This run took 136 seconds.
From f00ffef32cec3208f6b647d01cb9b5452aa2f327 Mon Sep 17 00:00:00 2001 From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org> Date: Tue, 19 Nov 2024 08:36:51 +0000 Subject: [PATCH] build: Updating npm dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * body-parser: 1.20.2 → 1.20.3 * https://github.com/advisories/GHSA-qwcr-r2fm-qrc7 * express: 4.19.2 → 4.21.1 * https://github.com/advisories/GHSA-9wv6-86v2-598j * https://github.com/advisories/GHSA-cm22-4g7w-348p * https://github.com/advisories/GHSA-m6fv-jmcg-4jfg * https://github.com/advisories/GHSA-qw6h-vgh9-j6wx * https://github.com/advisories/GHSA-qwcr-r2fm-qrc7 * path-to-regexp: 0.1.7, 6.2.2 → 0.1.10, 6.3.0 * https://github.com/advisories/GHSA-9wv6-86v2-598j * send: 0.16.2, 0.18.0 → 0.16.2, 0.19.0 * https://github.com/advisories/GHSA-m6fv-jmcg-4jfg * serve-static: 1.15.0 → 1.16.2 * https://github.com/advisories/GHSA-cm22-4g7w-348p * https://github.com/advisories/GHSA-m6fv-jmcg-4jfg Change-Id: I01a6331070e18edccbfb1e75a28b7c94f98b4316 --- package-lock.json | 121 ++++++++++++++++++++++++++++------------------ 1 file changed, 74 insertions(+), 47 deletions(-) diff --git a/package-lock.json b/package-lock.json index fd1ff06..d298134 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1961,9 +1961,9 @@ "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==" }, "node_modules/body-parser": { - "version": "1.20.2", - "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz", - "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==", + "version": "1.20.3", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz", + "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==", "dependencies": { "bytes": "3.1.2", "content-type": "~1.0.5", @@ -1973,7 +1973,7 @@ "http-errors": "2.0.0", "iconv-lite": "0.4.24", "on-finished": "2.4.1", - "qs": "6.11.0", + "qs": "6.13.0", "raw-body": "2.5.2", "type-is": "~1.6.18", "unpipe": "1.0.0" @@ -2670,9 +2670,9 @@ "dev": true }, "node_modules/cookie": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz", - "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==", + "version": "0.7.1", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz", + "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==", "engines": { "node": ">= 0.6" } @@ -2713,9 +2713,9 @@ "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "node_modules/cross-spawn": { - "version": "7.0.3", - "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", - "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", + "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", "dev": true, "dependencies": { "path-key": "^3.1.0", @@ -3994,36 +3994,36 @@ } }, "node_modules/express": { - "version": "4.19.2", - "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz", - "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==", + "version": "4.21.1", + "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz", + "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==", "dependencies": { "accepts": "~1.3.8", "array-flatten": "1.1.1", - "body-parser": "1.20.2", + "body-parser": "1.20.3", "content-disposition": "0.5.4", "content-type": "~1.0.4", - "cookie": "0.6.0", + "cookie": "0.7.1", "cookie-signature": "1.0.6", "debug": "2.6.9", "depd": "2.0.0", - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "etag": "~1.8.1", - "finalhandler": "1.2.0", + "finalhandler": "1.3.1", "fresh": "0.5.2", "http-errors": "2.0.0", - "merge-descriptors": "1.0.1", + "merge-descriptors": "1.0.3", "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.7", + "path-to-regexp": "0.1.10", "proxy-addr": "~2.0.7", - "qs": "6.11.0", + "qs": "6.13.0", "range-parser": "~1.2.1", "safe-buffer": "5.2.1", - "send": "0.18.0", - "serve-static": "1.15.0", + "send": "0.19.0", + "serve-static": "1.16.2", "setprototypeof": "1.2.0", "statuses": "2.0.1", "type-is": "~1.6.18", @@ -4042,6 +4042,14 @@ "ms": "2.0.0" } }, + "node_modules/express/node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/express/node_modules/ms": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", @@ -4169,12 +4177,12 @@ } }, "node_modules/finalhandler": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.2.0.tgz", - "integrity": "sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg==", + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.1.tgz", + "integrity": "sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==", "dependencies": { "debug": "2.6.9", - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "on-finished": "2.4.1", "parseurl": "~1.3.3", @@ -4193,6 +4201,14 @@ "ms": "2.0.0" } }, + "node_modules/finalhandler/node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/finalhandler/node_modules/ms": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", @@ -5807,9 +5823,12 @@ "integrity": "sha512-csC7Gt/z03tvtlicXqT2OMNc8wHk2rd7KSL4a/ZQxhY9YRyPPq3cSysg0ToskyGld89btn+zS8TdK0iaQp3M2g==" }, "node_modules/merge-descriptors": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz", - "integrity": "sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w==" + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz", + "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==", + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } }, "node_modules/merge2": { "version": "1.4.1", @@ -6464,9 +6483,9 @@ } }, "node_modules/nise/node_modules/path-to-regexp": { - "version": "6.2.2", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.2.2.tgz", - "integrity": "sha512-GQX3SSMokngb36+whdpRXE+3f9V8UzyAorlYvOGx87ufGHehNTn5lCxrKtLyZ4Yl/wEKnNnr98ZzOwwDZV5ogw==", + "version": "6.3.0", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.3.0.tgz", + "integrity": "sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ==", "dev": true }, "node_modules/nock": { @@ -7164,9 +7183,9 @@ "dev": true }, "node_modules/path-to-regexp": { - "version": "0.1.7", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz", - "integrity": "sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==" + "version": "0.1.10", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz", + "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==" }, "node_modules/performance-now": { "version": "2.1.0", @@ -7509,11 +7528,11 @@ } }, "node_modules/qs": { - "version": "6.11.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz", - "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==", + "version": "6.13.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz", + "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==", "dependencies": { - "side-channel": "^1.0.4" + "side-channel": "^1.0.6" }, "engines": { "node": ">=0.6" @@ -8055,9 +8074,9 @@ } }, "node_modules/send": { - "version": "0.18.0", - "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz", - "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==", + "version": "0.19.0", + "resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz", + "integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==", "dependencies": { "debug": "2.6.9", "depd": "2.0.0", @@ -8117,19 +8136,27 @@ } }, "node_modules/serve-static": { - "version": "1.15.0", - "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz", - "integrity": "sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==", + "version": "1.16.2", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.2.tgz", + "integrity": "sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==", "dependencies": { - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "parseurl": "~1.3.3", - "send": "0.18.0" + "send": "0.19.0" }, "engines": { "node": ">= 0.8.0" } }, + "node_modules/serve-static/node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/service-runner": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/service-runner/-/service-runner-5.0.0.tgz", -- 2.39.2
$ date --- stdout --- Tue Nov 19 08:34:51 UTC 2024 --- end --- $ git clone file:///srv/git/mediawiki-services-mobileapps.git repo --depth=1 -b master --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/master --- stdout --- 9c0250f3ab566e02062852309adcc0824f7b08ea refs/heads/master --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "body-parser": { "name": "body-parser", "severity": "high", "isDirect": true, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" } ], "effects": [ "express" ], "range": "<1.20.3", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express", "mock-express-response" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie", "node_modules/mock-express-response/node_modules/cookie" ], "fixAvailable": false }, "cross-spawn": { "name": "cross-spawn", "severity": "high", "isDirect": false, "via": [ { "source": 1100467, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<7.0.5" } ], "effects": [ "pre-commit" ], "range": "<7.0.5", "nodes": [ "node_modules/cross-spawn", "node_modules/pre-commit/node_modules/cross-spawn" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "express": { "name": "express", "severity": "high", "isDirect": true, "via": [ { "source": 1100530, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "send", "serve-static" ], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "limitation": { "name": "limitation", "severity": "moderate", "isDirect": false, "via": [ "wikimedia-kad-fork" ], "effects": [ "service-runner" ], "range": ">=0.2.3", "nodes": [ "node_modules/limitation" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "mock-express-response": { "name": "mock-express-response", "severity": "low", "isDirect": true, "via": [ "cookie", "send" ], "effects": [], "range": "*", "nodes": [ "node_modules/mock-express-response" ], "fixAvailable": false }, "ms": { "name": "ms", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.0" } ], "effects": [ "wikimedia-kad-fork" ], "range": "<2.0.0", "nodes": [ "node_modules/wikimedia-kad-fork/node_modules/ms" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099558, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <6.3.0" }, { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" } ], "effects": [ "express" ], "range": "<=0.1.9 || 4.0.0 - 6.2.2", "nodes": [ "node_modules/nise/node_modules/path-to-regexp", "node_modules/path-to-regexp" ], "fixAvailable": true }, "pre-commit": { "name": "pre-commit", "severity": "high", "isDirect": true, "via": [ "cross-spawn" ], "effects": [], "range": ">=1.1.0", "nodes": [ "node_modules/pre-commit" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "preq": { "name": "preq", "severity": "high", "isDirect": true, "via": [ "request", "requestretry" ], "effects": [], "range": "*", "nodes": [ "node_modules/preq" ], "fixAvailable": false }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "preq", "requestretry" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "requestretry": { "name": "requestretry", "severity": "high", "isDirect": false, "via": [ { "source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<7.0.0" }, "request" ], "effects": [ "preq" ], "range": "*", "nodes": [ "node_modules/requestretry" ], "fixAvailable": false }, "send": { "name": "send", "severity": "low", "isDirect": false, "via": [ { "source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "node_modules/mock-express-response/node_modules/send", "node_modules/send" ], "fixAvailable": true }, "serve-static": { "name": "serve-static", "severity": "low", "isDirect": false, "via": [ { "source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [], "range": "<=1.16.0", "nodes": [ "node_modules/serve-static" ], "fixAvailable": true }, "service-runner": { "name": "service-runner", "severity": "moderate", "isDirect": true, "via": [ "limitation" ], "effects": [], "range": ">=3.1.0", "nodes": [ "node_modules/service-runner" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": false }, "wikimedia-kad-fork": { "name": "wikimedia-kad-fork", "severity": "moderate", "isDirect": false, "via": [ "ms" ], "effects": [ "limitation" ], "range": "*", "nodes": [ "node_modules/wikimedia-kad-fork" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 4, "moderate": 6, "high": 7, "critical": 0, "total": 17 }, "dependencies": { "prod": 257, "dev": 579, "optional": 24, "peer": 1, "peerOptional": 0, "total": 849 } } } --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "body-parser": { "name": "body-parser", "severity": "high", "isDirect": true, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" } ], "effects": [ "express" ], "range": "<1.20.3", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express", "mock-express-response" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie", "node_modules/mock-express-response/node_modules/cookie" ], "fixAvailable": false }, "cross-spawn": { "name": "cross-spawn", "severity": "high", "isDirect": false, "via": [ { "source": 1100467, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<7.0.5" } ], "effects": [ "pre-commit" ], "range": "<7.0.5", "nodes": [ "node_modules/cross-spawn", "node_modules/pre-commit/node_modules/cross-spawn" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "express": { "name": "express", "severity": "high", "isDirect": true, "via": [ { "source": 1100530, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "send", "serve-static" ], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "limitation": { "name": "limitation", "severity": "moderate", "isDirect": false, "via": [ "wikimedia-kad-fork" ], "effects": [ "service-runner" ], "range": ">=0.2.3", "nodes": [ "node_modules/limitation" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "mock-express-response": { "name": "mock-express-response", "severity": "low", "isDirect": true, "via": [ "cookie", "send" ], "effects": [], "range": "*", "nodes": [ "node_modules/mock-express-response" ], "fixAvailable": false }, "ms": { "name": "ms", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.0" } ], "effects": [ "wikimedia-kad-fork" ], "range": "<2.0.0", "nodes": [ "node_modules/wikimedia-kad-fork/node_modules/ms" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099558, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <6.3.0" }, { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" } ], "effects": [ "express" ], "range": "<=0.1.9 || 4.0.0 - 6.2.2", "nodes": [ "node_modules/nise/node_modules/path-to-regexp", "node_modules/path-to-regexp" ], "fixAvailable": true }, "pre-commit": { "name": "pre-commit", "severity": "high", "isDirect": true, "via": [ "cross-spawn" ], "effects": [], "range": ">=1.1.0", "nodes": [ "node_modules/pre-commit" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "preq": { "name": "preq", "severity": "high", "isDirect": true, "via": [ "request", "requestretry" ], "effects": [], "range": "*", "nodes": [ "node_modules/preq" ], "fixAvailable": false }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "preq", "requestretry" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "requestretry": { "name": "requestretry", "severity": "high", "isDirect": false, "via": [ { "source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<7.0.0" }, "request" ], "effects": [ "preq" ], "range": "*", "nodes": [ "node_modules/requestretry" ], "fixAvailable": false }, "send": { "name": "send", "severity": "low", "isDirect": false, "via": [ { "source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "node_modules/mock-express-response/node_modules/send", "node_modules/send" ], "fixAvailable": true }, "serve-static": { "name": "serve-static", "severity": "low", "isDirect": false, "via": [ { "source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [], "range": "<=1.16.0", "nodes": [ "node_modules/serve-static" ], "fixAvailable": true }, "service-runner": { "name": "service-runner", "severity": "moderate", "isDirect": true, "via": [ "limitation" ], "effects": [], "range": ">=3.1.0", "nodes": [ "node_modules/service-runner" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": false }, "wikimedia-kad-fork": { "name": "wikimedia-kad-fork", "severity": "moderate", "isDirect": false, "via": [ "ms" ], "effects": [ "limitation" ], "range": "*", "nodes": [ "node_modules/wikimedia-kad-fork" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 4, "moderate": 6, "high": 7, "critical": 0, "total": 17 }, "dependencies": { "prod": 257, "dev": 579, "optional": 24, "peer": 1, "peerOptional": 0, "total": 849 } } } --- end --- Attempting to npm audit fix $ /usr/bin/npm audit fix --dry-run --only=dev --json --- stderr --- npm WARN invalid config only="dev" set in command line options npm WARN invalid config Must be one of: null, prod, production --- stdout --- { "added": 852, "removed": 0, "changed": 0, "audited": 853, "funding": 124, "audit": { "auditReportVersion": 2, "vulnerabilities": { "body-parser": { "name": "body-parser", "severity": "high", "isDirect": false, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" } ], "effects": [ "express" ], "range": "<1.20.3", "nodes": [ "" ], "fixAvailable": true }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express", "mock-express-response" ], "range": "<0.7.0", "nodes": [ "", "node_modules/mock-express-response/node_modules/cookie" ], "fixAvailable": false }, "cross-spawn": { "name": "cross-spawn", "severity": "high", "isDirect": false, "via": [ { "source": 1100467, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<7.0.5" } ], "effects": [ "pre-commit" ], "range": "<7.0.5", "nodes": [ "", "node_modules/pre-commit/node_modules/cross-spawn" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "express": { "name": "express", "severity": "high", "isDirect": false, "via": [ { "source": 1100530, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "send", "serve-static" ], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [ "" ], "fixAvailable": true }, "limitation": { "name": "limitation", "severity": "moderate", "isDirect": false, "via": [ "wikimedia-kad-fork" ], "effects": [ "service-runner" ], "range": ">=0.2.3", "nodes": [ "node_modules/limitation" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "mock-express-response": { "name": "mock-express-response", "severity": "low", "isDirect": true, "via": [ "cookie", "send" ], "effects": [], "range": "*", "nodes": [ "node_modules/mock-express-response" ], "fixAvailable": false }, "ms": { "name": "ms", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<2.0.0" } ], "effects": [ "wikimedia-kad-fork" ], "range": "<2.0.0", "nodes": [ "node_modules/wikimedia-kad-fork/node_modules/ms" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099558, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <6.3.0" }, { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" } ], "effects": [ "express" ], "range": "<=0.1.9 || 4.0.0 - 6.2.2", "nodes": [ "", "" ], "fixAvailable": true }, "pre-commit": { "name": "pre-commit", "severity": "high", "isDirect": true, "via": [ "cross-spawn" ], "effects": [], "range": ">=1.1.0", "nodes": [ "node_modules/pre-commit" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "preq": { "name": "preq", "severity": "high", "isDirect": true, "via": [ "request", "requestretry" ], "effects": [], "range": "*", "nodes": [ "node_modules/preq" ], "fixAvailable": false }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "preq", "requestretry" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": false }, "requestretry": { "name": "requestretry", "severity": "high", "isDirect": false, "via": [ { "source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<7.0.0" }, "request" ], "effects": [ "preq" ], "range": "*", "nodes": [ "node_modules/requestretry" ], "fixAvailable": false }, "send": { "name": "send", "severity": "low", "isDirect": false, "via": [ { "source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "", "node_modules/mock-express-response/node_modules/send" ], "fixAvailable": true }, "serve-static": { "name": "serve-static", "severity": "low", "isDirect": false, "via": [ { "source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [], "range": "<=1.16.0", "nodes": [ "" ], "fixAvailable": true }, "service-runner": { "name": "service-runner", "severity": "moderate", "isDirect": true, "via": [ "limitation" ], "effects": [], "range": ">=3.1.0", "nodes": [ "node_modules/service-runner" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "request" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": false }, "wikimedia-kad-fork": { "name": "wikimedia-kad-fork", "severity": "moderate", "isDirect": false, "via": [ "ms" ], "effects": [ "limitation" ], "range": "*", "nodes": [ "node_modules/wikimedia-kad-fork" ], "fixAvailable": { "name": "service-runner", "version": "3.0.0", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 4, "moderate": 6, "high": 7, "critical": 0, "total": 17 }, "dependencies": { "prod": 260, "dev": 579, "optional": 24, "peer": 1, "peerOptional": 0, "total": 852 } } } } --- end --- {"added": 852, "removed": 0, "changed": 0, "audited": 853, "funding": 124, "audit": {"auditReportVersion": 2, "vulnerabilities": {"body-parser": {"name": "body-parser", "severity": "high", "isDirect": false, "via": [{"source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": ["CWE-405"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<1.20.3"}], "effects": ["express"], "range": "<1.20.3", "nodes": [""], "fixAvailable": true}, "cookie": {"name": "cookie", "severity": "low", "isDirect": false, "via": [{"source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": ["CWE-74"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.7.0"}], "effects": ["express", "mock-express-response"], "range": "<0.7.0", "nodes": ["", "node_modules/mock-express-response/node_modules/cookie"], "fixAvailable": false}, "cross-spawn": {"name": "cross-spawn", "severity": "high", "isDirect": false, "via": [{"source": 1100467, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<7.0.5"}], "effects": ["pre-commit"], "range": "<7.0.5", "nodes": ["", "node_modules/pre-commit/node_modules/cross-spawn"], "fixAvailable": {"name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true}}, "express": {"name": "express", "severity": "high", "isDirect": false, "via": [{"source": 1100530, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<4.20.0"}, "body-parser", "cookie", "path-to-regexp", "send", "serve-static"], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [""], "fixAvailable": true}, "limitation": {"name": "limitation", "severity": "moderate", "isDirect": false, "via": ["wikimedia-kad-fork"], "effects": ["service-runner"], "range": ">=0.2.3", "nodes": ["node_modules/limitation"], "fixAvailable": {"name": "service-runner", "version": "3.0.0", "isSemVerMajor": true}}, "mock-express-response": {"name": "mock-express-response", "severity": "low", "isDirect": true, "via": ["cookie", "send"], "effects": [], "range": "*", "nodes": ["node_modules/mock-express-response"], "fixAvailable": false}, "ms": {"name": "ms", "severity": "moderate", "isDirect": false, "via": [{"source": 1094419, "name": "ms", "dependency": "ms", "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability", "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", "severity": "moderate", "cwe": ["CWE-1333"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<2.0.0"}], "effects": ["wikimedia-kad-fork"], "range": "<2.0.0", "nodes": ["node_modules/wikimedia-kad-fork/node_modules/ms"], "fixAvailable": {"name": "service-runner", "version": "3.0.0", "isSemVerMajor": true}}, "path-to-regexp": {"name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [{"source": 1099558, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <6.3.0"}, {"source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<0.1.10"}], "effects": ["express"], "range": "<=0.1.9 || 4.0.0 - 6.2.2", "nodes": ["", ""], "fixAvailable": true}, "pre-commit": {"name": "pre-commit", "severity": "high", "isDirect": true, "via": ["cross-spawn"], "effects": [], "range": ">=1.1.0", "nodes": ["node_modules/pre-commit"], "fixAvailable": {"name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true}}, "preq": {"name": "preq", "severity": "high", "isDirect": true, "via": ["request", "requestretry"], "effects": [], "range": "*", "nodes": ["node_modules/preq"], "fixAvailable": false}, "request": {"name": "request", "severity": "moderate", "isDirect": false, "via": [{"source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": ["CWE-918"], "cvss": {"score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "range": "<=2.88.2"}, "tough-cookie"], "effects": ["preq", "requestretry"], "range": "*", "nodes": ["node_modules/request"], "fixAvailable": false}, "requestretry": {"name": "requestretry", "severity": "high", "isDirect": false, "via": [{"source": 1090420, "name": "requestretry", "dependency": "requestretry", "title": "Cookie exposure in requestretry", "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", "severity": "high", "cwe": ["CWE-200"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "range": "<7.0.0"}, "request"], "effects": ["preq"], "range": "*", "nodes": ["node_modules/requestretry"], "fixAvailable": false}, "send": {"name": "send", "severity": "low", "isDirect": false, "via": [{"source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<0.19.0"}], "effects": ["express", "serve-static"], "range": "<0.19.0", "nodes": ["", "node_modules/mock-express-response/node_modules/send"], "fixAvailable": true}, "serve-static": {"name": "serve-static", "severity": "low", "isDirect": false, "via": [{"source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<1.16.0"}, "send"], "effects": [], "range": "<=1.16.0", "nodes": [""], "fixAvailable": true}, "service-runner": {"name": "service-runner", "severity": "moderate", "isDirect": true, "via": ["limitation"], "effects": [], "range": ">=3.1.0", "nodes": ["node_modules/service-runner"], "fixAvailable": {"name": "service-runner", "version": "3.0.0", "isSemVerMajor": true}}, "tough-cookie": {"name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [{"source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": ["CWE-1321"], "cvss": {"score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "range": "<4.1.3"}], "effects": ["request"], "range": "<4.1.3", "nodes": ["node_modules/tough-cookie"], "fixAvailable": false}, "wikimedia-kad-fork": {"name": "wikimedia-kad-fork", "severity": "moderate", "isDirect": false, "via": ["ms"], "effects": ["limitation"], "range": "*", "nodes": ["node_modules/wikimedia-kad-fork"], "fixAvailable": {"name": "service-runner", "version": "3.0.0", "isSemVerMajor": true}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 4, "moderate": 6, "high": 7, "critical": 0, "total": 17}, "dependencies": {"prod": 260, "dev": 579, "optional": 24, "peer": 1, "peerOptional": 0, "total": 852}}}} $ /usr/bin/npm audit fix --only=dev --- stderr --- npm WARN invalid config only="dev" set in command line options npm WARN invalid config Must be one of: null, prod, production npm WARN deprecated @types/long@5.0.0: This is a stub types definition. long provides its own type definitions, so you do not need this installed. npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained. npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained. npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 --- stdout --- added 851 packages, and audited 852 packages in 11s 124 packages are looking for funding run `npm fund` for details # npm audit report cookie <0.7.0 cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x No fix available node_modules/mock-express-response/node_modules/cookie mock-express-response * Depends on vulnerable versions of cookie Depends on vulnerable versions of send node_modules/mock-express-response cross-spawn <7.0.5 Severity: high Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275 fix available via `npm audit fix --force` Will install pre-commit@1.0.10, which is a breaking change node_modules/pre-commit/node_modules/cross-spawn pre-commit >=1.1.0 Depends on vulnerable versions of cross-spawn node_modules/pre-commit ms <2.0.0 Severity: moderate Vercel ms Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-w9mr-4mfr-499f fix available via `npm audit fix --force` Will install service-runner@3.0.0, which is a breaking change node_modules/wikimedia-kad-fork/node_modules/ms wikimedia-kad-fork * Depends on vulnerable versions of ms node_modules/wikimedia-kad-fork limitation >=0.2.3 Depends on vulnerable versions of wikimedia-kad-fork node_modules/limitation service-runner >=3.1.0 Depends on vulnerable versions of limitation node_modules/service-runner request * Severity: moderate Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6 Depends on vulnerable versions of tough-cookie No fix available node_modules/request preq * Depends on vulnerable versions of request Depends on vulnerable versions of requestretry node_modules/preq requestretry * Depends on vulnerable versions of request node_modules/requestretry send <0.19.0 send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg fix available via `npm audit fix` node_modules/mock-express-response/node_modules/send tough-cookie <4.1.3 Severity: moderate tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3 No fix available node_modules/tough-cookie 13 vulnerabilities (3 low, 6 moderate, 4 high) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. --- end --- Verifying that tests still pass $ /usr/bin/npm ci --- stderr --- npm WARN deprecated @types/long@5.0.0: This is a stub types definition. long provides its own type definitions, so you do not need this installed. npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm WARN deprecated kad-fs@0.0.4: This package is no longer maintained. npm WARN deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated kad-memstore@0.0.1: This package is no longer maintained. npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 --- stdout --- added 851 packages, and audited 852 packages in 16s 124 packages are looking for funding run `npm fund` for details 13 vulnerabilities (3 low, 6 moderate, 4 high) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ /usr/bin/npm test --- stderr --- (node:439) Warning: "version" is a reserved word. Please do one of the following: - Disable version with `yargs.version(false)` if using "version" as an option - Use the built-in `yargs.version` method instead (if applicable) - Use a different option key https://yargs.js.org/docs/#api-reference-version (Use `node --trace-warnings ...` to show where the warning was created) --- stdout --- > mobileapps@0.3.0 test > PREQ_CONNECT_TIMEOUT=15 mocha 'test/{,!(diff)/**}/*.js' && npm run lint express app ✔ should get robots.txt ✔ should set CORS headers ✔ should set CSP headers ✔ should not follow redirects (2312ms) Swagger spec ✔ get the spec (53ms) ✔ spec validation validate responses against schema ✔ summary response should conform to schema (7305ms) ✔ media-list response should conform to schema (638ms) validate spec examples Expected: true Result: false - Should validate tests Expected: 200 Result: undefined Cache config ✔ should parse config and adapt ca value Cached endpoints ✔ should call cache get for cached summary output ✔ should call cache set for non-cached summary page (511ms) ✔ should call cache get for cached mobile-html output ✔ should call cache set for non-cached mobile-html page (766ms) Caching events ✔ should generate resource change and purge events Caching hooks ✔ should call hit hook on content hit ✔ should call update hook on content update (690ms) definition ✔ missing definitions (60ms) ✔ non-term page (263ms) ✔ unsupported language (118ms) ✔ non-English term on English Wiktionary returns valid results (2138ms) ✔ translingual term (834ms) ✔ sets content-language header (778ms) description ✔ delete local description GET ✔ missing description, enwiki (114ms) ✔ missing description, other wiki (108ms) ✔ ok description, enwiki (144ms) ✔ ok description, ru wiki (180ms) PUT ✔ failed fetching token, central ✔ failed fetching token, local ✔ failed fetching page, local ✔ missing required parameter ✔ set central description: fail ✔ set central description ✔ set central description, variant ✔ set local description DELETE ✔ failed fetching token, central ✔ failed fetching token, local ✔ failed fetching page, local ✔ delete description service information ✔ should get the service name ✔ should get the service version ✔ should redirect to the service home page ✔ should get the service info media ✔ Media-list resources should be the same on mobile-html (385ms) transform/html/to/mobile-html ✔ simple html convertion should work properly (174ms) ✔ single html convertion should work properly (130ms) ✔ empty section with id=0 convertion should work properly (153ms) mobile-html-offline-resources ✔ Response should be array with JS and CSS resources mobile-html ✔ HTML should be sectioned (767ms) ✔ mobile-html headers not compatible with restbase output (213ms) ✔ mobile-html headers compatible with restbase output (203ms) ✔ mobile-html should have css links + viewport set (223ms) ✔ mobile-html should have lead paragraph moved up (8964ms) ✔ mobile-html should not have navboxes (572ms) ✔ mobile-html should have meta tags indicating page protection (1059ms) ✔ mobile-html from parse should have meta tags indicating page protection (358ms) ✔ mobile-html should not enable edit talk page button by default (653ms) mobile-sections-lead ✔ Sections/deep page should have a lead object with expected properties (923ms) ✔ en San Francisco should have a lead object with a geo property (1060ms) ✔ es Savonlinna should have a lead object with a geo property (338ms) ✔ Wikivoyage en Paris should have a lead object with a geo property (489ms) ✔ Mare Tranquillitatis (lunar sea) should not have a geo property (166ms) ✔ Barack Obama should have a pronunciation (1294ms) ✔ Barack Obama infobox is part of the html (1078ms) ✔ Enwiki Uranus loads successfully (no pronunciation parsing TypeErrors) (571ms) - Enwiki Odisha loads successfully (no pronunciation parsing TypeErrors) ✔ Enwiki Yazidis loads successfully (no pronunciation parsing TypeErrors) (618ms) ✔ ' in pronunciation file name does not cause parsing error) (315ms) ✔ Enwiki Lead_paragraph_move has the infobox moved after the lead paragraph (127ms) ✔ Enwiki hatnotes are promoted to the lead object (1133ms) ✔ Enwiki Multiple page issues are promoted to lead (137ms) ✔ Enwiki Pages with single issue have issue promoted to lead (115ms) ✔ Disambiguation pages are flagged. (119ms) - Content model present in response for non-wikitext content mobile-sections ✔ Mismatched title and revision id give 404 (3036ms) ✔ Malformed revision id gives bad request (50ms) ✔ Missing title should respond with 404 (822ms) ✔ Sections/deep page should have a lead object with expected properties (998ms) ✔ en Main page should have a lead object with expected properties (374ms) ✔ Description from local wiki should be used (804ms) ✔ Titles with special chars should not error out when parsing pronunciation files (336ms) ✔ Page with known past 'text-decoration' error should load successfully (1059ms) ✔ Page with irregular Spoken Wikipedia template usage should load correctly (469ms) ✔ Internal links should have title attribute (181ms) - Any sections that contain references should have a reference flag ✔ The last section can be marked as a reference section (131ms) ✔ Page with math formulas should load without error (309ms) summary ✔ should respond with expected properties in payload (823ms) ✔ should respond with content-language header (390ms) ✔ empty summary should be sent for empty page (1810ms) ✔ main page should return empty summary and type should be 'mainpage' (277ms) ✔ main page in non-mainspace should also return type: 'mainpage' (1045ms) ✔ summary should come from first real content paragraph (2746ms) ✔ Empty extracts should be returned for a file page ✔ Empty extracts should be returned for a talk page ✔ Empty extracts should be returned for a redirected page Expected: "no-extract" Result: "standard" ✔ timestamp should refer to the requested revision, not the latest revision (2086ms) ✔ 404 for a page that doesn't exist (281ms) - 404 for a page with invalid title ✔ Description from local wiki should be used (1747ms) ✔ Summary URLs do not contain un-encoded special characters (T216739) (317ms) ✔ Stray leading citation and template are stripped before parsing intro (T225474) (1026ms) ✔ Non wikitext content model should have timestamp in summary (217ms) lib:apiUtil ✔ checkForQueryPagesInResponse should return 504 when query.pages are absent ✔ batching works correctly ✔ order is preserved when Array.reduce is called on resolved BBPromise.all batches ✔ MW API request expanded from template includes Accept-Language header ✔ Checks header for explicit parsoid backend exists and its false ✔ Checks header for explicit parsoid backend exists and its true ✔ Checks header for explicit parsoid backend true (case insensitive) ✔ Checks header for explicit parsoid backend doesnt exist lib:core-api-compat unit tests ✔ should create a HTTPTitleRedirectError ✔ redirect middleware should redirect if configured ✔ redirect middleware should not redirect if error not matching ✔ redirect middleware should not redirect if not reverse url defined PCS configured to redirect ✔ mobile-html should redirect to the resolved page (413ms) ✔ mobile-html should redirect to the resolved page when using action=parse (371ms) ✔ mobile-html-offline-resources should not redirect to the resolved page PCS configured to redirect with absolute URLs ✔ mobile-html should redirect to the resolved page (1263ms) PCS configured to not redirect ✔ mobile-html should not redirect and should parse the resolved response (902ms) ✔ should fixup missing content-language header (358ms) lib:dateUtil ✔ getRequestedDate(2016-04-15) should return a valid Date object ✔ iso8601DateFromYYYYMMDD ✔ addDays positive ✔ addDays zero ✔ addDays negative ✔ addDays immutable ✔ formatYYYYMMDD ✔ isWithinLast3Days ✔ date format validation should reject invalid formats lib:definitions Level 2 headers ✔ extracts them to language code keys parts of speech ✔ is set language ✔ is set on each entry examples parsed formatted with MediaWiki markup (#:/#::) ✔ extracts usage examples formatted with microformats ✔ extracts usage examples unparsed/old format formatted with MediaWiki markup (#:/#::) ✔ extracts usage examples formatted with microformats ✔ extracts usage examples lib:definitions:parseExamples formatted with microformats ✔ extracts usage examples formatted with plain MediaWiki markup ✔ extracts usage examples lib:definitions:parseMicroformats ✔ parses a simple microformat ✔ filters specific formats Local description template editing ✔ Simple param, only template ✔ Simple param, in the beginning ✔ Simple param, in the middle ✔ Named param ✔ Unnamed param, multiple params, unnamed ✔ Unnamed param, multiple params, named ✔ named param, multiple params, unnamed ✔ named param, multiple params, named ✔ Empty wikitext ✔ Respects lowercase ✔ no template lib:domUtil isRTL ✔ isRTL should return false for LTR doc (97ms) ✔ isRTL should return true for RTL doc getBaseUri() ✔ returns URL without protocol getHttpsBaseUri() ✔ returns URL with https protocol getParsoidPlainTitle ✔ getParsoidPlainTitle should return normalized title getParsoidLinkTitle ✔ getParsoidLinkTitle should return DB title ✔ getParsoidLinkTitle should percent-decode title lib:media expected items are included or excluded ✔ items should be found for expected selectors ✔ items should not be found for other selectors ✔ false positives should be filtered lib:media metadata is correctly parsed from HTML ✔ all expected captions are present ✔ all expected data-mw properties are present ✔ all expected derivative properties are present ✔ media file derivative with no codecs in type attribute is parsed correctly ✔ spoken Wikipedia file is correctly identified - pronunciation audio file is correctly identified ✔ section is correctly identified ✔ titles are decoded after parsing from HTML - pronunciation titles are decoded after parsing from HTML ✔ items without imageinfo properties (e.g., deleted items) are filtered lib:media parse structured artist info ✔ all info is parsed from common HTML structure ✔ 'html' and 'name' fields are returned from plain text input ✔ only html returned for site other than Commons ✔ only html returned if additional text is present ✔ only html returned if non-namespace portion of the title !== html.textContent ✔ parses html with lang from metadata object ✔ parses html with lang (non-English) from metadata object ✔ undefined result if input is an empty string lib:media:getCodecs ✔ codecs are parsed from type attributes without errors lib:media:getStructuredSrcSet ✔ should return structured srcset values ✔ should return structured srcset and src values ✔ should return 1x if no scale is present in the srcset values ✔ should return empty array if srcset is empty lib:metadata buildTableOfContents ✔ should have same form as MediaWiki parser-generated TOC lib:metadata ✔ augmentCategories handles undefined categories augmentLangLinks ✔ handles undefined langlinks ✔ bails out if an empty title is found ✔ bails out if an empty title is found (and nonempty title exists) ✔ creates augmented langlink if input is good metadata:preprocessing ✔ strips comments ✔ strips span[typeof=mw:FallbackId] ✔ strips span:empty lib:mobile-util ✔ mwApiTrue handles formatversions 1 and 2 ✔ domainForLangCode swaps in lang code if domain has >2 levels ✔ createDocument should accept an empty string ✔ createDocument should not block the event loop (413ms) setLanguageHeaders ✔ passes through headers (lower-case names in original) ✔ passes through headers (upper-case names in original) ✔ strips 'accept' from vary value with other values present ✔ strips 'Accept' from vary value with other values present ✔ strips vary header if set to 'Accept' only ✔ strips vary header if set to 'accept' only lib:mobile/mobile-request-util ✔ getOutputMode should return defaults when provided nonsense string ✔ getOutputMode should return defaults when provided undefined ✔ getOutputMode should return defaults when provided null ✔ getOutputMode should return the requested item when it is the first member of the array ✔ getOutputMode should return the requested item when it is a non-first member of the array lib:MobileHTML ✔ does not block the event loop (645ms) ✔ detects mwids ✔ detects https ✔ detects header tags ✔ detects single bracket spans ✔ detects inline background styles ✔ detects infobox classes ✔ detects infobox exclusion classes ✔ detects new class ✔ detects images to exclude from widening class ✔ detects reference text ✔ detects forbidden element classes ✔ detects forbidden element class substrings ✔ detects forbidden div classes ✔ detects forbidden span classes ✔ detects forbidden element ids ✔ detects style overriding classes ✔ was worth it to write these regexes (300ms) ✔ truncates reference links properly ✔ detects text under divs with about attribute ✔ detects specific HTML structure when "notheme" class adding is to be skipped from <span> inside <th> ✔ detects all elements inside <div> with class "equation-box-elem" lib:mobileview-html buildSection ✔ section 0 ✔ section 1 ✔ Chinese heading rewriteWikiLinks ✔ single link wrapImagesInSpanElements ✔ single image lib:mwapi:getFlaggedOrLatestRevision ✔ Test de.wikipedia.org with flagged revision extension (89ms) ✔ Test pt.wikipedia.org without flagged revision extension ✔ Test ta.wikinews.org with flagged revision extension (103ms) ✔ Test pl.wikinews.org without flagged revision extension ✔ Test de.wikiquote.org with flagged revision extension (97ms) ✔ Test pl.wikiquote.org without flagged revision extension ✔ Test pl.wikisource.org with flagged revision extension (110ms) ✔ Test en.wikisource.org without flagged revision extension ✔ Test is.wiktionary.org with flagged revision extension (93ms) ✔ Test en.wiktionary.org without flagged revision extension ✔ Test en.wikibooks.org with flagged revision extension (84ms) ✔ Test de.wikibooks.org without flagged revision extension ✔ Test non-flagged article from test2.wikipedia.org (237ms) ✔ Test pending change article from test2.wikipedia.org (236ms) lib:mwapi:getPrimaryEarthCoordinates ✔ gets primary earth coordinates (single coordinate input) ✔ gets primary earth coordinates (multiple coordinate input) ✔ secondary coordinates are ignored ✔ non-earth coordinates are ignored lib:mwapi ✔ scaled thumb URL returned if initial URL is a thumb URL and original width > desired width lib:mwapi buildLeadImageUrls ✔ 2000px thumb should be resized for all widths ✔ 555px thumb should return 320 and 555 for rest ✔ 750px thumb should return 320, 640, and 750 for rest ✔ 200px thumb should return 200px URL for all thumb sizes ✔ should ignore non-thumbnail URLs ✔ should ignore 'thumb' when not a path segment ✔ should create thumb URLs correctly if width regex pattern is in original filename ✔ should handle edge case thumb filename patterns ✔ should handle edge case thumb filename patterns with width regex in original name lib:mwapi:queryForMetadata ✔ ensure that displaytitle is always requested (181ms) lib:mwapi:simplifyProtectionObject ✔ simplifyProtectionObject should simplify ✔ simplifyProtectionObject should remove duplicates ✔ simplifyProtectionObject should keep non-duplicates ✔ simplifyProtectionObject should return empty object for empty list lib:parsePronunciation ✔ has pronunciation file v1 ✔ has pronunciation file v2 ✔ no pronunciation file lib:parseSpokenWikipedia ✔ one spoken file ✔ multiple spoken files ✔ no spoken files lib:parsoid-access etag handling correctly parses and handles etags ✔ gets strong etag with no quotes ✔ strips prefix from weak etags ✔ gets revision from etag ✔ gets revision and tid from etag ✔ getEtagFromHeaders handles undefined input ✔ getRevisionFromEtag handles undefined input ✔ getRevAndTidFromEtag handles undefined input parses modified timestamp ✔ parses timestamp from domino Document lib:parsoid-sections (section elements) ✔ getSectionsText(empty) should produce an empty lead section ✔ getSectionsText() with just text should produce a lead section ✔ getSectionsText() with one h2 should produce two sections ✔ getSectionsText() with one h2 and h3 should produce three sections ✔ getSectionsText() with h2 inside lead should produce one section ✔ getSectionsText() with one h2 inside div should not produce another section ✔ getSectionsText() with one h3 inside div should not produce another section ✔ section inside lead section should not be part of lead section ✔ div/section inside lead section should be part of lead section ✔ should not warn for page containing only a lead section ✔ should warn for non-lead section without heading properties ✔ should not warn if id & anchor are found for all sections after the lead section ✔ should not warn for non-lead non-editable section without heading properties ✔ should not warn if a non-editable section precedes the true lead section ✔ should throw if sectionObj is invalid ✔ validatePreviousSection should log a warning if appropriate ✔ non-editable sections are flagged justLeadSection ✔ should just return the first section ✔ should skip non-editable section ✔ should return empty string if no lead section exists ✔ should skip malformed section tag with no data-mw-section-id ✔ should ignore data-mw-section-id multiples of 10 lib:summary buildExtracts ✔ Applies stripUnneededMarkup ✔ Don't select scribunto errors. getSummaryType ✔ identifies main page ✔ identifies disambig page ✔ defaults to "standard" ✔ type for ns > 0 is no-extract ✔ type for non-wikitext content model is no-extract ✔ type for redirect is no-extract lib:talk parseUserTalkPageDocIntoTopicsWithReplies ✔ two h2 topics return first topic ID 1 ✔ text before first h2 returns separate topic ID 0 ✔ h3 section is given it's own topic ✔ empty h2 with title returns separate topic ✔ empty h2 without title is filtered out ✔ handles empty links ✔ removes figures ✔ does not block the event loop (69ms) lib:escape + unescape parentheses Latin parentheses escaping ✔ properly escapes Latin parentheses ✔ properly unescapes Latin parentheses Non-Latin parentheses escaping ✔ properly escapes non-Latin parentheses ✔ properly unescapes non-Latin parentheses lib:flattenElements ✔ replaces a with span, keeps class attribute ✔ replaces a with span, keeps style attribute ✔ replaces a tag with plain text if no attributes to keep ✔ retains HTML inside elements ✔ does not change the text content of the node ✔ drops `mw-redirect` class ✔ drops `new` class ✔ keeps `foo` class extractHatnotes ✔ .hatnote element ✔ .dablink element ✔ hatnote not in lead section ✔ multiple hatnotes ✔ no hatnotes ✔ dewiki hatnotes extractLeadIntroduction ✔ isEmptyChild ✔ matches the spec ✔ Trailing text content is escaped extractPageIssues ✔ single issue ✔ multiple issues ✔ issue in non-lead section ✔ no issues lib:addPageHeader ✔ addPageHeader should add header element with description (111ms) ✔ addPageHeader handles documents with no section elements lib:pcsHideRedLinks ✔ hideRedLinks should drop <a> elements with class="new" (212ms) lib:moveReferenceListStyles ✔ empty document ✔ one list, one template style ✔ style outside ref list stays ✔ one list, two template styles; +basic deduplication ✔ two lists, two template styles; +basic deduplication lib:sanitizeSummary regular expressions ✔ ANY_REGEX matches ✔ ANY_REGEX does not match ✔ DECIMAL_REGEX matches ✔ DECIMAL_REGEX does not match ✔ CSS_SIZE_REGEX matches ✔ CSS_SIZE_REGEX does not match ✔ SINGLE_STRING_REGEX matches ✔ SINGLE_STRING_REGEX does not match ✔ HEX_REGEX matches ✔ HEX_REGEX does not match ✔ RGB_REGEX matches ✔ RGB_REGEX does not match ✔ HSL_REGEX matches ✔ HSL_REGEX does not match via sanitize-html ✔ removes anchor tags but keeps content (not in allowedTags list) ✔ removes script tags (in nonTextTags list) ✔ keeps blockquote ✔ but removes blockquote.cite attribute ✔ keeps abbr with .alt .aria-hidden and .class ✔ keeps span.style border ✔ removes audio tags ✔ removes video tags ✔ keeps img.src, .srcset, .width and .height attributes ✔ removes disallowed schemes ✔ removes background url" lib:stripGermanIPA ✔ removes German IPA text (outer text) ✔ removes German IPA text (outer text, Placeholder) ✔ removes German IPA text (outer span) lib:summarize follows spec ✔ keeps spaces before closing spans ✔ removes really all double spaces, even the ones caused due to unmatched tags ✔ removes spaces before commas ✔ flattens spans with ` ` -- removes extra spaces around it, too. ✔ flattens spans with multiple ` ` -- removes extra spaces around it, too. ✔ flattening spans before the `(` enables this parenthetical to be removed ✔ removes audio, video, and track tags ✔ ignores parens inside attributes by escaping them earlier ✔ ignores parens inside attributes by escaping them earlier (non-latin parentheses) ✔ reduces multiple spaces to single space ✔ removes problematic elements including their content ✔ removes unwanted attributes ✔ keeps white-listed attributes ✔ removes comments ✔ flattens empty nodes ✔ flattens links ✔ removes .noexcerpt elements ✔ removes .noprint elements ✔ keeps sup elements ✔ removes .mw-ref elements ✔ removes .reference elements - T176519 ✔ removes math elements but any math images are shown ✔ keeps elements with style="display:none;" ✔ removes parentheticals ✔ removes multiple parentheticals ✔ keeps parentheticals without spaces ✔ keeps parentheticals without spaces even if there are spaces in the HTML syntax ✔ keeps parentheticals when they contain more complex formulas or links ✔ keeps all parentheticals when they contain complex formulas or links ✔ removes empty parentheticals also when nested parenthetical stripping is suspended ✔ keeps some nested parentheticals with formulas intact ✔ removes nested parentheticals without spaces ✔ removes nested parentheticals without other characters between the () ✔ removes nested parentheticals with leading (or space) ✔ removes trailing spaces after punctuation before closing tag ✔ flattens nested empty spans ✔ removes some IPAs in nested partentheses ✔ ignores parentheticals inside a data-mw attribute ✔ removes content in parentheticals + double spaces ✔ removes birth and death dates inside parentheticals ✔ removes parentheticals contain '*' symbols ✔ removes content inside Chinese parentheticals ✔ removes content inside Japanese parentheticals ✔ removes content inside Cantonese parentheticals ✔ removes content inside parentheticals written in `wuu` language variant ✔ removes content inside parentheticals written in `gan` language variant ✔ keeps parentheticals if it doesn't include any spaces ✔ keeps parentheticals with single word and leading space inside and out ✔ removes parentheticals with multiple words and leading space inside and out ✔ removes empty parentheticals with leading comma ✔ removes parentheticals beginning and ending with spaces ✔ removes nested parentheticals for non-Latin parens ✔ removes parentheticals with multiple words and leading ✔ parentheticals stripping is not greedy ✔ full stops do not impact the summary length (T173640) ✔ keeps bold elements ✔ reduces multiple spaces to single space ✔ strip space before punctuation followed by tags ✔ keeps bold elementsa and regular text that contain parentheses ✔ keeps bold elements that contain parentheses ✔ keeps bold elements that contain parentheses and single quotes and spaces lib:summarize regex fun ✔ detects complex chemical formulas ✔ detects single character with italic symbols inside parentheses ✔ but skips areas lib:wrapSections ✔ should expand into multiple sections when action=parse (en) (95ms) ✔ should expand into multiple sections when action=parse (zh) (86ms) lib:app-transforms ✔ fixVideoAnchor should skip video tags just holding audio ✔ fixVideoAnchor should transform actual videos lib:size-transforms ✔ rmBracketSpans should remove the spans around brackets ✔ rmElements should remove the spans with style="display:none" lib:transforms ✔ shortenPageInternalLinks should remove the title in the href ✔ shortenPageInternalLinks with single quote and space ✔ shortenPageInternalLinks with colon and single quote ✔ shortenPageInternalLinks with special chars ✔ shortenPageInternalLinks with double quote ✔ shortenPageInternalLinks with single quote and startsWith ./ summary:preprocessing ✔ removes IPA speaker symbols (de): IPA in span ✔ removes IPA speaker symbols (en): IPAc-en in span ✔ removes spans with style display:none rmMwIdAttributes ✔ removes id attribute with - ✔ removes id attribute with _ ✔ does not remove id attribute with id not starting with mw ✔ does not remove id attribute with id too long lib:wikiLanguage ✔ parses accept language headers ✔ parses accept language headers without spaces ✔ parses accept language headers with inconsistent spaces ✔ returns relevant srwiki language codes ✔ returns relevant zhwiki language codes ✔ falls back on the provided language code ✔ removes duplicates ✔ handles invalid input ✔ handles legacy input ✔ identifies languages with variants ✔ parses the language code from a domain ✔ returns the right language variant from request object ✔ falls back to language code when accept-language invalid ✔ falls back to language code when no accept-language header sent 473 passing (1m) 7 pending > mobileapps@0.3.0 lint > eslint . /src/repo/app.js 91:34 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp 195:18 warning Found non-literal argument in require security/detect-non-literal-require /src/repo/lib/caching.js 34:18 warning The 'structuredClone' is still an experimental feature and is not supported until Node.js 17.0.0. The configured version range is '>=16.0.0' n/no-unsupported-features/node-builtins /src/repo/lib/description-util.js 36:1 warning This line has a length of 117. Maximum allowed is 100 max-len /src/repo/lib/mobile/Localizer.js 83:4 warning Found readFile from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/lib/mwapi.js 118:23 warning Unsafe Regular Expression security/detect-unsafe-regex /src/repo/lib/spec.js 38:2 warning Found readdirSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 40:23 warning Found statSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 47:22 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/lib/talk/TalkPageTopicUtilities.js 82:22 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp /src/repo/lib/transformations/escapeParens.js 28:25 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp 29:28 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp 32:23 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp /src/repo/lib/wikiLanguage.js 118:1 warning This line has a length of 125. Maximum allowed is 100 max-len 133:2 warning Mixed spaces and tabs no-mixed-spaces-and-tabs 133:4 warning Expected no linebreak before this expression implicit-arrow-linebreak /src/repo/routes/page/media.js 32:1 warning This line has a length of 129. Maximum allowed is 100 max-len /src/repo/scripts/compare-extracts.js 275:17 warning Found createWriteStream from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 276:17 warning Found createWriteStream from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 277:22 warning Found createWriteStream from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 296:13 warning Found non-literal argument in require security/detect-non-literal-require /src/repo/scripts/compare-sections.js 74:1 warning Expected this semicolon to be at the end of the previous line semi-style 84:15 warning Found createWriteStream from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 121:13 warning Found non-literal argument in require security/detect-non-literal-require /src/repo/scripts/measure-payloads.js 33:18 warning Found statSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 38:18 warning Found statSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 40:4 warning Found unlinkSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/spec/base.yaml 25:1 warning This line has a length of 182. Maximum allowed is 100 max-len /src/repo/spec/components/schemas.yaml 164:1 warning This line has a length of 146. Maximum allowed is 100 max-len /src/repo/spec/data/css-mobile-site.yaml 7:1 warning This line has a length of 101. Maximum allowed is 100 max-len /src/repo/spec/page/media-list.yaml 61:1 warning This line has a length of 131. Maximum allowed is 100 max-len /src/repo/spec/page/mobile-html-offline-resources.yaml 7:1 warning This line has a length of 110. Maximum allowed is 100 max-len 35:1 warning This line has a length of 110. Maximum allowed is 100 max-len /src/repo/spec/page/mobile-html.yaml 46:1 warning This line has a length of 164. Maximum allowed is 100 max-len 47:1 warning This line has a length of 166. Maximum allowed is 100 max-len /src/repo/spec/transform/html-to-mobile-html.yaml 10:1 warning This line has a length of 101. Maximum allowed is 100 max-len 11:1 warning This line has a length of 104. Maximum allowed is 100 max-len /src/repo/test/diff/diff.js 33:25 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 41:3 warning Found writeFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 45:19 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/test/diff/html-debug.js 14:2 warning Found writeFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/test/features/app/spec.js 185:7 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp /src/repo/test/lib/api-util/api-util-test.js 40:1 warning This line has a length of 142. Maximum allowed is 100 max-len /src/repo/test/lib/definitions/parseDefinitions-unit.js 11:15 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/test/utils/fixtures.js 14:36 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 30:19 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/test/utils/server.js 39:7 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp ✖ 47 problems (0 errors, 47 warnings) --- end --- {"1099520": {"source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": ["CWE-405"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<1.20.3"}} Upgrading n:body-parser from 1.20.2 -> 1.20.3 {"1100530": {"source": 1100530, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<4.20.0"}, "1099520": {"source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": ["CWE-405"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<1.20.3"}, "1099558": {"source": 1099558, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <6.3.0"}, "1099562": {"source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<0.1.10"}, "1100526": {"source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<0.19.0"}, "1100528": {"source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<1.16.0"}} Upgrading n:express from 4.19.2 -> 4.21.1 {"1099558": {"source": 1099558, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": ">=4.0.0 <6.3.0"}, "1099562": {"source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": ["CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<0.1.10"}} Upgrading n:path-to-regexp from 0.1.7, 6.2.2 -> 0.1.10, 6.3.0 {"1100526": {"source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<0.19.0"}} Upgrading n:send from 0.16.2, 0.18.0 -> 0.16.2, 0.19.0 {"1100528": {"source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<1.16.0"}, "1100526": {"source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": ["CWE-79"], "cvss": {"score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}, "range": "<0.19.0"}} Upgrading n:serve-static from 1.15.0 -> 1.16.2 $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- build: Updating npm dependencies * body-parser: 1.20.2 → 1.20.3 * https://github.com/advisories/GHSA-qwcr-r2fm-qrc7 * express: 4.19.2 → 4.21.1 * https://github.com/advisories/GHSA-9wv6-86v2-598j * https://github.com/advisories/GHSA-cm22-4g7w-348p * https://github.com/advisories/GHSA-m6fv-jmcg-4jfg * https://github.com/advisories/GHSA-qw6h-vgh9-j6wx * https://github.com/advisories/GHSA-qwcr-r2fm-qrc7 * path-to-regexp: 0.1.7, 6.2.2 → 0.1.10, 6.3.0 * https://github.com/advisories/GHSA-9wv6-86v2-598j * send: 0.16.2, 0.18.0 → 0.16.2, 0.19.0 * https://github.com/advisories/GHSA-m6fv-jmcg-4jfg * serve-static: 1.15.0 → 1.16.2 * https://github.com/advisories/GHSA-cm22-4g7w-348p * https://github.com/advisories/GHSA-m6fv-jmcg-4jfg $ git add . --- stdout --- --- end --- $ git commit -F /tmp/tmp_67sr9u9 --- stderr --- /src/repo/app.js 91:34 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp 195:18 warning Found non-literal argument in require security/detect-non-literal-require /src/repo/lib/caching.js 34:18 warning The 'structuredClone' is still an experimental feature and is not supported until Node.js 17.0.0. The configured version range is '>=16.0.0' n/no-unsupported-features/node-builtins /src/repo/lib/description-util.js 36:1 warning This line has a length of 117. Maximum allowed is 100 max-len /src/repo/lib/mobile/Localizer.js 83:4 warning Found readFile from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/lib/mwapi.js 118:23 warning Unsafe Regular Expression security/detect-unsafe-regex /src/repo/lib/spec.js 38:2 warning Found readdirSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 40:23 warning Found statSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 47:22 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/lib/talk/TalkPageTopicUtilities.js 82:22 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp /src/repo/lib/transformations/escapeParens.js 28:25 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp 29:28 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp 32:23 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp /src/repo/lib/wikiLanguage.js 118:1 warning This line has a length of 125. Maximum allowed is 100 max-len 133:2 warning Mixed spaces and tabs no-mixed-spaces-and-tabs 133:4 warning Expected no linebreak before this expression implicit-arrow-linebreak /src/repo/routes/page/media.js 32:1 warning This line has a length of 129. Maximum allowed is 100 max-len /src/repo/scripts/compare-extracts.js 275:17 warning Found createWriteStream from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 276:17 warning Found createWriteStream from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 277:22 warning Found createWriteStream from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 296:13 warning Found non-literal argument in require security/detect-non-literal-require /src/repo/scripts/compare-sections.js 74:1 warning Expected this semicolon to be at the end of the previous line semi-style 84:15 warning Found createWriteStream from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 121:13 warning Found non-literal argument in require security/detect-non-literal-require /src/repo/scripts/measure-payloads.js 33:18 warning Found statSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 38:18 warning Found statSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 40:4 warning Found unlinkSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/spec/base.yaml 25:1 warning This line has a length of 182. Maximum allowed is 100 max-len /src/repo/spec/components/schemas.yaml 164:1 warning This line has a length of 146. Maximum allowed is 100 max-len /src/repo/spec/data/css-mobile-site.yaml 7:1 warning This line has a length of 101. Maximum allowed is 100 max-len /src/repo/spec/page/media-list.yaml 61:1 warning This line has a length of 131. Maximum allowed is 100 max-len /src/repo/spec/page/mobile-html-offline-resources.yaml 7:1 warning This line has a length of 110. Maximum allowed is 100 max-len 35:1 warning This line has a length of 110. Maximum allowed is 100 max-len /src/repo/spec/page/mobile-html.yaml 46:1 warning This line has a length of 164. Maximum allowed is 100 max-len 47:1 warning This line has a length of 166. Maximum allowed is 100 max-len /src/repo/spec/transform/html-to-mobile-html.yaml 10:1 warning This line has a length of 101. Maximum allowed is 100 max-len 11:1 warning This line has a length of 104. Maximum allowed is 100 max-len /src/repo/test/diff/diff.js 33:25 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 41:3 warning Found writeFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 45:19 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/test/diff/html-debug.js 14:2 warning Found writeFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/test/features/app/spec.js 185:7 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp /src/repo/test/lib/api-util/api-util-test.js 40:1 warning This line has a length of 142. Maximum allowed is 100 max-len /src/repo/test/lib/definitions/parseDefinitions-unit.js 11:15 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/test/utils/fixtures.js 14:36 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename 30:19 warning Found readFileSync from package "fs" with non literal argument at index 0 security/detect-non-literal-fs-filename /src/repo/test/utils/server.js 39:7 warning Found non-literal argument to RegExp Constructor security/detect-non-literal-regexp ✖ 47 problems (0 errors, 47 warnings) --- stdout --- [master f00ffef] build: Updating npm dependencies 1 file changed, 74 insertions(+), 47 deletions(-) --- end --- $ git format-patch HEAD~1 --stdout --- stdout --- From f00ffef32cec3208f6b647d01cb9b5452aa2f327 Mon Sep 17 00:00:00 2001 From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org> Date: Tue, 19 Nov 2024 08:36:51 +0000 Subject: [PATCH] build: Updating npm dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * body-parser: 1.20.2 → 1.20.3 * https://github.com/advisories/GHSA-qwcr-r2fm-qrc7 * express: 4.19.2 → 4.21.1 * https://github.com/advisories/GHSA-9wv6-86v2-598j * https://github.com/advisories/GHSA-cm22-4g7w-348p * https://github.com/advisories/GHSA-m6fv-jmcg-4jfg * https://github.com/advisories/GHSA-qw6h-vgh9-j6wx * https://github.com/advisories/GHSA-qwcr-r2fm-qrc7 * path-to-regexp: 0.1.7, 6.2.2 → 0.1.10, 6.3.0 * https://github.com/advisories/GHSA-9wv6-86v2-598j * send: 0.16.2, 0.18.0 → 0.16.2, 0.19.0 * https://github.com/advisories/GHSA-m6fv-jmcg-4jfg * serve-static: 1.15.0 → 1.16.2 * https://github.com/advisories/GHSA-cm22-4g7w-348p * https://github.com/advisories/GHSA-m6fv-jmcg-4jfg Change-Id: I01a6331070e18edccbfb1e75a28b7c94f98b4316 --- package-lock.json | 121 ++++++++++++++++++++++++++++------------------ 1 file changed, 74 insertions(+), 47 deletions(-) diff --git a/package-lock.json b/package-lock.json index fd1ff06..d298134 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1961,9 +1961,9 @@ "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==" }, "node_modules/body-parser": { - "version": "1.20.2", - "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz", - "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==", + "version": "1.20.3", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz", + "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==", "dependencies": { "bytes": "3.1.2", "content-type": "~1.0.5", @@ -1973,7 +1973,7 @@ "http-errors": "2.0.0", "iconv-lite": "0.4.24", "on-finished": "2.4.1", - "qs": "6.11.0", + "qs": "6.13.0", "raw-body": "2.5.2", "type-is": "~1.6.18", "unpipe": "1.0.0" @@ -2670,9 +2670,9 @@ "dev": true }, "node_modules/cookie": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz", - "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==", + "version": "0.7.1", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz", + "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==", "engines": { "node": ">= 0.6" } @@ -2713,9 +2713,9 @@ "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "node_modules/cross-spawn": { - "version": "7.0.3", - "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", - "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", + "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", "dev": true, "dependencies": { "path-key": "^3.1.0", @@ -3994,36 +3994,36 @@ } }, "node_modules/express": { - "version": "4.19.2", - "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz", - "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==", + "version": "4.21.1", + "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz", + "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==", "dependencies": { "accepts": "~1.3.8", "array-flatten": "1.1.1", - "body-parser": "1.20.2", + "body-parser": "1.20.3", "content-disposition": "0.5.4", "content-type": "~1.0.4", - "cookie": "0.6.0", + "cookie": "0.7.1", "cookie-signature": "1.0.6", "debug": "2.6.9", "depd": "2.0.0", - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "etag": "~1.8.1", - "finalhandler": "1.2.0", + "finalhandler": "1.3.1", "fresh": "0.5.2", "http-errors": "2.0.0", - "merge-descriptors": "1.0.1", + "merge-descriptors": "1.0.3", "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.7", + "path-to-regexp": "0.1.10", "proxy-addr": "~2.0.7", - "qs": "6.11.0", + "qs": "6.13.0", "range-parser": "~1.2.1", "safe-buffer": "5.2.1", - "send": "0.18.0", - "serve-static": "1.15.0", + "send": "0.19.0", + "serve-static": "1.16.2", "setprototypeof": "1.2.0", "statuses": "2.0.1", "type-is": "~1.6.18", @@ -4042,6 +4042,14 @@ "ms": "2.0.0" } }, + "node_modules/express/node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/express/node_modules/ms": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", @@ -4169,12 +4177,12 @@ } }, "node_modules/finalhandler": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.2.0.tgz", - "integrity": "sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg==", + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.1.tgz", + "integrity": "sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==", "dependencies": { "debug": "2.6.9", - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "on-finished": "2.4.1", "parseurl": "~1.3.3", @@ -4193,6 +4201,14 @@ "ms": "2.0.0" } }, + "node_modules/finalhandler/node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/finalhandler/node_modules/ms": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", @@ -5807,9 +5823,12 @@ "integrity": "sha512-csC7Gt/z03tvtlicXqT2OMNc8wHk2rd7KSL4a/ZQxhY9YRyPPq3cSysg0ToskyGld89btn+zS8TdK0iaQp3M2g==" }, "node_modules/merge-descriptors": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz", - "integrity": "sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w==" + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz", + "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==", + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } }, "node_modules/merge2": { "version": "1.4.1", @@ -6464,9 +6483,9 @@ } }, "node_modules/nise/node_modules/path-to-regexp": { - "version": "6.2.2", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.2.2.tgz", - "integrity": "sha512-GQX3SSMokngb36+whdpRXE+3f9V8UzyAorlYvOGx87ufGHehNTn5lCxrKtLyZ4Yl/wEKnNnr98ZzOwwDZV5ogw==", + "version": "6.3.0", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.3.0.tgz", + "integrity": "sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ==", "dev": true }, "node_modules/nock": { @@ -7164,9 +7183,9 @@ "dev": true }, "node_modules/path-to-regexp": { - "version": "0.1.7", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz", - "integrity": "sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==" + "version": "0.1.10", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz", + "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==" }, "node_modules/performance-now": { "version": "2.1.0", @@ -7509,11 +7528,11 @@ } }, "node_modules/qs": { - "version": "6.11.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz", - "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==", + "version": "6.13.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz", + "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==", "dependencies": { - "side-channel": "^1.0.4" + "side-channel": "^1.0.6" }, "engines": { "node": ">=0.6" @@ -8055,9 +8074,9 @@ } }, "node_modules/send": { - "version": "0.18.0", - "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz", - "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==", + "version": "0.19.0", + "resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz", + "integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==", "dependencies": { "debug": "2.6.9", "depd": "2.0.0", @@ -8117,19 +8136,27 @@ } }, "node_modules/serve-static": { - "version": "1.15.0", - "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz", - "integrity": "sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==", + "version": "1.16.2", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.2.tgz", + "integrity": "sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==", "dependencies": { - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "parseurl": "~1.3.3", - "send": "0.18.0" + "send": "0.19.0" }, "engines": { "node": ">= 0.8.0" } }, + "node_modules/serve-static/node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/service-runner": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/service-runner/-/service-runner-5.0.0.tgz", -- 2.39.2 --- end ---