[main] Fix npm audit #597

nextcloud-command · 2025-03-16T03:14:08Z

Audit report

This audit fix resolves 11 of the total 14 vulnerabilities found in your project.

Updated dependencies

@babel/helpers
@linusborg/vue-simple-portal
@nextcloud/dialogs
@nextcloud/vue
@nextcloud/vue-select
floating-vue
vite
vue
vue-frag
vue-resize
vue2-datepicker

Fixed vulnerabilities

@babel/helpers #

Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
Severity: moderate (CVSS 6.2)
Reference: GHSA-968p-4wvh-cqc8
Affected versions: <7.26.10
Package usage:
- node_modules/@babel/helpers

@linusborg/vue-simple-portal #

Caused by vulnerable dependency:
- vue
Affected versions: *
Package usage:
- node_modules/@linusborg/vue-simple-portal

@nextcloud/dialogs #

Caused by vulnerable dependency:
Affected versions: >=4.2.0-beta.1
Package usage:
- node_modules/@nextcloud/dialogs

@nextcloud/vue #

Caused by vulnerable dependency:
Affected versions: <=8.23.1
Package usage:
- node_modules/@nextcloud/vue

@nextcloud/vue-select #

Caused by vulnerable dependency:
- vue
Affected versions: *
Package usage:
- node_modules/@nextcloud/vue-select

floating-vue #

Caused by vulnerable dependency:
- vue
- vue-resize
Affected versions: <=1.0.0-beta.19
Package usage:
- node_modules/floating-vue

vite #

Caused by vulnerable dependency:
- esbuild
Affected versions: 0.11.0 - 6.1.1
Package usage:
- node_modules/vite

vue #

ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
Severity: low (CVSS 3.7)
Reference: GHSA-5j4c-8p2g-v4jx
Affected versions: 2.0.0-alpha.1 - 2.7.16
Package usage:
- node_modules/vue

vue-frag #

Caused by vulnerable dependency:
- vue
Affected versions: >=1.3.1
Package usage:
- node_modules/vue-frag

vue-resize #

Caused by vulnerable dependency:
- vue
Affected versions: 0.4.0 - 1.0.1
Package usage:
- node_modules/vue-resize

vue2-datepicker #

Caused by vulnerable dependency:
- vue
Affected versions: <=1.9.8 || 3.0.2 - 3.11.1
Package usage:
- node_modules/vue2-datepicker

Signed-off-by: GitHub <[email protected]>

fix(deps): Fix npm audit

7c7f5af

Signed-off-by: GitHub <[email protected]>

nextcloud-command requested a review from juliusknorr as a code owner March 16, 2025 03:14

nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Mar 16, 2025

nextcloud-command requested a review from max-nextcloud as a code owner March 16, 2025 03:14

juliusknorr approved these changes Mar 17, 2025

View reviewed changes

juliusknorr merged commit b2a6504 into main Mar 17, 2025
44 checks passed

juliusknorr deleted the automated/noid/main-fix-npm-audit branch March 17, 2025 21:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[main] Fix npm audit #597

[main] Fix npm audit #597

nextcloud-command commented Mar 16, 2025

[main] Fix npm audit #597

[main] Fix npm audit #597

Conversation

nextcloud-command commented Mar 16, 2025

Audit report

Updated dependencies

Fixed vulnerabilities

@babel/helpers #

@linusborg/vue-simple-portal #

@nextcloud/dialogs #

@nextcloud/vue #

@nextcloud/vue-select #

floating-vue #

vite #

vue #

vue-frag #

vue-resize #

vue2-datepicker #