$ date
--- stdout ---
Sun May 17 08:37:23 UTC 2026
--- end ---
$ git clone file:///srv/git/mediawiki-services-cxserver.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
199b69aa3f1778a77ea1ab933cda2882cfca032b refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/plugin-transform-modules-systemjs": {
"name": "@babel/plugin-transform-modules-systemjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117908,
"name": "@babel/plugin-transform-modules-systemjs",
"dependency": "@babel/plugin-transform-modules-systemjs",
"title": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input",
"url": "https://github.com/advisories/GHSA-fv7c-fp4j-7gwp",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-843"
],
"cvss": {
"score": 8.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
},
"range": ">=7.12.0 <=7.29.3"
}
],
"effects": [],
"range": "7.12.0 - 7.29.0",
"nodes": [
"node_modules/@babel/plugin-transform-modules-systemjs"
],
"fixAvailable": true
},
"fast-uri": {
"name": "fast-uri",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117870,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
"url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.0"
},
{
"source": 1117884,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
"url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc",
"severity": "high",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.1"
}
],
"effects": [],
"range": "<=3.1.1",
"nodes": [
"node_modules/fast-uri"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 2,
"critical": 0,
"total": 2
},
"dependencies": {
"prod": 268,
"dev": 592,
"optional": 52,
"peer": 39,
"peerOptional": 0,
"total": 910
}
}
}
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/plugin-transform-modules-systemjs": {
"name": "@babel/plugin-transform-modules-systemjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117908,
"name": "@babel/plugin-transform-modules-systemjs",
"dependency": "@babel/plugin-transform-modules-systemjs",
"title": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input",
"url": "https://github.com/advisories/GHSA-fv7c-fp4j-7gwp",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-843"
],
"cvss": {
"score": 8.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
},
"range": ">=7.12.0 <=7.29.3"
}
],
"effects": [],
"range": "7.12.0 - 7.29.0",
"nodes": [
"node_modules/@babel/plugin-transform-modules-systemjs"
],
"fixAvailable": true
},
"fast-uri": {
"name": "fast-uri",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117870,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
"url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.0"
},
{
"source": 1117884,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
"url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc",
"severity": "high",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.1"
}
],
"effects": [],
"range": "<=3.1.1",
"nodes": [
"node_modules/fast-uri"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 2,
"critical": 0,
"total": 2
},
"dependencies": {
"prod": 268,
"dev": 592,
"optional": 52,
"peer": 39,
"peerOptional": 0,
"total": 910
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'cxserver@1.2.1',
npm WARN EBADENGINE required: { node: '>=24' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---
{
"added": 910,
"removed": 0,
"changed": 0,
"audited": 911,
"funding": 209,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/plugin-transform-modules-systemjs": {
"name": "@babel/plugin-transform-modules-systemjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117908,
"name": "@babel/plugin-transform-modules-systemjs",
"dependency": "@babel/plugin-transform-modules-systemjs",
"title": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input",
"url": "https://github.com/advisories/GHSA-fv7c-fp4j-7gwp",
"severity": "high",
"cwe": [
"CWE-94",
"CWE-843"
],
"cvss": {
"score": 8.2,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
},
"range": ">=7.12.0 <=7.29.3"
}
],
"effects": [],
"range": "7.12.0 - 7.29.0",
"nodes": [
""
],
"fixAvailable": true
},
"fast-uri": {
"name": "fast-uri",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1117870,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
"url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.0"
},
{
"source": 1117884,
"name": "fast-uri",
"dependency": "fast-uri",
"title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
"url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc",
"severity": "high",
"cwe": [
"CWE-436"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<=3.1.1"
}
],
"effects": [],
"range": "<=3.1.1",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 2,
"critical": 0,
"total": 2
},
"dependencies": {
"prod": 268,
"dev": 592,
"optional": 52,
"peer": 39,
"peerOptional": 0,
"total": 910
}
}
}
}
--- end ---
{"added": 910, "removed": 0, "changed": 0, "audited": 911, "funding": 209, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@babel/plugin-transform-modules-systemjs": {"name": "@babel/plugin-transform-modules-systemjs", "severity": "high", "isDirect": false, "via": [{"source": 1117908, "name": "@babel/plugin-transform-modules-systemjs", "dependency": "@babel/plugin-transform-modules-systemjs", "title": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input", "url": "https://github.com/advisories/GHSA-fv7c-fp4j-7gwp", "severity": "high", "cwe": ["CWE-94", "CWE-843"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}, "range": ">=7.12.0 <=7.29.3"}], "effects": [], "range": "7.12.0 - 7.29.0", "nodes": [""], "fixAvailable": true}, "fast-uri": {"name": "fast-uri", "severity": "high", "isDirect": false, "via": [{"source": 1117870, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to path traversal via percent-encoded dot segments", "url": "https://github.com/advisories/GHSA-q3j6-qgpj-74h6", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.0"}, {"source": 1117884, "name": "fast-uri", "dependency": "fast-uri", "title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters", "url": "https://github.com/advisories/GHSA-v39h-62p7-jpjc", "severity": "high", "cwe": ["CWE-436"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<=3.1.1"}], "effects": [], "range": "<=3.1.1", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 2, "critical": 0, "total": 2}, "dependencies": {"prod": 268, "dev": 592, "optional": 52, "peer": 39, "peerOptional": 0, "total": 910}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'cxserver@1.2.1',
npm WARN EBADENGINE required: { node: '>=24' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated glob@7.2.3: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 905 packages, and audited 906 packages in 15s
209 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'cxserver@1.2.1',
npm WARN EBADENGINE required: { node: '>=24' },
npm WARN EBADENGINE current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated glob@7.2.3: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 905 packages, and audited 906 packages in 19s
209 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
$ /usr/bin/npm test
--- stderr ---
Could not find '/src/repo/test/unittest/**/*.js'
--- stdout ---
> cxserver@1.2.1 test
> npm run lint && npm run unittest
> cxserver@1.2.1 lint
> eslint .
/src/repo/app.js
51:1 warning The type 'Express' is undefined jsdoc/no-undefined-types
83:34 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
89:25 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
264:9 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
265:10 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/bin/segment.js
17:33 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/lib/Config.js
42:28 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
64:38 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
97:29 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/lib/adaptation/TemplateParameterMapper.js
110:5 warning Mixed spaces and tabs no-mixed-spaces-and-tabs
110:7 warning Expected no linebreak before this expression implicit-arrow-linebreak
113:4 warning Mixed spaces and tabs no-mixed-spaces-and-tabs
/src/repo/lib/lineardoc/MwContextualizer.js
143:35 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
/src/repo/lib/logging.js
7:1 warning The type 'winston.Logger' is undefined jsdoc/no-undefined-types
/src/repo/lib/mw/MWPageLoader.js
19:33 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/lib/suggestion/SectionSuggester.js
13:1 warning Missing JSDoc @param "dbPool" type jsdoc/require-param-type
/src/repo/lib/swagger-ui.js
26:9 warning Found readFile from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/lib/translationunits/MWCategory.js
15:41 warning Unsafe Regular Expression security/detect-unsafe-regex
/src/repo/lib/translationunits/MWFile.js
44:51 warning Unsafe Regular Expression security/detect-unsafe-regex
/src/repo/lib/translationunits/MWImage.js
123:68 warning Unsafe Regular Expression security/detect-unsafe-regex
/src/repo/lib/util.js
133:23 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/scripts/template-mapping.js
108:7 warning Found existsSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
114:14 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/spec.yaml
197:1 warning This line has a length of 139. Maximum allowed is 100 max-len
248:1 warning This line has a length of 139. Maximum allowed is 100 max-len
470:1 warning This line has a length of 109. Maximum allowed is 100 max-len
503:1 warning This line has a length of 216. Maximum allowed is 100 max-len
540:1 warning This line has a length of 110. Maximum allowed is 100 max-len
547:1 warning This line has a length of 216. Maximum allowed is 100 max-len
589:1 warning This line has a length of 106. Maximum allowed is 100 max-len
606:1 warning This line has a length of 134. Maximum allowed is 100 max-len
621:1 warning This line has a length of 109. Maximum allowed is 100 max-len
653:1 warning This line has a length of 106. Maximum allowed is 100 max-len
670:1 warning This line has a length of 134. Maximum allowed is 100 max-len
/src/repo/test/integration/spec.js
21:16 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
171:10 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
/src/repo/test/unittest/adaptation/SectionTest.js
31:20 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/test/unittest/lineardoc/LinearDoc.test.js
28:22 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
32:24 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
36:26 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
78:28 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
101:28 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
156:27 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
249:28 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/test/unittest/mw/MWPageLoaderTest.js
37:27 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
46:5 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/test/unittest/mw/SectionWrap.test.js
22:3 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/test/unittest/segmentation/CXSegmenter.test.js
28:19 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
34:3 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/test/unittest/testutils.js
22:5 warning Found writeFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/test/unittest/translationunits/MWReference.test.js
38:21 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
55:27 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename
/src/repo/test/unittest/utils/assert.js
8:40 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp
✖ 53 problems (0 errors, 53 warnings)
> cxserver@1.2.1 unittest
> NODE_ENV=test node --test 'test/unittest/**/*.js'
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1268, in main
libup.run()
~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 1208, in run
self.npm_audit_fix(new_npm_audit)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 239, in npm_audit_fix
self.npm_test()
~~~~~~~~~~~~~^^
File "/venv/lib/python3.13/site-packages/runner/__init__.py", line 289, in npm_test
self.check_call(["npm", "test"])
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.13/site-packages/runner/shell2.py", line 66, in check_call
res.check_returncode()
~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/subprocess.py", line 508, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
self.stderr)
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 1.