This run took 340 seconds.
$ date --- stdout --- Fri Apr 12 19:27:47 UTC 2024 --- end --- $ git clone file:///srv/git/mediawiki-services-change-propagation.git repo --depth=1 -b master --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/master --- stdout --- 2f1c1646eff4abb51fc3bba666d449a1ddde1aae refs/heads/master --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "ansi-regex": { "name": "ansi-regex", "severity": "high", "isDirect": false, "via": [ { "source": 1094090, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=3.0.0 <3.0.1" }, { "source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.1.1" }, { "source": 1094092, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.0.1" } ], "effects": [], "range": "3.0.0 || 4.0.0 - 4.1.0 || 5.0.0", "nodes": [ "node_modules/ansi-regex", "node_modules/nyc/node_modules/ansi-regex", "node_modules/wide-align/node_modules/ansi-regex" ], "fixAvailable": true }, "busboy": { "name": "busboy", "severity": "high", "isDirect": false, "via": [ "dicer" ], "effects": [ "hyperswitch" ], "range": "<=0.3.1", "nodes": [ "node_modules/busboy" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "coveralls": { "name": "coveralls", "severity": "moderate", "isDirect": true, "via": [ "request" ], "effects": [], "range": "*", "nodes": [ "node_modules/coveralls" ], "fixAvailable": false }, "debug": { "name": "debug", "severity": "low", "isDirect": false, "via": [ { "source": 1096792, "name": "debug", "dependency": "debug", "title": "Regular Expression Denial of Service in debug", "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", "severity": "low", "cwe": [ "CWE-400" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=4.0.0 <4.3.1" } ], "effects": [ "mocha" ], "range": "4.0.0 - 4.3.0", "nodes": [ "node_modules/gc-stats/node_modules/debug", "node_modules/mocha/node_modules/debug" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "dicer": { "name": "dicer", "severity": "high", "isDirect": false, "via": [ { "source": 1093150, "name": "dicer", "dependency": "dicer", "title": "Crash in HeaderParser in dicer", "url": "https://github.com/advisories/GHSA-wm7h-9275-46v2", "severity": "high", "cwe": [ "CWE-248" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<=0.3.1" } ], "effects": [ "busboy" ], "range": "*", "nodes": [ "node_modules/dicer" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "hyperswitch": { "name": "hyperswitch", "severity": "high", "isDirect": true, "via": [ "busboy", "preq", "swagger-ui-dist" ], "effects": [], "range": ">=0.1.0", "nodes": [ "node_modules/hyperswitch" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "ini": { "name": "ini", "severity": "high", "isDirect": false, "via": [ { "source": 1093224, "name": "ini", "dependency": "ini", "title": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse", "url": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<1.3.6" } ], "effects": [], "range": "<1.3.6", "nodes": [ "node_modules/gc-stats/node_modules/ini" ], "fixAvailable": true }, "json-schema": { "name": "json-schema", "severity": "critical", "isDirect": false, "via": [ { "source": 1095057, "name": "json-schema", "dependency": "json-schema", "title": "json-schema is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", "severity": "critical", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.4.0" } ], "effects": [ "jsprim" ], "range": "<0.4.0", "nodes": [ "node_modules/json-schema" ], "fixAvailable": true }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "2.0.0 - 2.2.1", "nodes": [ "node_modules/json5" ], "fixAvailable": true }, "jsprim": { "name": "jsprim", "severity": "critical", "isDirect": false, "via": [ "json-schema" ], "effects": [], "range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1", "nodes": [ "node_modules/jsprim" ], "fixAvailable": true }, "kad": { "name": "kad", "severity": "high", "isDirect": false, "via": [ "merge", "ms" ], "effects": [ "limitation" ], "range": "*", "nodes": [ "node_modules/kad" ], "fixAvailable": true }, "limitation": { "name": "limitation", "severity": "moderate", "isDirect": false, "via": [ "kad" ], "effects": [], "range": "<=0.2.2", "nodes": [ "node_modules/limitation" ], "fixAvailable": true }, "merge": { "name": "merge", "severity": "high", "isDirect": false, "via": [ { "source": 1096479, "name": "merge", "dependency": "merge", "title": "Prototype Pollution in merge", "url": "https://github.com/advisories/GHSA-7wpw-2hjm-89gp", "severity": "high", "cwe": [ "CWE-915" ], "cvss": { "score": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<2.1.1" } ], "effects": [ "kad" ], "range": "<2.1.1", "nodes": [ "node_modules/merge" ], "fixAvailable": true }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "mocha" ], "range": "<3.0.5", "nodes": [ "node_modules/gc-stats/node_modules/minimatch", "node_modules/minimatch" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1096465, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": ">=1.0.0 <1.2.3" }, { "source": 1096466, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<0.2.1" }, { "source": 1096548, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.2.4" }, { "source": 1096549, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [ "mkdirp" ], "range": "<=0.2.3 || 1.0.0 - 1.2.5", "nodes": [ "node_modules/gc-stats/node_modules/minimist", "node_modules/gc-stats/node_modules/rc/node_modules/minimist", "node_modules/minimist" ], "fixAvailable": true }, "mkdirp": { "name": "mkdirp", "severity": "moderate", "isDirect": false, "via": [ "minimist" ], "effects": [], "range": "0.4.1 - 0.5.1", "nodes": [ "node_modules/gc-stats/node_modules/mkdirp" ], "fixAvailable": true }, "mocha": { "name": "mocha", "severity": "high", "isDirect": true, "via": [ "debug", "minimatch", "nanoid" ], "effects": [], "range": "5.1.0 - 9.2.1", "nodes": [ "node_modules/mocha" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "moment": { "name": "moment", "severity": "high", "isDirect": false, "via": [ { "source": 1095072, "name": "moment", "dependency": "moment", "title": "Moment.js vulnerable to Inefficient Regular Expression Complexity", "url": "https://github.com/advisories/GHSA-wc69-rhjr-hc9g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.18.0 <2.29.4" }, { "source": 1095083, "name": "moment", "dependency": "moment", "title": "Path Traversal: 'dir/../../filename' in moment.locale", "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4", "severity": "high", "cwe": [ "CWE-22", "CWE-27" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<2.29.2" } ], "effects": [], "range": "<=2.29.3", "nodes": [ "node_modules/moment" ], "fixAvailable": true }, "ms": { "name": "ms", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.0" } ], "effects": [ "kad" ], "range": "<2.0.0", "nodes": [ "node_modules/ms" ], "fixAvailable": true }, "msgpack5": { "name": "msgpack5", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089202, "name": "msgpack5", "dependency": "msgpack5", "title": "Prototype poisoning", "url": "https://github.com/advisories/GHSA-gmjw-49p4-pcfm", "severity": "moderate", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 6.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:H" }, "range": "<3.6.1" } ], "effects": [], "range": "<3.6.1", "nodes": [ "node_modules/msgpack5" ], "fixAvailable": true }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [ "mocha" ], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/nanoid" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "preq": { "name": "preq", "severity": "high", "isDirect": true, "via": [ "request", "requestretry" ], "effects": [], "range": "*", "nodes": [ "node_modules/preq" ], "fixAvailable": false }, "qs": { "name": "qs", "severity": "high", "isDirect": false, "via": [ { "source": 1096470, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.5.0 <6.5.3" } ], "effects": [], "range": "6.5.0 - 6.5.2", "nodes": [ "node_modules/qs" ], "fixAvailable": true }, "redis": { "name": "redis", "severity": "high", "isDirect": true, "via": [ { "source": 1089196, "name": "redis", "dependency": "redis", "title": "Node-Redis potential exponential regex in monitor mode", "url": "https://github.com/advisories/GHSA-35q2-47q7-3pc3", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.6.0 <3.1.1" } ], "effects": [], "range": "2.6.0 - 3.1.0", "nodes": [ "node_modules/redis" ], "fixAvailable": true }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "coveralls", "preq", "requestretry" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "requestretry": { "name": "requestretry", "severity": "high", "isDirect": false, "via": [ { "source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<7.0.0" }, "request" ], "effects": [ "preq" ], "range": "*", "nodes": [ "node_modules/requestretry" ], "fixAvailable": false }, "semver": { "name": "semver", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096483, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<5.7.2" }, { "source": 1096484, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [], "range": "<5.7.2 || >=6.0.0 <6.3.1", "nodes": [ "node_modules/@babel/core/node_modules/semver", "node_modules/@wikimedia/jsonschema-tools/node_modules/semver", "node_modules/eslint-plugin-node/node_modules/semver", "node_modules/gc-stats/node_modules/semver", "node_modules/istanbul-lib-instrument/node_modules/semver", "node_modules/make-dir/node_modules/semver" ], "fixAvailable": true }, "swagger-ui-dist": { "name": "swagger-ui-dist", "severity": "moderate", "isDirect": false, "via": [ { "source": 1088759, "name": "swagger-ui-dist", "dependency": "swagger-ui-dist", "title": "Spoofing attack in swagger-ui-dist", "url": "https://github.com/advisories/GHSA-6c9x-mj3g-h47x", "severity": "moderate", "cwe": [ "CWE-1021" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.1.3" }, { "source": 1092160, "name": "swagger-ui-dist", "dependency": "swagger-ui-dist", "title": "Server side request forgery in SwaggerUI", "url": "https://github.com/advisories/GHSA-qrmm-w75w-3wpx", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<4.1.3" } ], "effects": [ "hyperswitch" ], "range": "<=4.1.2", "nodes": [ "node_modules/swagger-ui-dist" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "tar": { "name": "tar", "severity": "high", "isDirect": false, "via": [ { "source": 1089684, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "url": "https://github.com/advisories/GHSA-3jfq-g458-7qm9", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=4.0.0 <4.4.14" }, { "source": 1095117, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": "<4.4.18" }, { "source": 1096309, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning", "url": "https://github.com/advisories/GHSA-r628-mhmh-qjhw", "severity": "high", "cwe": [ "CWE-22", "CWE-23", "CWE-59" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=4.0.0 <4.4.15" }, { "source": 1096376, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc", "severity": "high", "cwe": [ "CWE-22", "CWE-59" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=3.0.0 <4.4.16" }, { "source": 1096411, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p", "severity": "high", "cwe": [ "CWE-22", "CWE-59" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=3.0.0 <4.4.18" }, { "source": 1096915, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<6.2.1" } ], "effects": [], "range": "<=6.2.0", "nodes": [ "node_modules/gc-stats/node_modules/tar" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096643, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": false }, "underscore": { "name": "underscore", "severity": "critical", "isDirect": false, "via": [ { "source": 1095097, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": [ "CWE-94" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.3.2 <1.12.1" } ], "effects": [], "range": "1.3.2 - 1.12.0", "nodes": [ "node_modules/underscore" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 10, "high": 16, "critical": 5, "total": 32 }, "dependencies": { "prod": 157, "dev": 404, "optional": 78, "peer": 0, "peerOptional": 0, "total": 637 } } } --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "ansi-regex": { "name": "ansi-regex", "severity": "high", "isDirect": false, "via": [ { "source": 1094090, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=3.0.0 <3.0.1" }, { "source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.1.1" }, { "source": 1094092, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.0.1" } ], "effects": [], "range": "3.0.0 || 4.0.0 - 4.1.0 || 5.0.0", "nodes": [ "node_modules/ansi-regex", "node_modules/nyc/node_modules/ansi-regex", "node_modules/wide-align/node_modules/ansi-regex" ], "fixAvailable": true }, "busboy": { "name": "busboy", "severity": "high", "isDirect": false, "via": [ "dicer" ], "effects": [ "hyperswitch" ], "range": "<=0.3.1", "nodes": [ "node_modules/busboy" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "coveralls": { "name": "coveralls", "severity": "moderate", "isDirect": true, "via": [ "request" ], "effects": [], "range": "*", "nodes": [ "node_modules/coveralls" ], "fixAvailable": false }, "debug": { "name": "debug", "severity": "low", "isDirect": false, "via": [ { "source": 1096792, "name": "debug", "dependency": "debug", "title": "Regular Expression Denial of Service in debug", "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", "severity": "low", "cwe": [ "CWE-400" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=4.0.0 <4.3.1" } ], "effects": [ "mocha" ], "range": "4.0.0 - 4.3.0", "nodes": [ "node_modules/gc-stats/node_modules/debug", "node_modules/mocha/node_modules/debug" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "dicer": { "name": "dicer", "severity": "high", "isDirect": false, "via": [ { "source": 1093150, "name": "dicer", "dependency": "dicer", "title": "Crash in HeaderParser in dicer", "url": "https://github.com/advisories/GHSA-wm7h-9275-46v2", "severity": "high", "cwe": [ "CWE-248" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<=0.3.1" } ], "effects": [ "busboy" ], "range": "*", "nodes": [ "node_modules/dicer" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "hyperswitch": { "name": "hyperswitch", "severity": "high", "isDirect": true, "via": [ "busboy", "preq", "swagger-ui-dist" ], "effects": [], "range": ">=0.1.0", "nodes": [ "node_modules/hyperswitch" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "ini": { "name": "ini", "severity": "high", "isDirect": false, "via": [ { "source": 1093224, "name": "ini", "dependency": "ini", "title": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse", "url": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<1.3.6" } ], "effects": [], "range": "<1.3.6", "nodes": [ "node_modules/gc-stats/node_modules/ini" ], "fixAvailable": true }, "json-schema": { "name": "json-schema", "severity": "critical", "isDirect": false, "via": [ { "source": 1095057, "name": "json-schema", "dependency": "json-schema", "title": "json-schema is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", "severity": "critical", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.4.0" } ], "effects": [ "jsprim" ], "range": "<0.4.0", "nodes": [ "node_modules/json-schema" ], "fixAvailable": true }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "2.0.0 - 2.2.1", "nodes": [ "node_modules/json5" ], "fixAvailable": true }, "jsprim": { "name": "jsprim", "severity": "critical", "isDirect": false, "via": [ "json-schema" ], "effects": [], "range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1", "nodes": [ "node_modules/jsprim" ], "fixAvailable": true }, "kad": { "name": "kad", "severity": "high", "isDirect": false, "via": [ "merge", "ms" ], "effects": [ "limitation" ], "range": "*", "nodes": [ "node_modules/kad" ], "fixAvailable": true }, "limitation": { "name": "limitation", "severity": "moderate", "isDirect": false, "via": [ "kad" ], "effects": [], "range": "<=0.2.2", "nodes": [ "node_modules/limitation" ], "fixAvailable": true }, "merge": { "name": "merge", "severity": "high", "isDirect": false, "via": [ { "source": 1096479, "name": "merge", "dependency": "merge", "title": "Prototype Pollution in merge", "url": "https://github.com/advisories/GHSA-7wpw-2hjm-89gp", "severity": "high", "cwe": [ "CWE-915" ], "cvss": { "score": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<2.1.1" } ], "effects": [ "kad" ], "range": "<2.1.1", "nodes": [ "node_modules/merge" ], "fixAvailable": true }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "mocha" ], "range": "<3.0.5", "nodes": [ "node_modules/gc-stats/node_modules/minimatch", "node_modules/minimatch" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1096465, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": ">=1.0.0 <1.2.3" }, { "source": 1096466, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<0.2.1" }, { "source": 1096548, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.2.4" }, { "source": 1096549, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [ "mkdirp" ], "range": "<=0.2.3 || 1.0.0 - 1.2.5", "nodes": [ "node_modules/gc-stats/node_modules/minimist", "node_modules/gc-stats/node_modules/rc/node_modules/minimist", "node_modules/minimist" ], "fixAvailable": true }, "mkdirp": { "name": "mkdirp", "severity": "moderate", "isDirect": false, "via": [ "minimist" ], "effects": [], "range": "0.4.1 - 0.5.1", "nodes": [ "node_modules/gc-stats/node_modules/mkdirp" ], "fixAvailable": true }, "mocha": { "name": "mocha", "severity": "high", "isDirect": true, "via": [ "debug", "minimatch", "nanoid" ], "effects": [], "range": "5.1.0 - 9.2.1", "nodes": [ "node_modules/mocha" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "moment": { "name": "moment", "severity": "high", "isDirect": false, "via": [ { "source": 1095072, "name": "moment", "dependency": "moment", "title": "Moment.js vulnerable to Inefficient Regular Expression Complexity", "url": "https://github.com/advisories/GHSA-wc69-rhjr-hc9g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.18.0 <2.29.4" }, { "source": 1095083, "name": "moment", "dependency": "moment", "title": "Path Traversal: 'dir/../../filename' in moment.locale", "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4", "severity": "high", "cwe": [ "CWE-22", "CWE-27" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<2.29.2" } ], "effects": [], "range": "<=2.29.3", "nodes": [ "node_modules/moment" ], "fixAvailable": true }, "ms": { "name": "ms", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.0" } ], "effects": [ "kad" ], "range": "<2.0.0", "nodes": [ "node_modules/ms" ], "fixAvailable": true }, "msgpack5": { "name": "msgpack5", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089202, "name": "msgpack5", "dependency": "msgpack5", "title": "Prototype poisoning", "url": "https://github.com/advisories/GHSA-gmjw-49p4-pcfm", "severity": "moderate", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 6.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:H" }, "range": "<3.6.1" } ], "effects": [], "range": "<3.6.1", "nodes": [ "node_modules/msgpack5" ], "fixAvailable": true }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [ "mocha" ], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/nanoid" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "preq": { "name": "preq", "severity": "high", "isDirect": true, "via": [ "request", "requestretry" ], "effects": [], "range": "*", "nodes": [ "node_modules/preq" ], "fixAvailable": false }, "qs": { "name": "qs", "severity": "high", "isDirect": false, "via": [ { "source": 1096470, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.5.0 <6.5.3" } ], "effects": [], "range": "6.5.0 - 6.5.2", "nodes": [ "node_modules/qs" ], "fixAvailable": true }, "redis": { "name": "redis", "severity": "high", "isDirect": true, "via": [ { "source": 1089196, "name": "redis", "dependency": "redis", "title": "Node-Redis potential exponential regex in monitor mode", "url": "https://github.com/advisories/GHSA-35q2-47q7-3pc3", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.6.0 <3.1.1" } ], "effects": [], "range": "2.6.0 - 3.1.0", "nodes": [ "node_modules/redis" ], "fixAvailable": true }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "coveralls", "preq", "requestretry" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "requestretry": { "name": "requestretry", "severity": "high", "isDirect": false, "via": [ { "source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<7.0.0" }, "request" ], "effects": [ "preq" ], "range": "*", "nodes": [ "node_modules/requestretry" ], "fixAvailable": false }, "semver": { "name": "semver", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096483, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<5.7.2" }, { "source": 1096484, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [], "range": "<5.7.2 || >=6.0.0 <6.3.1", "nodes": [ "node_modules/@babel/core/node_modules/semver", "node_modules/@wikimedia/jsonschema-tools/node_modules/semver", "node_modules/eslint-plugin-node/node_modules/semver", "node_modules/gc-stats/node_modules/semver", "node_modules/istanbul-lib-instrument/node_modules/semver", "node_modules/make-dir/node_modules/semver" ], "fixAvailable": true }, "swagger-ui-dist": { "name": "swagger-ui-dist", "severity": "moderate", "isDirect": false, "via": [ { "source": 1088759, "name": "swagger-ui-dist", "dependency": "swagger-ui-dist", "title": "Spoofing attack in swagger-ui-dist", "url": "https://github.com/advisories/GHSA-6c9x-mj3g-h47x", "severity": "moderate", "cwe": [ "CWE-1021" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.1.3" }, { "source": 1092160, "name": "swagger-ui-dist", "dependency": "swagger-ui-dist", "title": "Server side request forgery in SwaggerUI", "url": "https://github.com/advisories/GHSA-qrmm-w75w-3wpx", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<4.1.3" } ], "effects": [ "hyperswitch" ], "range": "<=4.1.2", "nodes": [ "node_modules/swagger-ui-dist" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "tar": { "name": "tar", "severity": "high", "isDirect": false, "via": [ { "source": 1089684, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "url": "https://github.com/advisories/GHSA-3jfq-g458-7qm9", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=4.0.0 <4.4.14" }, { "source": 1095117, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": "<4.4.18" }, { "source": 1096309, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning", "url": "https://github.com/advisories/GHSA-r628-mhmh-qjhw", "severity": "high", "cwe": [ "CWE-22", "CWE-23", "CWE-59" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=4.0.0 <4.4.15" }, { "source": 1096376, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc", "severity": "high", "cwe": [ "CWE-22", "CWE-59" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=3.0.0 <4.4.16" }, { "source": 1096411, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p", "severity": "high", "cwe": [ "CWE-22", "CWE-59" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=3.0.0 <4.4.18" }, { "source": 1096915, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<6.2.1" } ], "effects": [], "range": "<=6.2.0", "nodes": [ "node_modules/gc-stats/node_modules/tar" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096643, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": false }, "underscore": { "name": "underscore", "severity": "critical", "isDirect": false, "via": [ { "source": 1095097, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": [ "CWE-94" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.3.2 <1.12.1" } ], "effects": [], "range": "1.3.2 - 1.12.0", "nodes": [ "node_modules/underscore" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 10, "high": 16, "critical": 5, "total": 32 }, "dependencies": { "prod": 157, "dev": 404, "optional": 78, "peer": 0, "peerOptional": 0, "total": 637 } } } --- end --- Attempting to npm audit fix $ /usr/bin/npm audit fix --dry-run --only=dev --json --- stderr --- npm WARN invalid config only="dev" set in command line options npm WARN invalid config Must be one of: null, prod, production npm WARN audit fix semver@5.7.0 node_modules/gc-stats/node_modules/semver npm WARN audit fix semver@5.7.0 is a bundled dependency of npm WARN audit fix semver@5.7.0 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix semver@5.7.0 It cannot be fixed automatically. npm WARN audit fix semver@5.7.0 Check for updates to the gc-stats package. npm WARN audit fix minimatch@3.0.4 node_modules/gc-stats/node_modules/minimatch npm WARN audit fix minimatch@3.0.4 is a bundled dependency of npm WARN audit fix minimatch@3.0.4 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix minimatch@3.0.4 It cannot be fixed automatically. npm WARN audit fix minimatch@3.0.4 Check for updates to the gc-stats package. npm WARN audit fix debug@4.1.1 node_modules/gc-stats/node_modules/debug npm WARN audit fix debug@4.1.1 is a bundled dependency of npm WARN audit fix debug@4.1.1 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix debug@4.1.1 It cannot be fixed automatically. npm WARN audit fix debug@4.1.1 Check for updates to the gc-stats package. npm WARN audit fix ini@1.3.5 node_modules/gc-stats/node_modules/ini npm WARN audit fix ini@1.3.5 is a bundled dependency of npm WARN audit fix ini@1.3.5 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix ini@1.3.5 It cannot be fixed automatically. npm WARN audit fix ini@1.3.5 Check for updates to the gc-stats package. npm WARN audit fix minimist@1.2.0 node_modules/gc-stats/node_modules/rc/node_modules/minimist npm WARN audit fix minimist@1.2.0 is a bundled dependency of npm WARN audit fix minimist@1.2.0 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix minimist@1.2.0 It cannot be fixed automatically. npm WARN audit fix minimist@1.2.0 Check for updates to the gc-stats package. npm WARN audit fix minimist@0.0.8 node_modules/gc-stats/node_modules/minimist npm WARN audit fix minimist@0.0.8 is a bundled dependency of npm WARN audit fix minimist@0.0.8 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix minimist@0.0.8 It cannot be fixed automatically. npm WARN audit fix minimist@0.0.8 Check for updates to the gc-stats package. npm WARN audit fix tar@4.4.8 node_modules/gc-stats/node_modules/tar npm WARN audit fix tar@4.4.8 is a bundled dependency of npm WARN audit fix tar@4.4.8 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix tar@4.4.8 It cannot be fixed automatically. npm WARN audit fix tar@4.4.8 Check for updates to the gc-stats package. npm WARN audit fix mkdirp@0.5.1 node_modules/gc-stats/node_modules/mkdirp npm WARN audit fix mkdirp@0.5.1 is a bundled dependency of npm WARN audit fix mkdirp@0.5.1 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix mkdirp@0.5.1 It cannot be fixed automatically. npm WARN audit fix mkdirp@0.5.1 Check for updates to the gc-stats package. npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: '@es-joy/jsdoccomment@0.23.6', npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: 'eslint-plugin-jsdoc@39.2.2', npm WARN EBADENGINE required: { node: '^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } --- stdout --- { "added": 586, "removed": 0, "changed": 0, "audited": 653, "funding": 59, "audit": { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "" ], "fixAvailable": true }, "ansi-regex": { "name": "ansi-regex", "severity": "high", "isDirect": false, "via": [ { "source": 1094090, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=3.0.0 <3.0.1" }, { "source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.1.1" }, { "source": 1094092, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.0.1" } ], "effects": [], "range": "3.0.0 || 4.0.0 - 4.1.0 || 5.0.0", "nodes": [ "", "", "" ], "fixAvailable": true }, "busboy": { "name": "busboy", "severity": "high", "isDirect": false, "via": [ "dicer" ], "effects": [ "hyperswitch" ], "range": "<=0.3.1", "nodes": [ "node_modules/busboy" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "coveralls": { "name": "coveralls", "severity": "moderate", "isDirect": false, "via": [ "request" ], "effects": [], "range": "*", "nodes": [ "" ], "fixAvailable": false }, "debug": { "name": "debug", "severity": "low", "isDirect": false, "via": [ { "source": 1096792, "name": "debug", "dependency": "debug", "title": "Regular Expression Denial of Service in debug", "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", "severity": "low", "cwe": [ "CWE-400" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=4.0.0 <4.3.1" } ], "effects": [ "mocha" ], "range": "4.0.0 - 4.3.0", "nodes": [ "", "node_modules/gc-stats/node_modules/debug" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "dicer": { "name": "dicer", "severity": "high", "isDirect": false, "via": [ { "source": 1093150, "name": "dicer", "dependency": "dicer", "title": "Crash in HeaderParser in dicer", "url": "https://github.com/advisories/GHSA-wm7h-9275-46v2", "severity": "high", "cwe": [ "CWE-248" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<=0.3.1" } ], "effects": [ "busboy" ], "range": "*", "nodes": [ "node_modules/dicer" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "hyperswitch": { "name": "hyperswitch", "severity": "high", "isDirect": true, "via": [ "busboy", "preq", "swagger-ui-dist" ], "effects": [], "range": ">=0.1.0", "nodes": [ "node_modules/hyperswitch" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "ini": { "name": "ini", "severity": "high", "isDirect": false, "via": [ { "source": 1093224, "name": "ini", "dependency": "ini", "title": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse", "url": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<1.3.6" } ], "effects": [], "range": "<1.3.6", "nodes": [ "node_modules/gc-stats/node_modules/ini" ], "fixAvailable": true }, "json-schema": { "name": "json-schema", "severity": "critical", "isDirect": false, "via": [ { "source": 1095057, "name": "json-schema", "dependency": "json-schema", "title": "json-schema is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", "severity": "critical", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.4.0" } ], "effects": [ "jsprim" ], "range": "<0.4.0", "nodes": [ "" ], "fixAvailable": true }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "2.0.0 - 2.2.1", "nodes": [ "" ], "fixAvailable": true }, "jsprim": { "name": "jsprim", "severity": "critical", "isDirect": false, "via": [ "json-schema" ], "effects": [], "range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1", "nodes": [ "" ], "fixAvailable": true }, "kad": { "name": "kad", "severity": "high", "isDirect": false, "via": [ "merge", "ms" ], "effects": [ "limitation" ], "range": "*", "nodes": [ "" ], "fixAvailable": true }, "limitation": { "name": "limitation", "severity": "moderate", "isDirect": false, "via": [ "kad" ], "effects": [], "range": "<=0.2.2", "nodes": [ "" ], "fixAvailable": true }, "merge": { "name": "merge", "severity": "high", "isDirect": false, "via": [ { "source": 1096479, "name": "merge", "dependency": "merge", "title": "Prototype Pollution in merge", "url": "https://github.com/advisories/GHSA-7wpw-2hjm-89gp", "severity": "high", "cwe": [ "CWE-915" ], "cvss": { "score": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<2.1.1" } ], "effects": [ "kad" ], "range": "<2.1.1", "nodes": [ "" ], "fixAvailable": true }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "mocha" ], "range": "<3.0.5", "nodes": [ "node_modules/gc-stats/node_modules/minimatch", "node_modules/minimatch" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1096465, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": ">=1.0.0 <1.2.3" }, { "source": 1096466, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<0.2.1" }, { "source": 1096548, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.2.4" }, { "source": 1096549, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [ "mkdirp" ], "range": "<=0.2.3 || 1.0.0 - 1.2.5", "nodes": [ "", "node_modules/gc-stats/node_modules/minimist", "node_modules/gc-stats/node_modules/rc/node_modules/minimist" ], "fixAvailable": true }, "mkdirp": { "name": "mkdirp", "severity": "moderate", "isDirect": false, "via": [ "minimist" ], "effects": [], "range": "0.4.1 - 0.5.1", "nodes": [ "node_modules/gc-stats/node_modules/mkdirp" ], "fixAvailable": true }, "mocha": { "name": "mocha", "severity": "high", "isDirect": false, "via": [ "debug", "minimatch", "nanoid" ], "effects": [], "range": "5.1.0 - 9.2.1", "nodes": [ "" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "moment": { "name": "moment", "severity": "high", "isDirect": false, "via": [ { "source": 1095072, "name": "moment", "dependency": "moment", "title": "Moment.js vulnerable to Inefficient Regular Expression Complexity", "url": "https://github.com/advisories/GHSA-wc69-rhjr-hc9g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.18.0 <2.29.4" }, { "source": 1095083, "name": "moment", "dependency": "moment", "title": "Path Traversal: 'dir/../../filename' in moment.locale", "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4", "severity": "high", "cwe": [ "CWE-22", "CWE-27" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<2.29.2" } ], "effects": [], "range": "<=2.29.3", "nodes": [ "" ], "fixAvailable": true }, "ms": { "name": "ms", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.0" } ], "effects": [ "kad" ], "range": "<2.0.0", "nodes": [ "" ], "fixAvailable": true }, "msgpack5": { "name": "msgpack5", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089202, "name": "msgpack5", "dependency": "msgpack5", "title": "Prototype poisoning", "url": "https://github.com/advisories/GHSA-gmjw-49p4-pcfm", "severity": "moderate", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 6.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:H" }, "range": "<3.6.1" } ], "effects": [], "range": "<3.6.1", "nodes": [ "" ], "fixAvailable": true }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [ "mocha" ], "range": "3.0.0 - 3.1.30", "nodes": [ "" ], "fixAvailable": { "name": "mocha", "version": "10.4.0", "isSemVerMajor": true } }, "preq": { "name": "preq", "severity": "high", "isDirect": true, "via": [ "request", "requestretry" ], "effects": [], "range": "*", "nodes": [ "node_modules/preq" ], "fixAvailable": false }, "qs": { "name": "qs", "severity": "high", "isDirect": false, "via": [ { "source": 1096470, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.5.0 <6.5.3" } ], "effects": [], "range": "6.5.0 - 6.5.2", "nodes": [ "" ], "fixAvailable": true }, "redis": { "name": "redis", "severity": "high", "isDirect": false, "via": [ { "source": 1089196, "name": "redis", "dependency": "redis", "title": "Node-Redis potential exponential regex in monitor mode", "url": "https://github.com/advisories/GHSA-35q2-47q7-3pc3", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.6.0 <3.1.1" } ], "effects": [], "range": "2.6.0 - 3.1.0", "nodes": [ "" ], "fixAvailable": true }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "coveralls", "preq", "requestretry" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "requestretry": { "name": "requestretry", "severity": "high", "isDirect": false, "via": [ { "source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<7.0.0" }, "request" ], "effects": [ "preq" ], "range": "*", "nodes": [ "node_modules/requestretry" ], "fixAvailable": false }, "semver": { "name": "semver", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096483, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<5.7.2" }, { "source": 1096484, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [], "range": "<5.7.2 || >=6.0.0 <6.3.1", "nodes": [ "", "", "", "", "", "node_modules/gc-stats/node_modules/semver" ], "fixAvailable": true }, "swagger-ui-dist": { "name": "swagger-ui-dist", "severity": "moderate", "isDirect": false, "via": [ { "source": 1088759, "name": "swagger-ui-dist", "dependency": "swagger-ui-dist", "title": "Spoofing attack in swagger-ui-dist", "url": "https://github.com/advisories/GHSA-6c9x-mj3g-h47x", "severity": "moderate", "cwe": [ "CWE-1021" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.1.3" }, { "source": 1092160, "name": "swagger-ui-dist", "dependency": "swagger-ui-dist", "title": "Server side request forgery in SwaggerUI", "url": "https://github.com/advisories/GHSA-qrmm-w75w-3wpx", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<4.1.3" } ], "effects": [ "hyperswitch" ], "range": "<=4.1.2", "nodes": [ "" ], "fixAvailable": { "name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true } }, "tar": { "name": "tar", "severity": "high", "isDirect": false, "via": [ { "source": 1089684, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "url": "https://github.com/advisories/GHSA-3jfq-g458-7qm9", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=4.0.0 <4.4.14" }, { "source": 1095117, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": "<4.4.18" }, { "source": 1096309, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning", "url": "https://github.com/advisories/GHSA-r628-mhmh-qjhw", "severity": "high", "cwe": [ "CWE-22", "CWE-23", "CWE-59" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=4.0.0 <4.4.15" }, { "source": 1096376, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc", "severity": "high", "cwe": [ "CWE-22", "CWE-59" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=3.0.0 <4.4.16" }, { "source": 1096411, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p", "severity": "high", "cwe": [ "CWE-22", "CWE-59" ], "cvss": { "score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, "range": ">=3.0.0 <4.4.18" }, { "source": 1096915, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<6.2.1" } ], "effects": [], "range": "<=6.2.0", "nodes": [ "node_modules/gc-stats/node_modules/tar" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096643, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": false }, "underscore": { "name": "underscore", "severity": "critical", "isDirect": false, "via": [ { "source": 1095097, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": [ "CWE-94" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.3.2 <1.12.1" } ], "effects": [], "range": "1.3.2 - 1.12.0", "nodes": [ "" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 10, "high": 16, "critical": 5, "total": 32 }, "dependencies": { "prod": 156, "dev": 420, "optional": 78, "peer": 0, "peerOptional": 0, "total": 652 } } } } --- end --- {"added": 586, "removed": 0, "changed": 0, "audited": 653, "funding": 59, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@babel/traverse": {"name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [{"source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": ["CWE-184", "CWE-697"], "cvss": {"score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "range": "<7.23.2"}], "effects": [], "range": "<7.23.2", "nodes": [""], "fixAvailable": true}, "ansi-regex": {"name": "ansi-regex", "severity": "high", "isDirect": false, "via": [{"source": 1094090, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": ["CWE-697", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=3.0.0 <3.0.1"}, {"source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": ["CWE-697", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <4.1.1"}, {"source": 1094092, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": ["CWE-697", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=5.0.0 <5.0.1"}], "effects": [], "range": "3.0.0 || 4.0.0 - 4.1.0 || 5.0.0", "nodes": ["", "", ""], "fixAvailable": true}, "busboy": {"name": "busboy", "severity": "high", "isDirect": false, "via": ["dicer"], "effects": ["hyperswitch"], "range": "<=0.3.1", "nodes": ["node_modules/busboy"], "fixAvailable": {"name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true}}, "coveralls": {"name": "coveralls", "severity": "moderate", "isDirect": false, "via": ["request"], "effects": [], "range": "*", "nodes": [""], "fixAvailable": false}, "debug": {"name": "debug", "severity": "low", "isDirect": false, "via": [{"source": 1096792, "name": "debug", "dependency": "debug", "title": "Regular Expression Denial of Service in debug", "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", "severity": "low", "cwe": ["CWE-400"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=4.0.0 <4.3.1"}], "effects": ["mocha"], "range": "4.0.0 - 4.3.0", "nodes": ["", "node_modules/gc-stats/node_modules/debug"], "fixAvailable": {"name": "mocha", "version": "10.4.0", "isSemVerMajor": true}}, "dicer": {"name": "dicer", "severity": "high", "isDirect": false, "via": [{"source": 1093150, "name": "dicer", "dependency": "dicer", "title": "Crash in HeaderParser in dicer", "url": "https://github.com/advisories/GHSA-wm7h-9275-46v2", "severity": "high", "cwe": ["CWE-248"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<=0.3.1"}], "effects": ["busboy"], "range": "*", "nodes": ["node_modules/dicer"], "fixAvailable": {"name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true}}, "hyperswitch": {"name": "hyperswitch", "severity": "high", "isDirect": true, "via": ["busboy", "preq", "swagger-ui-dist"], "effects": [], "range": ">=0.1.0", "nodes": ["node_modules/hyperswitch"], "fixAvailable": {"name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true}}, "ini": {"name": "ini", "severity": "high", "isDirect": false, "via": [{"source": 1093224, "name": "ini", "dependency": "ini", "title": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse", "url": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "range": "<1.3.6"}], "effects": [], "range": "<1.3.6", "nodes": ["node_modules/gc-stats/node_modules/ini"], "fixAvailable": true}, "json-schema": {"name": "json-schema", "severity": "critical", "isDirect": false, "via": [{"source": 1095057, "name": "json-schema", "dependency": "json-schema", "title": "json-schema is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", "severity": "critical", "cwe": ["CWE-915", "CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<0.4.0"}], "effects": ["jsprim"], "range": "<0.4.0", "nodes": [""], "fixAvailable": true}, "json5": {"name": "json5", "severity": "high", "isDirect": false, "via": [{"source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}, "range": ">=2.0.0 <2.2.2"}], "effects": [], "range": "2.0.0 - 2.2.1", "nodes": [""], "fixAvailable": true}, "jsprim": {"name": "jsprim", "severity": "critical", "isDirect": false, "via": ["json-schema"], "effects": [], "range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1", "nodes": [""], "fixAvailable": true}, "kad": {"name": "kad", "severity": "high", "isDirect": false, "via": ["merge", "ms"], "effects": ["limitation"], "range": "*", "nodes": [""], "fixAvailable": true}, "limitation": {"name": "limitation", "severity": "moderate", "isDirect": false, "via": ["kad"], "effects": [], "range": "<=0.2.2", "nodes": [""], "fixAvailable": true}, "merge": {"name": "merge", "severity": "high", "isDirect": false, "via": [{"source": 1096479, "name": "merge", "dependency": "merge", "title": "Prototype Pollution in merge", "url": "https://github.com/advisories/GHSA-7wpw-2hjm-89gp", "severity": "high", "cwe": ["CWE-915"], "cvss": {"score": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "range": "<2.1.1"}], "effects": ["kad"], "range": "<2.1.1", "nodes": [""], "fixAvailable": true}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.0.5"}], "effects": ["mocha"], "range": "<3.0.5", "nodes": ["node_modules/gc-stats/node_modules/minimatch", "node_modules/minimatch"], "fixAvailable": {"name": "mocha", "version": "10.4.0", "isSemVerMajor": true}}, "minimist": {"name": "minimist", "severity": "critical", "isDirect": false, "via": [{"source": 1096465, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "range": ">=1.0.0 <1.2.3"}, {"source": 1096466, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "range": "<0.2.1"}, {"source": 1096548, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": ["CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<0.2.4"}, {"source": 1096549, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": ["CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.0.0 <1.2.6"}], "effects": ["mkdirp"], "range": "<=0.2.3 || 1.0.0 - 1.2.5", "nodes": ["", "node_modules/gc-stats/node_modules/minimist", "node_modules/gc-stats/node_modules/rc/node_modules/minimist"], "fixAvailable": true}, "mkdirp": {"name": "mkdirp", "severity": "moderate", "isDirect": false, "via": ["minimist"], "effects": [], "range": "0.4.1 - 0.5.1", "nodes": ["node_modules/gc-stats/node_modules/mkdirp"], "fixAvailable": true}, "mocha": {"name": "mocha", "severity": "high", "isDirect": false, "via": ["debug", "minimatch", "nanoid"], "effects": [], "range": "5.1.0 - 9.2.1", "nodes": [""], "fixAvailable": {"name": "mocha", "version": "10.4.0", "isSemVerMajor": true}}, "moment": {"name": "moment", "severity": "high", "isDirect": false, "via": [{"source": 1095072, "name": "moment", "dependency": "moment", "title": "Moment.js vulnerable to Inefficient Regular Expression Complexity", "url": "https://github.com/advisories/GHSA-wc69-rhjr-hc9g", "severity": "high", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=2.18.0 <2.29.4"}, {"source": 1095083, "name": "moment", "dependency": "moment", "title": "Path Traversal: 'dir/../../filename' in moment.locale", "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4", "severity": "high", "cwe": ["CWE-22", "CWE-27"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "range": "<2.29.2"}], "effects": [], "range": "<=2.29.3", "nodes": [""], "fixAvailable": true}, "ms": {"name": "ms", "severity": "moderate", "isDirect": false, "via": [{"source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": ["CWE-1333"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<2.0.0"}], "effects": ["kad"], "range": "<2.0.0", "nodes": [""], "fixAvailable": true}, "msgpack5": {"name": "msgpack5", "severity": "moderate", "isDirect": false, "via": [{"source": 1089202, "name": "msgpack5", "dependency": "msgpack5", "title": "Prototype poisoning", "url": "https://github.com/advisories/GHSA-gmjw-49p4-pcfm", "severity": "moderate", "cwe": ["CWE-915", "CWE-1321"], "cvss": {"score": 6.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:H"}, "range": "<3.6.1"}], "effects": [], "range": "<3.6.1", "nodes": [""], "fixAvailable": true}, "nanoid": {"name": "nanoid", "severity": "moderate", "isDirect": false, "via": [{"source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": ["CWE-200"], "cvss": {"score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "range": ">=3.0.0 <3.1.31"}], "effects": ["mocha"], "range": "3.0.0 - 3.1.30", "nodes": [""], "fixAvailable": {"name": "mocha", "version": "10.4.0", "isSemVerMajor": true}}, "preq": {"name": "preq", "severity": "high", "isDirect": true, "via": ["request", "requestretry"], "effects": [], "range": "*", "nodes": ["node_modules/preq"], "fixAvailable": false}, "qs": {"name": "qs", "severity": "high", "isDirect": false, "via": [{"source": 1096470, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=6.5.0 <6.5.3"}], "effects": [], "range": "6.5.0 - 6.5.2", "nodes": [""], "fixAvailable": true}, "redis": {"name": "redis", "severity": "high", "isDirect": false, "via": [{"source": 1089196, "name": "redis", "dependency": "redis", "title": "Node-Redis potential exponential regex in monitor mode", "url": "https://github.com/advisories/GHSA-35q2-47q7-3pc3", "severity": "high", "cwe": ["CWE-400"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=2.6.0 <3.1.1"}], "effects": [], "range": "2.6.0 - 3.1.0", "nodes": [""], "fixAvailable": true}, "request": {"name": "request", "severity": "moderate", "isDirect": false, "via": [{"source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=2.88.2"}, "tough-cookie"], "effects": ["coveralls", "preq", "requestretry"], "range": "*", "nodes": ["node_modules/request"], "fixAvailable": false}, "requestretry": {"name": "requestretry", "severity": "high", "isDirect": false, "via": [{"source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": ["CWE-200"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "range": "<7.0.0"}, "request"], "effects": ["preq"], "range": "*", "nodes": ["node_modules/requestretry"], "fixAvailable": false}, "semver": {"name": "semver", "severity": "moderate", "isDirect": false, "via": [{"source": 1096483, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": ["CWE-1333"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<5.7.2"}, {"source": 1096484, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": ["CWE-1333"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=6.0.0 <6.3.1"}], "effects": [], "range": "<5.7.2 || >=6.0.0 <6.3.1", "nodes": ["", "", "", "", "", "node_modules/gc-stats/node_modules/semver"], "fixAvailable": true}, "swagger-ui-dist": {"name": "swagger-ui-dist", "severity": "moderate", "isDirect": false, "via": [{"source": 1088759, "name": "swagger-ui-dist", "dependency": "swagger-ui-dist", "title": "Spoofing attack in swagger-ui-dist", "url": "https://github.com/advisories/GHSA-6c9x-mj3g-h47x", "severity": "moderate", "cwe": ["CWE-1021"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<4.1.3"}, {"source": 1092160, "name": "swagger-ui-dist", "dependency": "swagger-ui-dist", "title": "Server side request forgery in SwaggerUI", "url": "https://github.com/advisories/GHSA-qrmm-w75w-3wpx", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 0, "vectorString": null}, "range": "<4.1.3"}], "effects": ["hyperswitch"], "range": "<=4.1.2", "nodes": [""], "fixAvailable": {"name": "hyperswitch", "version": "0.10.5", "isSemVerMajor": true}}, "tar": {"name": "tar", "severity": "high", "isDirect": false, "via": [{"source": 1089684, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "url": "https://github.com/advisories/GHSA-3jfq-g458-7qm9", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"}, "range": ">=4.0.0 <4.4.14"}, {"source": 1095117, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"}, "range": "<4.4.18"}, {"source": 1096309, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning", "url": "https://github.com/advisories/GHSA-r628-mhmh-qjhw", "severity": "high", "cwe": ["CWE-22", "CWE-23", "CWE-59"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"}, "range": ">=4.0.0 <4.4.15"}, {"source": 1096376, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc", "severity": "high", "cwe": ["CWE-22", "CWE-59"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"}, "range": ">=3.0.0 <4.4.16"}, {"source": 1096411, "name": "tar", "dependency": "tar", "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p", "severity": "high", "cwe": ["CWE-22", "CWE-59"], "cvss": {"score": 8.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"}, "range": ">=3.0.0 <4.4.18"}, {"source": 1096915, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": ["CWE-400"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "range": "<6.2.1"}], "effects": [], "range": "<=6.2.0", "nodes": ["node_modules/gc-stats/node_modules/tar"], "fixAvailable": true}, "tough-cookie": {"name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [{"source": 1096643, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<4.1.3"}], "effects": ["request"], "range": "<4.1.3", "nodes": ["node_modules/tough-cookie"], "fixAvailable": false}, "underscore": {"name": "underscore", "severity": "critical", "isDirect": false, "via": [{"source": 1095097, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": ["CWE-94"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.3.2 <1.12.1"}], "effects": [], "range": "1.3.2 - 1.12.0", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 10, "high": 16, "critical": 5, "total": 32}, "dependencies": {"prod": 156, "dev": 420, "optional": 78, "peer": 0, "peerOptional": 0, "total": 652}}}} $ /usr/bin/npm audit fix --only=dev --- stderr --- npm WARN invalid config only="dev" set in command line options npm WARN invalid config Must be one of: null, prod, production npm WARN audit fix semver@5.7.0 node_modules/gc-stats/node_modules/semver npm WARN audit fix semver@5.7.0 is a bundled dependency of npm WARN audit fix semver@5.7.0 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix semver@5.7.0 It cannot be fixed automatically. npm WARN audit fix semver@5.7.0 Check for updates to the gc-stats package. npm WARN audit fix minimatch@3.0.4 node_modules/gc-stats/node_modules/minimatch npm WARN audit fix minimatch@3.0.4 is a bundled dependency of npm WARN audit fix minimatch@3.0.4 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix minimatch@3.0.4 It cannot be fixed automatically. npm WARN audit fix minimatch@3.0.4 Check for updates to the gc-stats package. npm WARN audit fix debug@4.1.1 node_modules/gc-stats/node_modules/debug npm WARN audit fix debug@4.1.1 is a bundled dependency of npm WARN audit fix debug@4.1.1 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix debug@4.1.1 It cannot be fixed automatically. npm WARN audit fix debug@4.1.1 Check for updates to the gc-stats package. npm WARN audit fix ini@1.3.5 node_modules/gc-stats/node_modules/ini npm WARN audit fix ini@1.3.5 is a bundled dependency of npm WARN audit fix ini@1.3.5 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix ini@1.3.5 It cannot be fixed automatically. npm WARN audit fix ini@1.3.5 Check for updates to the gc-stats package. npm WARN audit fix minimist@1.2.0 node_modules/gc-stats/node_modules/rc/node_modules/minimist npm WARN audit fix minimist@1.2.0 is a bundled dependency of npm WARN audit fix minimist@1.2.0 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix minimist@1.2.0 It cannot be fixed automatically. npm WARN audit fix minimist@1.2.0 Check for updates to the gc-stats package. npm WARN audit fix minimist@0.0.8 node_modules/gc-stats/node_modules/minimist npm WARN audit fix minimist@0.0.8 is a bundled dependency of npm WARN audit fix minimist@0.0.8 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix minimist@0.0.8 It cannot be fixed automatically. npm WARN audit fix minimist@0.0.8 Check for updates to the gc-stats package. npm WARN audit fix tar@4.4.8 node_modules/gc-stats/node_modules/tar npm WARN audit fix tar@4.4.8 is a bundled dependency of npm WARN audit fix tar@4.4.8 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix tar@4.4.8 It cannot be fixed automatically. npm WARN audit fix tar@4.4.8 Check for updates to the gc-stats package. npm WARN audit fix mkdirp@0.5.1 node_modules/gc-stats/node_modules/mkdirp npm WARN audit fix mkdirp@0.5.1 is a bundled dependency of npm WARN audit fix mkdirp@0.5.1 gc-stats@1.4.0 at node_modules/gc-stats npm WARN audit fix mkdirp@0.5.1 It cannot be fixed automatically. npm WARN audit fix mkdirp@0.5.1 Check for updates to the gc-stats package. npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: '@es-joy/jsdoccomment@0.23.6', npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: 'eslint-plugin-jsdoc@39.2.2', npm WARN EBADENGINE required: { node: '^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained. npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated json-schema-ref-parser@7.1.4: Please switch to @apidevtools/json-schema-ref-parser --- stdout --- added 585 packages, and audited 652 packages in 2m 59 packages are looking for funding run `npm fund` for details # npm audit report debug 4.0.0 - 4.3.0 Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c fix available via `npm audit fix` node_modules/gc-stats/node_modules/debug dicer * Severity: high Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2 fix available via `npm audit fix --force` Will install hyperswitch@0.10.5, which is a breaking change node_modules/dicer busboy <=0.3.1 Depends on vulnerable versions of dicer node_modules/busboy hyperswitch >=0.1.0 Depends on vulnerable versions of busboy Depends on vulnerable versions of preq Depends on vulnerable versions of swagger-ui-dist node_modules/hyperswitch ini <1.3.6 Severity: high ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse - https://github.com/advisories/GHSA-qqgx-2p2h-9c37 fix available via `npm audit fix` node_modules/gc-stats/node_modules/ini minimatch <3.0.5 Severity: high minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3 fix available via `npm audit fix --force` Will install mocha@10.4.0, which is a breaking change node_modules/gc-stats/node_modules/minimatch node_modules/minimatch mocha 5.1.0 - 9.2.1 Depends on vulnerable versions of minimatch Depends on vulnerable versions of nanoid node_modules/mocha minimist <=0.2.3 || 1.0.0 - 1.2.5 Severity: critical Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h fix available via `npm audit fix` node_modules/gc-stats/node_modules/minimist node_modules/gc-stats/node_modules/rc/node_modules/minimist mkdirp 0.4.1 - 0.5.1 Depends on vulnerable versions of minimist node_modules/gc-stats/node_modules/mkdirp ms <2.0.0 Severity: moderate Vercel ms Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-w9mr-4mfr-499f fix available via `npm audit fix` node_modules/ms wikimedia-kad-fork * Depends on vulnerable versions of ms node_modules/wikimedia-kad-fork limitation >=0.2.3 Depends on vulnerable versions of wikimedia-kad-fork node_modules/limitation nanoid 3.0.0 - 3.1.30 Severity: moderate Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2 fix available via `npm audit fix --force` Will install mocha@10.4.0, which is a breaking change node_modules/nanoid request * Severity: moderate Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6 Depends on vulnerable versions of tough-cookie No fix available node_modules/request coveralls * Depends on vulnerable versions of request node_modules/coveralls preq * Depends on vulnerable versions of request Depends on vulnerable versions of requestretry node_modules/preq requestretry * Depends on vulnerable versions of request node_modules/requestretry semver <5.7.2 Severity: moderate semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw fix available via `npm audit fix` node_modules/gc-stats/node_modules/semver swagger-ui-dist <=4.1.2 Severity: moderate Spoofing attack in swagger-ui-dist - https://github.com/advisories/GHSA-6c9x-mj3g-h47x Server side request forgery in SwaggerUI - https://github.com/advisories/GHSA-qrmm-w75w-3wpx fix available via `npm audit fix --force` Will install hyperswitch@0.10.5, which is a breaking change node_modules/swagger-ui-dist tar <=6.2.0 Severity: high Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9 Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36 fix available via `npm audit fix` node_modules/gc-stats/node_modules/tar tough-cookie <4.1.3 Severity: moderate tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3 No fix available node_modules/tough-cookie 21 vulnerabilities (1 low, 10 moderate, 9 high, 1 critical) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- Verifying that tests still pass $ /usr/bin/npm ci --- stderr --- npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: '@es-joy/jsdoccomment@0.23.6', npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: 'eslint-plugin-jsdoc@39.2.2', npm WARN EBADENGINE required: { node: '^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained. npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated json-schema-ref-parser@7.1.4: Please switch to @apidevtools/json-schema-ref-parser --- stdout --- added 585 packages, and audited 652 packages in 2m 59 packages are looking for funding run `npm fund` for details 21 vulnerabilities (1 low, 10 moderate, 9 high, 1 critical) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ /usr/bin/npm test --- stdout --- > change-propagation@0.12.0 test > export MOCK_SERVICES=true && npm run lint && mocha --recursive > change-propagation@0.12.0 lint > eslint --cache --ext .js . JobQueue rules ✓ Should propagate updateBetaFeaturesUserCounts job (503ms) ✓ Should propagate cdnPurge job (3507ms) ✓ Should support partitioned refreshLinks (513ms) ✓ Should deduplicate based on ID (2005ms) ✓ Should deduplicate based on SHA1 (4008ms) ✓ Should deduplicate based on SHA1 and root job combination (4004ms) ✓ Should deduplicate base on root job (4004ms) ✓ Should support delayed jobs with re-enqueue (13012ms) Rule ✓ topic required ✓ no-op rule ✓ simple rule - one request ✓ simple rule - multiple requests Matching ✓ all ✓ simple value match ✓ simple value mismatch ✓ regex match ✓ regex match with undefined ✓ regex mismatch ✓ array match ✓ malformed match ✓ match_not ✓ match_not array ✓ matches match and match_not ✓ matches match but not match_not ✓ matches match_not but not match ✓ matches match but is canary event and should_discard_canary_events is true ✓ matches match and is canary event and should_discard_canary_events is false ✓ expansion ✓ expansion with named groups ✓ checks for named and unnamed groups mixing Sampler ✓ Should accept the correct number of values (79ms) Basic rule management ✓ Should call simple executor (502ms) ✓ Should retry simple executor (502ms) ✓ Should retry simple executor no more than limit (2002ms) 1) Should emit valid retry message ✓ Should not retry if retry_on not matched (2002ms) ✓ Should not follow redirects (2002ms) ✓ Should not crash with unparsable JSON (502ms) ✓ Should support producing to topics on exec (502ms) 2) Should emit valid messages to error topic ✓ Sampling should only propagate a stable subset (2003ms) ✓ Should support array topics (501ms) ✓ Should support exclude_topics stanza (2001ms) update rules ✓ Should update summary endpoint (503ms) ✓ Should update summary endpoint, transcludes topic (500ms) ✓ Should update summary endpoint on page images change (503ms) ✓ Should not update summary for a blacklisted title (2001ms) ✓ Should update definition endpoint (502ms) ✓ Should not react to revision change event from restbase for definition endpoint (2002ms) ✓ Should update mobile apps endpoint (502ms) ✓ Should not update definition endpoint for non-main namespace (2001ms) ✓ Should update RESTBase on resource_change from MW (502ms) ✓ Should update RESTBase on revision create (502ms) ✓ Should not update RESTBase on revision create for a blacklisted title (2002ms) ✓ Should not update RESTBase on revision create for wikidata (2002ms) ✓ Should update RESTBase on page delete (502ms) ✓ Should update RESTBase on page undelete (502ms) ✓ Should update RESTBase on page move (502ms) ✓ Should update RESTBase on revision visibility change (501ms) 3) Should update ORES on revision-create 4) Should update ORES on revision-create, error ✓ Should update RESTBase summary and mobile-sections on wikidata description change (3003ms) ✓ Should update RESTBase summary and mobile-sections on wikidata description revert (3002ms) ✓ Should update RESTBase summary and mobile-sections on wikidata undelete (3001ms) ✓ Should not ask Wikidata for info for non-main namespace titles (5002ms) ✓ Should not crash if wikidata description can not be found (3001ms) ✓ Should rerender image usages on file update (506ms) ✓ Should rerender transclusions on page update (506ms) ✓ Should process backlinks, on create (505ms) ✓ Should process backlinks, on delete (506ms) ✓ Should process backlinks, on undelete (503ms) ✓ Should purge caches on resource_change coming from RESTBase (51ms) ✓ Should purge caches on resource_change coming from Tilerator (100ms) 69 passing (1m) 4 failing 1) Basic rule management Should emit valid retry message: SyntaxError: Unexpected token o in JSON at position 1 at JSON.parse (<anonymous>) at /src/repo/test/utils/common.js:122:33 at tryCatcher (node_modules/bluebird/js/release/util.js:16:23) at Promise._settlePromiseFromHandler (node_modules/bluebird/js/release/promise.js:547:31) at Promise._settlePromise (node_modules/bluebird/js/release/promise.js:604:18) at Promise._settlePromise0 (node_modules/bluebird/js/release/promise.js:649:10) at Promise._settlePromises (node_modules/bluebird/js/release/promise.js:729:18) at _drainQueueStep (node_modules/bluebird/js/release/async.js:93:12) at _drainQueue (node_modules/bluebird/js/release/async.js:86:9) at Async._drainQueues (node_modules/bluebird/js/release/async.js:102:5) at Async.drainQueues [as _onImmediate] (node_modules/bluebird/js/release/async.js:15:14) at process.processImmediate (node:internal/timers:476:21) 2) Basic rule management Should emit valid messages to error topic: SyntaxError: Unexpected token o in JSON at position 1 at JSON.parse (<anonymous>) at /src/repo/test/utils/common.js:122:33 at tryCatcher (node_modules/bluebird/js/release/util.js:16:23) at Promise._settlePromiseFromHandler (node_modules/bluebird/js/release/promise.js:547:31) at Promise._settlePromise (node_modules/bluebird/js/release/promise.js:604:18) at Promise._settlePromise0 (node_modules/bluebird/js/release/promise.js:649:10) at Promise._settlePromises (node_modules/bluebird/js/release/promise.js:729:18) at _drainQueueStep (node_modules/bluebird/js/release/async.js:93:12) at _drainQueue (node_modules/bluebird/js/release/async.js:86:9) at Async._drainQueues (node_modules/bluebird/js/release/async.js:102:5) at Async.drainQueues [as _onImmediate] (node_modules/bluebird/js/release/async.js:15:14) at process.processImmediate (node:internal/timers:476:21) 3) update rules Should update ORES on revision-create: SyntaxError: Unexpected token o in JSON at position 1 at JSON.parse (<anonymous>) at /src/repo/test/utils/common.js:122:33 at tryCatcher (node_modules/bluebird/js/release/util.js:16:23) at Promise._settlePromiseFromHandler (node_modules/bluebird/js/release/promise.js:547:31) at Promise._settlePromise (node_modules/bluebird/js/release/promise.js:604:18) at Promise._settlePromise0 (node_modules/bluebird/js/release/promise.js:649:10) at Promise._settlePromises (node_modules/bluebird/js/release/promise.js:729:18) at _drainQueueStep (node_modules/bluebird/js/release/async.js:93:12) at _drainQueue (node_modules/bluebird/js/release/async.js:86:9) at Async._drainQueues (node_modules/bluebird/js/release/async.js:102:5) at Async.drainQueues [as _onImmediate] (node_modules/bluebird/js/release/async.js:15:14) at process.processImmediate (node:internal/timers:476:21) 4) update rules Should update ORES on revision-create, error: SyntaxError: Unexpected token o in JSON at position 1 at JSON.parse (<anonymous>) at /src/repo/test/utils/common.js:122:33 at tryCatcher (node_modules/bluebird/js/release/util.js:16:23) at Promise._settlePromiseFromHandler (node_modules/bluebird/js/release/promise.js:547:31) at Promise._settlePromise (node_modules/bluebird/js/release/promise.js:604:18) at Promise._settlePromise0 (node_modules/bluebird/js/release/promise.js:649:10) at Promise._settlePromises (node_modules/bluebird/js/release/promise.js:729:18) at _drainQueueStep (node_modules/bluebird/js/release/async.js:93:12) at _drainQueue (node_modules/bluebird/js/release/async.js:86:9) at Async._drainQueues (node_modules/bluebird/js/release/async.js:102:5) at Async.drainQueues [as _onImmediate] (node_modules/bluebird/js/release/async.js:15:14) at process.processImmediate (node:internal/timers:476:21) --- end --- Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1534, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1478, in run self.npm_audit_fix(new_npm_audit) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 249, in npm_audit_fix self.check_call(['npm', 'test']) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/shell2.py", line 54, in check_call res.check_returncode() File "/usr/lib/python3.11/subprocess.py", line 502, in check_returncode raise CalledProcessError(self.returncode, self.args, self.stdout, subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 4.