wikipeg: main (log #1328445)


This run took 33 seconds.

From 0969ff34d47ce415c837e3deb81bcf552a33a485 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Wed, 15 May 2024 05:40:48 +0000
Subject: [PATCH] build: Updating mediawiki/minus-x to 1.1.3

Change-Id: I32f92357b22347374ee3f7d4eb27faaa1336ec53
---
 composer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/composer.json b/composer.json
index 5953e74..d179e3c 100644
--- a/composer.json
+++ b/composer.json
@@ -20,7 +20,7 @@
 	"require-dev": {
 		"mediawiki/mediawiki-codesniffer": "43.0.0",
 		"mediawiki/mediawiki-phan-config": "0.14.0",
-		"mediawiki/minus-x": "1.1.1",
+		"mediawiki/minus-x": "1.1.3",
 		"ockcyp/covers-validator": "1.6.0",
 		"php-parallel-lint/php-console-highlighter": "1.0.0",
 		"php-parallel-lint/php-parallel-lint": "1.4.0",
-- 
2.39.2

$ date
--- stdout ---
Wed May 15 05:40:24 UTC 2024

--- end ---
$ git clone file:///srv/git/wikipeg.git repo --depth=1 -b master
--- stderr ---
Cloning into 'repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/master
--- stdout ---
bd1028d3524b8585fa4f127eaf32a06dd2e3d556 refs/heads/master

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "jasmine-node": {
      "name": "jasmine-node",
      "severity": "critical",
      "isDirect": true,
      "via": [
        "underscore"
      ],
      "effects": [],
      "range": ">=1.16.1",
      "nodes": [
        "node_modules/jasmine-node"
      ],
      "fixAvailable": {
        "name": "jasmine-node",
        "version": "1.16.0",
        "isSemVerMajor": true
      }
    },
    "underscore": {
      "name": "underscore",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1095097,
          "name": "underscore",
          "dependency": "underscore",
          "title": "Arbitrary Code Execution in underscore",
          "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
          "severity": "critical",
          "cwe": [
            "CWE-94"
          ],
          "cvss": {
            "score": 9.8,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": ">=1.3.2 <1.12.1"
        }
      ],
      "effects": [
        "jasmine-node"
      ],
      "range": "1.3.2 - 1.12.0",
      "nodes": [
        "node_modules/underscore"
      ],
      "fixAvailable": {
        "name": "jasmine-node",
        "version": "1.16.0",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 0,
      "critical": 2,
      "total": 2
    },
    "dependencies": {
      "prod": 1,
      "dev": 112,
      "optional": 0,
      "peer": 0,
      "peerOptional": 0,
      "total": 112
    }
  }
}

--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 69 installs, 0 updates, 0 removals
  - Locking composer/pcre (3.1.3)
  - Locking composer/semver (3.4.0)
  - Locking composer/spdx-licenses (1.5.8)
  - Locking composer/xdebug-handler (3.0.5)
  - Locking dealerdirect/phpcodesniffer-composer-installer (v1.0.0)
  - Locking doctrine/deprecations (1.1.3)
  - Locking doctrine/instantiator (2.0.0)
  - Locking felixfbecker/advanced-json-rpc (v3.2.1)
  - Locking mediawiki/mediawiki-codesniffer (v43.0.0)
  - Locking mediawiki/mediawiki-phan-config (0.14.0)
  - Locking mediawiki/minus-x (1.1.1)
  - Locking mediawiki/phan-taint-check-plugin (6.0.0)
  - Locking microsoft/tolerant-php-parser (v0.1.2)
  - Locking myclabs/deep-copy (1.11.1)
  - Locking netresearch/jsonmapper (v4.4.1)
  - Locking nikic/php-parser (v5.0.2)
  - Locking ockcyp/covers-validator (v1.6.0)
  - Locking phan/phan (5.4.3)
  - Locking phar-io/manifest (2.0.4)
  - Locking phar-io/version (3.2.1)
  - Locking php-parallel-lint/php-console-color (v1.0.1)
  - Locking php-parallel-lint/php-console-highlighter (v1.0.0)
  - Locking php-parallel-lint/php-parallel-lint (v1.4.0)
  - Locking phpcsstandards/phpcsextra (1.1.2)
  - Locking phpcsstandards/phpcsutils (1.0.9)
  - Locking phpdocumentor/reflection-common (2.2.0)
  - Locking phpdocumentor/reflection-docblock (5.4.0)
  - Locking phpdocumentor/type-resolver (1.8.2)
  - Locking phpstan/phpdoc-parser (1.29.0)
  - Locking phpunit/php-code-coverage (9.2.31)
  - Locking phpunit/php-file-iterator (3.0.6)
  - Locking phpunit/php-invoker (3.1.1)
  - Locking phpunit/php-text-template (2.0.4)
  - Locking phpunit/php-timer (5.0.3)
  - Locking phpunit/phpunit (9.6.16)
  - Locking psr/container (2.0.2)
  - Locking psr/log (2.0.0)
  - Locking sabre/event (5.1.4)
  - Locking sebastian/cli-parser (1.0.2)
  - Locking sebastian/code-unit (1.0.8)
  - Locking sebastian/code-unit-reverse-lookup (2.0.3)
  - Locking sebastian/comparator (4.0.8)
  - Locking sebastian/complexity (2.0.3)
  - Locking sebastian/diff (4.0.6)
  - Locking sebastian/environment (5.1.5)
  - Locking sebastian/exporter (4.0.6)
  - Locking sebastian/global-state (5.0.7)
  - Locking sebastian/lines-of-code (1.0.4)
  - Locking sebastian/object-enumerator (4.0.4)
  - Locking sebastian/object-reflector (2.0.4)
  - Locking sebastian/recursion-context (4.0.5)
  - Locking sebastian/resource-operations (3.0.4)
  - Locking sebastian/type (3.2.1)
  - Locking sebastian/version (3.0.2)
  - Locking squizlabs/php_codesniffer (3.8.1)
  - Locking symfony/console (v5.4.39)
  - Locking symfony/deprecation-contracts (v3.5.0)
  - Locking symfony/polyfill-ctype (v1.29.0)
  - Locking symfony/polyfill-intl-grapheme (v1.29.0)
  - Locking symfony/polyfill-intl-normalizer (v1.29.0)
  - Locking symfony/polyfill-mbstring (v1.29.0)
  - Locking symfony/polyfill-php73 (v1.29.0)
  - Locking symfony/polyfill-php80 (v1.29.0)
  - Locking symfony/service-contracts (v3.5.0)
  - Locking symfony/string (v6.4.7)
  - Locking theseer/tokenizer (1.2.3)
  - Locking tysonandre/var_representation_polyfill (0.1.3)
  - Locking webmozart/assert (1.11.0)
  - Locking wikimedia/update-history (1.0.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 69 installs, 0 updates, 0 removals
    0 [>---------------------------]    0 [->--------------------------]
  - Installing squizlabs/php_codesniffer (3.8.1): Extracting archive
  - Installing dealerdirect/phpcodesniffer-composer-installer (v1.0.0): Extracting archive
  - Installing composer/pcre (3.1.3): Extracting archive
  - Installing symfony/polyfill-php80 (v1.29.0): Extracting archive
  - Installing phpcsstandards/phpcsutils (1.0.9): Extracting archive
  - Installing phpcsstandards/phpcsextra (1.1.2): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.29.0): Extracting archive
  - Installing composer/spdx-licenses (1.5.8): Extracting archive
  - Installing composer/semver (3.4.0): Extracting archive
  - Installing mediawiki/mediawiki-codesniffer (v43.0.0): Extracting archive
  - Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive
  - Installing symfony/polyfill-intl-normalizer (v1.29.0): Extracting archive
  - Installing symfony/polyfill-intl-grapheme (v1.29.0): Extracting archive
  - Installing symfony/polyfill-ctype (v1.29.0): Extracting archive
  - Installing symfony/string (v6.4.7): Extracting archive
  - Installing symfony/deprecation-contracts (v3.5.0): Extracting archive
  - Installing psr/container (2.0.2): Extracting archive
  - Installing symfony/service-contracts (v3.5.0): Extracting archive
  - Installing symfony/polyfill-php73 (v1.29.0): Extracting archive
  - Installing symfony/console (v5.4.39): Extracting archive
  - Installing sabre/event (5.1.4): Extracting archive
  - Installing netresearch/jsonmapper (v4.4.1): Extracting archive
  - Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive
  - Installing webmozart/assert (1.11.0): Extracting archive
  - Installing phpstan/phpdoc-parser (1.29.0): Extracting archive
  - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
  - Installing doctrine/deprecations (1.1.3): Extracting archive
  - Installing phpdocumentor/type-resolver (1.8.2): Extracting archive
  - Installing phpdocumentor/reflection-docblock (5.4.0): Extracting archive
  - Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
  - Installing psr/log (2.0.0): Extracting archive
  - Installing composer/xdebug-handler (3.0.5): Extracting archive
  - Installing phan/phan (5.4.3): Extracting archive
  - Installing mediawiki/phan-taint-check-plugin (6.0.0): Extracting archive
  - Installing mediawiki/mediawiki-phan-config (0.14.0): Extracting archive
  - Installing mediawiki/minus-x (1.1.1): Extracting archive
  - Installing sebastian/version (3.0.2): Extracting archive
  - Installing sebastian/type (3.2.1): Extracting archive
  - Installing sebastian/resource-operations (3.0.4): Extracting archive
  - Installing sebastian/recursion-context (4.0.5): Extracting archive
  - Installing sebastian/object-reflector (2.0.4): Extracting archive
  - Installing sebastian/object-enumerator (4.0.4): Extracting archive
  - Installing sebastian/global-state (5.0.7): Extracting archive
  - Installing sebastian/exporter (4.0.6): Extracting archive
  - Installing sebastian/environment (5.1.5): Extracting archive
  - Installing sebastian/diff (4.0.6): Extracting archive
  - Installing sebastian/comparator (4.0.8): Extracting archive
  - Installing sebastian/code-unit (1.0.8): Extracting archive
  - Installing sebastian/cli-parser (1.0.2): Extracting archive
  - Installing phpunit/php-timer (5.0.3): Extracting archive
  - Installing phpunit/php-text-template (2.0.4): Extracting archive
  - Installing phpunit/php-invoker (3.1.1): Extracting archive
  - Installing phpunit/php-file-iterator (3.0.6): Extracting archive
  - Installing theseer/tokenizer (1.2.3): Extracting archive
  - Installing nikic/php-parser (v5.0.2): Extracting archive
  - Installing sebastian/lines-of-code (1.0.4): Extracting archive
  - Installing sebastian/complexity (2.0.3): Extracting archive
  - Installing sebastian/code-unit-reverse-lookup (2.0.3): Extracting archive
  - Installing phpunit/php-code-coverage (9.2.31): Extracting archive
  - Installing phar-io/version (3.2.1): Extracting archive
  - Installing phar-io/manifest (2.0.4): Extracting archive
  - Installing myclabs/deep-copy (1.11.1): Extracting archive
  - Installing doctrine/instantiator (2.0.0): Extracting archive
  - Installing phpunit/phpunit (9.6.16): Extracting archive
  - Installing ockcyp/covers-validator (v1.6.0): Extracting archive
  - Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
  - Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
  - Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
  - Installing wikimedia/update-history (1.0.1): Extracting archive
  0/67 [>---------------------------]   0%
 20/67 [========>-------------------]  29%
 32/67 [=============>--------------]  47%
 42/67 [=================>----------]  62%
 54/67 [======================>-----]  80%
 67/67 [============================] 100%
7 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
42 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils

--- end ---
Upgrading c:mediawiki/minus-x from 1.1.1 -> 1.1.3
$ /usr/bin/composer update
--- stderr ---
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 4 updates, 1 removal
  - Removing symfony/polyfill-php73 (v1.29.0)
  - Upgrading mediawiki/minus-x (1.1.1 => 1.1.3)
  - Upgrading psr/log (2.0.0 => 3.0.0)
  - Upgrading symfony/console (v5.4.39 => v6.4.7)
  - Upgrading symfony/string (v6.4.7 => v7.0.7)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 4 updates, 1 removal
    0 [>---------------------------]    0 [->--------------------------]
  - Removing symfony/polyfill-php73 (v1.29.0)
  - Upgrading symfony/string (v6.4.7 => v7.0.7): Extracting archive
  - Upgrading symfony/console (v5.4.39 => v6.4.7): Extracting archive
  - Upgrading psr/log (2.0.0 => 3.0.0): Extracting archive
  - Upgrading mediawiki/minus-x (1.1.1 => 1.1.3): Extracting archive
 0/4 [>---------------------------]   0%
 4/4 [============================] 100%
Generating autoload files
41 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found
--- stdout ---

--- end ---
$ /usr/bin/composer install
--- stderr ---
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Nothing to install, update or remove
Generating autoload files
41 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---

--- end ---
$ /usr/bin/composer test
--- stderr ---
> parallel-lint . --exclude vendor --exclude node_module
> phpunit
> covers-validator
> phpcs -sp
> phan --allow-polyfill-parser
Parsing files...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░   54 / 1464 (  6%) 47MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  108 / 1464 (  8%) 59MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  162 / 1464 ( 14%) 68MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  216 / 1464 ( 25%) 74MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  270 / 1464 ( 25%) 74MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  324 / 1464 ( 25%) 74MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  378 / 1464 ( 26%) 103MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  432 / 1464 ( 31%) 114MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  486 / 1464 ( 36%) 126MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  540 / 1464 ( 38%) 134MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  594 / 1464 ( 44%) 144MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  648 / 1464 ( 44%) 144MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  702 / 1464 ( 52%) 151MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  756 / 1464 ( 52%) 151MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  810 / 1464 ( 64%) 170MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  864 / 1464 ( 64%) 170MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  918 / 1464 ( 64%) 170MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  972 / 1464 ( 68%) 181MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1026 / 1464 ( 74%) 192MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1080 / 1464 ( 74%) 192MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1134 / 1464 ( 81%) 203MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1188 / 1464 ( 81%) 203MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1242 / 1464 ( 87%) 214MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1296 / 1464 ( 92%) 226MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1350 / 1464 ( 92%) 226MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1404 / 1464 ( 96%) 236MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1458 / 1464 ( 99%) 251MB
░░░░░░                                                 1464 / 1464 (100%) 256MB
Analyzing classes...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 277MB
Analyzing functions...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 278MB
Analyzing methods...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 283MB
Analyzing files...
░░░░░░░░░░░░                                           12 / 12 (100%) 290MB

> minus-x check .
> if [ 'x'$(which node) != 'x' ]; then php tests/php/runCommonTests.php ; fi
--- stdout ---
PHP 8.2.7 | 10 parallel jobs
...............                                              15/15 (100%)


Checked 15 files in 0.1 seconds
No syntax error found
PHPUnit 9.6.16 by Sebastian Bergmann and contributors.

No tests executed!
CoversValidator 1.6.0

No tests found to validate.
.............. 14 / 14 (100%)


Time: 272ms; Memory: 8MB

MinusX
======
Processing /src/repo...
.............................................................
...................................................
All good!
Running language-independent tests against PHP
SUCCESS: 608 / 608 assertions were successful

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "jasmine-node": {
      "name": "jasmine-node",
      "severity": "critical",
      "isDirect": true,
      "via": [
        "underscore"
      ],
      "effects": [],
      "range": ">=1.16.1",
      "nodes": [
        "node_modules/jasmine-node"
      ],
      "fixAvailable": {
        "name": "jasmine-node",
        "version": "1.16.0",
        "isSemVerMajor": true
      }
    },
    "underscore": {
      "name": "underscore",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1095097,
          "name": "underscore",
          "dependency": "underscore",
          "title": "Arbitrary Code Execution in underscore",
          "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
          "severity": "critical",
          "cwe": [
            "CWE-94"
          ],
          "cvss": {
            "score": 9.8,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": ">=1.3.2 <1.12.1"
        }
      ],
      "effects": [
        "jasmine-node"
      ],
      "range": "1.3.2 - 1.12.0",
      "nodes": [
        "node_modules/underscore"
      ],
      "fixAvailable": {
        "name": "jasmine-node",
        "version": "1.16.0",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 0,
      "critical": 2,
      "total": 2
    },
    "dependencies": {
      "prod": 1,
      "dev": 112,
      "optional": 0,
      "peer": 0,
      "peerOptional": 0,
      "total": 112
    }
  }
}

--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
  "added": 112,
  "removed": 0,
  "changed": 0,
  "audited": 113,
  "funding": 20,
  "audit": {
    "auditReportVersion": 2,
    "vulnerabilities": {
      "jasmine-node": {
        "name": "jasmine-node",
        "severity": "critical",
        "isDirect": true,
        "via": [
          "underscore"
        ],
        "effects": [],
        "range": ">=1.16.1",
        "nodes": [
          "node_modules/jasmine-node"
        ],
        "fixAvailable": {
          "name": "jasmine-node",
          "version": "1.16.0",
          "isSemVerMajor": true
        }
      },
      "underscore": {
        "name": "underscore",
        "severity": "critical",
        "isDirect": false,
        "via": [
          {
            "source": 1095097,
            "name": "underscore",
            "dependency": "underscore",
            "title": "Arbitrary Code Execution in underscore",
            "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
            "severity": "critical",
            "cwe": [
              "CWE-94"
            ],
            "cvss": {
              "score": 9.8,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "range": ">=1.3.2 <1.12.1"
          }
        ],
        "effects": [
          "jasmine-node"
        ],
        "range": "1.3.2 - 1.12.0",
        "nodes": [
          "node_modules/underscore"
        ],
        "fixAvailable": {
          "name": "jasmine-node",
          "version": "1.16.0",
          "isSemVerMajor": true
        }
      }
    },
    "metadata": {
      "vulnerabilities": {
        "info": 0,
        "low": 0,
        "moderate": 0,
        "high": 0,
        "critical": 2,
        "total": 2
      },
      "dependencies": {
        "prod": 1,
        "dev": 112,
        "optional": 0,
        "peer": 0,
        "peerOptional": 0,
        "total": 112
      }
    }
  }
}

--- end ---
{"added": 112, "removed": 0, "changed": 0, "audited": 113, "funding": 20, "audit": {"auditReportVersion": 2, "vulnerabilities": {"jasmine-node": {"name": "jasmine-node", "severity": "critical", "isDirect": true, "via": ["underscore"], "effects": [], "range": ">=1.16.1", "nodes": ["node_modules/jasmine-node"], "fixAvailable": {"name": "jasmine-node", "version": "1.16.0", "isSemVerMajor": true}}, "underscore": {"name": "underscore", "severity": "critical", "isDirect": false, "via": [{"source": 1095097, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": ["CWE-94"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.3.2 <1.12.1"}], "effects": ["jasmine-node"], "range": "1.3.2 - 1.12.0", "nodes": ["node_modules/underscore"], "fixAvailable": {"name": "jasmine-node", "version": "1.16.0", "isSemVerMajor": true}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 2, "total": 2}, "dependencies": {"prod": 1, "dev": 112, "optional": 0, "peer": 0, "peerOptional": 0, "total": 112}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---

added 112 packages, and audited 113 packages in 1s

20 packages are looking for funding
  run `npm fund` for details

# npm audit report

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix --force`
Will install jasmine-node@1.16.0, which is a breaking change
node_modules/underscore
  jasmine-node  >=1.16.1
  Depends on vulnerable versions of underscore
  node_modules/jasmine-node

2 critical severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json

--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stdout ---

added 112 packages, and audited 113 packages in 1s

20 packages are looking for funding
  run `npm fund` for details

2 critical severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

--- end ---
$ /usr/bin/npm test
--- stdout ---

> wikipeg@4.0.0-git test
> make eslint && make test


generated parser API - 14 ms

    parse - 14 ms
        parses input - 4 ms
        throws an exception on syntax error - 4 ms

        start rule - 1 ms

            when |startRule| is not set - 0 ms
                starts parsing from the first allowed rule - 0 ms

            when |startRule| is set to an allowed rule - 1 ms
                starts parsing from specified rule - 1 ms

            when |startRule| is set to a disallowed start rule - 0 ms
                throws an exception - 0 ms

        tracing - 3 ms

            default tracer - 2 ms
                traces using console.log - 2 ms

            custom tracers - 1 ms

                trace - 1 ms
                    receives tracing events - 1 ms
        accepts custom options - 2 ms

PEG.js API - 44 ms

    buildParser - 44 ms
        builds a parser - 2 ms
        throws an exception on syntax error - 1 ms
        throws an exception on semantic error - 0 ms

        allowed start rules - 13 ms

            when optimizing for parsing speed - 6 ms

                when |allowedStartRules| is not set - 3 ms
                    generated parser can start only from the first rule - 3 ms

                when |allowedStartRules| is set - 3 ms
                    generated parser can start only from specified rules - 3 ms

            when optimizing for code size - 7 ms

                when |allowedStartRules| is not set - 5 ms
                    generated parser can start only from the first rule - 5 ms

                when |allowedStartRules| is set - 2 ms
                    generated parser can start only from specified rules - 2 ms

        intermediate results caching - 12 ms

            when |cache| is not set - 4 ms
                generated parser doesn't cache intermediate parse results - 4 ms

            when |cache| is set to |false| - 4 ms
                generated parser doesn't cache intermediate parse results - 4 ms

            when |cache| is set to |true| - 4 ms
                generated parser caches intermediate parse results - 4 ms

        tracing - 5 ms

            when |trace| is not set - 1 ms
                generated parser doesn't trace - 1 ms

            when |trace| is set to |false| - 2 ms
                generated parser doesn't trace - 2 ms

            when |trace| is set to |true| - 2 ms
                generated parser traces - 2 ms

        output - 9 ms

            when |output| is not set - 2 ms
                returns generated parser object - 2 ms

            when |output| is set to |"parser"| - 2 ms
                returns generated parser object - 2 ms

            when |output| is set to |"source"| - 2 ms
                returns generated parser source code - 2 ms

            when |headerComment| is set to |/*
 * some comment
 */| - 2 ms
                returns generated parser source code with that comment - 2 ms

            when |headerComment| is set to |/*
 * some comment
 */| and |language| is set to |php| - 1 ms
                returns generated php parser source code with that comment - 1 ms
        accepts custom options - 2 ms

plugin API - 27 ms

    use - 27 ms
        is called for each plugin - 4 ms
        receives configuration - 7 ms
        receives options - 4 ms
        can replace parser - 9 ms
        can change compiler passes - 1 ms
        can change options - 2 ms

generated parser behavior - 215 ms

    with options { cache : false } - 109 ms

        initializer - 9 ms
            executes the code before parsing starts - 4 ms

            available variables and functions - 5 ms
                |parser| contains the parser object - 3 ms
                |options| contains options - 2 ms

        rule - 12 ms
            doesn't cache rule match results - 3 ms

            when the expression matches - 2 ms
                returns its match result - 2 ms

            when the expression doesn't match - 7 ms

                without display name - 2 ms
                    reports match failure and doesn't record any expectation - 2 ms

                with display name - 5 ms
                    reports match failure and records an expectation of type "other" - 3 ms
                    discards any expectations recorded when matching the expression - 2 ms

        positive semantic predicate - 16 ms

            initializer variables & functions - 6 ms
                can access variables defined in the initializer - 2 ms
                can access functions defined in the initializer - 4 ms

            available variables & functions - 10 ms
                |parser| contains the parser object - 2 ms
                |options| contains options - 2 ms
                |location| returns current location info - 6 ms

        negative semantic predicate - 14 ms

            initializer variables & functions - 4 ms
                can access variables defined in the initializer - 2 ms
                can access functions defined in the initializer - 2 ms

            available variables & functions - 10 ms
                |parser| contains the parser object - 2 ms
                |options| contains options - 2 ms
                |location| returns current location info - 6 ms

        action - 21 ms

            initializer variables & functions - 4 ms
                can access variables defined in the initializer - 2 ms
                can access functions defined in the initializer - 2 ms

            available variables & functions - 17 ms
                |parser| contains the parser object - 2 ms
                |options| contains options - 3 ms
                |text| returns text matched by the expression - 2 ms
                |location| returns location info of the expression - 5 ms
                |expected| terminates parsing and throws an exception - 2 ms
                |error| terminates parsing and throws an exception - 3 ms

        error reporting - 22 ms

            found string reporting - 3 ms
                reports found string correctly at the end of input - 1 ms
                reports found string correctly in the middle of input - 2 ms

            message building - 9 ms
                builds message correctly with no alternative - 1 ms
                builds message correctly with one alternative - 2 ms
                builds message correctly with multiple alternatives - 2 ms
                builds message correctly at the end of input - 2 ms
                builds message correctly in the middle of input - 2 ms

            position reporting - 10 ms
                reports position correctly at the end of input - 1 ms
                reports position correctly in the middle of input - 2 ms
                reports position correctly with trailing input - 3 ms
                reports position correctly in complex cases - 4 ms

        complex examples - 15 ms
            handles arithmetics example correctly - 6 ms
            handles non-context-free language correctly - 5 ms
            handles nested comments example correctly - 4 ms

    with options { cache : true } - 106 ms

        initializer - 7 ms
            executes the code before parsing starts - 2 ms

            available variables and functions - 5 ms
                |parser| contains the parser object - 3 ms
                |options| contains options - 2 ms

        rule - 10 ms
            caches rule match results - 4 ms

            when the expression matches - 1 ms
                returns its match result - 1 ms

            when the expression doesn't match - 5 ms

                without display name - 2 ms
                    reports match failure and doesn't record any expectation - 2 ms

                with display name - 3 ms
                    reports match failure and records an expectation of type "other" - 1 ms
                    discards any expectations recorded when matching the expression - 2 ms

        positive semantic predicate - 13 ms

            initializer variables & functions - 4 ms
                can access variables defined in the initializer - 2 ms
                can access functions defined in the initializer - 2 ms

            available variables & functions - 9 ms
                |parser| contains the parser object - 2 ms
                |options| contains options - 2 ms
                |location| returns current location info - 5 ms

        negative semantic predicate - 14 ms

            initializer variables & functions - 4 ms
                can access variables defined in the initializer - 2 ms
                can access functions defined in the initializer - 2 ms

            available variables & functions - 10 ms
                |parser| contains the parser object - 2 ms
                |options| contains options - 4 ms
                |location| returns current location info - 4 ms

        action - 22 ms

            initializer variables & functions - 5 ms
                can access variables defined in the initializer - 2 ms
                can access functions defined in the initializer - 3 ms

            available variables & functions - 17 ms
                |parser| contains the parser object - 2 ms
                |options| contains options - 2 ms
                |text| returns text matched by the expression - 2 ms
                |location| returns location info of the expression - 5 ms
                |expected| terminates parsing and throws an exception - 3 ms
                |error| terminates parsing and throws an exception - 3 ms

        error reporting - 25 ms

            found string reporting - 7 ms
                reports found string correctly at the end of input - 3 ms
                reports found string correctly in the middle of input - 4 ms

            message building - 9 ms
                builds message correctly with no alternative - 2 ms
                builds message correctly with one alternative - 1 ms
                builds message correctly with multiple alternatives - 3 ms
                builds message correctly at the end of input - 1 ms
                builds message correctly in the middle of input - 2 ms

            position reporting - 9 ms
                reports position correctly at the end of input - 1 ms
                reports position correctly in the middle of input - 2 ms
                reports position correctly with trailing input - 1 ms
                reports position correctly in complex cases - 5 ms

        complex examples - 15 ms
            handles arithmetics example correctly - 5 ms
            handles non-context-free language correctly - 6 ms
            handles nested comments example correctly - 4 ms

compiler pass |removeProxyRules| - 2 ms

    when a proxy rule isn't listed in |allowedStartRules| - 1 ms
        updates references and removes it - 1 ms

    when a proxy rule is listed in |allowedStartRules| - 1 ms
        updates references but doesn't remove it - 1 ms

compiler pass |reportLeftRecursion| - 6 ms
    reports infinite loops for zero_or_more - 1 ms
    reports infinite loops for one_or_more - 0 ms
    computes empty string matching correctly - 5 ms

compiler pass |reportLeftRecursion| - 11 ms
    reports direct left recursion - 0 ms
    reports indirect left recursion - 1 ms

    in sequences - 10 ms
        reports left recursion if all preceding elements match empty string - 0 ms
        doesn't report left recursion if some preceding element doesn't match empty string - 1 ms
        computes empty string matching correctly - 9 ms

compiler pass |reportMissingRules| - 0 ms
    reports missing rules - 0 ms

PEG.js grammar parser - 29 ms
    parses Grammar - 1 ms
    parses Initializer - 0 ms
    parses Rule - 1 ms
    parses Expression - 0 ms
    parses ChoiceExpression - 1 ms
    parses ActionExpression - 0 ms
    parses SequenceExpression - 1 ms
    parses LabeledExpression - 0 ms
    parses PrefixedExpression - 1 ms
    parses PrefixedOperator - 0 ms
    parses SuffixedExpression - 0 ms
    parses SuffixedOperator - 1 ms
    parses PrimaryExpression - 1 ms
    parses RuleReferenceExpression - 0 ms
    parses SemanticPredicateExpression - 0 ms
    parses SemanticPredicateOperator - 1 ms
    parses WhiteSpace - 1 ms
    parses LineTerminator - 0 ms
    parses LineTerminatorSequence - 1 ms
    parses Comment - 0 ms
    parses MultiLineComment - 1 ms
    parses MultiLineCommentNoLineTerminator - 1 ms
    parses SingleLineComment - 1 ms
    parses Identifier - 0 ms
    parses IdentifierName - 1 ms
    parses IdentifierStart - 0 ms
    parses IdentifierPart - 2 ms
    parses LiteralMatcher - 0 ms
    parses StringLiteral - 1 ms
    parses DoubleStringCharacter - 1 ms
    parses SingleStringCharacter - 1 ms
    parses CharacterClassMatcher - 1 ms
    parses ClassCharacterRange - 0 ms
    parses ClassCharacter - 1 ms
    parses LineContinuation - 1 ms
    parses EscapeSequence - 0 ms
    parses CharacterEscapeSequence - 1 ms
    parses SingleEscapeCharacter - 1 ms
    parses NonEscapeCharacter - 0 ms
    parses HexEscapeSequence - 1 ms
    parses UnicodeEscapeSequence - 0 ms
    parses AnyMatcher - 0 ms
    parses CodeBlock - 0 ms
    parses Code - 1 ms
    parses __ - 1 ms
    parses _ - 1 ms
    parses EOS - 0 ms
    parses EOF - 1 ms

Finished in 0.355 seconds
172 tests, 477 assertions, 0 failures, 0 skipped


Running language-independent tests against PHP
SUCCESS: 608 / 608 assertions were successful
node tests/javascript/runCommonTests.js
Running language-independent tests against JavaScript
SUCCESS: 608 / 608 assertions were successful

--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json

--- end ---
build: Updating mediawiki/minus-x to 1.1.3

$ git add .
--- stdout ---

--- end ---
$ git commit -F /tmp/tmp20k6lqlu
--- stdout ---
[master 0969ff3] build: Updating mediawiki/minus-x to 1.1.3
 1 file changed, 1 insertion(+), 1 deletion(-)

--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 0969ff34d47ce415c837e3deb81bcf552a33a485 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Wed, 15 May 2024 05:40:48 +0000
Subject: [PATCH] build: Updating mediawiki/minus-x to 1.1.3

Change-Id: I32f92357b22347374ee3f7d4eb27faaa1336ec53
---
 composer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/composer.json b/composer.json
index 5953e74..d179e3c 100644
--- a/composer.json
+++ b/composer.json
@@ -20,7 +20,7 @@
 	"require-dev": {
 		"mediawiki/mediawiki-codesniffer": "43.0.0",
 		"mediawiki/mediawiki-phan-config": "0.14.0",
-		"mediawiki/minus-x": "1.1.1",
+		"mediawiki/minus-x": "1.1.3",
 		"ockcyp/covers-validator": "1.6.0",
 		"php-parallel-lint/php-console-highlighter": "1.0.0",
 		"php-parallel-lint/php-parallel-lint": "1.4.0",
-- 
2.39.2


--- end ---