This run took 70 seconds.
$ date --- stdout --- Wed Oct 23 03:45:05 UTC 2024 --- end --- $ git clone file:///srv/git/mediawiki-services-push-notifications.git repo --depth=1 -b master --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/master --- stdout --- bc6ab04aed385f914fc33b8c1123eb0901a60fce refs/heads/master --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@wikimedia/apn": { "name": "@wikimedia/apn", "severity": "moderate", "isDirect": true, "via": [ "jsonwebtoken", "node-forge" ], "effects": [], "range": "*", "nodes": [ "node_modules/@wikimedia/apn" ], "fixAvailable": false }, "body-parser": { "name": "body-parser", "severity": "high", "isDirect": true, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" } ], "effects": [ "express" ], "range": "<1.20.3", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie" ], "fixAvailable": true }, "express": { "name": "express", "severity": "high", "isDirect": true, "via": [ { "source": 1099529, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "send", "serve-static" ], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "fast-xml-parser": { "name": "fast-xml-parser", "severity": "high", "isDirect": false, "via": [ { "source": 1100054, "name": "fast-xml-parser", "dependency": "fast-xml-parser", "title": "fast-xml-parser vulnerable to ReDOS at currency parsing", "url": "https://github.com/advisories/GHSA-mpg4-rc92-vx8v", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.3.5 <4.4.1" } ], "effects": [], "range": "4.3.5 - 4.4.0", "nodes": [ "node_modules/fast-xml-parser" ], "fixAvailable": true }, "jsonwebtoken": { "name": "jsonwebtoken", "severity": "high", "isDirect": false, "via": [ { "source": 1097684, "name": "jsonwebtoken", "dependency": "jsonwebtoken", "title": "jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()", "url": "https://github.com/advisories/GHSA-qwph-4952-7xr6", "severity": "moderate", "cwe": [ "CWE-287", "CWE-327", "CWE-347" ], "cvss": { "score": 6.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L" }, "range": "<9.0.0" }, { "source": 1097690, "name": "jsonwebtoken", "dependency": "jsonwebtoken", "title": "jsonwebtoken unrestricted key type could lead to legacy keys usage ", "url": "https://github.com/advisories/GHSA-8cf7-32gw-wr33", "severity": "high", "cwe": [ "CWE-327" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, "range": "<=8.5.1" }, { "source": 1097694, "name": "jsonwebtoken", "dependency": "jsonwebtoken", "title": "jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", "url": "https://github.com/advisories/GHSA-hjrf-2m68-5959", "severity": "moderate", "cwe": [ "CWE-287", "CWE-1259" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, "range": "<=8.5.1" } ], "effects": [ "@wikimedia/apn" ], "range": "<=8.5.1", "nodes": [ "node_modules/jsonwebtoken" ], "fixAvailable": false }, "limitation": { "name": "limitation", "severity": "moderate", "isDirect": false, "via": [ "wikimedia-kad-fork" ], "effects": [ "service-runner" ], "range": ">=0.2.3", "nodes": [ "node_modules/limitation" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "micromatch": { "name": "micromatch", "severity": "moderate", "isDirect": false, "via": [ { "source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": "Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<4.0.8" } ], "effects": [], "range": "<4.0.8", "nodes": [ "node_modules/micromatch" ], "fixAvailable": true }, "ms": { "name": "ms", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.0" } ], "effects": [ "wikimedia-kad-fork" ], "range": "<2.0.0", "nodes": [ "node_modules/wikimedia-kad-fork/node_modules/ms" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "node-forge": { "name": "node-forge", "severity": "high", "isDirect": false, "via": [ { "source": 1088227, "name": "node-forge", "dependency": "node-forge", "title": "Prototype Pollution in node-forge debug API.", "url": "https://github.com/advisories/GHSA-5rrq-pxf6-6jx5", "severity": "low", "cwe": [ "CWE-1321" ], "cvss": { "score": 0, "vectorString": null }, "range": "<1.0.0" }, { "source": 1088228, "name": "node-forge", "dependency": "node-forge", "title": "Prototype Pollution in node-forge util.setPath API", "url": "https://github.com/advisories/GHSA-wxgw-qj99-44c2", "severity": "low", "cwe": [], "cvss": { "score": 0, "vectorString": null }, "range": "<0.10.0" }, { "source": 1088229, "name": "node-forge", "dependency": "node-forge", "title": "URL parsing in node-forge could lead to undesired behavior.", "url": "https://github.com/advisories/GHSA-gf8q-jrpm-jvxq", "severity": "low", "cwe": [ "CWE-601" ], "cvss": { "score": 0, "vectorString": null }, "range": "<1.0.0" }, { "source": 1088746, "name": "node-forge", "dependency": "node-forge", "title": "Improper Verification of Cryptographic Signature in `node-forge`", "url": "https://github.com/advisories/GHSA-2r2c-g63r-vccr", "severity": "moderate", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<1.3.0" }, { "source": 1093719, "name": "node-forge", "dependency": "node-forge", "title": "Open Redirect in node-forge", "url": "https://github.com/advisories/GHSA-8fr3-hfg3-gpgp", "severity": "moderate", "cwe": [ "CWE-601" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<1.0.0" }, { "source": 1095011, "name": "node-forge", "dependency": "node-forge", "title": "Prototype Pollution in node-forge", "url": "https://github.com/advisories/GHSA-92xj-mqp7-vmcj", "severity": "high", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C" }, "range": "<0.10.0" }, { "source": 1095012, "name": "node-forge", "dependency": "node-forge", "title": "Improper Verification of Cryptographic Signature in node-forge", "url": "https://github.com/advisories/GHSA-cfm4-qjh2-4765", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<1.3.0" }, { "source": 1095013, "name": "node-forge", "dependency": "node-forge", "title": "Improper Verification of Cryptographic Signature in node-forge", "url": "https://github.com/advisories/GHSA-x4jg-mjrx-434g", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": "<1.3.0" } ], "effects": [], "range": "<=1.2.1", "nodes": [ "node_modules/node-forge" ], "fixAvailable": true }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099558, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <6.3.0" }, { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" } ], "effects": [ "express" ], "range": "<=0.1.9 || 4.0.0 - 6.2.2", "nodes": [ "node_modules/nise/node_modules/path-to-regexp", "node_modules/path-to-regexp" ], "fixAvailable": true }, "preq": { "name": "preq", "severity": "high", "isDirect": true, "via": [ "request", "requestretry" ], "effects": [], "range": "*", "nodes": [ "node_modules/preq" ], "fixAvailable": false }, "request": { "name": "request", "severity": "moderate", "isDirect": true, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "preq", "requestretry" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "requestretry": { "name": "requestretry", "severity": "high", "isDirect": false, "via": [ { "source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<7.0.0" }, "request" ], "effects": [ "preq" ], "range": "*", "nodes": [ "node_modules/requestretry" ], "fixAvailable": false }, "send": { "name": "send", "severity": "moderate", "isDirect": false, "via": [ { "source": 1099525, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "node_modules/send" ], "fixAvailable": true }, "serve-static": { "name": "serve-static", "severity": "moderate", "isDirect": false, "via": [ { "source": 1099527, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [], "range": "<=1.16.0", "nodes": [ "node_modules/serve-static" ], "fixAvailable": true }, "service-runner": { "name": "service-runner", "severity": "moderate", "isDirect": true, "via": [ "limitation" ], "effects": [], "range": ">=3.1.0", "nodes": [ "node_modules/service-runner" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": false }, "wikimedia-kad-fork": { "name": "wikimedia-kad-fork", "severity": "moderate", "isDirect": false, "via": [ "ms" ], "effects": [ "limitation" ], "range": "*", "nodes": [ "node_modules/wikimedia-kad-fork" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 10, "high": 8, "critical": 0, "total": 19 }, "dependencies": { "prod": 415, "dev": 417, "optional": 78, "peer": 0, "peerOptional": 0, "total": 908 } } } --- end --- $ /usr/bin/npm install --- stderr --- npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained. npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained. npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options. --- stdout --- added 874 packages, and audited 875 packages in 40s 159 packages are looking for funding run `npm fund` for details 11 vulnerabilities (7 moderate, 4 high) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- Upgrading n:eslint-config-wikimedia from ^0.28.1 -> 0.28.2 $ /usr/bin/npm install --- stdout --- up to date, audited 875 packages in 3s 159 packages are looking for funding run `npm fund` for details 11 vulnerabilities (7 moderate, 4 high) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- $ ./node_modules/.bin/eslint . --fix --- stderr --- Oops! Something went wrong! :( ESLint: 8.57.1 ESLint couldn't find the plugin "eslint-plugin-json". (The package "eslint-plugin-json" was not found when loaded as a Node module from the directory "/src/repo".) It's likely that the plugin isn't installed correctly. Try reinstalling by running the following: npm install eslint-plugin-json@latest --save-dev The plugin "eslint-plugin-json" was referenced from the config file in ".eslintrc.json". If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team. --- stdout --- --- end --- $ ./node_modules/.bin/eslint . -f json --- stderr --- Oops! Something went wrong! :( ESLint: 8.57.1 ESLint couldn't find the plugin "eslint-plugin-json". (The package "eslint-plugin-json" was not found when loaded as a Node module from the directory "/src/repo".) It's likely that the plugin isn't installed correctly. Try reinstalling by running the following: npm install eslint-plugin-json@latest --save-dev The plugin "eslint-plugin-json" was referenced from the config file in ".eslintrc.json". If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team. --- stdout --- --- end --- Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1864, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1803, in run self.npm_upgrade(plan) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1197, in npm_upgrade hook(update) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1500, in _handle_eslint errors = json.loads( ^^^^^^^^^^^ File "/usr/lib/python3.11/json/__init__.py", line 346, in loads return _default_decoder.decode(s) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)