This run took 26 seconds.
$ date --- stdout --- Thu Nov 21 15:25:00 UTC 2024 --- end --- $ git clone file:///srv/git/mediawiki-extensions-MobileFrontend.git repo --depth=1 -b REL1_39 --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/REL1_39 --- stdout --- cd6ba5dc5e916e972d2fb362ed4faa388fc7f853 refs/heads/REL1_39 --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "@storybook/builder-webpack4": { "name": "@storybook/builder-webpack4", "severity": "high", "isDirect": false, "via": [ "@storybook/core-common", "@storybook/ui", "autoprefixer", "css-loader", "fork-ts-checker-webpack-plugin", "postcss", "postcss-flexbugs-fixes", "react-dev-utils", "webpack", "webpack-dev-middleware" ], "effects": [], "range": "*", "nodes": [ "node_modules/@storybook/builder-webpack4" ], "fixAvailable": true }, "@storybook/core": { "name": "@storybook/core", "severity": "high", "isDirect": false, "via": [ "@storybook/core-client", "@storybook/core-server" ], "effects": [ "@storybook/html" ], "range": "6.2.0-alpha.0 - 6.4.0-rc.11", 
"nodes": [ "node_modules/@storybook/core" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/core-client": { "name": "@storybook/core-client", "severity": "moderate", "isDirect": false, "via": [ "@storybook/ui" ], "effects": [ "@storybook/core", "@storybook/core-server" ], "range": "<=6.4.0-rc.11", "nodes": [ "node_modules/@storybook/core-client" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/core-common": { "name": "@storybook/core-common", "severity": "moderate", "isDirect": false, "via": [ "webpack" ], "effects": [ "@storybook/html" ], "range": "<=6.5.17-alpha.0", "nodes": [ "node_modules/@storybook/core-common" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/core-server": { "name": "@storybook/core-server", "severity": "high", "isDirect": false, "via": [ "@storybook/builder-webpack4", "@storybook/core-client", "@storybook/core-common", "@storybook/ui", "cpy", "css-loader", "webpack", "webpack-dev-middleware" ], "effects": [ "@storybook/core" ], "range": "<=7.0.0-rc.11", "nodes": [ "node_modules/@storybook/core-server" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/html": { "name": "@storybook/html", "severity": "high", "isDirect": true, "via": [ "@storybook/core", "@storybook/core-common" ], "effects": [], "range": "6.2.0-alpha.0 - 6.5.17-alpha.0", "nodes": [ "node_modules/@storybook/html" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/ui": { "name": "@storybook/ui", "severity": "moderate", "isDirect": false, "via": [ "markdown-to-jsx" ], "effects": [ "@storybook/builder-webpack4", "@storybook/core-client" ], "range": "4.2.0-alpha.1 - 6.4.0-rc.11", "nodes": [ "node_modules/@storybook/ui" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": 
true } }, "@wikimedia/mw-node-qunit": { "name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": [ "jsdom", "qunit" ], "effects": [], "range": "<=6.2.1", "nodes": [ "node_modules/@wikimedia/mw-node-qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "ansi-regex": { "name": "ansi-regex", "severity": "high", "isDirect": false, "via": [ { "source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.1.1" } ], "effects": [], "range": "4.0.0 - 4.1.0", "nodes": [ "node_modules/@wikimedia/mw-node-qunit/node_modules/ansi-regex", "node_modules/webpack-cli/node_modules/ansi-regex" ], "fixAvailable": true }, "anymatch": { "name": "anymatch", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "chokidar", "sane" ], "range": "1.2.0 - 2.0.0", "nodes": [ "node_modules/sane/node_modules/anymatch", "node_modules/watchpack-chokidar2/node_modules/anymatch" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "autoprefixer": { "name": "autoprefixer", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "1.0.20131222 - 9.8.8", "nodes": [ "node_modules/autoprefixer" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "axios": { "name": "axios", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097679, "name": "axios", "dependency": "axios", "title": "Axios Cross-Site Request Forgery Vulnerability", "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", "severity": "moderate", "cwe": [ "CWE-352" ], 
"cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, "range": ">=0.8.1 <0.28.0" } ], "effects": [ "bundlesize", "github-build" ], "range": "0.8.1 - 0.27.2", "nodes": [ "node_modules/axios", "node_modules/github-build/node_modules/axios" ], "fixAvailable": { "name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false } }, "body-parser": { "name": "body-parser", "severity": "high", "isDirect": false, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" }, "qs" ], "effects": [ "express" ], "range": "<=1.20.2", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "braces": { "name": "braces", "severity": "high", "isDirect": false, "via": [ { "source": 1098094, "name": "braces", "dependency": "braces", "title": "Uncontrolled resource consumption in braces", "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", "severity": "high", "cwe": [ "CWE-400", "CWE-1050" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.3" } ], "effects": [ "chokidar", "micromatch" ], "range": "<3.0.3", "nodes": [ "node_modules/@storybook/builder-webpack4/node_modules/braces", "node_modules/braces", "node_modules/fast-glob/node_modules/braces", "node_modules/findup-sync/node_modules/braces", "node_modules/react-dev-utils/node_modules/micromatch/node_modules/braces", "node_modules/sane/node_modules/braces", "node_modules/watchpack-chokidar2/node_modules/braces", "node_modules/webpack-cli/node_modules/braces", "node_modules/webpack/node_modules/braces" ], "fixAvailable": { "name": "webpack", "version": "5.96.1", "isSemVerMajor": true } }, "browserify-sign": { 
"name": "browserify-sign", "severity": "high", "isDirect": false, "via": [ { "source": 1096644, "name": "browserify-sign", "dependency": "browserify-sign", "title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack", "url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": ">=2.6.0 <=4.2.1" } ], "effects": [], "range": "2.6.0 - 4.2.1", "nodes": [ "node_modules/browserify-sign" ], "fixAvailable": true }, "browserslist": { "name": "browserslist", "severity": "moderate", "isDirect": false, "via": [ { "source": 1093035, "name": "browserslist", "dependency": "browserslist", "title": "Regular Expression Denial of Service in browserslist", "url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=4.0.0 <4.16.5" } ], "effects": [ "react-dev-utils" ], "range": "4.0.0 - 4.16.4", "nodes": [ "node_modules/react-dev-utils/node_modules/browserslist" ], "fixAvailable": true }, "bundlesize": { "name": "bundlesize", "severity": "moderate", "isDirect": true, "via": [ "axios" ], "effects": [], "range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1", "nodes": [ "node_modules/bundlesize" ], "fixAvailable": { "name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false } }, "chokidar": { "name": "chokidar", "severity": "high", "isDirect": false, "via": [ "anymatch", "braces", "readdirp" ], "effects": [ "watchpack-chokidar2" ], "range": "1.3.0 - 2.1.8", "nodes": [ "node_modules/watchpack-chokidar2/node_modules/chokidar" ], "fixAvailable": true }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of 
bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie" ], "fixAvailable": true }, "core-js-compat": { "name": "core-js-compat", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [], "range": "3.6.0 - 3.25.0", "nodes": [ "node_modules/core-js-compat" ], "fixAvailable": true }, "cpy": { "name": "cpy", "severity": "moderate", "isDirect": false, "via": [ "globby" ], "effects": [ "@storybook/core-server" ], "range": "7.0.0 - 8.1.2", "nodes": [ "node_modules/cpy" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "cross-spawn": { "name": "cross-spawn", "severity": "high", "isDirect": false, "via": [ { "source": 1100562, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<6.0.6" }, { "source": 1100563, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.0.5" } ], "effects": [ "pre-commit", "react-dev-utils", "webpack-cli" ], "range": "<6.0.6 || >=7.0.0 <7.0.5", "nodes": [ "node_modules/cross-spawn", "node_modules/eslint/node_modules/cross-spawn", "node_modules/foreground-child/node_modules/cross-spawn", "node_modules/istanbul-lib-processinfo/node_modules/cross-spawn", "node_modules/pre-commit/node_modules/cross-spawn", 
"node_modules/react-dev-utils/node_modules/cross-spawn" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "css-loader": { "name": "css-loader", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values" ], "effects": [], "range": "0.15.0 - 4.3.0", "nodes": [ "node_modules/css-loader" ], "fixAvailable": true }, "decode-uri-component": { "name": "decode-uri-component", "severity": "high", "isDirect": false, "via": [ { "source": 1094087, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "high", "cwe": [ "CWE-20" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "elliptic": { "name": "elliptic", "severity": "low", "isDirect": false, "via": [ { "source": 1098593, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's EDDSA missing signature length check", "url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=4.0.0 <=6.5.6" }, { "source": 1098594, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero", "url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw", "severity": "low", "cwe": [ "CWE-130" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=2.0.0 <=6.5.6" }, { "source": 1098595, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic allows BER-encoded 
signatures", "url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=5.2.1 <=6.5.6" }, { "source": 1100075, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's verify function omits uniqueness validation", "url": "https://github.com/advisories/GHSA-434g-2637-qmqr", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<6.5.6" }, { "source": 1100394, "name": "elliptic", "dependency": "elliptic", "title": "Valid ECDSA signatures erroneously rejected in Elliptic", "url": "https://github.com/advisories/GHSA-fc9h-whq2-v747", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": "<6.6.0" } ], "effects": [], "range": "<=6.5.7", "nodes": [ "node_modules/elliptic" ], "fixAvailable": true }, "eslint-config-wikimedia": { "name": "eslint-config-wikimedia", "severity": "high", "isDirect": true, "via": [ "eslint-plugin-compat" ], "effects": [], "range": "0.18.0 - 0.21.0", "nodes": [ "node_modules/eslint-config-wikimedia" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "eslint-plugin-compat": { "name": "eslint-plugin-compat", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [ "eslint-config-wikimedia" ], "range": "3.6.0-0 - 4.1.4", "nodes": [ "node_modules/eslint-plugin-compat" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "express": { "name": "express", "severity": "high", "isDirect": false, "via": [ { "source": 1096820, "name": "express", "dependency": "express", "title": "Express.js Open Redirect in malformed URLs", "url": "https://github.com/advisories/GHSA-rv95-896h-c2vc", "severity": "moderate", "cwe": [ 
"CWE-601", "CWE-1286" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.19.2" }, { "source": 1100530, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "qs", "send", "serve-static" ], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", "nodes": [ "node_modules/express" ], "fixAvailable": true }, "fast-glob": { "name": "fast-glob", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "globby" ], "range": "<=2.2.7", "nodes": [ "node_modules/fast-glob" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "findup-sync": { "name": "findup-sync", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "qunit", "webpack-cli" ], "range": "0.4.0 - 3.0.0", "nodes": [ "node_modules/findup-sync", "node_modules/webpack-cli/node_modules/findup-sync" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "follow-redirects": { "name": "follow-redirects", "severity": "high", "isDirect": false, "via": [ { "source": 1092623, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", "severity": "moderate", "cwe": [ "CWE-200", "CWE-212" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<1.14.8" }, { "source": 1095014, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of sensitive information in follow-redirects", "url": 
"https://github.com/advisories/GHSA-74fj-2j2h-c42q", "severity": "high", "cwe": [ "CWE-359" ], "cvss": { "score": 8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, "range": "<1.14.7" }, { "source": 1096353, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Follow Redirects improperly handles URLs in the url.parse() function", "url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc", "severity": "moderate", "cwe": [ "CWE-20", "CWE-601" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<1.15.4" }, { "source": 1096856, "name": "follow-redirects", "dependency": "follow-redirects", "title": "follow-redirects' Proxy-Authorization header kept across hosts", "url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=1.15.5" } ], "effects": [], "range": "<=1.15.5", "nodes": [ "node_modules/follow-redirects" ], "fixAvailable": true }, "fork-ts-checker-webpack-plugin": { "name": "fork-ts-checker-webpack-plugin", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "react-dev-utils" ], "range": "0.4.14 - 4.1.6", "nodes": [ "node_modules/@storybook/builder-webpack4/node_modules/fork-ts-checker-webpack-plugin", "node_modules/react-dev-utils/node_modules/fork-ts-checker-webpack-plugin" ], "fixAvailable": true }, "github-build": { "name": "github-build", "severity": "moderate", "isDirect": false, "via": [ "axios" ], "effects": [], "range": "<=1.2.3", "nodes": [ "node_modules/github-build" ], "fixAvailable": true }, "globby": { "name": "globby", "severity": "moderate", "isDirect": false, "via": [ "fast-glob" ], "effects": [ "cpy" ], "range": "8.0.0 - 9.2.0", "nodes": [ "node_modules/globby" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "icss-utils": { "name": 
"icss-utils", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "css-loader", "postcss-modules-local-by-default", "postcss-modules-values" ], "range": "<=4.1.1", "nodes": [ "node_modules/icss-utils" ], "fixAvailable": true }, "immer": { "name": "immer", "severity": "critical", "isDirect": false, "via": [ { "source": 1097196, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx", "severity": "high", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <9.0.6" }, { "source": 1097209, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-33f9-j839-rf8h", "severity": "critical", "cwe": [ "CWE-843", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=7.0.0 <9.0.6" } ], "effects": [], "range": "7.0.0 - 9.0.5", "nodes": [ "node_modules/immer" ], "fixAvailable": true }, "ip": { "name": "ip", "severity": "high", "isDirect": false, "via": [ { "source": 1097720, "name": "ip", "dependency": "ip", "title": "NPM IP package incorrectly identifies some private IP addresses as public", "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", "severity": "low", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<1.1.9" }, { "source": 1099357, "name": "ip", "dependency": "ip", "title": "ip SSRF improper categorization in isPublic", "url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp", "severity": "high", "cwe": [ "CWE-918" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=2.0.1" } ], "effects": [], "range": "*", "nodes": [ "node_modules/ip" ], "fixAvailable": true }, "jsdoc": { "name": "jsdoc", "severity": "high", "isDirect": true, "via": [ "markdown-it", 
"marked", "taffydb" ], "effects": [], "range": "3.2.0-dev - 3.6.11", "nodes": [ "node_modules/jsdoc" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "jsdom": { "name": "jsdom", "severity": "moderate", "isDirect": true, "via": [ "request", "tough-cookie" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "0.1.20 || 0.2.0 - 16.5.3", "nodes": [ "node_modules/jsdom" ], "fixAvailable": { "name": "jsdom", "version": "25.0.1", "isSemVerMajor": true } }, "json-schema": { "name": "json-schema", "severity": "critical", "isDirect": false, "via": [ { "source": 1095057, "name": "json-schema", "dependency": "json-schema", "title": "json-schema is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", "severity": "critical", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.4.0" } ], "effects": [ "jsprim" ], "range": "<0.4.0", "nodes": [ "node_modules/json-schema" ], "fixAvailable": true }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" }, { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": [ "node_modules/json5", "node_modules/loader-utils/node_modules/json5", "node_modules/webpack-cli/node_modules/json5" ], 
"fixAvailable": true }, "jsprim": { "name": "jsprim", "severity": "critical", "isDirect": false, "via": [ "json-schema" ], "effects": [], "range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1", "nodes": [ "node_modules/jsprim" ], "fixAvailable": true }, "less": { "name": "less", "severity": "moderate", "isDirect": true, "via": [ "request" ], "effects": [], "range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3", "nodes": [ "node_modules/less" ], "fixAvailable": { "name": "less", "version": "3.13.1", "isSemVerMajor": false } }, "loader-utils": { "name": "loader-utils", "severity": "critical", "isDirect": false, "via": [ { "source": 1094088, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<1.4.1" }, { "source": 1094089, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=2.0.0 <2.0.3" }, { "source": 1095054, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1095055, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], 
"cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" }, { "source": 1097142, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1097143, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" } ], "effects": [ "react-dev-utils", "webpack-cli" ], "range": "<=1.4.1 || 2.0.0 - 2.0.3", "nodes": [ "node_modules/file-loader/node_modules/loader-utils", "node_modules/html-loader/node_modules/loader-utils", "node_modules/loader-utils", "node_modules/postcss-loader/node_modules/loader-utils", "node_modules/raw-loader/node_modules/loader-utils", "node_modules/react-dev-utils/node_modules/loader-utils", "node_modules/style-loader/node_modules/loader-utils", "node_modules/url-loader/node_modules/loader-utils", "node_modules/webpack-cli/node_modules/loader-utils" ], "fixAvailable": { "name": "webpack-cli", "version": "3.3.12", "isSemVerMajor": false } }, "markdown-it": { "name": "markdown-it", "severity": "moderate", "isDirect": false, "via": [ { "source": 1092663, "name": "markdown-it", "dependency": "markdown-it", "title": "Uncontrolled Resource Consumption in markdown-it", "url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" 
}, "range": "<12.3.2" } ], "effects": [ "jsdoc" ], "range": "<12.3.2", "nodes": [ "node_modules/markdown-it" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "markdown-to-jsx": { "name": "markdown-to-jsx", "severity": "moderate", "isDirect": false, "via": [ { "source": 1100074, "name": "markdown-to-jsx", "dependency": "markdown-to-jsx", "title": "Cross site scripting in markdown-to-jsx", "url": "https://github.com/advisories/GHSA-4wx3-54gh-9fr9", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<7.4.0" } ], "effects": [ "@storybook/ui" ], "range": "<7.4.0", "nodes": [ "node_modules/@storybook/ui/node_modules/markdown-to-jsx", "node_modules/markdown-to-jsx" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "marked": { "name": "marked", "severity": "high", "isDirect": false, "via": [ { "source": 1095051, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" }, { "source": 1095052, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" } ], "effects": [ "jsdoc" ], "range": "<=4.0.9", "nodes": [ "node_modules/marked" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "micromatch": { "name": "micromatch", "severity": "high", "isDirect": false, "via": [ { "source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": 
"Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<4.0.8" }, "braces" ], "effects": [ "anymatch", "fast-glob", "findup-sync", "fork-ts-checker-webpack-plugin", "readdirp", "sane", "webpack" ], "range": "<=4.0.7", "nodes": [ "node_modules/@storybook/builder-webpack4/node_modules/micromatch", "node_modules/fast-glob/node_modules/micromatch", "node_modules/findup-sync/node_modules/micromatch", "node_modules/micromatch", "node_modules/react-dev-utils/node_modules/fast-glob/node_modules/micromatch", "node_modules/react-dev-utils/node_modules/micromatch", "node_modules/sane/node_modules/micromatch", "node_modules/watchpack-chokidar2/node_modules/micromatch", "node_modules/webpack-cli/node_modules/micromatch", "node_modules/webpack/node_modules/micromatch" ], "fixAvailable": { "name": "webpack", "version": "5.96.1", "isSemVerMajor": true } }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "recursive-readdir" ], "range": "<3.0.5", "nodes": [ "node_modules/minimatch" ], "fixAvailable": true }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1097678, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" 
}, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/doiuse/node_modules/nanoid", "node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid" ], "fixAvailable": true }, "node-fetch": { "name": "node-fetch", "severity": "high", "isDirect": false, "via": [ { "source": 1095073, "name": "node-fetch", "dependency": "node-fetch", "title": "node-fetch forwards secure headers to untrusted sites", "url": "https://github.com/advisories/GHSA-r683-j2x4-v87g", "severity": "high", "cwe": [ "CWE-173", "CWE-200", "CWE-601" ], "cvss": { "score": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, "range": "<2.6.7" } ], "effects": [], "range": "<2.6.7", "nodes": [ "node_modules/node-fetch" ], "fixAvailable": true }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099561, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=0.2.0 <1.9.0" }, { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": 
"https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" } ], "effects": [ "express" ], "range": "<=0.1.9 || 0.2.0 - 1.8.0", "nodes": [ "node_modules/nise/node_modules/path-to-regexp", "node_modules/path-to-regexp" ], "fixAvailable": true }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094544, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j", "severity": "moderate", "cwe": [ "CWE-74", "CWE-144" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<8.4.31" } ], "effects": [ "@storybook/builder-webpack4", "autoprefixer", "css-loader", "icss-utils", "postcss-flexbugs-fixes", "postcss-less", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values", "postcss-safe-parser", "postcss-sass", "postcss-scss", "stylelint", "sugarss" ], "range": "<8.4.31", "nodes": [ "node_modules/doiuse/node_modules/postcss", "node_modules/postcss", "node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-flexbugs-fixes": { "name": "postcss-flexbugs-fixes", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=4.2.1", "nodes": [ "node_modules/postcss-flexbugs-fixes" ], "fixAvailable": true }, "postcss-less": { "name": "postcss-less", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=3.1.4", "nodes": [ "node_modules/postcss-less" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, 
"postcss-modules-extract-imports": { "name": "postcss-modules-extract-imports", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/postcss-modules-extract-imports" ], "fixAvailable": true }, "postcss-modules-local-by-default": { "name": "postcss-modules-local-by-default", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss" ], "effects": [], "range": "<=4.0.0-rc.4", "nodes": [ "node_modules/postcss-modules-local-by-default" ], "fixAvailable": true }, "postcss-modules-scope": { "name": "postcss-modules-scope", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.2.0", "nodes": [ "node_modules/postcss-modules-scope" ], "fixAvailable": true }, "postcss-modules-values": { "name": "postcss-modules-values", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss" ], "effects": [ "css-loader" ], "range": "<=4.0.0-rc.5", "nodes": [ "node_modules/postcss-modules-values" ], "fixAvailable": true }, "postcss-safe-parser": { "name": "postcss-safe-parser", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=4.0.2", "nodes": [ "node_modules/postcss-safe-parser" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-sass": { "name": "postcss-sass", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=0.4.4", "nodes": [ "node_modules/postcss-sass" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-scss": { "name": "postcss-scss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=2.1.1", "nodes": [ "node_modules/postcss-scss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "pre-commit": { 
"name": "pre-commit", "severity": "high", "isDirect": true, "via": [ "cross-spawn" ], "effects": [], "range": ">=1.1.0", "nodes": [ "node_modules/pre-commit" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "prismjs": { "name": "prismjs", "severity": "high", "isDirect": false, "via": [ { "source": 1090424, "name": "prismjs", "dependency": "prismjs", "title": "Cross-site Scripting in Prism", "url": "https://github.com/advisories/GHSA-3949-f494-cm99", "severity": "high", "cwe": [ "CWE-79" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L" }, "range": ">=1.14.0 <1.27.0" } ], "effects": [ "refractor" ], "range": "1.14.0 - 1.26.0", "nodes": [ "node_modules/prismjs" ], "fixAvailable": true }, "qs": { "name": "qs", "severity": "high", "isDirect": false, "via": [ { "source": 1096470, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.5.0 <6.5.3" }, { "source": 1096472, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.7.0 <6.7.3" }, { "source": 1096475, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.10.0 <6.10.3" } ], "effects": [ "body-parser", "express" ], "range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2", "nodes": [ "node_modules/body-parser/node_modules/qs", 
"node_modules/express/node_modules/qs", "node_modules/qs", "node_modules/request/node_modules/qs" ], "fixAvailable": true }, "qunit": { "name": "qunit", "severity": "moderate", "isDirect": false, "via": [ "findup-sync", "sane" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "2.4.1 - 2.8.0", "nodes": [ "node_modules/@wikimedia/mw-node-qunit/node_modules/qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "react-dev-utils": { "name": "react-dev-utils", "severity": "critical", "isDirect": false, "via": [ "browserslist", "cross-spawn", "fork-ts-checker-webpack-plugin", "immer", "loader-utils", "recursive-readdir", "shell-quote" ], "effects": [ "@storybook/builder-webpack4" ], "range": "0.5.2 - 12.0.0-next.60", "nodes": [ "node_modules/react-dev-utils" ], "fixAvailable": true }, "readdirp": { "name": "readdirp", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "chokidar" ], "range": "2.2.0 - 2.2.1", "nodes": [ "node_modules/watchpack-chokidar2/node_modules/readdirp" ], "fixAvailable": true }, "recursive-readdir": { "name": "recursive-readdir", "severity": "high", "isDirect": false, "via": [ "minimatch" ], "effects": [ "react-dev-utils" ], "range": "1.2.0 - 2.2.2", "nodes": [ "node_modules/recursive-readdir" ], "fixAvailable": true }, "refractor": { "name": "refractor", "severity": "high", "isDirect": false, "via": [ "prismjs" ], "effects": [], "range": "2.4.0 - 3.5.0 || 4.0.0 - 4.4.0", "nodes": [ "node_modules/refractor" ], "fixAvailable": true }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" 
], "effects": [ "jsdom", "less" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": { "name": "jsdom", "version": "25.0.1", "isSemVerMajor": true } }, "request-promise-native": { "name": "request-promise-native", "severity": "moderate", "isDirect": false, "via": [ "tough-cookie" ], "effects": [], "range": ">=1.0.6", "nodes": [ "node_modules/request-promise-native" ], "fixAvailable": true }, "sane": { "name": "sane", "severity": "moderate", "isDirect": false, "via": [ "anymatch", "micromatch" ], "effects": [ "qunit" ], "range": "1.5.0 - 4.1.0", "nodes": [ "node_modules/sane" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "semver": { "name": "semver", "severity": "high", "isDirect": false, "via": [ { "source": 1098562, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.2" }, { "source": 1098563, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<5.7.2" }, { "source": 1098564, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [ "core-js-compat", "eslint-plugin-compat" ], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": [ 
"node_modules/@babel/helper-compilation-targets/node_modules/semver", "node_modules/@npmcli/fs/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/core/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/helper-define-polyfill-provider/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/preset-env/node_modules/semver", "node_modules/@storybook/core-common/node_modules/@babel/register/node_modules/semver", "node_modules/@storybook/core-common/node_modules/find-cache-dir/node_modules/semver", "node_modules/@storybook/core-common/node_modules/semver", "node_modules/@storybook/core-server/node_modules/semver", "node_modules/@stylelint/postcss-css-in-js/node_modules/semver", "node_modules/@wikimedia/mw-node-qunit/node_modules/semver", "node_modules/babel-plugin-polyfill-corejs2/node_modules/semver", "node_modules/babel-plugin-polyfill-corejs3/node_modules/semver", "node_modules/babel-plugin-polyfill-regenerator/node_modules/semver", "node_modules/core-js-compat/node_modules/semver", "node_modules/css-loader/node_modules/semver", "node_modules/eslint-plugin-compat/node_modules/semver", "node_modules/eslint-plugin-jsdoc/node_modules/semver", "node_modules/eslint-plugin-mediawiki/node_modules/semver", "node_modules/eslint-plugin-node/node_modules/semver", "node_modules/eslint-plugin-unicorn/node_modules/semver", "node_modules/eslint-plugin-vue/node_modules/semver", "node_modules/eslint-template-visitor/node_modules/semver", "node_modules/eslint/node_modules/semver", "node_modules/fork-ts-checker-webpack-plugin/node_modules/semver", "node_modules/istanbul-lib-instrument/node_modules/semver", "node_modules/make-dir/node_modules/semver", "node_modules/meow/node_modules/semver", "node_modules/nyc/node_modules/semver", "node_modules/postcss-loader/node_modules/semver", "node_modules/semver", "node_modules/vue-eslint-parser/node_modules/semver" ], "fixAvailable": { "name": 
"eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "send": { "name": "send", "severity": "low", "isDirect": false, "via": [ { "source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "node_modules/send" ], "fixAvailable": true }, "serve-static": { "name": "serve-static", "severity": "low", "isDirect": false, "via": [ { "source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [], "range": "<=1.16.0", "nodes": [ "node_modules/serve-static" ], "fixAvailable": true }, "shell-quote": { "name": "shell-quote", "severity": "critical", "isDirect": false, "via": [ { "source": 1096375, "name": "shell-quote", "dependency": "shell-quote", "title": "Improper Neutralization of Special Elements used in a Command in Shell-quote", "url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7", "severity": "critical", "cwe": [ "CWE-77" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=1.7.2" } ], "effects": [ "react-dev-utils" ], "range": "<=1.7.2", "nodes": [ "node_modules/shell-quote" ], "fixAvailable": true }, "simple-get": { "name": "simple-get", "severity": "high", "isDirect": false, "via": [ { "source": 1090445, "name": "simple-get", "dependency": "simple-get", "title": "Exposure of Sensitive Information in simple-get", "url": 
"https://github.com/advisories/GHSA-wpg7-2c88-r8xv", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.1" } ], "effects": [], "range": "3.0.0 - 3.1.0", "nodes": [ "node_modules/simple-get" ], "fixAvailable": true }, "stylelint": { "name": "stylelint", "severity": "moderate", "isDirect": false, "via": [ "autoprefixer", "postcss", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "sugarss" ], "effects": [ "stylelint-config-wikimedia" ], "range": "0.1.0 - 13.13.1", "nodes": [ "node_modules/stylelint" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "stylelint-config-wikimedia": { "name": "stylelint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": [ "stylelint" ], "effects": [], "range": "<=0.11.1", "nodes": [ "node_modules/stylelint-config-wikimedia" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "sugarss": { "name": "sugarss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/sugarss" ], "fixAvailable": true }, "taffydb": { "name": "taffydb", "severity": "high", "isDirect": false, "via": [ { "source": 1089386, "name": "taffydb", "dependency": "taffydb", "title": "TaffyDB can allow access to any data items in the DB", "url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6", "severity": "high", "cwe": [ "CWE-20", "CWE-668" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=2.7.3" } ], "effects": [ "jsdoc" ], "range": "*", "nodes": [ "node_modules/taffydb" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "tar": { "name": "tar", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097493, "name": "tar", "dependency": "tar", "title": 
"Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<6.2.1" } ], "effects": [], "range": "<6.2.1", "nodes": [ "node_modules/tar" ], "fixAvailable": true }, "terser": { "name": "terser", "severity": "high", "isDirect": false, "via": [ { "source": 1091691, "name": "terser", "dependency": "terser", "title": "Terser insecure use of regular expressions leads to ReDoS", "url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.8.1" } ], "effects": [], "range": "<4.8.1", "nodes": [ "node_modules/terser" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "jsdom", "request", "request-promise-native" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": { "name": "jsdom", "version": "25.0.1", "isSemVerMajor": true } }, "watchpack": { "name": "watchpack", "severity": "high", "isDirect": false, "via": [ "watchpack-chokidar2" ], "effects": [], "range": "1.7.2 - 1.7.5", "nodes": [ "node_modules/watchpack" ], "fixAvailable": true }, "watchpack-chokidar2": { "name": "watchpack-chokidar2", "severity": "high", "isDirect": false, "via": [ "chokidar" ], "effects": [ "watchpack" ], "range": "*", "nodes": [ "node_modules/watchpack-chokidar2" ], 
"fixAvailable": true }, "webpack": { "name": "webpack", "severity": "moderate", "isDirect": true, "via": [ "micromatch" ], "effects": [ "@storybook/core-common", "@storybook/core-server" ], "range": "4.0.0-alpha.0 - 5.0.0-rc.6", "nodes": [ "node_modules/webpack" ], "fixAvailable": { "name": "webpack", "version": "5.96.1", "isSemVerMajor": true } }, "webpack-cli": { "name": "webpack-cli", "severity": "high", "isDirect": true, "via": [ "cross-spawn", "findup-sync", "loader-utils" ], "effects": [], "range": "1.3.0 - 2.0.9 || 3.2.0 - 3.3.12", "nodes": [ "node_modules/webpack-cli" ], "fixAvailable": { "name": "webpack-cli", "version": "3.3.12", "isSemVerMajor": false } }, "webpack-dev-middleware": { "name": "webpack-dev-middleware", "severity": "high", "isDirect": false, "via": [ { "source": 1096729, "name": "webpack-dev-middleware", "dependency": "webpack-dev-middleware", "title": "Path traversal in webpack-dev-middleware", "url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, "range": "<=5.3.3" } ], "effects": [ "@storybook/core-server" ], "range": "<=5.3.3", "nodes": [ "node_modules/webpack-dev-middleware" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "word-wrap": { "name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097681, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<1.2.4" } ], "effects": [], "range": "<1.2.4", "nodes": [ "node_modules/word-wrap" ], "fixAvailable": true }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098394, "name": 
"ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.2.3" } ], "effects": [], "range": "6.0.0 - 6.2.2", "nodes": [ "node_modules/ws" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 4, "moderate": 44, "high": 38, "critical": 8, "total": 94 }, "dependencies": { "prod": 1, "dev": 2059, "optional": 31, "peer": 0, "peerOptional": 0, "total": 2059 } } } --- end --- $ /usr/bin/composer install --- stderr --- No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information. Loading composer repositories with package information Updating dependencies Lock file operations: 36 installs, 0 updates, 0 removals - Locking composer/pcre (1.0.1) - Locking composer/semver (3.4.3) - Locking composer/spdx-licenses (1.5.8) - Locking composer/xdebug-handler (2.0.5) - Locking doctrine/deprecations (1.1.3) - Locking felixfbecker/advanced-json-rpc (v3.2.1) - Locking mediawiki/mediawiki-codesniffer (v38.0.0) - Locking mediawiki/mediawiki-phan-config (0.11.1) - Locking mediawiki/minus-x (1.1.1) - Locking mediawiki/phan-taint-check-plugin (3.3.2) - Locking microsoft/tolerant-php-parser (v0.1.2) - Locking netresearch/jsonmapper (v4.5.0) - Locking phan/phan (5.2.0) - Locking php-parallel-lint/php-console-color (v0.3) - Locking php-parallel-lint/php-console-highlighter (v0.5) - Locking php-parallel-lint/php-parallel-lint (v1.3.1) - Locking phpdocumentor/reflection-common (2.2.0) - Locking phpdocumentor/reflection-docblock (5.6.0) - Locking phpdocumentor/type-resolver (1.10.0) - Locking phpstan/phpdoc-parser (2.0.0) - Locking psr/container (2.0.2) - Locking psr/log (2.0.0) - Locking sabre/event (5.1.7) - 
Locking squizlabs/php_codesniffer (3.6.1) - Locking symfony/console (v5.4.47) - Locking symfony/deprecation-contracts (v3.5.0) - Locking symfony/polyfill-ctype (v1.31.0) - Locking symfony/polyfill-intl-grapheme (v1.31.0) - Locking symfony/polyfill-intl-normalizer (v1.31.0) - Locking symfony/polyfill-mbstring (v1.31.0) - Locking symfony/polyfill-php73 (v1.31.0) - Locking symfony/polyfill-php80 (v1.31.0) - Locking symfony/service-contracts (v3.5.0) - Locking symfony/string (v6.4.15) - Locking tysonandre/var_representation_polyfill (0.1.3) - Locking webmozart/assert (1.11.0) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 36 installs, 0 updates, 0 removals 0 [>---------------------------] 0 [->--------------------------] - Installing composer/pcre (1.0.1): Extracting archive - Installing squizlabs/php_codesniffer (3.6.1): Extracting archive - Installing symfony/polyfill-mbstring (v1.31.0): Extracting archive - Installing composer/spdx-licenses (1.5.8): Extracting archive - Installing composer/semver (3.4.3): Extracting archive - Installing mediawiki/mediawiki-codesniffer (v38.0.0): Extracting archive - Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive - Installing symfony/polyfill-php80 (v1.31.0): Extracting archive - Installing symfony/polyfill-intl-normalizer (v1.31.0): Extracting archive - Installing symfony/polyfill-intl-grapheme (v1.31.0): Extracting archive - Installing symfony/polyfill-ctype (v1.31.0): Extracting archive - Installing symfony/string (v6.4.15): Extracting archive - Installing symfony/deprecation-contracts (v3.5.0): Extracting archive - Installing psr/container (2.0.2): Extracting archive - Installing symfony/service-contracts (v3.5.0): Extracting archive - Installing symfony/polyfill-php73 (v1.31.0): Extracting archive - Installing symfony/console (v5.4.47): Extracting archive - Installing sabre/event (5.1.7): Extracting archive - Installing netresearch/jsonmapper 
(v4.5.0): Extracting archive - Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive - Installing webmozart/assert (1.11.0): Extracting archive - Installing phpstan/phpdoc-parser (2.0.0): Extracting archive - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive - Installing doctrine/deprecations (1.1.3): Extracting archive - Installing phpdocumentor/type-resolver (1.10.0): Extracting archive - Installing phpdocumentor/reflection-docblock (5.6.0): Extracting archive - Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive - Installing psr/log (2.0.0): Extracting archive - Installing composer/xdebug-handler (2.0.5): Extracting archive - Installing phan/phan (5.2.0): Extracting archive - Installing mediawiki/phan-taint-check-plugin (3.3.2): Extracting archive - Installing mediawiki/mediawiki-phan-config (0.11.1): Extracting archive - Installing mediawiki/minus-x (1.1.1): Extracting archive - Installing php-parallel-lint/php-console-color (v0.3): Extracting archive - Installing php-parallel-lint/php-console-highlighter (v0.5): Extracting archive - Installing php-parallel-lint/php-parallel-lint (v1.3.1): Extracting archive 0/36 [>---------------------------] 0% 20/36 [===============>------------] 55% 35/36 [===========================>] 97% 36/36 [============================] 100% 3 package suggestions were added by new dependencies, use `composer suggest` to see details. Generating autoload files 15 packages you are using are looking for funding. Use the `composer fund` command to find out more! 
--- stdout --- --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "@storybook/builder-webpack4": { "name": "@storybook/builder-webpack4", "severity": "high", "isDirect": false, "via": [ "@storybook/core-common", "@storybook/ui", "autoprefixer", "css-loader", "fork-ts-checker-webpack-plugin", "postcss", "postcss-flexbugs-fixes", "react-dev-utils", "webpack", "webpack-dev-middleware" ], "effects": [], "range": "*", "nodes": [ "node_modules/@storybook/builder-webpack4" ], "fixAvailable": true }, "@storybook/core": { "name": "@storybook/core", "severity": "high", "isDirect": false, "via": [ "@storybook/core-client", "@storybook/core-server" ], "effects": [ "@storybook/html" ], "range": "6.2.0-alpha.0 - 6.4.0-rc.11", "nodes": [ "node_modules/@storybook/core" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/core-client": { "name": "@storybook/core-client", "severity": "moderate", "isDirect": false, "via": [ "@storybook/ui" ], "effects": [ "@storybook/core", "@storybook/core-server" ], "range": "<=6.4.0-rc.11", "nodes": [ "node_modules/@storybook/core-client" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/core-common": { "name": "@storybook/core-common", "severity": "moderate", "isDirect": 
false, "via": [ "webpack" ], "effects": [ "@storybook/html" ], "range": "<=6.5.17-alpha.0", "nodes": [ "node_modules/@storybook/core-common" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/core-server": { "name": "@storybook/core-server", "severity": "high", "isDirect": false, "via": [ "@storybook/builder-webpack4", "@storybook/core-client", "@storybook/core-common", "@storybook/ui", "cpy", "css-loader", "webpack", "webpack-dev-middleware" ], "effects": [ "@storybook/core" ], "range": "<=7.0.0-rc.11", "nodes": [ "node_modules/@storybook/core-server" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/html": { "name": "@storybook/html", "severity": "high", "isDirect": true, "via": [ "@storybook/core", "@storybook/core-common" ], "effects": [], "range": "6.2.0-alpha.0 - 6.5.17-alpha.0", "nodes": [ "node_modules/@storybook/html" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@storybook/ui": { "name": "@storybook/ui", "severity": "moderate", "isDirect": false, "via": [ "markdown-to-jsx" ], "effects": [ "@storybook/builder-webpack4", "@storybook/core-client" ], "range": "4.2.0-alpha.1 - 6.4.0-rc.11", "nodes": [ "node_modules/@storybook/ui" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "@wikimedia/mw-node-qunit": { "name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": [ "jsdom", "qunit" ], "effects": [], "range": "<=6.2.1", "nodes": [ "node_modules/@wikimedia/mw-node-qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "ansi-regex": { "name": "ansi-regex", "severity": "high", "isDirect": false, "via": [ { "source": 1094091, "name": "ansi-regex", "dependency": "ansi-regex", "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "url": 
"https://github.com/advisories/GHSA-93q8-gq69-wqmw", "severity": "high", "cwe": [ "CWE-697", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.1.1" } ], "effects": [], "range": "4.0.0 - 4.1.0", "nodes": [ "node_modules/@wikimedia/mw-node-qunit/node_modules/ansi-regex", "node_modules/webpack-cli/node_modules/ansi-regex" ], "fixAvailable": true }, "anymatch": { "name": "anymatch", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "chokidar", "sane" ], "range": "1.2.0 - 2.0.0", "nodes": [ "node_modules/sane/node_modules/anymatch", "node_modules/watchpack-chokidar2/node_modules/anymatch" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "autoprefixer": { "name": "autoprefixer", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "1.0.20131222 - 9.8.8", "nodes": [ "node_modules/autoprefixer" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "axios": { "name": "axios", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097679, "name": "axios", "dependency": "axios", "title": "Axios Cross-Site Request Forgery Vulnerability", "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", "severity": "moderate", "cwe": [ "CWE-352" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, "range": ">=0.8.1 <0.28.0" } ], "effects": [ "bundlesize", "github-build" ], "range": "0.8.1 - 0.27.2", "nodes": [ "node_modules/axios", "node_modules/github-build/node_modules/axios" ], "fixAvailable": { "name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false } }, "body-parser": { "name": "body-parser", "severity": "high", "isDirect": false, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of 
service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" }, "qs" ], "effects": [ "express" ], "range": "<=1.20.2", "nodes": [ "node_modules/body-parser" ], "fixAvailable": true }, "braces": { "name": "braces", "severity": "high", "isDirect": false, "via": [ { "source": 1098094, "name": "braces", "dependency": "braces", "title": "Uncontrolled resource consumption in braces", "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", "severity": "high", "cwe": [ "CWE-400", "CWE-1050" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.3" } ], "effects": [ "chokidar", "micromatch" ], "range": "<3.0.3", "nodes": [ "node_modules/@storybook/builder-webpack4/node_modules/braces", "node_modules/braces", "node_modules/fast-glob/node_modules/braces", "node_modules/findup-sync/node_modules/braces", "node_modules/react-dev-utils/node_modules/micromatch/node_modules/braces", "node_modules/sane/node_modules/braces", "node_modules/watchpack-chokidar2/node_modules/braces", "node_modules/webpack-cli/node_modules/braces", "node_modules/webpack/node_modules/braces" ], "fixAvailable": { "name": "webpack", "version": "5.96.1", "isSemVerMajor": true } }, "browserify-sign": { "name": "browserify-sign", "severity": "high", "isDirect": false, "via": [ { "source": 1096644, "name": "browserify-sign", "dependency": "browserify-sign", "title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack", "url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw", "severity": "high", "cwe": [ "CWE-347" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, "range": ">=2.6.0 <=4.2.1" } ], "effects": [], "range": "2.6.0 - 4.2.1", "nodes": [ "node_modules/browserify-sign" ], 
"fixAvailable": true }, "browserslist": { "name": "browserslist", "severity": "moderate", "isDirect": false, "via": [ { "source": 1093035, "name": "browserslist", "dependency": "browserslist", "title": "Regular Expression Denial of Service in browserslist", "url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=4.0.0 <4.16.5" } ], "effects": [ "react-dev-utils" ], "range": "4.0.0 - 4.16.4", "nodes": [ "node_modules/react-dev-utils/node_modules/browserslist" ], "fixAvailable": true }, "bundlesize": { "name": "bundlesize", "severity": "moderate", "isDirect": true, "via": [ "axios" ], "effects": [], "range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1", "nodes": [ "node_modules/bundlesize" ], "fixAvailable": { "name": "bundlesize", "version": "0.18.2", "isSemVerMajor": false } }, "chokidar": { "name": "chokidar", "severity": "high", "isDirect": false, "via": [ "anymatch", "braces", "readdirp" ], "effects": [ "watchpack-chokidar2" ], "range": "1.3.0 - 2.1.8", "nodes": [ "node_modules/watchpack-chokidar2/node_modules/chokidar" ], "fixAvailable": true }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express" ], "range": "<0.7.0", "nodes": [ "node_modules/cookie" ], "fixAvailable": true }, "core-js-compat": { "name": "core-js-compat", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [], "range": "3.6.0 - 3.25.0", "nodes": [ "node_modules/core-js-compat" ], "fixAvailable": true }, "cpy": { "name": "cpy", "severity": "moderate", "isDirect": 
false, "via": [ "globby" ], "effects": [ "@storybook/core-server" ], "range": "7.0.0 - 8.1.2", "nodes": [ "node_modules/cpy" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "cross-spawn": { "name": "cross-spawn", "severity": "high", "isDirect": false, "via": [ { "source": 1100562, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<6.0.6" }, { "source": 1100563, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.0.5" } ], "effects": [ "pre-commit", "react-dev-utils", "webpack-cli" ], "range": "<6.0.6 || >=7.0.0 <7.0.5", "nodes": [ "node_modules/cross-spawn", "node_modules/eslint/node_modules/cross-spawn", "node_modules/foreground-child/node_modules/cross-spawn", "node_modules/istanbul-lib-processinfo/node_modules/cross-spawn", "node_modules/pre-commit/node_modules/cross-spawn", "node_modules/react-dev-utils/node_modules/cross-spawn" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "css-loader": { "name": "css-loader", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values" ], "effects": [], "range": "0.15.0 - 4.3.0", "nodes": [ "node_modules/css-loader" ], "fixAvailable": true }, "decode-uri-component": { "name": "decode-uri-component", "severity": "high", "isDirect": false, "via": [ { 
"source": 1094087, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "high", "cwe": [ "CWE-20" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "elliptic": { "name": "elliptic", "severity": "low", "isDirect": false, "via": [ { "source": 1098593, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's EDDSA missing signature length check", "url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=4.0.0 <=6.5.6" }, { "source": 1098594, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero", "url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw", "severity": "low", "cwe": [ "CWE-130" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=2.0.0 <=6.5.6" }, { "source": 1098595, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic allows BER-encoded signatures", "url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=5.2.1 <=6.5.6" }, { "source": 1100075, "name": "elliptic", "dependency": "elliptic", "title": "Elliptic's verify function omits uniqueness validation", "url": "https://github.com/advisories/GHSA-434g-2637-qmqr", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<6.5.6" }, { "source": 1100394, "name": 
"elliptic", "dependency": "elliptic", "title": "Valid ECDSA signatures erroneously rejected in Elliptic", "url": "https://github.com/advisories/GHSA-fc9h-whq2-v747", "severity": "low", "cwe": [ "CWE-347" ], "cvss": { "score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": "<6.6.0" } ], "effects": [], "range": "<=6.5.7", "nodes": [ "node_modules/elliptic" ], "fixAvailable": true }, "eslint-config-wikimedia": { "name": "eslint-config-wikimedia", "severity": "high", "isDirect": true, "via": [ "eslint-plugin-compat" ], "effects": [], "range": "0.18.0 - 0.21.0", "nodes": [ "node_modules/eslint-config-wikimedia" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "eslint-plugin-compat": { "name": "eslint-plugin-compat", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [ "eslint-config-wikimedia" ], "range": "3.6.0-0 - 4.1.4", "nodes": [ "node_modules/eslint-plugin-compat" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "express": { "name": "express", "severity": "high", "isDirect": false, "via": [ { "source": 1096820, "name": "express", "dependency": "express", "title": "Express.js Open Redirect in malformed URLs", "url": "https://github.com/advisories/GHSA-rv95-896h-c2vc", "severity": "moderate", "cwe": [ "CWE-601", "CWE-1286" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<4.19.2" }, { "source": 1100530, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "qs", "send", "serve-static" ], "effects": [], "range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0", 
"nodes": [ "node_modules/express" ], "fixAvailable": true }, "fast-glob": { "name": "fast-glob", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "globby" ], "range": "<=2.2.7", "nodes": [ "node_modules/fast-glob" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "findup-sync": { "name": "findup-sync", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "qunit", "webpack-cli" ], "range": "0.4.0 - 3.0.0", "nodes": [ "node_modules/findup-sync", "node_modules/webpack-cli/node_modules/findup-sync" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "follow-redirects": { "name": "follow-redirects", "severity": "high", "isDirect": false, "via": [ { "source": 1092623, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", "severity": "moderate", "cwe": [ "CWE-200", "CWE-212" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<1.14.8" }, { "source": 1095014, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Exposure of sensitive information in follow-redirects", "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q", "severity": "high", "cwe": [ "CWE-359" ], "cvss": { "score": 8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, "range": "<1.14.7" }, { "source": 1096353, "name": "follow-redirects", "dependency": "follow-redirects", "title": "Follow Redirects improperly handles URLs in the url.parse() function", "url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc", "severity": "moderate", "cwe": [ "CWE-20", "CWE-601" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<1.15.4" }, { "source": 1096856, "name": 
"follow-redirects", "dependency": "follow-redirects", "title": "follow-redirects' Proxy-Authorization header kept across hosts", "url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=1.15.5" } ], "effects": [], "range": "<=1.15.5", "nodes": [ "node_modules/follow-redirects" ], "fixAvailable": true }, "fork-ts-checker-webpack-plugin": { "name": "fork-ts-checker-webpack-plugin", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "react-dev-utils" ], "range": "0.4.14 - 4.1.6", "nodes": [ "node_modules/@storybook/builder-webpack4/node_modules/fork-ts-checker-webpack-plugin", "node_modules/react-dev-utils/node_modules/fork-ts-checker-webpack-plugin" ], "fixAvailable": true }, "github-build": { "name": "github-build", "severity": "moderate", "isDirect": false, "via": [ "axios" ], "effects": [], "range": "<=1.2.3", "nodes": [ "node_modules/github-build" ], "fixAvailable": true }, "globby": { "name": "globby", "severity": "moderate", "isDirect": false, "via": [ "fast-glob" ], "effects": [ "cpy" ], "range": "8.0.0 - 9.2.0", "nodes": [ "node_modules/globby" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "icss-utils": { "name": "icss-utils", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "css-loader", "postcss-modules-local-by-default", "postcss-modules-values" ], "range": "<=4.1.1", "nodes": [ "node_modules/icss-utils" ], "fixAvailable": true }, "immer": { "name": "immer", "severity": "critical", "isDirect": false, "via": [ { "source": 1097196, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx", "severity": "high", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <9.0.6" }, { "source": 1097209, "name": "immer", "dependency": "immer", "title": "Prototype Pollution in immer", "url": "https://github.com/advisories/GHSA-33f9-j839-rf8h", "severity": "critical", "cwe": [ "CWE-843", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=7.0.0 <9.0.6" } ], "effects": [], "range": "7.0.0 - 9.0.5", "nodes": [ "node_modules/immer" ], "fixAvailable": true }, "ip": { "name": "ip", "severity": "high", "isDirect": false, "via": [ { "source": 1097720, "name": "ip", "dependency": "ip", "title": "NPM IP package incorrectly identifies some private IP addresses as public", "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", "severity": "low", "cwe": [ "CWE-918" ], "cvss": { "score": 0, "vectorString": null }, "range": "<1.1.9" }, { "source": 1099357, "name": "ip", "dependency": "ip", "title": "ip SSRF improper categorization in isPublic", "url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp", "severity": "high", "cwe": [ "CWE-918" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=2.0.1" } ], "effects": [], "range": "*", "nodes": [ "node_modules/ip" ], "fixAvailable": true }, "jsdoc": { "name": "jsdoc", "severity": "high", "isDirect": true, "via": [ "markdown-it", "marked", "taffydb" ], "effects": [], "range": "3.2.0-dev - 3.6.11", "nodes": [ "node_modules/jsdoc" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "jsdom": { "name": "jsdom", "severity": "moderate", "isDirect": true, "via": [ "request", "tough-cookie" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "0.1.20 || 0.2.0 - 16.5.3", "nodes": [ "node_modules/jsdom" ], "fixAvailable": { "name": "jsdom", "version": "25.0.1", "isSemVerMajor": true } }, "json-schema": { "name": "json-schema", "severity": "critical", "isDirect": false, "via": [ { "source": 
1095057, "name": "json-schema", "dependency": "json-schema", "title": "json-schema is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", "severity": "critical", "cwe": [ "CWE-915", "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<0.4.0" } ], "effects": [ "jsprim" ], "range": "<0.4.0", "nodes": [ "node_modules/json-schema" ], "fixAvailable": true }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096543, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" }, { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": [ "node_modules/json5", "node_modules/loader-utils/node_modules/json5", "node_modules/webpack-cli/node_modules/json5" ], "fixAvailable": true }, "jsprim": { "name": "jsprim", "severity": "critical", "isDirect": false, "via": [ "json-schema" ], "effects": [], "range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1", "nodes": [ "node_modules/jsprim" ], "fixAvailable": true }, "less": { "name": "less", "severity": "moderate", "isDirect": true, "via": [ "request" ], "effects": [], "range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3", "nodes": [ "node_modules/less" ], "fixAvailable": { "name": "less", "version": "3.13.1", "isSemVerMajor": false } }, "loader-utils": { "name": "loader-utils", "severity": "critical", "isDirect": false, "via": [ 
{ "source": 1094088, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<1.4.1" }, { "source": 1094089, "name": "loader-utils", "dependency": "loader-utils", "title": "Prototype pollution in webpack loader-utils", "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=2.0.0 <2.0.3" }, { "source": 1095054, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1095055, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" }, { "source": 1097142, "name": "loader-utils", "dependency": "loader-utils", "title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.4" }, { "source": 1097143, "name": "loader-utils", "dependency": "loader-utils", "title": 
"loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <1.4.2" } ], "effects": [ "react-dev-utils", "webpack-cli" ], "range": "<=1.4.1 || 2.0.0 - 2.0.3", "nodes": [ "node_modules/file-loader/node_modules/loader-utils", "node_modules/html-loader/node_modules/loader-utils", "node_modules/loader-utils", "node_modules/postcss-loader/node_modules/loader-utils", "node_modules/raw-loader/node_modules/loader-utils", "node_modules/react-dev-utils/node_modules/loader-utils", "node_modules/style-loader/node_modules/loader-utils", "node_modules/url-loader/node_modules/loader-utils", "node_modules/webpack-cli/node_modules/loader-utils" ], "fixAvailable": { "name": "webpack-cli", "version": "3.3.12", "isSemVerMajor": false } }, "markdown-it": { "name": "markdown-it", "severity": "moderate", "isDirect": false, "via": [ { "source": 1092663, "name": "markdown-it", "dependency": "markdown-it", "title": "Uncontrolled Resource Consumption in markdown-it", "url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<12.3.2" } ], "effects": [ "jsdoc" ], "range": "<12.3.2", "nodes": [ "node_modules/markdown-it" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "markdown-to-jsx": { "name": "markdown-to-jsx", "severity": "moderate", "isDirect": false, "via": [ { "source": 1100074, "name": "markdown-to-jsx", "dependency": "markdown-to-jsx", "title": "Cross site scripting in markdown-to-jsx", "url": "https://github.com/advisories/GHSA-4wx3-54gh-9fr9", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 6.1, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<7.4.0" } ], "effects": [ "@storybook/ui" ], "range": "<7.4.0", "nodes": [ "node_modules/@storybook/ui/node_modules/markdown-to-jsx", "node_modules/markdown-to-jsx" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "marked": { "name": "marked", "severity": "high", "isDirect": false, "via": [ { "source": 1095051, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" }, { "source": 1095052, "name": "marked", "dependency": "marked", "title": "Inefficient Regular Expression Complexity in marked", "url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.0.10" } ], "effects": [ "jsdoc" ], "range": "<=4.0.9", "nodes": [ "node_modules/marked" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "micromatch": { "name": "micromatch", "severity": "high", "isDirect": false, "via": [ { "source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": "Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<4.0.8" }, "braces" ], "effects": [ "anymatch", "fast-glob", "findup-sync", "fork-ts-checker-webpack-plugin", "readdirp", "sane", "webpack" ], "range": "<=4.0.7", "nodes": [ "node_modules/@storybook/builder-webpack4/node_modules/micromatch", "node_modules/fast-glob/node_modules/micromatch", 
"node_modules/findup-sync/node_modules/micromatch", "node_modules/micromatch", "node_modules/react-dev-utils/node_modules/fast-glob/node_modules/micromatch", "node_modules/react-dev-utils/node_modules/micromatch", "node_modules/sane/node_modules/micromatch", "node_modules/watchpack-chokidar2/node_modules/micromatch", "node_modules/webpack-cli/node_modules/micromatch", "node_modules/webpack/node_modules/micromatch" ], "fixAvailable": { "name": "webpack", "version": "5.96.1", "isSemVerMajor": true } }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "recursive-readdir" ], "range": "<3.0.5", "nodes": [ "node_modules/minimatch" ], "fixAvailable": true }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1097678, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, 
"range": ">=3.0.0 <3.1.31" } ], "effects": [], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/doiuse/node_modules/nanoid", "node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid" ], "fixAvailable": true }, "node-fetch": { "name": "node-fetch", "severity": "high", "isDirect": false, "via": [ { "source": 1095073, "name": "node-fetch", "dependency": "node-fetch", "title": "node-fetch forwards secure headers to untrusted sites", "url": "https://github.com/advisories/GHSA-r683-j2x4-v87g", "severity": "high", "cwe": [ "CWE-173", "CWE-200", "CWE-601" ], "cvss": { "score": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, "range": "<2.6.7" } ], "effects": [], "range": "<2.6.7", "nodes": [ "node_modules/node-fetch" ], "fixAvailable": true }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099561, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=0.2.0 <1.9.0" }, { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" } ], "effects": [ "express" ], "range": "<=0.1.9 || 0.2.0 - 1.8.0", "nodes": [ "node_modules/nise/node_modules/path-to-regexp", "node_modules/path-to-regexp" ], "fixAvailable": true }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094544, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": 
"https://github.com/advisories/GHSA-7fh5-64p2-3v2j", "severity": "moderate", "cwe": [ "CWE-74", "CWE-144" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<8.4.31" } ], "effects": [ "@storybook/builder-webpack4", "autoprefixer", "css-loader", "icss-utils", "postcss-flexbugs-fixes", "postcss-less", "postcss-modules-extract-imports", "postcss-modules-local-by-default", "postcss-modules-scope", "postcss-modules-values", "postcss-safe-parser", "postcss-sass", "postcss-scss", "stylelint", "sugarss" ], "range": "<8.4.31", "nodes": [ "node_modules/doiuse/node_modules/postcss", "node_modules/postcss", "node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-flexbugs-fixes": { "name": "postcss-flexbugs-fixes", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=4.2.1", "nodes": [ "node_modules/postcss-flexbugs-fixes" ], "fixAvailable": true }, "postcss-less": { "name": "postcss-less", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=3.1.4", "nodes": [ "node_modules/postcss-less" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-modules-extract-imports": { "name": "postcss-modules-extract-imports", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/postcss-modules-extract-imports" ], "fixAvailable": true }, "postcss-modules-local-by-default": { "name": "postcss-modules-local-by-default", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss" ], "effects": [], "range": "<=4.0.0-rc.4", "nodes": [ "node_modules/postcss-modules-local-by-default" ], "fixAvailable": true }, "postcss-modules-scope": { "name": "postcss-modules-scope", 
"severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.2.0", "nodes": [ "node_modules/postcss-modules-scope" ], "fixAvailable": true }, "postcss-modules-values": { "name": "postcss-modules-values", "severity": "moderate", "isDirect": false, "via": [ "icss-utils", "postcss" ], "effects": [ "css-loader" ], "range": "<=4.0.0-rc.5", "nodes": [ "node_modules/postcss-modules-values" ], "fixAvailable": true }, "postcss-safe-parser": { "name": "postcss-safe-parser", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=4.0.2", "nodes": [ "node_modules/postcss-safe-parser" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-sass": { "name": "postcss-sass", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=0.4.4", "nodes": [ "node_modules/postcss-sass" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-scss": { "name": "postcss-scss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=2.1.1", "nodes": [ "node_modules/postcss-scss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "pre-commit": { "name": "pre-commit", "severity": "high", "isDirect": true, "via": [ "cross-spawn" ], "effects": [], "range": ">=1.1.0", "nodes": [ "node_modules/pre-commit" ], "fixAvailable": { "name": "pre-commit", "version": "1.0.10", "isSemVerMajor": true } }, "prismjs": { "name": "prismjs", "severity": "high", "isDirect": false, "via": [ { "source": 1090424, "name": "prismjs", "dependency": "prismjs", "title": "Cross-site Scripting in Prism", "url": "https://github.com/advisories/GHSA-3949-f494-cm99", "severity": "high", "cwe": [ "CWE-79" ], "cvss": { "score": 7.5, "vectorString": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L" }, "range": ">=1.14.0 <1.27.0" } ], "effects": [ "refractor" ], "range": "1.14.0 - 1.26.0", "nodes": [ "node_modules/prismjs" ], "fixAvailable": true }, "qs": { "name": "qs", "severity": "high", "isDirect": false, "via": [ { "source": 1096470, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.5.0 <6.5.3" }, { "source": 1096472, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.7.0 <6.7.3" }, { "source": 1096475, "name": "qs", "dependency": "qs", "title": "qs vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.10.0 <6.10.3" } ], "effects": [ "body-parser", "express" ], "range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2", "nodes": [ "node_modules/body-parser/node_modules/qs", "node_modules/express/node_modules/qs", "node_modules/qs", "node_modules/request/node_modules/qs" ], "fixAvailable": true }, "qunit": { "name": "qunit", "severity": "moderate", "isDirect": false, "via": [ "findup-sync", "sane" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "2.4.1 - 2.8.0", "nodes": [ "node_modules/@wikimedia/mw-node-qunit/node_modules/qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "react-dev-utils": { "name": "react-dev-utils", "severity": "critical", "isDirect": false, "via": [ "browserslist", 
"cross-spawn", "fork-ts-checker-webpack-plugin", "immer", "loader-utils", "recursive-readdir", "shell-quote" ], "effects": [ "@storybook/builder-webpack4" ], "range": "0.5.2 - 12.0.0-next.60", "nodes": [ "node_modules/react-dev-utils" ], "fixAvailable": true }, "readdirp": { "name": "readdirp", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "chokidar" ], "range": "2.2.0 - 2.2.1", "nodes": [ "node_modules/watchpack-chokidar2/node_modules/readdirp" ], "fixAvailable": true }, "recursive-readdir": { "name": "recursive-readdir", "severity": "high", "isDirect": false, "via": [ "minimatch" ], "effects": [ "react-dev-utils" ], "range": "1.2.0 - 2.2.2", "nodes": [ "node_modules/recursive-readdir" ], "fixAvailable": true }, "refractor": { "name": "refractor", "severity": "high", "isDirect": false, "via": [ "prismjs" ], "effects": [], "range": "2.4.0 - 3.5.0 || 4.0.0 - 4.4.0", "nodes": [ "node_modules/refractor" ], "fixAvailable": true }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "jsdom", "less" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": { "name": "jsdom", "version": "25.0.1", "isSemVerMajor": true } }, "request-promise-native": { "name": "request-promise-native", "severity": "moderate", "isDirect": false, "via": [ "tough-cookie" ], "effects": [], "range": ">=1.0.6", "nodes": [ "node_modules/request-promise-native" ], "fixAvailable": true }, "sane": { "name": "sane", "severity": "moderate", "isDirect": false, "via": [ "anymatch", "micromatch" ], "effects": [ "qunit" ], "range": "1.5.0 - 4.1.0", "nodes": [ 
"node_modules/sane" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "semver": { "name": "semver", "severity": "high", "isDirect": false, "via": [ { "source": 1098562, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.2" }, { "source": 1098563, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<5.7.2" }, { "source": 1098564, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [ "core-js-compat", "eslint-plugin-compat" ], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": [ "node_modules/@babel/helper-compilation-targets/node_modules/semver", "node_modules/@npmcli/fs/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/core/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/helper-define-polyfill-provider/node_modules/semver", "node_modules/@storybook/builder-webpack4/node_modules/@babel/preset-env/node_modules/semver", "node_modules/@storybook/core-common/node_modules/@babel/register/node_modules/semver", "node_modules/@storybook/core-common/node_modules/find-cache-dir/node_modules/semver", 
"node_modules/@storybook/core-common/node_modules/semver", "node_modules/@storybook/core-server/node_modules/semver", "node_modules/@stylelint/postcss-css-in-js/node_modules/semver", "node_modules/@wikimedia/mw-node-qunit/node_modules/semver", "node_modules/babel-plugin-polyfill-corejs2/node_modules/semver", "node_modules/babel-plugin-polyfill-corejs3/node_modules/semver", "node_modules/babel-plugin-polyfill-regenerator/node_modules/semver", "node_modules/core-js-compat/node_modules/semver", "node_modules/css-loader/node_modules/semver", "node_modules/eslint-plugin-compat/node_modules/semver", "node_modules/eslint-plugin-jsdoc/node_modules/semver", "node_modules/eslint-plugin-mediawiki/node_modules/semver", "node_modules/eslint-plugin-node/node_modules/semver", "node_modules/eslint-plugin-unicorn/node_modules/semver", "node_modules/eslint-plugin-vue/node_modules/semver", "node_modules/eslint-template-visitor/node_modules/semver", "node_modules/eslint/node_modules/semver", "node_modules/fork-ts-checker-webpack-plugin/node_modules/semver", "node_modules/istanbul-lib-instrument/node_modules/semver", "node_modules/make-dir/node_modules/semver", "node_modules/meow/node_modules/semver", "node_modules/nyc/node_modules/semver", "node_modules/postcss-loader/node_modules/semver", "node_modules/semver", "node_modules/vue-eslint-parser/node_modules/semver" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "send": { "name": "send", "severity": "low", "isDirect": false, "via": [ { "source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "node_modules/send" ], "fixAvailable": 
true }, "serve-static": { "name": "serve-static", "severity": "low", "isDirect": false, "via": [ { "source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [], "range": "<=1.16.0", "nodes": [ "node_modules/serve-static" ], "fixAvailable": true }, "shell-quote": { "name": "shell-quote", "severity": "critical", "isDirect": false, "via": [ { "source": 1096375, "name": "shell-quote", "dependency": "shell-quote", "title": "Improper Neutralization of Special Elements used in a Command in Shell-quote", "url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7", "severity": "critical", "cwe": [ "CWE-77" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<=1.7.2" } ], "effects": [ "react-dev-utils" ], "range": "<=1.7.2", "nodes": [ "node_modules/shell-quote" ], "fixAvailable": true }, "simple-get": { "name": "simple-get", "severity": "high", "isDirect": false, "via": [ { "source": 1090445, "name": "simple-get", "dependency": "simple-get", "title": "Exposure of Sensitive Information in simple-get", "url": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv", "severity": "high", "cwe": [ "CWE-200" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.1" } ], "effects": [], "range": "3.0.0 - 3.1.0", "nodes": [ "node_modules/simple-get" ], "fixAvailable": true }, "stylelint": { "name": "stylelint", "severity": "moderate", "isDirect": false, "via": [ "autoprefixer", "postcss", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "sugarss" ], "effects": [ "stylelint-config-wikimedia" ], "range": "0.1.0 - 13.13.1", "nodes": [ 
"node_modules/stylelint" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "stylelint-config-wikimedia": { "name": "stylelint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": [ "stylelint" ], "effects": [], "range": "<=0.11.1", "nodes": [ "node_modules/stylelint-config-wikimedia" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "sugarss": { "name": "sugarss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/sugarss" ], "fixAvailable": true }, "taffydb": { "name": "taffydb", "severity": "high", "isDirect": false, "via": [ { "source": 1089386, "name": "taffydb", "dependency": "taffydb", "title": "TaffyDB can allow access to any data items in the DB", "url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6", "severity": "high", "cwe": [ "CWE-20", "CWE-668" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "range": "<=2.7.3" } ], "effects": [ "jsdoc" ], "range": "*", "nodes": [ "node_modules/taffydb" ], "fixAvailable": { "name": "jsdoc", "version": "3.6.11", "isSemVerMajor": false } }, "tar": { "name": "tar", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097493, "name": "tar", "dependency": "tar", "title": "Denial of service while parsing a tar file due to lack of folders count validation", "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<6.2.1" } ], "effects": [], "range": "<6.2.1", "nodes": [ "node_modules/tar" ], "fixAvailable": true }, "terser": { "name": "terser", "severity": "high", "isDirect": false, "via": [ { "source": 1091691, "name": "terser", "dependency": "terser", "title": "Terser insecure use of regular expressions leads to 
ReDoS", "url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.8.1" } ], "effects": [], "range": "<4.8.1", "nodes": [ "node_modules/terser" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "jsdom", "request", "request-promise-native" ], "range": "<4.1.3", "nodes": [ "node_modules/tough-cookie" ], "fixAvailable": { "name": "jsdom", "version": "25.0.1", "isSemVerMajor": true } }, "watchpack": { "name": "watchpack", "severity": "high", "isDirect": false, "via": [ "watchpack-chokidar2" ], "effects": [], "range": "1.7.2 - 1.7.5", "nodes": [ "node_modules/watchpack" ], "fixAvailable": true }, "watchpack-chokidar2": { "name": "watchpack-chokidar2", "severity": "high", "isDirect": false, "via": [ "chokidar" ], "effects": [ "watchpack" ], "range": "*", "nodes": [ "node_modules/watchpack-chokidar2" ], "fixAvailable": true }, "webpack": { "name": "webpack", "severity": "moderate", "isDirect": true, "via": [ "micromatch" ], "effects": [ "@storybook/core-common", "@storybook/core-server" ], "range": "4.0.0-alpha.0 - 5.0.0-rc.6", "nodes": [ "node_modules/webpack" ], "fixAvailable": { "name": "webpack", "version": "5.96.1", "isSemVerMajor": true } }, "webpack-cli": { "name": "webpack-cli", "severity": "high", "isDirect": true, "via": [ "cross-spawn", "findup-sync", "loader-utils" ], "effects": [], "range": "1.3.0 - 2.0.9 || 3.2.0 - 3.3.12", "nodes": [ "node_modules/webpack-cli" ], "fixAvailable": { 
"name": "webpack-cli", "version": "3.3.12", "isSemVerMajor": false } }, "webpack-dev-middleware": { "name": "webpack-dev-middleware", "severity": "high", "isDirect": false, "via": [ { "source": 1096729, "name": "webpack-dev-middleware", "dependency": "webpack-dev-middleware", "title": "Path traversal in webpack-dev-middleware", "url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, "range": "<=5.3.3" } ], "effects": [ "@storybook/core-server" ], "range": "<=5.3.3", "nodes": [ "node_modules/webpack-dev-middleware" ], "fixAvailable": { "name": "@storybook/html", "version": "8.4.5", "isSemVerMajor": true } }, "word-wrap": { "name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097681, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<1.2.4" } ], "effects": [], "range": "<1.2.4", "nodes": [ "node_modules/word-wrap" ], "fixAvailable": true }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098394, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.2.3" } ], "effects": [], "range": "6.0.0 - 6.2.2", "nodes": [ "node_modules/ws" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 4, "moderate": 44, "high": 38, "critical": 8, "total": 94 }, "dependencies": { "prod": 1, "dev": 2059, "optional": 31, 
"peer": 0, "peerOptional": 0, "total": 2059 } } } --- end --- Attempting to npm audit fix Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1868, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1813, in run self.npm_audit_fix(new_npm_audit) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 209, in npm_audit_fix prior_lock = PackageLockJson() ^^^^^^^^^^^^^^^^^ File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/files.py", line 88, in __init__ raise RuntimeError("lockfileVersion 1 is no longer supported") RuntimeError: lockfileVersion 1 is no longer supported (Note: the fix step aborted before modifying package-lock.json, so none of the 94 advisories reported above — 8 critical, 38 high, 44 moderate, 4 low — were remediated by this run; per the audit metadata they are almost entirely in dev dependencies (prod: 1, dev: 2059). They remain open on this branch until the lockfile is regenerated with a lockfileVersion the runner supports and the audit is re-run.)