This run took 161 seconds.
$ date --- stdout --- Tue Jun 11 08:10:55 UTC 2024 --- end --- $ git clone file:///srv/git/wikimedia-toolhub.git repo --depth=1 -b main --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config libraryupgrader --- stdout --- --- end --- $ git config --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/main --- stdout --- 5f7a33722abb3b3cfe00b92c670f2adbf23d2834 refs/heads/main --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@apollographql/graphql-upload-8-fork": { "name": "@apollographql/graphql-upload-8-fork", "severity": "high", "isDirect": false, "via": [ "busboy" ], "effects": [ "apollo-server-core" ], "range": "*", "nodes": [ "node_modules/@apollographql/graphql-upload-8-fork" ], "fixAvailable": true }, "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "@sideway/formula": { "name": "@sideway/formula", "severity": "moderate", "isDirect": false, "via": [ { "source": 1091026, "name": "@sideway/formula", "dependency": "@sideway/formula", "title": "@sideway/formula contains Regular Expression Denial of Service (ReDoS) Vulnerability", "url": "", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<3.0.1" } ], "effects": [], "range": "3.0.0", "nodes": [ "node_modules/@sideway/formula" ], "fixAvailable": true }, "@vue/cli": { "name": "@vue/cli", "severity": "high", "isDirect": true, "via": [ "download-git-repo", "vue-codemod" ], "effects": [], "range": "*", "nodes": [ "node_modules/@vue/cli" ], "fixAvailable": false }, "@vue/cli-plugin-unit-mocha": { "name": "@vue/cli-plugin-unit-mocha", "severity": "moderate", "isDirect": true, "via": [ "mocha" ], "effects": [], "range": ">=5.0.0-alpha.0", "nodes": [ "node_modules/@vue/cli-plugin-unit-mocha" ], "fixAvailable": { "name": "@vue/cli-plugin-unit-mocha", "version": "4.5.19", "isSemVerMajor": true } }, "@vue/cli-service": { "name": "@vue/cli-service", "severity": "moderate", "isDirect": true, "via": [ "@vue/component-compiler-utils", "vue-loader" ], "effects": [], "range": "*", "nodes": [ "node_modules/@vue/cli-service" ], "fixAvailable": { "name": "@vue/cli-service", "version": "3.3.1", "isSemVerMajor": true } }, "@vue/component-compiler-utils": { "name": "@vue/component-compiler-utils", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "@vue/cli-service", "vue-loader" ], "range": "*", "nodes": [ "node_modules/@vue/component-compiler-utils" ], "fixAvailable": { "name": "@vue/cli-service", "version": "3.3.1", "isSemVerMajor": true } }, "ansi-regex": { "name": "ansi-regex", "severity": "high", "isDirect": false, "via": [ { "source": 1094090, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=3.0.0 <3.0.1" }, { "source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.1.1" }, { "source": 1094092, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.0.1" } ], "effects": [], "range": "3.0.0 || 4.0.0 - 4.1.0 || 5.0.0", "nodes": [ "node_modules/ansi-regex", "node_modules/inquirer/node_modules/ansi-regex", "node_modules/log-update/node_modules/ansi-regex", "node_modules/mocha/node_modules/ansi-regex", "node_modules/nyc/node_modules/ansi-regex", "node_modules/wide-align/node_modules/ansi-regex" ], "fixAvailable": true }, "apollo-server-core": { "name": "apollo-server-core", "severity": "high", "isDirect": false, "via": [ "@apollographql/graphql-upload-8-fork", { "source": 1093178, "name": "apollo-server-core", "dependency": "apollo-server-core", "title": "Prevent logging invalid header values", "url": "", "severity": "low", "cwe": [], "cvss": { "score": 0, "vectorString": null }, "range": "<2.26.1" } ], "effects": [], "range": "<=2.26.2", "nodes": [ "node_modules/apollo-server-core" ], "fixAvailable": true }, "async": { "name": "async", "severity": "high", "isDirect": false, "via": [ { "source": 1096476, "name": "async", "dependency": "async", "title": "Prototype Pollution in async", "url": "", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, "range": ">=2.0.0 <2.6.4" } ], "effects": [], "range": "2.0.0 - 2.6.3", "nodes": [ "node_modules/portfinder/node_modules/async" ], "fixAvailable": true }, "braces": { "name": "braces", "severity": "high", "isDirect": false, "via": [ { "source": 1097496, "name": "braces", "dependency": "braces", "title": "Uncontrolled resource consumption in braces", "url": "", "severity": "high", "cwe": [ "CWE-1050" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.3" } ], "effects": [ "micromatch" ], "range": "<3.0.3", "nodes": [ "node_modules/@vue/cli-plugin-unit-mocha/node_modules/braces", "node_modules/braces", "node_modules/chokidar/node_modules/braces", "node_modules/eslint-webpack-plugin/node_modules/braces", "node_modules/fast-glob/node_modules/braces", "node_modules/http-proxy-middleware/node_modules/braces", "node_modules/mocha/node_modules/braces", "node_modules/stylelint-config-wikimedia/node_modules/braces", "node_modules/stylelint/node_modules/braces", "node_modules/webpack-dev-server/node_modules/braces" ], "fixAvailable": false }, "busboy": { "name": "busboy", "severity": "high", "isDirect": false, "via": [ "dicer" ], "effects": [ "@apollographql/graphql-upload-8-fork" ], "range": "<=0.3.1", "nodes": [ "node_modules/busboy" ], "fixAvailable": true }, "cacheable-request": { "name": "cacheable-request", "severity": "high", "isDirect": false, "via": [ "http-cache-semantics" ], "effects": [ "got" ], "range": "0.1.0 - 2.1.4", "nodes": [ "node_modules/cacheable-request" ], "fixAvailable": false }, "core-js-compat": { "name": "core-js-compat", "severity": "moderate", "isDirect": false, "via": [ "semver" ], "effects": [], "range": "3.6.0 - 3.25.0", "nodes": [ "node_modules/core-js-compat" ], "fixAvailable": true }, "decode-uri-component": { "name": "decode-uri-component", "severity": "high", "isDirect": false, "via": [ { "source": 1094087, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "", "severity": "high", "cwe": [ "CWE-20" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "dicer": { "name": "dicer", "severity": "high", "isDirect": false, "via": [ { "source": 1093150, "name": "dicer", "dependency": "dicer", "title": "Crash in HeaderParser in dicer", "url": "", "severity": "high", "cwe": [ "CWE-248" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<=0.3.1" } ], "effects": [ "busboy" ], "range": "*", "nodes": [ "node_modules/dicer" ], "fixAvailable": true }, "download": { "name": "download", "severity": "moderate", "isDirect": false, "via": [ "got" ], "effects": [ "download-git-repo" ], "range": ">=4.0.0", "nodes": [ "node_modules/download" ], "fixAvailable": false }, "download-git-repo": { "name": "download-git-repo", "severity": "high", "isDirect": false, "via": [ "download", "git-clone" ], "effects": [ "@vue/cli" ], "range": "*", "nodes": [ "node_modules/download-git-repo" ], "fixAvailable": false }, "ejs": { "name": "ejs", "severity": "critical", "isDirect": false, "via": [ { "source": 1089270, "name": "ejs", "dependency": "ejs", "title": "ejs template injection vulnerability", "url": "", "severity": "critical", "cwe": [ "CWE-74" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<3.1.7" }, { "source": 1097492, "name": "ejs", "dependency": "ejs", "title": "ejs lacks certain pollution protection", "url": "", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 0, "vectorString": null }, "range": "<3.1.10" } ], "effects": [], "range": "<=3.1.9", "nodes": [ "node_modules/ejs" ], "fixAvailable": true }, "eslint-plugin-compat": { "name": "eslint-plugin-compat", "severity": "moderate", "isDirect": false, "via": [ "semver" ], "effects": [], "range": "3.6.0-0 - 4.1.4", "nodes": [ "node_modules/eslint-plugin-compat" ], "fixAvailable": true }, "express": { "name": "express", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096820, "name": "express", "dependency": "express", "title": "Express.js Open Redirect in malformed URLs", "url": "", "severity": "moderate", "cwe": [ "CWE-601", "CWE-1286" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.19.2" } ], "effects": [], "range": "<4.19.2", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "follow-redirects": { "name": "follow-redirects", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096353, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Follow Redirects improperly handles URLs in the url.parse() function", "url": "", "severity": "moderate", "cwe": [ "CWE-20", "CWE-601" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<1.15.4" }, { "source": 1096856, "name": "follow-redirects", "dependency": "follow-redirects", "title": "follow-redirects' Proxy-Authorization header kept across hosts", "url": "", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=1.15.5" } ], "effects": [], "range": "<=1.15.5", "nodes": [ "node_modules/follow-redirects" ], "fixAvailable": true }, "get-func-name": { "name": "get-func-name", "severity": "high", "isDirect": false, "via": [ { "source": 1094574, "name": "get-func-name", "dependency": "get-func-name", "title": "Chaijs/get-func-name vulnerable to ReDoS", "url": "", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<2.0.1" } ], "effects": [], "range": "<2.0.1", "nodes": [ "node_modules/get-func-name" ], "fixAvailable": true }, "git-clone": { "name": "git-clone", "severity": "high", "isDirect": false, "via": [ { "source": 1093404, "name": "git-clone", "dependency": "git-clone", "title": "Command injection in git-clone", "url": "", "severity": "high", "cwe": [ "CWE-77", "CWE-88" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=0.2.0" } ], "effects": [ "download-git-repo" ], "range": "*", "nodes": [ "node_modules/git-clone" ], "fixAvailable": false }, "got": { "name": "got", "severity": "high", "isDirect": false, "via": [ { "source": 1088948, "name": "got", "dependency": "got", "title": "Got allows a redirect to a UNIX socket", "url": "", "severity": "moderate", "cwe": [], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<11.8.5" }, "cacheable-request" ], "effects": [ "download" ], "range": "<=11.8.3", "nodes": [ "node_modules/got" ], "fixAvailable": false }, "http-cache-semantics": { "name": "http-cache-semantics", "severity": "high", "isDirect": false, "via": [ { "source": 1092316, "name": "http-cache-semantics", "dependency": "http-cache-semantics", "title": "http-cache-semantics vulnerable to Regular Expression Denial of Service", "url": "", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.1.1" } ], "effects": [ "cacheable-request" ], "range": "<4.1.1", "nodes": [ "node_modules/http-cache-semantics" ], "fixAvailable": false }, "ip": { "name": "ip", "severity": "high", "isDirect": false, "via": [ { "source": 1096570, "name": "ip", "dependency": "ip", "title": "NPM IP package incorrectly identifies some private IP addresses as public", "url": "", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<1.1.9" }, { "source": 1097346, "name": "ip", "dependency": "ip", "title": "ip SSRF improper categorization in isPublic", "url": "", "severity": "high", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=2.0.1" } ], "effects": [], "range": "*", "nodes": [ "node_modules/ip" ], "fixAvailable": true }, "jscodeshift": { "name": "jscodeshift", "severity": "high", "isDirect": false, "via": [ "micromatch" ], "effects": [ "vue-codemod" ], "range": "0.3.20 - 0.13.1", "nodes": [ "node_modules/jscodeshift" ], "fixAvailable": false }, "json-pointer": { "name": "json-pointer", "severity": "critical", "isDirect": true, "via": [ { "source": 1088901, "name": "json-pointer", "dependency": "json-pointer", "title": "Prototype Pollution in json-pointer", "url": "", "severity": "moderate", "cwe": [ "CWE-843", "CWE-1321" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<=0.6.1" }, { "source": 1096878, "name": "json-pointer", "dependency": "json-pointer", "title": "json-pointer vulnerable to Prototype Pollution", "url": "", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.6.2" } ], "effects": [], "range": "<=0.6.1", "nodes": [ "node_modules/json-pointer" ], "fixAvailable": true }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" }, { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": [ "node_modules/json5", "node_modules/loader-utils/node_modules/json5" ], "fixAvailable": true }, "loader-utils": { "name": "loader-utils", "severity": "critical", "isDirect": false, "via": [ { "source": 1094088, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<1.4.1" }, { "source": 1094089, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=2.0.0 <2.0.3" }, { "source": 1095054, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1095055, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" }, { "source": 1097142, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1097143, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" } ], "effects": [], "range": "<=1.4.1 || 2.0.0 - 2.0.3", "nodes": [ "node_modules/loader-utils", "node_modules/null-loader/node_modules/loader-utils", "node_modules/thread-loader/node_modules/loader-utils", "node_modules/vue-loader/node_modules/loader-utils", "node_modules/vuetify-loader/node_modules/loader-utils" ], "fixAvailable": true }, "marked": { "name": "marked", "severity": "high", "isDirect": false, "via": [ { "source": 1095051, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" }, { "source": 1095052, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" } ], "effects": [ "rapidoc" ], "range": "<=4.0.9", "nodes": [ "node_modules/marked" ], "fixAvailable": true }, "micromatch": { "name": "micromatch", "severity": "high", "isDirect": false, "via": [ "braces" ], "effects": [ "jscodeshift" ], "range": "0.2.0 - 3.1.10", "nodes": [ "node_modules/micromatch" ], "fixAvailable": false }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "mocha" ], "range": "<3.0.5", "nodes": [ "node_modules/minimatch" ], "fixAvailable": { "name": "@vue/cli-plugin-unit-mocha", "version": "4.5.19", "isSemVerMajor": true } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1096549, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true }, "mocha": { "name": "mocha", "severity": "high", "isDirect": true, "via": [ "minimatch", "nanoid" ], "effects": [ "@vue/cli-plugin-unit-mocha" ], "range": "5.1.0 - 9.2.1", "nodes": [ "node_modules/@vue/cli-plugin-unit-mocha/node_modules/mocha", "node_modules/mocha" ], "fixAvailable": { "name": "@vue/cli-plugin-unit-mocha", "version": "4.5.19", "isSemVerMajor": true } }, "moment": { "name": "moment", "severity": "high", "isDirect": false, "via": [ { "source": 1095072, "name": "moment", "dependency": "moment", "title": "Moment.js vulnerable to Inefficient Regular Expression Complexity", "url": "", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.18.0 <2.29.4" }, { "source": 1095083, "name": "moment", "dependency": "moment", "title": "Path Traversal: 'dir/../../filename' in moment.locale", "url": "", "severity": "high", "cwe": [ "CWE-22", "CWE-27" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<2.29.2" } ], "effects": [], "range": "<=2.29.3", "nodes": [ "node_modules/moment" ], "fixAvailable": true }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [ "mocha" ], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/@vue/cli-plugin-unit-mocha/node_modules/nanoid" ], "fixAvailable": { "name": "@vue/cli-plugin-unit-mocha", "version": "4.5.19", "isSemVerMajor": true } }, "node-forge": { "name": "node-forge", "severity": "high", "isDirect": false, "via": [ { "source": 1088746, "name": "node-forge", "dependency": "node-forge", "title": "Improper Verification of Cryptographic Signature in `node-forge`", "url": "", "severity": "moderate", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<1.3.0" }, { "source": 1095012, "name": "node-forge", "dependency": "node-forge", "title": "Improper Verification of Cryptographic Signature in node-forge", "url": "", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<1.3.0" }, { "source": 1095013, "name": "node-forge", "dependency": "node-forge", "title": "Improper Verification of Cryptographic Signature in node-forge", "url": "", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<1.3.0" } ], "effects": [], "range": "<=1.2.1", "nodes": [ "node_modules/node-forge" ], "fixAvailable": true }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094544, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": "", "severity": "moderate", "cwe": [ "CWE-74", "CWE-144" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<8.4.31" } ], "effects": [ "@vue/component-compiler-utils" ], "range": "<8.4.31", "nodes": [ "node_modules/@vue/component-compiler-utils/node_modules/postcss", "node_modules/postcss" ], "fixAvailable": { "name": "@vue/cli-service", "version": "3.3.1", "isSemVerMajor": true } }, "prismjs": { "name": "prismjs", "severity": "high", "isDirect": false, "via": [ { "source": 1090424, "name": "prismjs", "dependency": "prismjs", "title": "Cross-site Scripting in Prism", "url": "", "severity": "high", "cwe": [ "CWE-79" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L" }, "range": ">=1.14.0 <1.27.0" } ], "effects": [], "range": "1.14.0 - 1.26.0", "nodes": [ "node_modules/prismjs" ], "fixAvailable": true }, "rapidoc": { "name": "rapidoc", "severity": "high", "isDirect": true, "via": [ "marked" ], "effects": [], "range": "<=9.1.3 || 9.1.5", "nodes": [ "node_modules/rapidoc" ], "fixAvailable": true }, "rss-parser": { "name": "rss-parser", "severity": "moderate", "isDirect": false, "via": [ "xml2js" ], "effects": [], "range": "<=3.12.0", "nodes": [ "node_modules/rss-parser" ], "fixAvailable": true }, "semver": { "name": "semver", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096482, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=7.0.0 <7.5.2" }, { "source": 1096483, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<5.7.2" }, { "source": 1096484, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [ "core-js-compat", "eslint-plugin-compat" ], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": [ "node_modules/@babel/register/node_modules/semver", "node_modules/@intlify/eslint-plugin-vue-i18n/node_modules/semver", "node_modules/@vue/cli-plugin-babel/node_modules/semver", "node_modules/@vue/cli-shared-utils/node_modules/semver", "node_modules/core-js-compat/node_modules/semver", "node_modules/cross-spawn/node_modules/semver", "node_modules/css-loader/node_modules/semver", "node_modules/editorconfig/node_modules/semver", "node_modules/eslint-plugin-compat/node_modules/semver", "node_modules/eslint-plugin-jsdoc/node_modules/semver", "node_modules/eslint-plugin-unicorn/node_modules/semver", "node_modules/eslint-plugin-vue/node_modules/semver", "node_modules/find-cache-dir/node_modules/semver", "node_modules/jsonc-eslint-parser/node_modules/semver", "node_modules/meow/node_modules/semver", "node_modules/node-notifier/node_modules/semver", "node_modules/normalize-package-data/node_modules/semver", "node_modules/postcss-loader/node_modules/semver", "node_modules/semver", "node_modules/stylelint-config-recommended-vue/node_modules/semver", "node_modules/vue-cli-plugin-vuetify/node_modules/semver", "node_modules/vue-eslint-parser/node_modules/semver" ], "fixAvailable": true }, "shelljs": { "name": "shelljs", "severity": "high", "isDirect": false, "via": [ { "source": 1088208, "name": "shelljs", "dependency": "shelljs", "title": "Improper Privilege Management in shelljs", "url": "", "severity": "moderate", "cwe": [ "CWE-269" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.8.5" }, { "source": 1095126, "name": "shelljs", "dependency": "shelljs", "title": "Improper Privilege Management in shelljs", "url": "", "severity": "high", "cwe": [ "CWE-269" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" }, "range": "<0.8.5" } ], "effects": [], "range": "<=0.8.4", "nodes": [ "node_modules/shelljs" ], "fixAvailable": true }, "terser": { "name": "terser", "severity": "high", "isDirect": false, "via": [ { "source": 1091690, "name": "terser", "dependency": "terser", "title": "Terser insecure use of regular expressions leads to ReDoS", "url": "", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.0.0 <5.14.2" } ], "effects": [], "range": "5.0.0 - 5.14.1", "nodes": [ "node_modules/terser" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096643, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": true }, "vue-codemod": { "name": "vue-codemod", "severity": "high", "isDirect": false, "via": [ "jscodeshift" ], "effects": [ "@vue/cli" ], "range": "*", "nodes": [ "node_modules/vue-codemod" ], "fixAvailable": false }, "vue-loader": { "name": "vue-loader", "severity": "moderate", "isDirect": false, "via": [ "@vue/component-compiler-utils" ], "effects": [ "@vue/cli-service" ], "range": "15.0.0-beta.1 - 15.11.1", "nodes": [ "node_modules/@vue/vue-loader-v15" ], "fixAvailable": { "name": "@vue/cli-service", "version": "3.3.1", "isSemVerMajor": true } }, "vuetify": { "name": "vuetify", "severity": "moderate", "isDirect": true, "via": [ { "source": 1089240, "name": "vuetify", "dependency": "vuetify", "title": "Vuetify Cross-site Scripting vulnerability", "url": "", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, "range": ">=2.0.0-beta.4 <2.6.10" } ], "effects": [], "range": "2.0.0-beta.4 - 2.6.9", "nodes": [ "node_modules/vuetify" ], "fixAvailable": true }, "webpack": { "name": "webpack", "severity": "critical", "isDirect": false, "via": [ { "source": 1094471, "name": "webpack", "dependency": "webpack", "title": "Cross-realm object access in Webpack 5", "url": "", "severity": "critical", "cwe": [], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=5.0.0 <5.76.0" } ], "effects": [], "range": "5.0.0 - 5.75.0", "nodes": [ "node_modules/webpack" ], "fixAvailable": true }, "webpack-dev-middleware": { "name": "webpack-dev-middleware", "severity": "high", "isDirect": false, "via": [ { "source": 1096729, "name": "webpack-dev-middleware", "dependency": "webpack-dev-middleware", "title": "Path traversal in webpack-dev-middleware", "url": "", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, "range": "<=5.3.3" } ], "effects": [], "range": "<=5.3.3", "nodes": [ "node_modules/webpack-dev-middleware" ], "fixAvailable": true }, "word-wrap": { "name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [ { "source": 1095091, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<1.2.4" } ], "effects": [], "range": "<1.2.4", "nodes": [ "node_modules/word-wrap" ], "fixAvailable": true }, "xml2js": { "name": "xml2js", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096693, "name": "xml2js", "dependency": "xml2js", "title": "xml2js is vulnerable to prototype pollution", "url": "", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<0.5.0" } ], "effects": [ "rss-parser" ], "range": "<0.5.0", "nodes": [ "node_modules/xml2js" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 0, "moderate": 18, "high": 30, "critical": 6, "total": 54 }, "dependencies": { "prod": 68, "dev": 2087, "optional": 3, "peer": 3, "peerOptional": 0, "total": 2154 } } } --- end --- Upgrading n:eslint from ^8.10.0 -> 8.57.0 Upgrading n:grunt-banana-checker from 0.10.0 -> 0.13.0 Upgrading n:stylelint from ^14.5.3 -> 16.2.0 $ /usr/bin/npm install --- stderr --- npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: '@es-joy/jsdoccomment@0.20.1', npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: 'eslint-plugin-jsdoc@37.9.6', npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN deprecated source-map-url@0.4.1: See npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated urix@0.1.0: Please see npm WARN deprecated resolve-url@0.2.1: npm WARN deprecated apollo-tracing@0.15.0: The `apollo-tracing` package is no longer part of Apollo Server 3. See for details npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated source-map-resolve@0.5.3: See npm WARN deprecated graphql-extensions@0.15.0: The `graphql-extensions` API has been removed from Apollo Server 3. Use the plugin API instead: npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See for details. npm WARN deprecated apollo-cache-control@0.14.0: The functionality provided by the `apollo-cache-control` package is built in to `apollo-server-core` starting with Apollo Server 3. See for details. npm WARN deprecated subscriptions-transport-ws@0.9.19: The `subscriptions-transport-ws` package is no longer maintained. We recommend you use `graphql-ws` instead. For help migrating Apollo software to `graphql-ws`, see For general help using `graphql-ws`, see npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out to learn what package you should use instead npm WARN deprecated core-js@2.6.12: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js. --- stdout --- added 2195 packages, and audited 2196 packages in 37s 196 packages are looking for funding run `npm fund` for details 53 vulnerabilities (17 moderate, 30 high, 6 critical) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- $ /usr/bin/npm ci --- stderr --- npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: '@es-joy/jsdoccomment@0.20.1', npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN EBADENGINE Unsupported engine { npm WARN EBADENGINE package: 'eslint-plugin-jsdoc@37.9.6', npm WARN EBADENGINE required: { node: '^12 || ^14 || ^16 || ^17' }, npm WARN EBADENGINE current: { node: 'v18.19.0', npm: '9.2.0' } npm WARN EBADENGINE } npm WARN deprecated source-map-url@0.4.1: See npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained npm WARN deprecated urix@0.1.0: Please see npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated resolve-url@0.2.1: npm WARN deprecated apollo-tracing@0.15.0: The `apollo-tracing` package is no longer part of Apollo Server 3. See for details npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated source-map-resolve@0.5.3: See npm WARN deprecated graphql-extensions@0.15.0: The `graphql-extensions` API has been removed from Apollo Server 3. Use the plugin API instead: npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See for details. npm WARN deprecated apollo-cache-control@0.14.0: The functionality provided by the `apollo-cache-control` package is built in to `apollo-server-core` starting with Apollo Server 3. See for details. npm WARN deprecated subscriptions-transport-ws@0.9.19: The `subscriptions-transport-ws` package is no longer maintained. We recommend you use `graphql-ws` instead. For help migrating Apollo software to `graphql-ws`, see For general help using `graphql-ws`, see npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out to learn what package you should use instead npm WARN deprecated core-js@2.6.12: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js. --- stdout --- added 2195 packages, and audited 2196 packages in 1m 196 packages are looking for funding run `npm fund` for details 53 vulnerabilities (16 moderate, 31 high, 6 critical) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ /usr/bin/npm test --- stderr --- Oops! Something went wrong! :( ESLint: 8.57.0 TypeError: Cannot read properties of null (reading 'range') Occurred while linting /src/repo/vue/src/App.vue:200 Rule: "vuetify/grid-unknown-attributes" at SourceCode.getTokenBefore (/src/repo/node_modules/eslint/lib/source-code/token-store/index.js:298:18) at validateNode (/src/repo/node_modules/eslint/lib/rules/operator-linebreak.js:155:42) at EventEmitter.validateBinaryExpression (/src/repo/node_modules/eslint/lib/rules/operator-linebreak.js:226:13) at EventEmitter.emit (node:events:517:28) at NodeEventGenerator.applySelector (/src/repo/node_modules/vue-eslint-parser/index.js:3883:26) at NodeEventGenerator.applySelectors (/src/repo/node_modules/vue-eslint-parser/index.js:3897:22) at NodeEventGenerator.enterNode (/src/repo/node_modules/vue-eslint-parser/index.js:3905:14) at traverse (/src/repo/node_modules/vue-eslint-parser/index.js:154:13) at traverse (/src/repo/node_modules/vue-eslint-parser/index.js:166:13) at traverse (/src/repo/node_modules/vue-eslint-parser/index.js:166:13) --- stdout --- > toolhub@1.0.0 test > npm run lint && npm run unit > toolhub@1.0.0 lint > npm run lint:eslint && npm run lint:vue && npm run lint:stylelint && npm run lint:banana && npm run lint:css-rtl > toolhub@1.0.0 lint:eslint > eslint . --- end --- Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/", line 1789, in main, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/", line 1728, in run self.npm_upgrade(plan) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/", line 1194, in npm_upgrade self.npm_test() File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/", line 325, in npm_test self.check_call(["npm", "test"]) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/", line 59, in check_call res.check_returncode() File "/usr/lib/python3.11/", line 502, in check_returncode raise CalledProcessError(self.returncode, self.args, self.stdout, subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 2.