔ creates mixin watch handler that updates InvalidLanguages with respective language values
✔ creates mixin definition providing computed property hasInvalidLanguage
✔ creates mixin definition method isInvalidLanguage returning false for empty InvalidLanguages
✔ creates mixin property hasInvalidLanguage returning true for existing InvalidLanguages
✔ creates mixin definition that adds an InvalidLanguages property to data
9) LemmaList
10) copy
✔ clones Lemmas
✔ creates an identical LemmaList
11) equals
✔ returns false for objects that are not of type LemmaList
✔ returns false for LemmaList of different length
✔ ignores empty lemmas
✔ returns false for LemmaList with different lemmas
✔ returns true for LemmaList with same lemmas
✔ add
✔ getLemmas
✔ remove
✔ length
12) LexemeHeader.newLexemeHeaderStore
✔ action save on success processes tempuser values when present
✔ mutation updateRevisionId changes baseRevId to given value
✔ action save calls API with correct parameters when editing one of several existing lemmas
✔ action save calls API with correct parameters and changes state using data from response
✔ action save on success mutates the state to start saving, updates state and finishes saving
✔ action save calls API with correct parameters when removing one of several existing lemmas
✔ action save calls API with correct parameters when editing several existing lemmas
✔ action save calls API with correct parameters when editing an existing lemma
✔ mutation updateLanguage changes language and languageLink to given values
✔ failed save returns rejected promise with first error object if API returns multiple errors
✔ mutation startSaving switches the isSaving flag to true
✔ failed save returns rejected promise with a single error object
✔ mutation finishSaving switches the isSaving flag to false
✔ mutation updateLanguage changes lexical category and the link to given values
✔ action save calls API with correct parameters when adding, editing and removing lemmas
✔ action save calls API with correct parameters when removing an item from the state
✔ mutation updateLemmas changes lemmas to given values
13) RepresentationWidget
✔ can remove a representation
✔ switches to edit mode when editing
✔ is not in edit mode after editing is stopped
✔ detects redundant representation languages and marks the widget
✔ adds a representation with unique lemmas language on add after delete
✔ adds a new representation with lemma language when editing the widget with no representations and one lemma
✔ cannot add representation if not in edit mode
✔ adds a new empty representation when editing the widget with no representations and multiple lemmas
✔ adds an empty representation on add
✔ is not in edit mode after being created
✔ can carry redundant representations
✔ detects redundant representation languages and can mark the individual languages
✔ cannot remove representation if not in edit mode
✔ shows only the representation it contains when editing the widget with some representation
14) ItemSelectorWrapper
✔ passes the item ID to the entityselector widget on mount
15) LanguageAndLexicalCategoryWidget
✔ switches to edit mode and back
✔ shows the language and the lexical category
16) actionTypes
✔ uses unique ids for all action types
17) actions
✔ UPDATE_REPRESENTATION_LANGUAGE delegates to mutation
✔ REPLACE_ALL_REPRESENTATIONS delegates to mutation
✔ REMOVE_REPRESENTATION delegates to mutation
✔ UPDATE_REPRESENTATION_VALUE delegates to mutation
✔ ADD_REPRESENTATION on state having existing representation and one lemma mutates to empty values
✔ ADD_REPRESENTATION on state having no representations and one lemma mutates to empty values and derives lemma language
✔ ADD_REPRESENTATION on state having no representations and multiple lemmas mutates to empty values
18) RedundantLanguageIndicator
✔ creates mixin definition providing method to determine if language isRedundantLanguage
✔ creates mixin property hasRedundantLanguage returning false for empty redundantLanguages
✔ creates mixin definition with watch on desired property
✔ creates mixin definition providing computed property hasRedundantLanguage
✔ creates mixin watch handler that updates redundantLanguages with respective language values
✔ creates mixin definition that adds a redundantLanguages property to data
✔ creates mixin property hasRedundantLanguage returning true for existing redundantLanguages
✔ creates mixin definition with watch that monitors the property recursively
✔ creates mixin definition with watch that fires immediately
✔ creates mixin definition method isRedundantLanguage returning false for empty redundantLanguages
✔ creates mixin watch handler not taking offence in repeated empty language
✔ creates mixin watch handler that can find multiple redundant languages
19) store
✔ creates initial state
20) focusElement
✔ returns a callback without doing anything else
21) callback
✔ can handle missing element
✔ calls focus on selected element
22) LexemeSubEntityId
23) getIdSuffix
✔ returns the Sense id suffix
✔ returns the Form id suffix
>> Done!
Summary:
Suites: 23 of 23
Specs: 127 of 127
Expects: 0 (0 failures)
Finished in 0.739 seconds
>> Successful!
Running "jasmine_nodejs_reset" task
Running "stylelint:all" (stylelint) task
>> Linted 7 files without errors
Done.
> test:snl-distnodiff
> run-s snl:install snl:build snl:cp snl:diff
> snl:install
> npm -C $npm_package_config_snl_src i
> new-lexeme-special-page@0.0.1 prepare
> husky
added 1160 packages, and audited 1161 packages in 30s
206 packages are looking for funding
run `npm fund` for details
8 vulnerabilities (5 moderate, 3 high)
To address all issues, run:
npm audit fix
Run `npm audit` for details.
> snl:build
> npm -C $npm_package_config_snl_src run build
> new-lexeme-special-page@0.0.1 build
> vite build
vite v5.4.0 building for production...
transforming...
✓ 100 modules transformed.
rendering chunks...
computing gzip size...
dist/style.css 27.27 kB │ gzip: 4.20 kB
dist/SpecialNewLexeme.cjs.js 104.34 kB │ gzip: 34.83 kB
✓ built in 2.62s
> snl:cp
> run-p snl:cp:*
> snl:cp:css
> cp $npm_package_config_snl_src/dist/$npm_package_config_snl_css $npm_package_config_snl_dist/
> snl:cp:cjs
> cp $npm_package_config_snl_src/dist/$npm_package_config_snl_cjs $npm_package_config_snl_dist/
> snl:diff
> git diff --exit-code $npm_package_config_snl_dist
> test:snl-main
> git -C $npm_package_config_snl_src branch --contains HEAD main | grep -q .
> test:mwlibs
> echo 'disabled (T297381)' # ZUUL_BRANCH=${ZUUL_BRANCH:-master} lib-version-check
disabled (T297381)
--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json
--- end ---
[DNM] there are no updates
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmpo37n16z8
--- stdout ---
On branch REL1_43
Your branch is up to date with 'origin/REL1_43'.
nothing to commit, working tree clean
--- end ---