This run took 13 seconds.
$ date
--- stdout ---
Wed Feb 7 14:35:46 UTC 2024
--- end ---
$ git clone file:///srv/git/mediawiki-skins-2018.git repo --depth=1 -b master
--- stderr ---
Cloning into 'repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
4a8621da7bd9b3172e9bb3be20d0b176535eb936 refs/heads/master
--- end ---
$ /usr/bin/npm audit --json --legacy-peer-deps
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"acorn": {
"name": "acorn",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1085596,
"name": "acorn",
"dependency": "acorn",
"title": "Regular Expression Denial of Service in Acorn",
"url": "https://github.com/advisories/GHSA-6chw-6frg-f759",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=5.5.0 <5.7.4"
}
],
"effects": [],
"range": "5.5.0 - 5.7.3",
"nodes": [
"node_modules/acorn"
],
"fixAvailable": true
},
"ajv": {
"name": "ajv",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1089034,
"name": "ajv",
"dependency": "ajv",
"title": "Prototype Pollution in Ajv",
"url": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw",
"severity": "moderate",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 5.6,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
"range": "<6.12.3"
}
],
"effects": [],
"range": "<6.12.3",
"nodes": [
"node_modules/ajv"
],
"fixAvailable": true
},
"ansi-regex": {
"name": "ansi-regex",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094090,
"name": "ansi-regex",
"dependency": "ansi-regex",
"title": "Inefficient Regular Expression Complexity in chalk/ansi-regex",
"url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw",
"severity": "high",
"cwe": [
"CWE-697",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=3.0.0 <3.0.1"
}
],
"effects": [],
"range": "3.0.0",
"nodes": [
"node_modules/strip-ansi/node_modules/ansi-regex"
],
"fixAvailable": true
},
"braces": {
"name": "braces",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1085715,
"name": "braces",
"dependency": "braces",
"title": "Regular Expression Denial of Service in braces",
"url": "https://github.com/advisories/GHSA-g95f-p29q-9xw4",
"severity": "low",
"cwe": [
"CWE-185",
"CWE-400"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<2.3.1"
},
{
"source": 1089939,
"name": "braces",
"dependency": "braces",
"title": "Regular Expression Denial of Service (ReDoS) in braces",
"url": "https://github.com/advisories/GHSA-cwfw-4gq5-mrqx",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<2.3.1"
}
],
"effects": [
"micromatch"
],
"range": "<=2.3.0",
"nodes": [
"node_modules/micromatch/node_modules/braces"
],
"fixAvailable": true
},
"browserslist": {
"name": "browserslist",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1093035,
"name": "browserslist",
"dependency": "browserslist",
"title": "Regular Expression Denial of Service in browserslist",
"url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=4.0.0 <4.16.5"
}
],
"effects": [],
"range": "4.0.0 - 4.16.4",
"nodes": [
"node_modules/browserslist"
],
"fixAvailable": true
},
"d3": {
"name": "d3",
"severity": "high",
"isDirect": false,
"via": [
"d3-brush",
"d3-color",
"d3-interpolate",
"d3-scale",
"d3-transition",
"d3-zoom"
],
"effects": [
"mermaid"
],
"range": "4.0.0-alpha.1 - 6.7.0",
"nodes": [
"node_modules/d3"
],
"fixAvailable": true
},
"d3-brush": {
"name": "d3-brush",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate",
"d3-transition"
],
"effects": [],
"range": "0.1.0 - 2.1.0",
"nodes": [
"node_modules/d3-brush"
],
"fixAvailable": true
},
"d3-color": {
"name": "d3-color",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1088594,
"name": "d3-color",
"dependency": "d3-color",
"title": "d3-color vulnerable to ReDoS",
"url": "https://github.com/advisories/GHSA-36jr-mh4h-2g58",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.1.0"
}
],
"effects": [
"d3",
"d3-interpolate",
"d3-scale",
"d3-transition"
],
"range": "<3.1.0",
"nodes": [
"node_modules/d3-color"
],
"fixAvailable": true
},
"d3-interpolate": {
"name": "d3-interpolate",
"severity": "high",
"isDirect": false,
"via": [
"d3-color"
],
"effects": [
"d3-brush",
"d3-scale",
"d3-transition",
"d3-zoom"
],
"range": "0.1.3 - 2.0.1",
"nodes": [
"node_modules/d3-interpolate"
],
"fixAvailable": true
},
"d3-scale": {
"name": "d3-scale",
"severity": "high",
"isDirect": false,
"via": [
"d3-color",
"d3-interpolate"
],
"effects": [
"d3"
],
"range": "0.1.3 - 3.3.0",
"nodes": [
"node_modules/d3-scale"
],
"fixAvailable": true
},
"d3-transition": {
"name": "d3-transition",
"severity": "high",
"isDirect": false,
"via": [
"d3-color",
"d3-interpolate"
],
"effects": [],
"range": "0.0.7 - 2.0.0",
"nodes": [
"node_modules/d3-transition"
],
"fixAvailable": true
},
"d3-zoom": {
"name": "d3-zoom",
"severity": "high",
"isDirect": false,
"via": [
"d3-interpolate",
"d3-transition"
],
"effects": [],
"range": "0.0.2 - 2.0.0",
"nodes": [
"node_modules/d3-zoom"
],
"fixAvailable": true
},
"decode-uri-component": {
"name": "decode-uri-component",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094087,
"name": "decode-uri-component",
"dependency": "decode-uri-component",
"title": "decode-uri-component vulnerable to Denial of Service (DoS)",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"severity": "high",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.2.1"
}
],
"effects": [],
"range": "<0.2.1",
"nodes": [
"node_modules/decode-uri-component"
],
"fixAvailable": true
},
"dot-prop": {
"name": "dot-prop",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095026,
"name": "dot-prop",
"dependency": "dot-prop",
"title": "dot-prop Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm",
"severity": "high",
"cwe": [
"CWE-425",
"CWE-471",
"CWE-1321"
],
"cvss": {
"score": 7.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
"range": "<4.2.1"
}
],
"effects": [],
"range": "<4.2.1",
"nodes": [
"node_modules/dot-prop"
],
"fixAvailable": true
},
"eslint-utils": {
"name": "eslint-utils",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1095022,
"name": "eslint-utils",
"dependency": "eslint-utils",
"title": "Arbitrary Code Execution in eslint-utils",
"url": "https://github.com/advisories/GHSA-3gx7-xhv7-5mx3",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.2.0 <1.4.1"
}
],
"effects": [],
"range": "1.2.0 - 1.4.0",
"nodes": [
"node_modules/eslint-utils"
],
"fixAvailable": true
},
"fast-glob": {
"name": "fast-glob",
"severity": "high",
"isDirect": false,
"via": [
"glob-parent"
],
"effects": [
"globby"
],
"range": "<=2.2.7",
"nodes": [
"node_modules/fast-glob"
],
"fixAvailable": true
},
"getobject": {
"name": "getobject",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1093420,
"name": "getobject",
"dependency": "getobject",
"title": "Prototype pollution in getobject",
"url": "https://github.com/advisories/GHSA-957j-59c2-j692",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<1.0.0"
}
],
"effects": [
"grunt-legacy-util"
],
"range": "0.1.0",
"nodes": [
"node_modules/getobject"
],
"fixAvailable": true
},
"glob-base": {
"name": "glob-base",
"severity": "high",
"isDirect": false,
"via": [
"glob-parent"
],
"effects": [
"parse-glob"
],
"range": "*",
"nodes": [
"node_modules/glob-base"
],
"fixAvailable": true
},
"glob-parent": {
"name": "glob-parent",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095007,
"name": "glob-parent",
"dependency": "glob-parent",
"title": "glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex",
"url": "https://github.com/advisories/GHSA-ww39-953v-wcq6",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<5.1.2"
}
],
"effects": [
"fast-glob",
"glob-base"
],
"range": "<5.1.2",
"nodes": [
"node_modules/glob-base/node_modules/glob-parent",
"node_modules/glob-parent"
],
"fixAvailable": true
},
"globby": {
"name": "globby",
"severity": "high",
"isDirect": false,
"via": [
"fast-glob"
],
"effects": [
"stylelint"
],
"range": "8.0.0 - 9.2.0",
"nodes": [
"node_modules/stylelint/node_modules/globby"
],
"fixAvailable": true
},
"gonzales-pe": {
"name": "gonzales-pe",
"severity": "moderate",
"isDirect": false,
"via": [
"minimist"
],
"effects": [
"postcss-sass"
],
"range": "3.0.0-1 - 4.2.4",
"nodes": [
"node_modules/gonzales-pe"
],
"fixAvailable": true
},
"grunt": {
"name": "grunt",
"severity": "critical",
"isDirect": true,
"via": [
{
"source": 1089836,
"name": "grunt",
"dependency": "grunt",
"title": "Arbitrary Code Execution in grunt",
"url": "https://github.com/advisories/GHSA-m5pj-vjjf-4m3h",
"severity": "high",
"cwe": [
"CWE-1188"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"
},
"range": "<1.3.0"
},
{
"source": 1091643,
"name": "grunt",
"dependency": "grunt",
"title": "Race Condition in Grunt",
"url": "https://github.com/advisories/GHSA-rm36-94g8-835r",
"severity": "high",
"cwe": [
"CWE-367"
],
"cvss": {
"score": 7,
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<1.5.3"
},
{
"source": 1091644,
"name": "grunt",
"dependency": "grunt",
"title": "Path Traversal in Grunt",
"url": "https://github.com/advisories/GHSA-j383-35pm-c5h4",
"severity": "moderate",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 5.5,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<1.5.2"
},
"grunt-legacy-util",
"js-yaml"
],
"effects": [],
"range": "<=1.5.2",
"nodes": [
"node_modules/grunt"
],
"fixAvailable": true
},
"grunt-legacy-util": {
"name": "grunt-legacy-util",
"severity": "critical",
"isDirect": false,
"via": [
"getobject"
],
"effects": [
"grunt"
],
"range": "<=2.0.0",
"nodes": [
"node_modules/grunt-legacy-util"
],
"fixAvailable": true
},
"hosted-git-info": {
"name": "hosted-git-info",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1089809,
"name": "hosted-git-info",
"dependency": "hosted-git-info",
"title": "Regular Expression Denial of Service in hosted-git-info",
"url": "https://github.com/advisories/GHSA-43f8-2h32-f4cj",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<2.8.9"
}
],
"effects": [],
"range": "<2.8.9",
"nodes": [
"node_modules/hosted-git-info"
],
"fixAvailable": true
},
"jquery": {
"name": "jquery",
"severity": "moderate",
"isDirect": true,
"via": [
{
"source": 1094146,
"name": "jquery",
"dependency": "jquery",
"title": "Potential XSS vulnerability in jQuery",
"url": "https://github.com/advisories/GHSA-jpcq-cgw6-v4j6",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"
},
"range": ">=1.0.3 <3.5.0"
},
{
"source": 1094170,
"name": "jquery",
"dependency": "jquery",
"title": "XSS in jQuery as used in Drupal, Backdrop CMS, and other products",
"url": "https://github.com/advisories/GHSA-6c3j-c64m-qhgq",
"severity": "moderate",
"cwe": [
"CWE-79",
"CWE-1321"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=1.1.4 <3.4.0"
},
{
"source": 1094185,
"name": "jquery",
"dependency": "jquery",
"title": "Potential XSS vulnerability in jQuery",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"
},
"range": ">=1.2.0 <3.5.0"
},
{
"source": 1095438,
"name": "jquery",
"dependency": "jquery",
"title": "jQuery Cross Site Scripting vulnerability",
"url": "https://github.com/advisories/GHSA-257q-pv89-v3xv",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": ">=1.0.3 <3.5.0"
}
],
"effects": [],
"range": "<=3.4.1",
"nodes": [
"node_modules/jquery"
],
"fixAvailable": true
},
"js-yaml": {
"name": "js-yaml",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1085724,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "Denial of Service in js-yaml",
"url": "https://github.com/advisories/GHSA-2pr6-76vf-7546",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.13.0"
},
{
"source": 1095058,
"name": "js-yaml",
"dependency": "js-yaml",
"title": "Code Injection in js-yaml",
"url": "https://github.com/advisories/GHSA-8j8c-7jfh-h6hx",
"severity": "high",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.13.1"
}
],
"effects": [
"grunt"
],
"range": "<=3.13.0",
"nodes": [
"node_modules/cosmiconfig/node_modules/js-yaml",
"node_modules/eslint/node_modules/js-yaml",
"node_modules/js-yaml"
],
"fixAvailable": true
},
"kind-of": {
"name": "kind-of",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095056,
"name": "kind-of",
"dependency": "kind-of",
"title": "Validation Bypass in kind-of",
"url": "https://github.com/advisories/GHSA-6c8f-qphg-qjgp",
"severity": "high",
"cwe": [
"CWE-668"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=6.0.0 <6.0.3"
}
],
"effects": [],
"range": "6.0.0 - 6.0.2",
"nodes": [
"node_modules/kind-of"
],
"fixAvailable": true
},
"lodash": {
"name": "lodash",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1085674,
"name": "lodash",
"dependency": "lodash",
"title": "Regular Expression Denial of Service (ReDoS) in lodash",
"url": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<4.17.11"
},
{
"source": 1094493,
"name": "lodash",
"dependency": "lodash",
"title": "Prototype Pollution in lodash",
"url": "https://github.com/advisories/GHSA-jf85-cpcp-j695",
"severity": "critical",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 9.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"range": "<4.17.12"
},
{
"source": 1094498,
"name": "lodash",
"dependency": "lodash",
"title": "Command Injection in lodash",
"url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
"severity": "high",
"cwe": [
"CWE-77",
"CWE-94"
],
"cvss": {
"score": 7.2,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<4.17.21"
},
{
"source": 1094499,
"name": "lodash",
"dependency": "lodash",
"title": "Prototype Pollution in lodash",
"url": "https://github.com/advisories/GHSA-4xc9-xhrj-v574",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<4.17.11"
},
{
"source": 1094500,
"name": "lodash",
"dependency": "lodash",
"title": "Regular Expression Denial of Service (ReDoS) in lodash",
"url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<4.17.21"
},
{
"source": 1096305,
"name": "lodash",
"dependency": "lodash",
"title": "Prototype Pollution in lodash",
"url": "https://github.com/advisories/GHSA-p6mc-m468-83gw",
"severity": "high",
"cwe": [
"CWE-770",
"CWE-1321"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
},
"range": ">=3.7.0 <4.17.19"
}
],
"effects": [],
"range": "<=4.17.20",
"nodes": [
"node_modules/lodash"
],
"fixAvailable": true
},
"meow": {
"name": "meow",
"severity": "high",
"isDirect": false,
"via": [
"trim-newlines",
"yargs-parser"
],
"effects": [
"stylelint"
],
"range": "3.4.0 - 5.0.0",
"nodes": [
"node_modules/meow",
"node_modules/stylelint/node_modules/meow"
],
"fixAvailable": true
},
"mermaid": {
"name": "mermaid",
"severity": "high",
"isDirect": true,
"via": [
"d3"
],
"effects": [],
"range": "8.0.0-alpha.1 - 8.11.5 || 8.12.1",
"nodes": [
"node_modules/mermaid"
],
"fixAvailable": true
},
"micromatch": {
"name": "micromatch",
"severity": "high",
"isDirect": false,
"via": [
"braces",
"parse-glob"
],
"effects": [
"stylelint"
],
"range": "0.2.0 - 2.3.11",
"nodes": [
"node_modules/micromatch"
],
"fixAvailable": true
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095513,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [],
"range": "<3.0.5",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": true
},
"minimist": {
"name": "minimist",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1095523,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.6,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
"range": ">=1.0.0 <1.2.3"
},
{
"source": 1095524,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 5.6,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
"range": "<0.2.1"
},
{
"source": 1095525,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<0.2.4"
},
{
"source": 1095526,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.0.0 <1.2.6"
}
],
"effects": [
"gonzales-pe",
"mkdirp"
],
"range": "<=0.2.3 || 1.0.0 - 1.2.5",
"nodes": [
"node_modules/gonzales-pe/node_modules/minimist",
"node_modules/minimist",
"node_modules/mkdirp/node_modules/minimist"
],
"fixAvailable": true
},
"mixin-deep": {
"name": "mixin-deep",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1095047,
"name": "mixin-deep",
"dependency": "mixin-deep",
"title": "Prototype Pollution in mixin-deep",
"url": "https://github.com/advisories/GHSA-fhjf-83wg-r2j9",
"severity": "critical",
"cwe": [
"CWE-88"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<1.3.2"
}
],
"effects": [],
"range": "<1.3.2",
"nodes": [
"node_modules/mixin-deep"
],
"fixAvailable": true
},
"mkdirp": {
"name": "mkdirp",
"severity": "moderate",
"isDirect": false,
"via": [
"minimist"
],
"effects": [],
"range": "0.4.1 - 0.5.1",
"nodes": [
"node_modules/mkdirp"
],
"fixAvailable": true
},
"moment": {
"name": "moment",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095072,
"name": "moment",
"dependency": "moment",
"title": "Moment.js vulnerable to Inefficient Regular Expression Complexity",
"url": "https://github.com/advisories/GHSA-wc69-rhjr-hc9g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.18.0 <2.29.4"
},
{
"source": 1095083,
"name": "moment",
"dependency": "moment",
"title": "Path Traversal: 'dir/../../filename' in moment.locale",
"url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4",
"severity": "high",
"cwe": [
"CWE-22",
"CWE-27"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": "<2.29.2"
}
],
"effects": [],
"range": "<=2.29.3",
"nodes": [
"node_modules/moment"
],
"fixAvailable": true
},
"nomnom": {
"name": "nomnom",
"severity": "critical",
"isDirect": false,
"via": [
"underscore"
],
"effects": [],
"range": ">=1.6.0",
"nodes": [
"node_modules/nomnom"
],
"fixAvailable": true
},
"parse-glob": {
"name": "parse-glob",
"severity": "high",
"isDirect": false,
"via": [
"glob-base"
],
"effects": [
"micromatch"
],
"range": ">=2.1.0",
"nodes": [
"node_modules/parse-glob"
],
"fixAvailable": true
},
"postcss": {
"name": "postcss",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1089729,
"name": "postcss",
"dependency": "postcss",
"title": "Regular Expression Denial of Service in postcss",
"url": "https://github.com/advisories/GHSA-hwj9-h5mp-3pm3",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=7.0.0 <7.0.36"
},
{
"source": 1093539,
"name": "postcss",
"dependency": "postcss",
"title": "Regular Expression Denial of Service in postcss",
"url": "https://github.com/advisories/GHSA-566m-qj78-rww5",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<7.0.36"
},
{
"source": 1094544,
"name": "postcss",
"dependency": "postcss",
"title": "PostCSS line return parsing error",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-144"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<8.4.31"
}
],
"effects": [
"postcss-less",
"postcss-reporter",
"postcss-sass",
"sugarss"
],
"range": "<=8.4.30",
"nodes": [
"node_modules/postcss",
"node_modules/postcss-less/node_modules/postcss",
"node_modules/postcss-reporter/node_modules/postcss",
"node_modules/postcss-sass/node_modules/postcss",
"node_modules/sugarss/node_modules/postcss"
],
"fixAvailable": true
},
"postcss-less": {
"name": "postcss-less",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=2.0.0",
"nodes": [
"node_modules/postcss-less"
],
"fixAvailable": true
},
"postcss-markdown": {
"name": "postcss-markdown",
"severity": "high",
"isDirect": false,
"via": [
"remark"
],
"effects": [
"stylelint"
],
"range": "<=0.36.0",
"nodes": [
"node_modules/postcss-markdown"
],
"fixAvailable": true
},
"postcss-reporter": {
"name": "postcss-reporter",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=5.0.0",
"nodes": [
"node_modules/postcss-reporter"
],
"fixAvailable": true
},
"postcss-sass": {
"name": "postcss-sass",
"severity": "moderate",
"isDirect": false,
"via": [
"gonzales-pe",
"postcss"
],
"effects": [],
"range": "<=0.3.2",
"nodes": [
"node_modules/postcss-sass"
],
"fixAvailable": true
},
"remark": {
"name": "remark",
"severity": "high",
"isDirect": false,
"via": [
"remark-parse"
],
"effects": [
"postcss-markdown"
],
"range": "5.0.0 - 12.0.1",
"nodes": [
"node_modules/remark"
],
"fixAvailable": true
},
"remark-parse": {
"name": "remark-parse",
"severity": "high",
"isDirect": false,
"via": [
"trim"
],
"effects": [
"remark"
],
"range": "<=8.0.3",
"nodes": [
"node_modules/remark-parse"
],
"fixAvailable": true
},
"semver": {
"name": "semver",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1095365,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<5.7.2"
}
],
"effects": [],
"range": "<5.7.2",
"nodes": [
"node_modules/semver"
],
"fixAvailable": true
},
"set-value": {
"name": "set-value",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1094511,
"name": "set-value",
"dependency": "set-value",
"title": "Prototype Pollution in set-value",
"url": "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr",
"severity": "high",
"cwe": [
"CWE-843",
"CWE-1321"
],
"cvss": {
"score": 7.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
"range": "<2.0.1"
},
{
"source": 1095129,
"name": "set-value",
"dependency": "set-value",
"title": "Prototype Pollution in set-value",
"url": "https://github.com/advisories/GHSA-4g88-fppr-53pp",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<2.0.1"
}
],
"effects": [
"union-value"
],
"range": "<=2.0.0",
"nodes": [
"node_modules/set-value",
"node_modules/union-value/node_modules/set-value"
],
"fixAvailable": true
},
"stylelint": {
"name": "stylelint",
"severity": "high",
"isDirect": true,
"via": [
"globby",
"meow",
"micromatch",
"postcss-less",
"postcss-markdown",
"postcss-reporter",
"sugarss"
],
"effects": [],
"range": "2.0.0 - 13.3.0",
"nodes": [
"node_modules/stylelint"
],
"fixAvailable": true
},
"sugarss": {
"name": "sugarss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=1.0.1",
"nodes": [
"node_modules/sugarss"
],
"fixAvailable": true
},
"trim": {
"name": "trim",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1089867,
"name": "trim",
"dependency": "trim",
"title": "Regular Expression Denial of Service in trim",
"url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.0.3"
}
],
"effects": [
"remark-parse"
],
"range": "<0.0.3",
"nodes": [
"node_modules/trim"
],
"fixAvailable": true
},
"trim-newlines": {
"name": "trim-newlines",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095100,
"name": "trim-newlines",
"dependency": "trim-newlines",
"title": "Uncontrolled Resource Consumption in trim-newlines",
"url": "https://github.com/advisories/GHSA-7p7h-4mm5-852v",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.1"
}
],
"effects": [
"meow"
],
"range": "<3.0.1",
"nodes": [
"node_modules/stylelint/node_modules/trim-newlines",
"node_modules/trim-newlines"
],
"fixAvailable": true
},
"underscore": {
"name": "underscore",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1095097,
"name": "underscore",
"dependency": "underscore",
"title": "Arbitrary Code Execution in underscore",
"url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
"severity": "critical",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.3.2 <1.12.1"
}
],
"effects": [
"nomnom"
],
"range": "1.3.2 - 1.12.0",
"nodes": [
"node_modules/underscore"
],
"fixAvailable": true
},
"underscore.string": {
"name": "underscore.string",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1085693,
"name": "underscore.string",
"dependency": "underscore.string",
"title": "Regular Expression Denial of Service in underscore.string",
"url": "https://github.com/advisories/GHSA-v2p6-4mp7-3r9v",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.3.5"
}
],
"effects": [],
"range": "<3.3.5",
"nodes": [
"node_modules/underscore.string"
],
"fixAvailable": true
},
"union-value": {
"name": "union-value",
"severity": "high",
"isDirect": false,
"via": [
"set-value"
],
"effects": [],
"range": "<=1.0.0 || 2.0.0",
"nodes": [
"node_modules/union-value"
],
"fixAvailable": true
},
"yargs-parser": {
"name": "yargs-parser",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1088811,
"name": "yargs-parser",
"dependency": "yargs-parser",
"title": "yargs-parser Vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-p9pc-299p-vxgp",
"severity": "moderate",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
},
"range": ">=6.0.0 <13.1.2"
}
],
"effects": [
"meow"
],
"range": "6.0.0 - 13.1.1",
"nodes": [
"node_modules/yargs-parser"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 14,
"high": 30,
"critical": 10,
"total": 55
},
"dependencies": {
"prod": 53,
"dev": 533,
"optional": 0,
"peer": 0,
"peerOptional": 0,
"total": 585
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No lock file found. Updating dependencies instead of installing from lock file. Use composer update over composer install if you do not have a lock file.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 13 installs, 0 updates, 0 removals
- Locking composer/semver (1.4.2)
- Locking composer/spdx-licenses (1.4.0)
- Locking jakub-onderka/php-console-color (v0.2)
- Locking mediawiki/mediawiki-codesniffer (v21.0.0)
- Locking mediawiki/mediawiki-phan-config (0.3.0)
- Locking mediawiki/minus-x (0.3.1)
- Locking php-parallel-lint/php-console-highlighter (v0.3.2)
- Locking php-parallel-lint/php-parallel-lint (v1.0.0)
- Locking psr/log (1.1.4)
- Locking squizlabs/php_codesniffer (3.3.0)
- Locking symfony/console (v3.4.47)
- Locking symfony/debug (v4.4.44)
- Locking symfony/polyfill-mbstring (v1.29.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 13 installs, 0 updates, 0 removals
- Downloading squizlabs/php_codesniffer (3.3.0)
- Downloading composer/spdx-licenses (1.4.0)
- Downloading composer/semver (1.4.2)
- Downloading mediawiki/mediawiki-codesniffer (v21.0.0)
- Downloading mediawiki/mediawiki-phan-config (0.3.0)
- Downloading symfony/debug (v4.4.44)
- Downloading symfony/console (v3.4.47)
- Downloading mediawiki/minus-x (0.3.1)
- Downloading jakub-onderka/php-console-color (v0.2)
- Downloading php-parallel-lint/php-console-highlighter (v0.3.2)
- Downloading php-parallel-lint/php-parallel-lint (v1.0.0)
0/11 [>---------------------------] 0%
8/11 [====================>-------] 72%
11/11 [============================] 100% - Installing squizlabs/php_codesniffer (3.3.0): Extracting archive
- Installing composer/spdx-licenses (1.4.0): Extracting archive
- Installing composer/semver (1.4.2): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v21.0.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.3.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.29.0): Extracting archive
- Installing psr/log (1.1.4): Extracting archive
- Installing symfony/debug (v4.4.44): Extracting archive
- Installing symfony/console (v3.4.47): Extracting archive
- Installing mediawiki/minus-x (0.3.1): Extracting archive
- Installing jakub-onderka/php-console-color (v0.2): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v0.3.2): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.0.0): Extracting archive
0/4 [>---------------------------] 0%
4/4 [============================] 100%4 package suggestions were added by new dependencies, use `composer suggest` to see details.
Package jakub-onderka/php-console-color is abandoned, you should avoid using it. Use php-parallel-lint/php-console-color instead.
Package symfony/debug is abandoned, you should avoid using it. Use symfony/error-handler instead.
Generating autoload files
4 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
--- end ---
Upgrading n:grunt from ^1.0.3 -> 1.6.1
Upgrading n:grunt-eslint from ^21.0.0 -> 24.3.0
Upgrading n:grunt-stylelint from ^0.10.0 -> 0.19.0
Upgrading n:stylelint from ^9.4.0 -> 14.14.0
Upgrading n:stylelint-config-wikimedia from ^0.4.3 -> 0.16.1
$ /usr/bin/npm install
--- stderr ---
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: 2018@undefined
npm ERR! Found: stylelint@14.14.0
npm ERR! node_modules/stylelint
npm ERR! dev stylelint@"14.14.0" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer stylelint@"15.x" from grunt-stylelint@0.19.0
npm ERR! node_modules/grunt-stylelint
npm ERR! dev grunt-stylelint@"0.19.0" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /cache/eresolve-report.txt for a full report.
npm ERR! A complete log of this run can be found in:
npm ERR! /cache/_logs/2024-02-07T14_35_52_752Z-debug-0.log
--- stdout ---
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1384, in main
libup.run(args.repo, args.output, args.branch)
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1322, in run
self.npm_upgrade(plan)
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1017, in npm_upgrade
self.check_call(['npm', 'install'])
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/shell2.py", line 54, in check_call
res.check_returncode()
File "/usr/lib/python3.9/subprocess.py", line 460, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'install']' returned non-zero exit status 1.