This run took 19 seconds.
$ date --- stdout --- Sat Apr 20 02:50:44 UTC 2024 --- end --- $ git clone file:///srv/git/mediawiki-extensions-MobileFrontend.git repo --depth=1 -b REL1_39 --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/REL1_39 --- stdout --- 5e0a74e6ab168e9a25145246ba1ea7587bfb3897 refs/heads/REL1_39 --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "@storybook/builder-webpack4": { "name": "@storybook/builder-webpack4", "severity": "high", "isDirect": false, "via": [ "@storybook/core-common", "autoprefixer", "css-loader", "postcss", "postcss-flexbugs-fixes", "react-dev-utils", "webpack-dev-middleware" ], "effects": [ "@storybook/core-server" ], "range": "*", "nodes": [ "node_modules/@storybook/builder-webpack4" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@storybook/core": { "name": "@storybook/core", "severity": "high", "isDirect": false, "via": [ "@storybook/core-server" ], "effects": [ "@storybook/html" ], "range": "6.2.0-alpha.0 - 6.3.0-rc.12", "nodes": [ "node_modules/@storybook/core" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@storybook/core-common": { "name": "@storybook/core-common", "severity": "high", "isDirect": false, "via": [ "glob-base" ], "effects": [ "@storybook/builder-webpack4", "@storybook/core-server", "@storybook/html" ], "range": "<=6.4.0-rc.11", "nodes": [ "node_modules/@storybook/core-common" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@storybook/core-server": { "name": "@storybook/core-server", "severity": "high", "isDirect": false, "via": [ "@storybook/builder-webpack4", "@storybook/core-common", "cpy", "css-loader", "webpack-dev-middleware" ], "effects": [ "@storybook/core" ], "range": "<=7.0.0-rc.11", "nodes": [ "node_modules/@storybook/core-server" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@storybook/html": { "name": "@storybook/html", "severity": "high", "isDirect": true, "via": [ "@storybook/core", "@storybook/core-common" ], "effects": [], "range": "6.2.0-alpha.0 - 6.4.0-rc.11", "nodes": [ "node_modules/@storybook/html" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@wikimedia/mw-node-qunit": { "name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": [ "jsdom" ], "effects": [], "range": "<=6.2.1", "nodes": [ "node_modules/@wikimedia/mw-node-qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "ansi-regex": { "name": "ansi-regex", "severity": "high", "isDirect": false, "via": [ { "source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.1.1" } ], "effects": [], "range": "4.0.0 - 4.1.0", "nodes": [ "node_modules/@wikimedia/mw-node-qunit/node_modules/ansi-regex", "node_modules/webpack-cli/node_modules/ansi-regex" ], "fixAvailable": true }, "autoprefixer": { "name": "autoprefixer", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "1.0.20131222 - 9.8.8", "nodes": [ "node_modules/autoprefixer" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "axios": { "name": "axios", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096525, "name": "axios", "dependency": "axios", "title": "Axios Cross-Site Request Forgery Vulnerability", "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", "severity": "moderate", "cwe": [ "CWE-352" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, "range": ">=0.8.1 <0.28.0" } ], "effects": [ "bundlesize", "github-build" ], "range": "0.8.1 - 0.27.2", "nodes": [ "node_modules/axios", "node_modules/github-build/node_modules/axios" ], "fixAvailable": { "name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false } }, "body-parser": { "name": "body-parser", "severity": "high", "isDirect": false, "via": [ "qs" ], "effects": [], "range": "1.19.0", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "browserify-sign": { "name": "browserify-sign", "severity": "high", "isDirect": false, "via": [ { "source": 1096644, "name": "browserify-sign", "dependency": "browserify-sign", "title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack", "url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": ">=2.6.0 <=4.2.1" } ], "effects": [], "range": "2.6.0 - 4.2.1", "nodes": [ "node_modules/browserify-sign" ], "fixAvailable": true }, "browserslist": { "name": "browserslist", "severity": "moderate", "isDirect": false, "via": [ { "source": 1093035, "name": "browserslist", "dependency": "browserslist", "title": "Regular Expression Denial of Service in browserslist", "url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=4.0.0 <4.16.5" } ], "effects": [ "react-dev-utils" ], "range": "4.0.0 - 4.16.4", "nodes": [ "node_modules/react-dev-utils/node_modules/browserslist" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "bundlesize": { "name": "bundlesize", "severity": "moderate", "isDirect": true, "via": [ "axios" ], "effects": [], "range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1", "nodes": [ "node_modules/bundlesize" ], "fixAvailable": { "name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false } }, "chokidar": { "name": "chokidar", "severity": "high", "isDirect": false, "via": [ "glob-parent" ], "effects": [ "watchpack-chokidar2" ], "range": "1.0.0-rc1 - 2.1.8", "nodes": [ "node_modules/watchpack-chokidar2/node_modules/chokidar" ], "fixAvailable": true }, "core-js-compat": { "name": "core-js-compat", "severity": "moderate", "isDirect": false, "via": [ "semver" ], "effects": [], "range": "3.6.0 - 3.25.0", "nodes": [ "node_modules/core-js-compat" ], "fixAvailable": true }, "cpy": { "name": "cpy", "severity": "high", "isDirect": false, "via": [ "globby" ], "effects": [ "@storybook/core-server" ], "range": "7.0.0 - 8.1.2", "nodes": [ "node_modules/cpy" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "css-loader": { "name": "css-loader", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values" ], "effects": [], "range": "0.15.0 - 4.3.0", "nodes": [ "node_modules/css-loader" ], "fixAvailable": true }, "decode-uri-component": { "name": "decode-uri-component", "severity": "high", "isDirect": false, "via": [ { "source": 1094087, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "high", "cwe": [ "CWE-20" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "eslint-config-wikimedia": { "name": "eslint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": [ "eslint-plugin-compat" ], "effects": [], "range": "0.18.0 - 0.21.0", "nodes": [ "node_modules/eslint-config-wikimedia" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.27.0", "isSemVerMajor": true } }, "eslint-plugin-compat": { "name": "eslint-plugin-compat", "severity": "moderate", "isDirect": false, "via": [ "semver" ], "effects": [ "eslint-config-wikimedia" ], "range": "3.6.0-0 - 4.1.4", "nodes": [ "node_modules/eslint-plugin-compat" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.27.0", "isSemVerMajor": true } }, "express": { "name": "express", "severity": "high", "isDirect": false, "via": [ { "source": 1096820, "name": "express", "dependency": "express", "title": "Express.js Open Redirect in malformed URLs", "url": "https://github.com/advisories/GHSA-rv95-896h-c2vc", "severity": "moderate", "cwe": [ "CWE-601", "CWE-1286" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.19.2" }, "body-parser", "qs" ], "effects": [], "range": "<=4.19.1 || 5.0.0-alpha.1 - 5.0.0-alpha.8", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "fast-glob": { "name": "fast-glob", "severity": "high", "isDirect": false, "via": [ "glob-parent" ], "effects": [ "globby" ], "range": "<=2.2.7", "nodes": [ "node_modules/fast-glob" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "follow-redirects": { "name": "follow-redirects", "severity": "high", "isDirect": false, "via": [ { "source": 1092623, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", "severity": "moderate", "cwe": [ "CWE-200", "CWE-212" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<1.14.8" }, { "source": 1095014, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of sensitive information in follow-redirects", "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q", "severity": "high", "cwe": [ "CWE-359" ], "cvss": { "score": 8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, "range": "<1.14.7" }, { "source": 1096353, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Follow Redirects improperly handles URLs in the url.parse() function", "url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc", "severity": "moderate", "cwe": [ "CWE-20", "CWE-601" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<1.15.4" }, { "source": 1096856, "name": "follow-redirects", "dependency": "follow-redirects", "title": "follow-redirects' Proxy-Authorization header kept across hosts", "url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=1.15.5" } ], "effects": [], "range": "<=1.15.5", "nodes": [ "node_modules/follow-redirects" ], "fixAvailable": true }, "github-build": { "name": "github-build", "severity": "moderate", "isDirect": false, "via": [ "axios" ], "effects": [], "range": "<=1.2.3", "nodes": [ "node_modules/github-build" ], "fixAvailable": true }, "glob-base": { "name": "glob-base", "severity": "high", "isDirect": false, "via": [ "glob-parent" ], "effects": [ "@storybook/core-common" ], "range": "*", "nodes": [ "node_modules/glob-base" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "glob-parent": { "name": "glob-parent", "severity": "high", "isDirect": false, "via": [ { "source": 1095007, "name": "glob-parent", "dependency": "glob-parent", "title": "glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex", "url": "https://github.com/advisories/GHSA-ww39-953v-wcq6", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<5.1.2" } ], "effects": [ "chokidar", "fast-glob", "glob-base" ], "range": "<5.1.2", "nodes": [ "node_modules/fast-glob/node_modules/glob-parent", "node_modules/glob-base/node_modules/glob-parent", "node_modules/watchpack-chokidar2/node_modules/glob-parent" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "globby": { "name": "globby", "severity": "high", "isDirect": false, "via": [ "fast-glob" ], "effects": [ "cpy" ], "range": "8.0.0 - 9.2.0", "nodes": [ "node_modules/globby" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "icss-utils": { "name": "icss-utils", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "css-loader", "postcss-modules-local-by-default", "postcss-modules-values" ], "range": "<=4.1.1", "nodes": [ "node_modules/icss-utils" ], "fixAvailable": true }, "immer": { "name": "immer", "severity": "critical", "isDirect": false, "via": [ { "source": 1089281, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx", "severity": "high", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<9.0.6" }, { "source": 1093726, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-33f9-j839-rf8h", "severity": "critical", "cwe": [ "CWE-843", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<9.0.6" } ], "effects": [ "react-dev-utils" ], "range": "<=9.0.5", "nodes": [ "node_modules/immer" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "ip": { "name": "ip", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096570, "name": "ip", "dependency": "ip", "title": "NPM IP package incorrectly identifies some private IP addresses as public", "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<1.1.9" } ], "effects": [], "range": "<1.1.9", "nodes": [ "node_modules/ip" ], "fixAvailable": true }, "jsdoc": { "name": "jsdoc", "severity": "high", "isDirect": true, "via": [ "markdown-it", "marked", "taffydb" ], "effects": [], "range": "3.2.0-dev - 3.6.11", "nodes": [ "node_modules/jsdoc" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "jsdom": { "name": "jsdom", "severity": "moderate", "isDirect": true, "via": [ { "source": 1089185, "name": "jsdom", "dependency": "jsdom", "title": "Insufficient Granularity of Access Control in JSDom", "url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98", "severity": "moderate", "cwe": [ "CWE-1220" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<=16.4.0" }, "request", "tough-cookie" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "<=16.5.3", "nodes": [ "node_modules/jsdom" ], "fixAvailable": { "name": "jsdom", "version": "24.0.0", "isSemVerMajor": true } }, "json-schema": { "name": "json-schema", "severity": "critical", "isDirect": false, "via": [ { "source": 1095057, "name": "json-schema", "dependency": "json-schema", "title": "json-schema is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", "severity": "critical", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.4.0" } ], "effects": [ "jsprim" ], "range": "<0.4.0", "nodes": [ "node_modules/json-schema" ], "fixAvailable": true }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" }, { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": [ "node_modules/json5", "node_modules/loader-utils/node_modules/json5", "node_modules/webpack-cli/node_modules/json5" ], "fixAvailable": true }, "jsprim": { "name": "jsprim", "severity": "critical", "isDirect": false, "via": [ "json-schema" ], "effects": [], "range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1", "nodes": [ "node_modules/jsprim" ], "fixAvailable": true }, "less": { "name": "less", "severity": "moderate", "isDirect": true, "via": [ "request" ], "effects": [], "range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3", "nodes": [ "node_modules/less" ], "fixAvailable": { "name": "less", "version": "3.13.1", "isSemVerMajor": false } }, "loader-utils": { "name": "loader-utils", "severity": "critical", "isDirect": false, "via": [ { "source": 1094083, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1094084, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" }, { "source": 1094088, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<1.4.1" }, { "source": 1094089, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=2.0.0 <2.0.3" }, { "source": 1095054, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1095055, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" } ], "effects": [ "react-dev-utils", "webpack-cli" ], "range": "<=1.4.1 || 2.0.0 - 2.0.3", "nodes": [ "node_modules/file-loader/node_modules/loader-utils", "node_modules/html-loader/node_modules/loader-utils", "node_modules/loader-utils", "node_modules/postcss-loader/node_modules/loader-utils", "node_modules/raw-loader/node_modules/loader-utils", "node_modules/react-dev-utils/node_modules/loader-utils", "node_modules/style-loader/node_modules/loader-utils", "node_modules/url-loader/node_modules/loader-utils", "node_modules/webpack-cli/node_modules/loader-utils" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "markdown-it": { "name": "markdown-it", "severity": "moderate", "isDirect": false, "via": [ { "source": 1092663, "name": "markdown-it", "dependency": "markdown-it", "title": "Uncontrolled Resource Consumption in markdown-it", "url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<12.3.2" } ], "effects": [ "jsdoc" ], "range": "<12.3.2", "nodes": [ "node_modules/markdown-it" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "marked": { "name": "marked", "severity": "high", "isDirect": false, "via": [ { "source": 1095051, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" }, { "source": 1095052, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" } ], "effects": [ "jsdoc" ], "range": "<=4.0.9", "nodes": [ "node_modules/marked" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "recursive-readdir" ], "range": "<3.0.5", "nodes": [ "node_modules/minimatch" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1096549, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/doiuse/node_modules/nanoid", "node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid" ], "fixAvailable": true }, "node-fetch": { "name": "node-fetch", "severity": "high", "isDirect": false, "via": [ { "source": 1095073, "name": "node-fetch", "dependency": "node-fetch", "title": "node-fetch forwards secure headers to untrusted sites", "url": "https://github.com/advisories/GHSA-r683-j2x4-v87g", "severity": "high", "cwe": [ "CWE-173", "CWE-200", "CWE-601" ], "cvss": { "score": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, "range": "<2.6.7" } ], "effects": [], "range": "<2.6.7", "nodes": [ "node_modules/node-fetch" ], "fixAvailable": true }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094544, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j", "severity": "moderate", "cwe": [ "CWE-74", "CWE-144" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<8.4.31" } ], "effects": [ "@storybook/builder-webpack4", "autoprefixer", "css-loader", "icss-utils", "postcss-flexbugs-fixes", "postcss-less", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values", "postcss-safe-parser", "postcss-sass", "postcss-scss", "stylelint", "sugarss" ], "range": "<8.4.31", "nodes": [ "node_modules/doiuse/node_modules/postcss", "node_modules/postcss", "node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "postcss-flexbugs-fixes": { "name": "postcss-flexbugs-fixes", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=4.2.1", "nodes": [ "node_modules/postcss-flexbugs-fixes" ], "fixAvailable": true }, "postcss-less": { "name": "postcss-less", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=3.1.4", "nodes": [ "node_modules/postcss-less" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "postcss-modules-extract-imports": { "name": "postcss-modules-extract-imports", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/postcss-modules-extract-imports" ], "fixAvailable": true }, "postcss-modules-local-by-default": { "name": "postcss-modules-local-by-default", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss" ], "effects": [], "range": "<=4.0.0-rc.4", "nodes": [ "node_modules/postcss-modules-local-by-default" ], "fixAvailable": true }, "postcss-modules-scope": { "name": "postcss-modules-scope", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.2.0", "nodes": [ "node_modules/postcss-modules-scope" ], "fixAvailable": true }, "postcss-modules-values": { "name": "postcss-modules-values", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss" ], "effects": [ "css-loader" ], "range": "<=4.0.0-rc.5", "nodes": [ "node_modules/postcss-modules-values" ], "fixAvailable": true }, "postcss-safe-parser": { "name": "postcss-safe-parser", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=4.0.2", "nodes": [ "node_modules/postcss-safe-parser" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "postcss-sass": { "name": "postcss-sass", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=0.4.4", "nodes": [ "node_modules/postcss-sass" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "postcss-scss": { "name": "postcss-scss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=2.1.1", "nodes": [ "node_modules/postcss-scss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "prismjs": { "name": "prismjs", "severity": "high", "isDirect": false, "via": [ { "source": 1090424, "name": "prismjs", "dependency": "prismjs", "title": "Cross-site Scripting in Prism", "url": "https://github.com/advisories/GHSA-3949-f494-cm99", "severity": "high", "cwe": [ "CWE-79" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L" }, "range": ">=1.14.0 <1.27.0" } ], "effects": [ "refractor" ], "range": "1.14.0 - 1.26.0", "nodes": [ "node_modules/prismjs" ], "fixAvailable": true }, "qs": { "name": "qs", "severity": "high", "isDirect": false, "via": [ { "source": 1096470, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.5.0 <6.5.3" }, { "source": 1096472, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.7.0 <6.7.3" }, { "source": 1096475, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.10.0 <6.10.3" } ], "effects": [ "body-parser", "express" ], "range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2", "nodes": [ "node_modules/body-parser/node_modules/qs", "node_modules/express/node_modules/qs", "node_modules/qs", "node_modules/request/node_modules/qs" ], "fixAvailable": true }, "react-dev-utils": { "name": "react-dev-utils", "severity": "critical", "isDirect": false, "via": [ "browserslist", "immer", "loader-utils", "recursive-readdir", "shell-quote" ], "effects": [ "@storybook/builder-webpack4" ], "range": "0.5.2 - 12.0.0-next.60", "nodes": [ "node_modules/react-dev-utils" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "recursive-readdir": { "name": "recursive-readdir", "severity": "high", "isDirect": false, "via": [ "minimatch" ], "effects": [ "react-dev-utils" ], "range": "1.2.0 - 2.2.2", "nodes": [ "node_modules/recursive-readdir" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "refractor": { "name": "refractor", "severity": "high", "isDirect": false, "via": [ "prismjs" ], "effects": [], "range": "2.4.0 - 3.5.0 || 4.0.0 - 4.4.0", "nodes": [ "node_modules/refractor" ], "fixAvailable": true }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "jsdom", "less" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": { "name": "jsdom", "version": "24.0.0", "isSemVerMajor": true } }, "request-promise-native": { "name": "request-promise-native", "severity": "moderate", "isDirect": false, "via": [ "tough-cookie" ], "effects": [], "range": ">=1.0.6", "nodes": [ "node_modules/request-promise-native" ], "fixAvailable": true }, "semver": { "name": "semver", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096482, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=7.0.0 <7.5.2" }, { "source": 1096483, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<5.7.2" }, { "source": 1096484, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [ "core-js-compat", "eslint-plugin-compat" ], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": [ "node_modules/@babel/helper-compilation-targets/node_modules/semver", "node_modules/@npmcli/fs/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/core/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/helper-define-polyfill-provider/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/preset-env/node_modules/semver", "node_modules/@storybook/core-common/node_modules/@babel/register/node_modules/semver", "node_modules/@storybook/core-common/node_modules/find-cache-dir/node_modules/semver", "node_modules/@storybook/core-common/node_modules/semver", "node_modules/@storybook/core-server/node_modules/semver", "node_modules/@stylelint/postcss-css-in-js/node_modules/semver", "node_modules/@wikimedia/mw-node-qunit/node_modules/semver", "node_modules/babel-plugin-polyfill-corejs2/node_modules/semver", "node_modules/babel-plugin-polyfill-corejs3/node_modules/semver", "node_modules/babel-plugin-polyfill-regenerator/node_modules/semver", "node_modules/core-js-compat/node_modules/semver", "node_modules/css-loader/node_modules/semver", "node_modules/eslint-plugin-compat/node_modules/semver", "node_modules/eslint-plugin-jsdoc/node_modules/semver", "node_modules/eslint-plugin-mediawiki/node_modules/semver", "node_modules/eslint-plugin-node/node_modules/semver", "node_modules/eslint-plugin-unicorn/node_modules/semver", "node_modules/eslint-plugin-vue/node_modules/semver", "node_modules/eslint-template-visitor/node_modules/semver", "node_modules/eslint/node_modules/semver", "node_modules/fork-ts-checker-webpack-plugin/node_modules/semver", "node_modules/istanbul-lib-instrument/node_modules/semver", "node_modules/make-dir/node_modules/semver", "node_modules/meow/node_modules/semver", "node_modules/nyc/node_modules/semver", "node_modules/postcss-loader/node_modules/semver", "node_modules/semver", "node_modules/vue-eslint-parser/node_modules/semver" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.27.0", "isSemVerMajor": true } }, "shell-quote": { "name": "shell-quote", "severity": "critical", "isDirect": false, "via": [ { "source": 1096375, "name": "shell-quote", "dependency": "shell-quote", "title": "Improper Neutralization of Special Elements used in a Command in Shell-quote", "url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7", "severity": "critical", "cwe": [ "CWE-77" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=1.7.2" } ], "effects": [ "react-dev-utils" ], "range": "<=1.7.2", "nodes": [ "node_modules/shell-quote" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "simple-get": { "name": "simple-get", "severity": "high", "isDirect": false, "via": [ { "source": 1090445, "name": "simple-get", "dependency": "simple-get", "title": "Exposure of Sensitive Information in simple-get", "url": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.1" } ], "effects": [], "range": "3.0.0 - 3.1.0", "nodes": [ "node_modules/simple-get" ], "fixAvailable": true }, "stylelint": { "name": "stylelint", "severity": "moderate", "isDirect": false, "via": [ "autoprefixer", "postcss", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "sugarss" ], "effects": [ "stylelint-config-wikimedia" ], "range": "0.1.0 - 13.13.1", "nodes": [ "node_modules/stylelint" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "stylelint-config-wikimedia": { "name": "stylelint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": [ "stylelint" ], "effects": [], "range": "<=0.11.1", "nodes": [ "node_modules/stylelint-config-wikimedia" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "sugarss": { "name": "sugarss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/sugarss" ], "fixAvailable": true }, "taffydb": { "name": "taffydb", "severity": "high", "isDirect": false, "via": [ { "source": 1089386, "name": "taffydb", "dependency": "taffydb", "title": "TaffyDB can allow access to any data items in the DB", "url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6", "severity": "high", "cwe": [ "CWE-20", "CWE-668" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=2.7.3" } ], "effects": [ "jsdoc" ], "range": "*", "nodes": [ "node_modules/taffydb" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "tar": { "name": "tar", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096915, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<6.2.1" } ], "effects": [], "range": "<6.2.1", "nodes": [ "node_modules/tar" ], "fixAvailable": true }, "terser": { "name": "terser", "severity": "high", "isDirect": false, "via": [ { "source": 1091691, "name": "terser", "dependency": "terser", "title": "Terser insecure use of regular expressions leads to ReDoS", "url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.8.1" } ], "effects": [], "range": "<4.8.1", "nodes": [ "node_modules/terser" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096643, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "jsdom", "request", "request-promise-native" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": { "name": "jsdom", "version": "24.0.0", "isSemVerMajor": true } }, "watchpack": { "name": "watchpack", "severity": "high", "isDirect": false, "via": [ "watchpack-chokidar2" ], "effects": [], "range": "1.7.2 - 1.7.5", "nodes": [ "node_modules/watchpack" ], "fixAvailable": true }, "watchpack-chokidar2": { "name": "watchpack-chokidar2", "severity": "high", "isDirect": false, "via": [ "chokidar" ], "effects": [ "watchpack" ], "range": "*", "nodes": [ "node_modules/watchpack-chokidar2" ], "fixAvailable": true }, "webpack-cli": { "name": "webpack-cli", "severity": "high", "isDirect": true, "via": [ "loader-utils" ], "effects": [], "range": "3.3.5 - 3.3.11", "nodes": [ "node_modules/webpack-cli" ], "fixAvailable": { "name": "webpack-cli", "version": "3.3.12", "isSemVerMajor": false } }, "webpack-dev-middleware": { "name": "webpack-dev-middleware", "severity": "high", "isDirect": false, "via": [ { "source": 1096729, "name": "webpack-dev-middleware", "dependency": "webpack-dev-middleware", "title": "Path traversal in webpack-dev-middleware", "url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, "range": "<=5.3.3" } ], "effects": [ "@storybook/core-server" ], "range": "<=5.3.3", "nodes": [ "node_modules/webpack-dev-middleware" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "word-wrap": { "name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [ { "source": 1095091, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<1.2.4" } ], "effects": [], "range": "<1.2.4", "nodes": [ "node_modules/word-wrap" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 0, "moderate": 35, "high": 33, "critical": 8, "total": 76 }, "dependencies": { "prod": 1, "dev": 2059, "optional": 31, "peer": 0, "peerOptional": 0, "total": 2059 } } } --- end --- $ /usr/bin/composer install --- stderr --- No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information. Loading composer repositories with package information Updating dependencies Lock file operations: 36 installs, 0 updates, 0 removals - Locking composer/pcre (1.0.1) - Locking composer/semver (3.4.0) - Locking composer/spdx-licenses (1.5.8) - Locking composer/xdebug-handler (2.0.5) - Locking doctrine/deprecations (1.1.3) - Locking felixfbecker/advanced-json-rpc (v3.2.1) - Locking mediawiki/mediawiki-codesniffer (v38.0.0) - Locking mediawiki/mediawiki-phan-config (0.11.1) - Locking mediawiki/minus-x (1.1.1) - Locking mediawiki/phan-taint-check-plugin (3.3.2) - Locking microsoft/tolerant-php-parser (v0.1.2) - Locking netresearch/jsonmapper (v4.4.1) - Locking phan/phan (5.2.0) - Locking php-parallel-lint/php-console-color (v0.3) - Locking php-parallel-lint/php-console-highlighter (v0.5) - Locking php-parallel-lint/php-parallel-lint (v1.3.1) - Locking phpdocumentor/reflection-common (2.2.0) - Locking phpdocumentor/reflection-docblock (5.4.0) - Locking phpdocumentor/type-resolver (1.8.2) - Locking phpstan/phpdoc-parser (1.28.0) - Locking psr/container (2.0.2) - Locking psr/log (2.0.0) - Locking sabre/event (5.1.4) - Locking squizlabs/php_codesniffer (3.6.1) - Locking symfony/console (v5.4.36) - Locking symfony/deprecation-contracts (v3.4.0) - Locking symfony/polyfill-ctype (v1.29.0) - Locking symfony/polyfill-intl-grapheme (v1.29.0) - Locking symfony/polyfill-intl-normalizer (v1.29.0) - Locking symfony/polyfill-mbstring (v1.29.0) - Locking symfony/polyfill-php73 (v1.29.0) - Locking symfony/polyfill-php80 (v1.29.0) - Locking symfony/service-contracts (v3.4.2) - Locking symfony/string (v6.4.4) - Locking tysonandre/var_representation_polyfill (0.1.3) - Locking webmozart/assert (1.11.0) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 36 installs, 0 updates, 0 removals 0 [>---------------------------] 0 [->--------------------------] - Installing composer/pcre (1.0.1): Extracting archive - Installing squizlabs/php_codesniffer (3.6.1): Extracting archive - Installing symfony/polyfill-mbstring (v1.29.0): Extracting archive - Installing composer/spdx-licenses (1.5.8): Extracting archive - Installing composer/semver (3.4.0): Extracting archive - Installing mediawiki/mediawiki-codesniffer (v38.0.0): Extracting archive - Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive - Installing symfony/polyfill-php80 (v1.29.0): Extracting archive - Installing symfony/polyfill-intl-normalizer (v1.29.0): Extracting archive - Installing symfony/polyfill-intl-grapheme (v1.29.0): Extracting archive - Installing symfony/polyfill-ctype (v1.29.0): Extracting archive - Installing symfony/string (v6.4.4): Extracting archive - Installing psr/container (2.0.2): Extracting archive - Installing symfony/service-contracts (v3.4.2): Extracting archive - Installing symfony/polyfill-php73 (v1.29.0): Extracting archive - Installing symfony/deprecation-contracts (v3.4.0): Extracting archive - Installing symfony/console (v5.4.36): Extracting archive - Installing sabre/event (5.1.4): Extracting archive - Installing netresearch/jsonmapper (v4.4.1): Extracting archive - Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive - Installing webmozart/assert (1.11.0): Extracting archive - Installing phpstan/phpdoc-parser (1.28.0): Extracting archive - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive - Installing doctrine/deprecations (1.1.3): Extracting archive - Installing phpdocumentor/type-resolver (1.8.2): Extracting archive - Installing phpdocumentor/reflection-docblock (5.4.0): Extracting archive - Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive - Installing psr/log (2.0.0): Extracting archive - Installing composer/xdebug-handler (2.0.5): Extracting archive - Installing phan/phan (5.2.0): Extracting archive - Installing mediawiki/phan-taint-check-plugin (3.3.2): Extracting archive - Installing mediawiki/mediawiki-phan-config (0.11.1): Extracting archive - Installing mediawiki/minus-x (1.1.1): Extracting archive - Installing php-parallel-lint/php-console-color (v0.3): Extracting archive - Installing php-parallel-lint/php-console-highlighter (v0.5): Extracting archive - Installing php-parallel-lint/php-parallel-lint (v1.3.1): Extracting archive 0/36 [>---------------------------] 0% 19/36 [==============>-------------] 52% 31/36 [========================>---] 86% 36/36 [============================] 100% 3 package suggestions were added by new dependencies, use `composer suggest` to see details. Generating autoload files 15 packages you are using are looking for funding. Use the `composer fund` command to find out more! --- stdout --- --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "@storybook/builder-webpack4": { "name": "@storybook/builder-webpack4", "severity": "high", "isDirect": false, "via": [ "@storybook/core-common", "autoprefixer", "css-loader", "postcss", "postcss-flexbugs-fixes", "react-dev-utils", "webpack-dev-middleware" ], "effects": [ "@storybook/core-server" ], "range": "*", "nodes": [ "node_modules/@storybook/builder-webpack4" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@storybook/core": { "name": "@storybook/core", "severity": "high", "isDirect": false, "via": [ "@storybook/core-server" ], "effects": [ "@storybook/html" ], "range": "6.2.0-alpha.0 - 6.3.0-rc.12", "nodes": [ "node_modules/@storybook/core" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@storybook/core-common": { "name": "@storybook/core-common", "severity": "high", "isDirect": false, "via": [ "glob-base" ], "effects": [ "@storybook/builder-webpack4", "@storybook/core-server", "@storybook/html" ], "range": "<=6.4.0-rc.11", "nodes": [ "node_modules/@storybook/core-common" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@storybook/core-server": { "name": "@storybook/core-server", "severity": "high", "isDirect": false, "via": [ "@storybook/builder-webpack4", "@storybook/core-common", "cpy", "css-loader", "webpack-dev-middleware" ], "effects": [ "@storybook/core" ], "range": "<=7.0.0-rc.11", "nodes": [ "node_modules/@storybook/core-server" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@storybook/html": { "name": "@storybook/html", "severity": "high", "isDirect": true, "via": [ "@storybook/core", "@storybook/core-common" ], "effects": [], "range": "6.2.0-alpha.0 - 6.4.0-rc.11", "nodes": [ "node_modules/@storybook/html" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "@wikimedia/mw-node-qunit": { "name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": [ "jsdom" ], "effects": [], "range": "<=6.2.1", "nodes": [ "node_modules/@wikimedia/mw-node-qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "ansi-regex": { "name": "ansi-regex", "severity": "high", "isDirect": false, "via": [ { "source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.1.1" } ], "effects": [], "range": "4.0.0 - 4.1.0", "nodes": [ "node_modules/@wikimedia/mw-node-qunit/node_modules/ansi-regex", "node_modules/webpack-cli/node_modules/ansi-regex" ], "fixAvailable": true }, "autoprefixer": { "name": "autoprefixer", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "1.0.20131222 - 9.8.8", "nodes": [ "node_modules/autoprefixer" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "axios": { "name": "axios", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096525, "name": "axios", "dependency": "axios", "title": "Axios Cross-Site Request Forgery Vulnerability", "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", "severity": "moderate", "cwe": [ "CWE-352" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, "range": ">=0.8.1 <0.28.0" } ], "effects": [ "bundlesize", "github-build" ], "range": "0.8.1 - 0.27.2", "nodes": [ "node_modules/axios", "node_modules/github-build/node_modules/axios" ], "fixAvailable": { "name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false } }, "body-parser": { "name": "body-parser", "severity": "high", "isDirect": false, "via": [ "qs" ], "effects": [], "range": "1.19.0", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "browserify-sign": { "name": "browserify-sign", "severity": "high", "isDirect": false, "via": [ { "source": 1096644, "name": "browserify-sign", "dependency": "browserify-sign", "title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack", "url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": ">=2.6.0 <=4.2.1" } ], "effects": [], "range": "2.6.0 - 4.2.1", "nodes": [ "node_modules/browserify-sign" ], "fixAvailable": true }, "browserslist": { "name": "browserslist", "severity": "moderate", "isDirect": false, "via": [ { "source": 1093035, "name": "browserslist", "dependency": "browserslist", "title": "Regular Expression Denial of Service in browserslist", "url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=4.0.0 <4.16.5" } ], "effects": [ "react-dev-utils" ], "range": "4.0.0 - 4.16.4", "nodes": [ "node_modules/react-dev-utils/node_modules/browserslist" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "bundlesize": { "name": "bundlesize", "severity": "moderate", "isDirect": true, "via": [ "axios" ], "effects": [], "range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1", "nodes": [ "node_modules/bundlesize" ], "fixAvailable": { "name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false } }, "chokidar": { "name": "chokidar", "severity": "high", "isDirect": false, "via": [ "glob-parent" ], "effects": [ "watchpack-chokidar2" ], "range": "1.0.0-rc1 - 2.1.8", "nodes": [ "node_modules/watchpack-chokidar2/node_modules/chokidar" ], "fixAvailable": true }, "core-js-compat": { "name": "core-js-compat", "severity": "moderate", "isDirect": false, "via": [ "semver" ], "effects": [], "range": "3.6.0 - 3.25.0", "nodes": [ "node_modules/core-js-compat" ], "fixAvailable": true }, "cpy": { "name": "cpy", "severity": "high", "isDirect": false, "via": [ "globby" ], "effects": [ "@storybook/core-server" ], "range": "7.0.0 - 8.1.2", "nodes": [ "node_modules/cpy" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "css-loader": { "name": "css-loader", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values" ], "effects": [], "range": "0.15.0 - 4.3.0", "nodes": [ "node_modules/css-loader" ], "fixAvailable": true }, "decode-uri-component": { "name": "decode-uri-component", "severity": "high", "isDirect": false, "via": [ { "source": 1094087, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "high", "cwe": [ "CWE-20" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "eslint-config-wikimedia": { "name": "eslint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": [ "eslint-plugin-compat" ], "effects": [], "range": "0.18.0 - 0.21.0", "nodes": [ "node_modules/eslint-config-wikimedia" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.27.0", "isSemVerMajor": true } }, "eslint-plugin-compat": { "name": "eslint-plugin-compat", "severity": "moderate", "isDirect": false, "via": [ "semver" ], "effects": [ "eslint-config-wikimedia" ], "range": "3.6.0-0 - 4.1.4", "nodes": [ "node_modules/eslint-plugin-compat" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.27.0", "isSemVerMajor": true } }, "express": { "name": "express", "severity": "high", "isDirect": false, "via": [ { "source": 1096820, "name": "express", "dependency": "express", "title": "Express.js Open Redirect in malformed URLs", "url": "https://github.com/advisories/GHSA-rv95-896h-c2vc", "severity": "moderate", "cwe": [ "CWE-601", "CWE-1286" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.19.2" }, "body-parser", "qs" ], "effects": [], "range": "<=4.19.1 || 5.0.0-alpha.1 - 5.0.0-alpha.8", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "fast-glob": { "name": "fast-glob", "severity": "high", "isDirect": false, "via": [ "glob-parent" ], "effects": [ "globby" ], "range": "<=2.2.7", "nodes": [ "node_modules/fast-glob" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "follow-redirects": { "name": "follow-redirects", "severity": "high", "isDirect": false, "via": [ { "source": 1092623, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", "severity": "moderate", "cwe": [ "CWE-200", "CWE-212" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<1.14.8" }, { "source": 1095014, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of sensitive information in follow-redirects", "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q", "severity": "high", "cwe": [ "CWE-359" ], "cvss": { "score": 8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, "range": "<1.14.7" }, { "source": 1096353, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Follow Redirects improperly handles URLs in the url.parse() function", "url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc", "severity": "moderate", "cwe": [ "CWE-20", "CWE-601" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<1.15.4" }, { "source": 1096856, "name": "follow-redirects", "dependency": "follow-redirects", "title": "follow-redirects' Proxy-Authorization header kept across hosts", "url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=1.15.5" } ], "effects": [], "range": "<=1.15.5", "nodes": [ "node_modules/follow-redirects" ], "fixAvailable": true }, "github-build": { "name": "github-build", "severity": "moderate", "isDirect": false, "via": [ "axios" ], "effects": [], "range": "<=1.2.3", "nodes": [ "node_modules/github-build" ], "fixAvailable": true }, "glob-base": { "name": "glob-base", "severity": "high", "isDirect": false, "via": [ "glob-parent" ], "effects": [ "@storybook/core-common" ], "range": "*", "nodes": [ "node_modules/glob-base" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "glob-parent": { "name": "glob-parent", "severity": "high", "isDirect": false, "via": [ { "source": 1095007, "name": "glob-parent", "dependency": "glob-parent", "title": "glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex", "url": "https://github.com/advisories/GHSA-ww39-953v-wcq6", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<5.1.2" } ], "effects": [ "chokidar", "fast-glob", "glob-base" ], "range": "<5.1.2", "nodes": [ "node_modules/fast-glob/node_modules/glob-parent", "node_modules/glob-base/node_modules/glob-parent", "node_modules/watchpack-chokidar2/node_modules/glob-parent" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "globby": { "name": "globby", "severity": "high", "isDirect": false, "via": [ "fast-glob" ], "effects": [ "cpy" ], "range": "8.0.0 - 9.2.0", "nodes": [ "node_modules/globby" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "icss-utils": { "name": "icss-utils", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "css-loader", "postcss-modules-local-by-default", "postcss-modules-values" ], "range": "<=4.1.1", "nodes": [ "node_modules/icss-utils" ], "fixAvailable": true }, "immer": { "name": "immer", "severity": "critical", "isDirect": false, "via": [ { "source": 1089281, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx", "severity": "high", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<9.0.6" }, { "source": 1093726, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-33f9-j839-rf8h", "severity": "critical", "cwe": [ "CWE-843", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<9.0.6" } ], "effects": [ "react-dev-utils" ], "range": "<=9.0.5", "nodes": [ "node_modules/immer" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "ip": { "name": "ip", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096570, "name": "ip", "dependency": "ip", "title": "NPM IP package incorrectly identifies some private IP addresses as public", "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<1.1.9" } ], "effects": [], "range": "<1.1.9", "nodes": [ "node_modules/ip" ], "fixAvailable": true }, "jsdoc": { "name": "jsdoc", "severity": "high", "isDirect": true, "via": [ "markdown-it", "marked", "taffydb" ], "effects": [], "range": "3.2.0-dev - 3.6.11", "nodes": [ "node_modules/jsdoc" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "jsdom": { "name": "jsdom", "severity": "moderate", "isDirect": true, "via": [ { "source": 1089185, "name": "jsdom", "dependency": "jsdom", "title": "Insufficient Granularity of Access Control in JSDom", "url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98", "severity": "moderate", "cwe": [ "CWE-1220" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<=16.4.0" }, "request", "tough-cookie" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "<=16.5.3", "nodes": [ "node_modules/jsdom" ], "fixAvailable": { "name": "jsdom", "version": "24.0.0", "isSemVerMajor": true } }, "json-schema": { "name": "json-schema", "severity": "critical", "isDirect": false, "via": [ { "source": 1095057, "name": "json-schema", "dependency": "json-schema", "title": "json-schema is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", "severity": "critical", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.4.0" } ], "effects": [ "jsprim" ], "range": "<0.4.0", "nodes": [ "node_modules/json-schema" ], "fixAvailable": true }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" }, { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": [ "node_modules/json5", "node_modules/loader-utils/node_modules/json5", "node_modules/webpack-cli/node_modules/json5" ], "fixAvailable": true }, "jsprim": { "name": "jsprim", "severity": "critical", "isDirect": false, "via": [ "json-schema" ], "effects": [], "range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1", "nodes": [ "node_modules/jsprim" ], "fixAvailable": true }, "less": { "name": "less", "severity": "moderate", "isDirect": true, "via": [ "request" ], "effects": [], "range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3", "nodes": [ "node_modules/less" ], "fixAvailable": { "name": "less", "version": "3.13.1", "isSemVerMajor": false } }, "loader-utils": { "name": "loader-utils", "severity": "critical", "isDirect": false, "via": [ { "source": 1094083, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1094084, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" }, { "source": 1094088, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<1.4.1" }, { "source": 1094089, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=2.0.0 <2.0.3" }, { "source": 1095054, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1095055, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" } ], "effects": [ "react-dev-utils", "webpack-cli" ], "range": "<=1.4.1 || 2.0.0 - 2.0.3", "nodes": [ "node_modules/file-loader/node_modules/loader-utils", "node_modules/html-loader/node_modules/loader-utils", "node_modules/loader-utils", "node_modules/postcss-loader/node_modules/loader-utils", "node_modules/raw-loader/node_modules/loader-utils", "node_modules/react-dev-utils/node_modules/loader-utils", "node_modules/style-loader/node_modules/loader-utils", "node_modules/url-loader/node_modules/loader-utils", "node_modules/webpack-cli/node_modules/loader-utils" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "markdown-it": { "name": "markdown-it", "severity": "moderate", "isDirect": false, "via": [ { "source": 1092663, "name": "markdown-it", "dependency": "markdown-it", "title": "Uncontrolled Resource Consumption in markdown-it", "url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<12.3.2" } ], "effects": [ "jsdoc" ], "range": "<12.3.2", "nodes": [ "node_modules/markdown-it" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "marked": { "name": "marked", "severity": "high", "isDirect": false, "via": [ { "source": 1095051, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" }, { "source": 1095052, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" } ], "effects": [ "jsdoc" ], "range": "<=4.0.9", "nodes": [ "node_modules/marked" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "recursive-readdir" ], "range": "<3.0.5", "nodes": [ "node_modules/minimatch" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1096549, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/doiuse/node_modules/nanoid", "node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid" ], "fixAvailable": true }, "node-fetch": { "name": "node-fetch", "severity": "high", "isDirect": false, "via": [ { "source": 1095073, "name": "node-fetch", "dependency": "node-fetch", "title": "node-fetch forwards secure headers to untrusted sites", "url": "https://github.com/advisories/GHSA-r683-j2x4-v87g", "severity": "high", "cwe": [ "CWE-173", "CWE-200", "CWE-601" ], "cvss": { "score": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, "range": "<2.6.7" } ], "effects": [], "range": "<2.6.7", "nodes": [ "node_modules/node-fetch" ], "fixAvailable": true }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094544, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j", "severity": "moderate", "cwe": [ "CWE-74", "CWE-144" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<8.4.31" } ], "effects": [ "@storybook/builder-webpack4", "autoprefixer", "css-loader", "icss-utils", "postcss-flexbugs-fixes", "postcss-less", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values", "postcss-safe-parser", "postcss-sass", "postcss-scss", "stylelint", "sugarss" ], "range": "<8.4.31", "nodes": [ "node_modules/doiuse/node_modules/postcss", "node_modules/postcss", "node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "postcss-flexbugs-fixes": { "name": "postcss-flexbugs-fixes", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=4.2.1", "nodes": [ "node_modules/postcss-flexbugs-fixes" ], "fixAvailable": true }, "postcss-less": { "name": "postcss-less", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=3.1.4", "nodes": [ "node_modules/postcss-less" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "postcss-modules-extract-imports": { "name": "postcss-modules-extract-imports", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/postcss-modules-extract-imports" ], "fixAvailable": true }, "postcss-modules-local-by-default": { "name": "postcss-modules-local-by-default", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss" ], "effects": [], "range": "<=4.0.0-rc.4", "nodes": [ "node_modules/postcss-modules-local-by-default" ], "fixAvailable": true }, "postcss-modules-scope": { "name": "postcss-modules-scope", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.2.0", "nodes": [ "node_modules/postcss-modules-scope" ], "fixAvailable": true }, "postcss-modules-values": { "name": "postcss-modules-values", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss" ], "effects": [ "css-loader" ], "range": "<=4.0.0-rc.5", "nodes": [ "node_modules/postcss-modules-values" ], "fixAvailable": true }, "postcss-safe-parser": { "name": "postcss-safe-parser", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=4.0.2", "nodes": [ "node_modules/postcss-safe-parser" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "postcss-sass": { "name": "postcss-sass", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=0.4.4", "nodes": [ "node_modules/postcss-sass" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "postcss-scss": { "name": "postcss-scss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=2.1.1", "nodes": [ "node_modules/postcss-scss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "prismjs": { "name": "prismjs", "severity": "high", "isDirect": false, "via": [ { "source": 1090424, "name": "prismjs", "dependency": "prismjs", "title": "Cross-site Scripting in Prism", "url": "https://github.com/advisories/GHSA-3949-f494-cm99", "severity": "high", "cwe": [ "CWE-79" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L" }, "range": ">=1.14.0 <1.27.0" } ], "effects": [ "refractor" ], "range": "1.14.0 - 1.26.0", "nodes": [ "node_modules/prismjs" ], "fixAvailable": true }, "qs": { "name": "qs", "severity": "high", "isDirect": false, "via": [ { "source": 1096470, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.5.0 <6.5.3" }, { "source": 1096472, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.7.0 <6.7.3" }, { "source": 1096475, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.10.0 <6.10.3" } ], "effects": [ "body-parser", "express" ], "range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2", "nodes": [ "node_modules/body-parser/node_modules/qs", "node_modules/express/node_modules/qs", "node_modules/qs", "node_modules/request/node_modules/qs" ], "fixAvailable": true }, "react-dev-utils": { "name": "react-dev-utils", "severity": "critical", "isDirect": false, "via": [ "browserslist", "immer", "loader-utils", "recursive-readdir", "shell-quote" ], "effects": [ "@storybook/builder-webpack4" ], "range": "0.5.2 - 12.0.0-next.60", "nodes": [ "node_modules/react-dev-utils" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "recursive-readdir": { "name": "recursive-readdir", "severity": "high", "isDirect": false, "via": [ "minimatch" ], "effects": [ "react-dev-utils" ], "range": "1.2.0 - 2.2.2", "nodes": [ "node_modules/recursive-readdir" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "refractor": { "name": "refractor", "severity": "high", "isDirect": false, "via": [ "prismjs" ], "effects": [], "range": "2.4.0 - 3.5.0 || 4.0.0 - 4.4.0", "nodes": [ "node_modules/refractor" ], "fixAvailable": true }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "jsdom", "less" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": { "name": "jsdom", "version": "24.0.0", "isSemVerMajor": true } }, "request-promise-native": { "name": "request-promise-native", "severity": "moderate", "isDirect": false, "via": [ "tough-cookie" ], "effects": [], "range": ">=1.0.6", "nodes": [ "node_modules/request-promise-native" ], "fixAvailable": true }, "semver": { "name": "semver", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096482, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=7.0.0 <7.5.2" }, { "source": 1096483, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<5.7.2" }, { "source": 1096484, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [ "core-js-compat", "eslint-plugin-compat" ], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": [ "node_modules/@babel/helper-compilation-targets/node_modules/semver", "node_modules/@npmcli/fs/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/core/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/helper-define-polyfill-provider/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/preset-env/node_modules/semver", "node_modules/@storybook/core-common/node_modules/@babel/register/node_modules/semver", "node_modules/@storybook/core-common/node_modules/find-cache-dir/node_modules/semver", "node_modules/@storybook/core-common/node_modules/semver", "node_modules/@storybook/core-server/node_modules/semver", "node_modules/@stylelint/postcss-css-in-js/node_modules/semver", "node_modules/@wikimedia/mw-node-qunit/node_modules/semver", "node_modules/babel-plugin-polyfill-corejs2/node_modules/semver", "node_modules/babel-plugin-polyfill-corejs3/node_modules/semver", "node_modules/babel-plugin-polyfill-regenerator/node_modules/semver", "node_modules/core-js-compat/node_modules/semver", "node_modules/css-loader/node_modules/semver", "node_modules/eslint-plugin-compat/node_modules/semver", "node_modules/eslint-plugin-jsdoc/node_modules/semver", "node_modules/eslint-plugin-mediawiki/node_modules/semver", "node_modules/eslint-plugin-node/node_modules/semver", "node_modules/eslint-plugin-unicorn/node_modules/semver", "node_modules/eslint-plugin-vue/node_modules/semver", "node_modules/eslint-template-visitor/node_modules/semver", "node_modules/eslint/node_modules/semver", "node_modules/fork-ts-checker-webpack-plugin/node_modules/semver", "node_modules/istanbul-lib-instrument/node_modules/semver", "node_modules/make-dir/node_modules/semver", "node_modules/meow/node_modules/semver", "node_modules/nyc/node_modules/semver", "node_modules/postcss-loader/node_modules/semver", "node_modules/semver", "node_modules/vue-eslint-parser/node_modules/semver" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.27.0", "isSemVerMajor": true } }, "shell-quote": { "name": "shell-quote", "severity": "critical", "isDirect": false, "via": [ { "source": 1096375, "name": "shell-quote", "dependency": "shell-quote", "title": "Improper Neutralization of Special Elements used in a Command in Shell-quote", "url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7", "severity": "critical", "cwe": [ "CWE-77" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=1.7.2" } ], "effects": [ "react-dev-utils" ], "range": "<=1.7.2", "nodes": [ "node_modules/shell-quote" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "simple-get": { "name": "simple-get", "severity": "high", "isDirect": false, "via": [ { "source": 1090445, "name": "simple-get", "dependency": "simple-get", "title": "Exposure of Sensitive Information in simple-get", "url": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.1" } ], "effects": [], "range": "3.0.0 - 3.1.0", "nodes": [ "node_modules/simple-get" ], "fixAvailable": true }, "stylelint": { "name": "stylelint", "severity": "moderate", "isDirect": false, "via": [ "autoprefixer", "postcss", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "sugarss" ], "effects": [ "stylelint-config-wikimedia" ], "range": "0.1.0 - 13.13.1", "nodes": [ "node_modules/stylelint" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "stylelint-config-wikimedia": { "name": "stylelint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": [ "stylelint" ], "effects": [], "range": "<=0.11.1", "nodes": [ "node_modules/stylelint-config-wikimedia" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.16.1", "isSemVerMajor": true } }, "sugarss": { "name": "sugarss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/sugarss" ], "fixAvailable": true }, "taffydb": { "name": "taffydb", "severity": "high", "isDirect": false, "via": [ { "source": 1089386, "name": "taffydb", "dependency": "taffydb", "title": "TaffyDB can allow access to any data items in the DB", "url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6", "severity": "high", "cwe": [ "CWE-20", "CWE-668" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=2.7.3" } ], "effects": [ "jsdoc" ], "range": "*", "nodes": [ "node_modules/taffydb" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "tar": { "name": "tar", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096915, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<6.2.1" } ], "effects": [], "range": "<6.2.1", "nodes": [ "node_modules/tar" ], "fixAvailable": true }, "terser": { "name": "terser", "severity": "high", "isDirect": false, "via": [ { "source": 1091691, "name": "terser", "dependency": "terser", "title": "Terser insecure use of regular expressions leads to ReDoS", "url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.8.1" } ], "effects": [], "range": "<4.8.1", "nodes": [ "node_modules/terser" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096643, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "jsdom", "request", "request-promise-native" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": { "name": "jsdom", "version": "24.0.0", "isSemVerMajor": true } }, "watchpack": { "name": "watchpack", "severity": "high", "isDirect": false, "via": [ "watchpack-chokidar2" ], "effects": [], "range": "1.7.2 - 1.7.5", "nodes": [ "node_modules/watchpack" ], "fixAvailable": true }, "watchpack-chokidar2": { "name": "watchpack-chokidar2", "severity": "high", "isDirect": false, "via": [ "chokidar" ], "effects": [ "watchpack" ], "range": "*", "nodes": [ "node_modules/watchpack-chokidar2" ], "fixAvailable": true }, "webpack-cli": { "name": "webpack-cli", "severity": "high", "isDirect": true, "via": [ "loader-utils" ], "effects": [], "range": "3.3.5 - 3.3.11", "nodes": [ "node_modules/webpack-cli" ], "fixAvailable": { "name": "webpack-cli", "version": "3.3.12", "isSemVerMajor": false } }, "webpack-dev-middleware": { "name": "webpack-dev-middleware", "severity": "high", "isDirect": false, "via": [ { "source": 1096729, "name": "webpack-dev-middleware", "dependency": "webpack-dev-middleware", "title": "Path traversal in webpack-dev-middleware", "url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, "range": "<=5.3.3" } ], "effects": [ "@storybook/core-server" ], "range": "<=5.3.3", "nodes": [ "node_modules/webpack-dev-middleware" ], "fixAvailable": { "name": "@storybook/html", "version": "6.5.16", "isSemVerMajor": false } }, "word-wrap": { "name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [ { "source": 1095091, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<1.2.4" } ], "effects": [], "range": "<1.2.4", "nodes": [ "node_modules/word-wrap" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 0, "moderate": 35, "high": 33, "critical": 8, "total": 76 }, "dependencies": { "prod": 1, "dev": 2059, "optional": 31, "peer": 0, "peerOptional": 0, "total": 2059 } } } --- end --- Attempting to npm audit fix Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1541, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1485, in run self.npm_audit_fix(new_npm_audit) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 181, in npm_audit_fix prior_lock = PackageLockJson() ^^^^^^^^^^^^^^^^^ File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/files.py", line 78, in __init__ raise RuntimeError("lockfileVersion 1 is no longer supported") RuntimeError: lockfileVersion 1 is no longer supported