Skip to content

[stable30] Fix npm audit#991

Merged
come-nc merged 1 commit into
stable30from
automated/noid/stable30-fix-npm-audit
Jun 30, 2025
Merged

[stable30] Fix npm audit#991
come-nc merged 1 commit into
stable30from
automated/noid/stable30-fix-npm-audit

Conversation

@nextcloud-command

@nextcloud-command nextcloud-command commented Apr 20, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

Audit report

This audit fix resolves 9 of the total 16 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/dialogs #

  • Caused by vulnerable dependency:
  • Affected versions: 4.2.0-beta.1 - 6.3.1
  • Package usage:
    • node_modules/@nextcloud/dialogs

@nextcloud/vite-config #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.5.6
  • Package usage:
    • node_modules/@nextcloud/vite-config

@vitejs/plugin-vue2 #

  • Caused by vulnerable dependency:
  • Affected versions: *
  • Package usage:
    • node_modules/@vitejs/plugin-vue2

brace-expansion #

  • brace-expansion Regular Expression Denial of Service vulnerability
  • Severity: low (CVSS 3.1)
  • Reference: GHSA-v6h2-p8h4-qcjw
  • Affected versions: 1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
  • Package usage:
    • node_modules/@eslint/eslintrc/node_modules/brace-expansion
    • node_modules/@humanwhocodes/config-array/node_modules/brace-expansion
    • node_modules/@microsoft/api-extractor/node_modules/brace-expansion
    • node_modules/brace-expansion
    • node_modules/eslint-plugin-import/node_modules/brace-expansion
    • node_modules/eslint-plugin-n/node_modules/brace-expansion
    • node_modules/eslint/node_modules/brace-expansion
    • node_modules/glob/node_modules/brace-expansion

esbuild #

  • esbuild enables any website to send any requests to the development server and read the response
  • Severity: moderate (CVSS 5.3)
  • Reference: GHSA-67mh-4wv8-2f99
  • Affected versions: <=0.24.2
  • Package usage:
    • node_modules/esbuild
    • node_modules/vite/node_modules/esbuild

pbkdf2 #

  • pbkdf2 silently disregards Uint8Array input, returning static keys
  • Severity: critical 🚨
  • Reference: GHSA-v62p-rq8g-8h59
  • Affected versions: <=3.1.2
  • Package usage:
    • node_modules/pbkdf2

rollup-plugin-esbuild-minify #

  • Caused by vulnerable dependency:
  • Affected versions: <=1.2.0
  • Package usage:
    • node_modules/rollup-plugin-esbuild-minify

vite #

  • Vite's server.fs.deny bypassed with /. for files under project root
  • Severity: moderate
  • Reference: GHSA-859w-5945-r5v3
  • Affected versions: 0.11.0 - 6.1.6
  • Package usage:
    • node_modules/vite

vue-resize #

  • Caused by vulnerable dependency:
  • Affected versions: 0.4.0 - 1.0.1
  • Package usage:
    • node_modules/vue-resize

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Apr 20, 2025
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from 644a7b0 to f3659bb Compare May 4, 2025 03:46
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from f3659bb to 8fc8dcc Compare May 11, 2025 03:41
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 8fc8dcc to 105b1ae Compare May 18, 2025 03:48
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 105b1ae to e035688 Compare May 25, 2025 03:51
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch 2 times, most recently from e10f85b to 2b519ca Compare June 8, 2025 03:46
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 2b519ca to 52c84fa Compare June 15, 2025 03:44
@nextcloud-command
fix(deps): Fix npm audit
bf1db5e 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable30-fix-npm-audit branch from 52c84fa to bf1db5e Compare June 29, 2025 04:00
@come-nc come-nc merged commit 4aea01e into stable30 Jun 30, 2025
23 checks passed
@come-nc come-nc deleted the automated/noid/stable30-fix-npm-audit branch June 30, 2025 10:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@come-nc come-nc come-nc approved these changes

Assignees

No one assigned

Labels

3. to review dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nextcloud-command @come-nc