This run took 57 seconds.
From aa131280164958acbb2649c9592aa25f077d3fdf Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Sat, 30 Nov 2024 04:02:52 +0000
Subject: [PATCH] build: Updating phpunit/phpunit to 9.6.21
Change-Id: I0face496cbe7a18bcb450730c34d76c0db993aab
---
composer.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/composer.json b/composer.json
index 1df9d45..f87c6b8 100644
--- a/composer.json
+++ b/composer.json
@@ -41,7 +41,7 @@
"ockcyp/covers-validator": "1.6.0",
"php-parallel-lint/php-console-highlighter": "1.0.0",
"php-parallel-lint/php-parallel-lint": "1.4.0",
- "phpunit/phpunit": "9.6.16",
+ "phpunit/phpunit": "9.6.21",
"wikimedia/update-history": "^1.0.1"
},
"scripts": {
--
2.39.2
$ date
--- stdout ---
Sat Nov 30 04:02:09 UTC 2024
--- end ---
$ git clone file:///srv/git/mediawiki-libs-LangConv.git repo --depth=1 -b master
--- stderr ---
Cloning into 'repo'...
Updating files: 72% (127/176)
Updating files: 73% (129/176)
Updating files: 74% (131/176)
Updating files: 75% (132/176)
Updating files: 76% (134/176)
Updating files: 77% (136/176)
Updating files: 78% (138/176)
Updating files: 79% (140/176)
Updating files: 80% (141/176)
Updating files: 81% (143/176)
Updating files: 82% (145/176)
Updating files: 83% (147/176)
Updating files: 84% (148/176)
Updating files: 85% (150/176)
Updating files: 86% (152/176)
Updating files: 87% (154/176)
Updating files: 88% (155/176)
Updating files: 89% (157/176)
Updating files: 90% (159/176)
Updating files: 91% (161/176)
Updating files: 92% (162/176)
Updating files: 93% (164/176)
Updating files: 94% (166/176)
Updating files: 95% (168/176)
Updating files: 96% (169/176)
Updating files: 97% (171/176)
Updating files: 98% (173/176)
Updating files: 99% (175/176)
Updating files: 100% (176/176)
Updating files: 100% (176/176), done.
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
e3297e7cf7cbb8810704d376af49ac1a07619bb7 refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"debug": {
"name": "debug",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1096793,
"name": "debug",
"dependency": "debug",
"title": "Regular Expression Denial of Service in debug",
"url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=3.2.0 <3.2.7"
}
],
"effects": [
"mocha"
],
"range": "3.2.0 - 3.2.6",
"nodes": [
"node_modules/mocha/node_modules/debug"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"flat": {
"name": "flat",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1089152,
"name": "flat",
"dependency": "flat",
"title": "flat vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-2j2x-2gpw-g8fm",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<5.0.1"
}
],
"effects": [
"yargs-unparser"
],
"range": "<5.0.1",
"nodes": [
"node_modules/flat"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096485,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [
"mocha"
],
"range": "<3.0.5",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "critical",
"isDirect": true,
"via": [
"debug",
"minimatch",
"yargs-unparser"
],
"effects": [],
"range": "5.1.0 - 9.2.1",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"yargs-unparser": {
"name": "yargs-unparser",
"severity": "critical",
"isDirect": false,
"via": [
"flat"
],
"effects": [
"mocha"
],
"range": "<=1.6.3",
"nodes": [
"node_modules/yargs-unparser"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 0,
"high": 1,
"critical": 3,
"total": 5
},
"dependencies": {
"prod": 1,
"dev": 371,
"optional": 2,
"peer": 1,
"peerOptional": 0,
"total": 371
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 69 installs, 0 updates, 0 removals
- Locking composer/pcre (3.3.2)
- Locking composer/semver (3.4.3)
- Locking composer/spdx-licenses (1.5.8)
- Locking composer/xdebug-handler (3.0.5)
- Locking dealerdirect/phpcodesniffer-composer-installer (v1.0.0)
- Locking doctrine/deprecations (1.1.3)
- Locking doctrine/instantiator (2.0.0)
- Locking felixfbecker/advanced-json-rpc (v3.2.1)
- Locking mediawiki/mediawiki-codesniffer (v45.0.0)
- Locking mediawiki/mediawiki-phan-config (0.14.0)
- Locking mediawiki/minus-x (1.1.3)
- Locking mediawiki/phan-taint-check-plugin (6.0.0)
- Locking microsoft/tolerant-php-parser (v0.1.2)
- Locking myclabs/deep-copy (1.12.1)
- Locking netresearch/jsonmapper (v4.5.0)
- Locking nikic/php-parser (v5.3.1)
- Locking ockcyp/covers-validator (v1.6.0)
- Locking phan/phan (5.4.3)
- Locking phar-io/manifest (2.0.4)
- Locking phar-io/version (3.2.1)
- Locking php-parallel-lint/php-console-color (v1.0.1)
- Locking php-parallel-lint/php-console-highlighter (v1.0.0)
- Locking php-parallel-lint/php-parallel-lint (v1.4.0)
- Locking phpcsstandards/phpcsextra (1.2.1)
- Locking phpcsstandards/phpcsutils (1.0.12)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (5.6.0)
- Locking phpdocumentor/type-resolver (1.10.0)
- Locking phpstan/phpdoc-parser (2.0.0)
- Locking phpunit/php-code-coverage (9.2.32)
- Locking phpunit/php-file-iterator (3.0.6)
- Locking phpunit/php-invoker (3.1.1)
- Locking phpunit/php-text-template (2.0.4)
- Locking phpunit/php-timer (5.0.3)
- Locking phpunit/phpunit (9.6.16)
- Locking psr/container (2.0.2)
- Locking psr/log (3.0.2)
- Locking sabre/event (5.1.7)
- Locking sebastian/cli-parser (1.0.2)
- Locking sebastian/code-unit (1.0.8)
- Locking sebastian/code-unit-reverse-lookup (2.0.3)
- Locking sebastian/comparator (4.0.8)
- Locking sebastian/complexity (2.0.3)
- Locking sebastian/diff (4.0.6)
- Locking sebastian/environment (5.1.5)
- Locking sebastian/exporter (4.0.6)
- Locking sebastian/global-state (5.0.7)
- Locking sebastian/lines-of-code (1.0.4)
- Locking sebastian/object-enumerator (4.0.4)
- Locking sebastian/object-reflector (2.0.4)
- Locking sebastian/recursion-context (4.0.5)
- Locking sebastian/resource-operations (3.0.4)
- Locking sebastian/type (3.2.1)
- Locking sebastian/version (3.0.2)
- Locking squizlabs/php_codesniffer (3.10.3)
- Locking symfony/console (v6.4.15)
- Locking symfony/deprecation-contracts (v3.5.1)
- Locking symfony/polyfill-ctype (v1.31.0)
- Locking symfony/polyfill-intl-grapheme (v1.31.0)
- Locking symfony/polyfill-intl-normalizer (v1.31.0)
- Locking symfony/polyfill-mbstring (v1.31.0)
- Locking symfony/polyfill-php80 (v1.31.0)
- Locking symfony/service-contracts (v3.5.1)
- Locking symfony/string (v7.2.0)
- Locking theseer/tokenizer (1.2.3)
- Locking tysonandre/var_representation_polyfill (0.1.3)
- Locking webmozart/assert (1.11.0)
- Locking wikimedia/assert (v0.5.1)
- Locking wikimedia/update-history (1.0.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 69 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing squizlabs/php_codesniffer (3.10.3): Extracting archive
- Installing dealerdirect/phpcodesniffer-composer-installer (v1.0.0): Extracting archive
- Installing composer/pcre (3.3.2): Extracting archive
- Installing symfony/polyfill-php80 (v1.31.0): Extracting archive
- Installing phpcsstandards/phpcsutils (1.0.12): Extracting archive
- Installing phpcsstandards/phpcsextra (1.2.1): Extracting archive
- Installing symfony/polyfill-mbstring (v1.31.0): Extracting archive
- Installing composer/spdx-licenses (1.5.8): Extracting archive
- Installing composer/semver (3.4.3): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v45.0.0): Extracting archive
- Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.31.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.31.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.31.0): Extracting archive
- Installing symfony/string (v7.2.0): Extracting archive
- Installing symfony/deprecation-contracts (v3.5.1): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.5.1): Extracting archive
- Installing symfony/console (v6.4.15): Extracting archive
- Installing sabre/event (5.1.7): Extracting archive
- Installing netresearch/jsonmapper (v4.5.0): Extracting archive
- Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive
- Installing webmozart/assert (1.11.0): Extracting archive
- Installing phpstan/phpdoc-parser (2.0.0): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.3): Extracting archive
- Installing phpdocumentor/type-resolver (1.10.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (5.6.0): Extracting archive
- Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
- Installing psr/log (3.0.2): Extracting archive
- Installing composer/xdebug-handler (3.0.5): Extracting archive
- Installing phan/phan (5.4.3): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (6.0.0): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.14.0): Extracting archive
- Installing mediawiki/minus-x (1.1.3): Extracting archive
- Installing sebastian/version (3.0.2): Extracting archive
- Installing sebastian/type (3.2.1): Extracting archive
- Installing sebastian/resource-operations (3.0.4): Extracting archive
- Installing sebastian/recursion-context (4.0.5): Extracting archive
- Installing sebastian/object-reflector (2.0.4): Extracting archive
- Installing sebastian/object-enumerator (4.0.4): Extracting archive
- Installing sebastian/global-state (5.0.7): Extracting archive
- Installing sebastian/exporter (4.0.6): Extracting archive
- Installing sebastian/environment (5.1.5): Extracting archive
- Installing sebastian/diff (4.0.6): Extracting archive
- Installing sebastian/comparator (4.0.8): Extracting archive
- Installing sebastian/code-unit (1.0.8): Extracting archive
- Installing sebastian/cli-parser (1.0.2): Extracting archive
- Installing phpunit/php-timer (5.0.3): Extracting archive
- Installing phpunit/php-text-template (2.0.4): Extracting archive
- Installing phpunit/php-invoker (3.1.1): Extracting archive
- Installing phpunit/php-file-iterator (3.0.6): Extracting archive
- Installing theseer/tokenizer (1.2.3): Extracting archive
- Installing nikic/php-parser (v5.3.1): Extracting archive
- Installing sebastian/lines-of-code (1.0.4): Extracting archive
- Installing sebastian/complexity (2.0.3): Extracting archive
- Installing sebastian/code-unit-reverse-lookup (2.0.3): Extracting archive
- Installing phpunit/php-code-coverage (9.2.32): Extracting archive
- Installing phar-io/version (3.2.1): Extracting archive
- Installing phar-io/manifest (2.0.4): Extracting archive
- Installing myclabs/deep-copy (1.12.1): Extracting archive
- Installing doctrine/instantiator (2.0.0): Extracting archive
- Installing phpunit/phpunit (9.6.16): Extracting archive
- Installing ockcyp/covers-validator (v1.6.0): Extracting archive
- Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
- Installing wikimedia/assert (v0.5.1): Extracting archive
- Installing wikimedia/update-history (1.0.1): Extracting archive
0/67 [>---------------------------] 0%
23/67 [=========>------------------] 34%
38/67 [===============>------------] 56%
51/67 [=====================>------] 76%
64/67 [==========================>-] 95%
67/67 [============================] 100%
4 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating optimized autoload files
42 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils
--- end ---
Upgrading c:phpunit/phpunit from 9.6.16 -> 9.6.21
$ /usr/bin/composer update
--- stderr ---
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 1 update, 0 removals
- Upgrading phpunit/phpunit (9.6.16 => 9.6.21)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 1 update, 0 removals
- Upgrading phpunit/phpunit (9.6.16 => 9.6.21): Extracting archive
Generating optimized autoload files
42 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found
--- stdout ---
--- end ---
$ /usr/bin/composer install
--- stderr ---
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Nothing to install, update or remove
Generating optimized autoload files
42 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
--- end ---
$ /usr/bin/composer test
--- stderr ---
> parallel-lint . --exclude vendor --exclude node_modules
> phpunit
> covers-validator
> phpcs -sp
> phan --allow-polyfill-parser
Parsing files...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 54 / 1512 ( 5%) 51MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 108 / 1512 ( 7%) 66MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 162 / 1512 ( 11%) 74MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 216 / 1512 ( 21%) 80MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 270 / 1512 ( 21%) 80MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 324 / 1512 ( 21%) 80MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 378 / 1512 ( 26%) 98MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 432 / 1512 ( 33%) 126MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 486 / 1512 ( 33%) 126MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 540 / 1512 ( 36%) 138MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 594 / 1512 ( 44%) 153MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 648 / 1512 ( 44%) 153MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 702 / 1512 ( 52%) 162MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 756 / 1512 ( 52%) 162MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 810 / 1512 ( 54%) 173MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 864 / 1512 ( 63%) 180MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 918 / 1512 ( 63%) 180MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 972 / 1512 ( 68%) 192MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1026 / 1512 ( 68%) 192MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1080 / 1512 ( 74%) 203MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1134 / 1512 ( 80%) 213MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1188 / 1512 ( 80%) 213MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1242 / 1512 ( 87%) 224MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1296 / 1512 ( 87%) 224MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1350 / 1512 ( 91%) 235MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1404 / 1512 ( 95%) 244MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1458 / 1512 ( 99%) 262MB
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 1512 / 1512 (100%) 267MB
Analyzing classes...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 291MB
Analyzing functions...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 291MB
Analyzing methods...
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 298MB
Analyzing files...
░░░░░░░░░░░░░░ 14 / 14 (100%) 308MB
> minus-x check .
--- stdout ---
PHP 8.2.20 | 10 parallel jobs
..................... 21/21 (100%)
Checked 21 files in 0.1 seconds
No syntax error found
PHPUnit 9.6.21 by Sebastian Bergmann and contributors.
... 3 / 3 (100%)
Time: 00:00.010, Memory: 6.00 MB
OK (3 tests, 4 assertions)
CoversValidator 1.6.0
Validation complete. All @covers tags are valid.
..................... 21 / 21 (100%)
Time: 414ms; Memory: 8MB
MinusX
======
Processing /src/repo...
.............................................................
.............................................................
........................................................
All good!
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"debug": {
"name": "debug",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1096793,
"name": "debug",
"dependency": "debug",
"title": "Regular Expression Denial of Service in debug",
"url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=3.2.0 <3.2.7"
}
],
"effects": [
"mocha"
],
"range": "3.2.0 - 3.2.6",
"nodes": [
"node_modules/mocha/node_modules/debug"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"flat": {
"name": "flat",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1089152,
"name": "flat",
"dependency": "flat",
"title": "flat vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-2j2x-2gpw-g8fm",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<5.0.1"
}
],
"effects": [
"yargs-unparser"
],
"range": "<5.0.1",
"nodes": [
"node_modules/flat"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096485,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [
"mocha"
],
"range": "<3.0.5",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "critical",
"isDirect": true,
"via": [
"debug",
"minimatch",
"yargs-unparser"
],
"effects": [],
"range": "5.1.0 - 9.2.1",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"yargs-unparser": {
"name": "yargs-unparser",
"severity": "critical",
"isDirect": false,
"via": [
"flat"
],
"effects": [
"mocha"
],
"range": "<=1.6.3",
"nodes": [
"node_modules/yargs-unparser"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 0,
"high": 1,
"critical": 3,
"total": 5
},
"dependencies": {
"prod": 1,
"dev": 371,
"optional": 2,
"peer": 1,
"peerOptional": 0,
"total": 371
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 371,
"removed": 0,
"changed": 0,
"audited": 372,
"funding": 59,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"debug": {
"name": "debug",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1096793,
"name": "debug",
"dependency": "debug",
"title": "Regular Expression Denial of Service in debug",
"url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c",
"severity": "low",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 3.7,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=3.2.0 <3.2.7"
}
],
"effects": [
"mocha"
],
"range": "3.2.0 - 3.2.6",
"nodes": [
"node_modules/mocha/node_modules/debug"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"flat": {
"name": "flat",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1089152,
"name": "flat",
"dependency": "flat",
"title": "flat vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-2j2x-2gpw-g8fm",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<5.0.1"
}
],
"effects": [
"yargs-unparser"
],
"range": "<5.0.1",
"nodes": [
"node_modules/flat"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096485,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [
"mocha"
],
"range": "<3.0.5",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"mocha": {
"name": "mocha",
"severity": "critical",
"isDirect": true,
"via": [
"debug",
"minimatch",
"yargs-unparser"
],
"effects": [],
"range": "5.1.0 - 9.2.1",
"nodes": [
"node_modules/mocha"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
},
"yargs-unparser": {
"name": "yargs-unparser",
"severity": "critical",
"isDirect": false,
"via": [
"flat"
],
"effects": [
"mocha"
],
"range": "<=1.6.3",
"nodes": [
"node_modules/yargs-unparser"
],
"fixAvailable": {
"name": "mocha",
"version": "10.8.2",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 0,
"high": 1,
"critical": 3,
"total": 5
},
"dependencies": {
"prod": 1,
"dev": 371,
"optional": 2,
"peer": 1,
"peerOptional": 0,
"total": 371
}
}
}
}
--- end ---
{"added": 371, "removed": 0, "changed": 0, "audited": 372, "funding": 59, "audit": {"auditReportVersion": 2, "vulnerabilities": {"debug": {"name": "debug", "severity": "low", "isDirect": false, "via": [{"source": 1096793, "name": "debug", "dependency": "debug", "title": "Regular Expression Denial of Service in debug", "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", "severity": "low", "cwe": ["CWE-400"], "cvss": {"score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": ">=3.2.0 <3.2.7"}], "effects": ["mocha"], "range": "3.2.0 - 3.2.6", "nodes": ["node_modules/mocha/node_modules/debug"], "fixAvailable": {"name": "mocha", "version": "10.8.2", "isSemVerMajor": true}}, "flat": {"name": "flat", "severity": "critical", "isDirect": false, "via": [{"source": 1089152, "name": "flat", "dependency": "flat", "title": "flat vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-2j2x-2gpw-g8fm", "severity": "critical", "cwe": ["CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": "<5.0.1"}], "effects": ["yargs-unparser"], "range": "<5.0.1", "nodes": ["node_modules/flat"], "fixAvailable": {"name": "mocha", "version": "10.8.2", "isSemVerMajor": true}}, "minimatch": {"name": "minimatch", "severity": "high", "isDirect": false, "via": [{"source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": ["CWE-400", "CWE-1333"], "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "range": "<3.0.5"}], "effects": ["mocha"], "range": "<3.0.5", "nodes": ["node_modules/minimatch"], "fixAvailable": {"name": "mocha", "version": "10.8.2", "isSemVerMajor": true}}, "mocha": {"name": "mocha", "severity": "critical", "isDirect": true, "via": ["debug", "minimatch", "yargs-unparser"], "effects": [], "range": "5.1.0 - 9.2.1", "nodes": ["node_modules/mocha"], "fixAvailable": {"name": "mocha", "version": "10.8.2", "isSemVerMajor": true}}, "yargs-unparser": {"name": "yargs-unparser", "severity": "critical", "isDirect": false, "via": ["flat"], "effects": ["mocha"], "range": "<=1.6.3", "nodes": ["node_modules/yargs-unparser"], "fixAvailable": {"name": "mocha", "version": "10.8.2", "isSemVerMajor": true}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 3, "total": 5}, "dependencies": {"prod": 1, "dev": 371, "optional": 2, "peer": 1, "peerOptional": 0, "total": 371}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
added 370 packages, and audited 371 packages in 5s
59 packages are looking for funding
run `npm fund` for details
# npm audit report
debug 3.2.0 - 3.2.6
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install mocha@10.8.2, which is a breaking change
node_modules/mocha/node_modules/debug
mocha 5.1.0 - 9.2.1
Depends on vulnerable versions of debug
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of yargs-unparser
node_modules/mocha
flat <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
fix available via `npm audit fix --force`
Will install mocha@10.8.2, which is a breaking change
node_modules/flat
yargs-unparser <=1.6.3
Depends on vulnerable versions of flat
node_modules/yargs-unparser
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install mocha@10.8.2, which is a breaking change
node_modules/minimatch
5 vulnerabilities (1 low, 1 high, 3 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stdout ---
added 370 packages, and audited 371 packages in 5s
59 packages are looking for funding
run `npm fund` for details
5 vulnerabilities (1 low, 1 high, 3 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stderr ---
(node:642) DeprecationWarning: Configuration via mocha.opts is DEPRECATED and will be removed from a future version of Mocha. Use RC files or package.json instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
--- stdout ---
> wikimedia-langconv@0.4.1+git test
> npm run eslint && npm run mocha
> wikimedia-langconv@0.4.1+git eslint
> eslint lib
/src/repo/lib/FST.js
48:1 warning The type 'Utf8Array' is undefined jsdoc/no-undefined-types
52:1 warning The type 'BracketMachine' is undefined jsdoc/no-undefined-types
52:1 warning The type 'ConversionMachine' is undefined jsdoc/no-undefined-types
/src/repo/lib/ReplacementMachine.js
17:1 warning Missing JSDoc @param "baseLanguage" type jsdoc/require-param-type
36:2 warning Missing JSDoc @return declaration jsdoc/require-returns
37:1 warning Missing JSDoc @param "filename" type jsdoc/require-param-type
38:1 warning Missing JSDoc @param "bracket" type jsdoc/require-param-type
59:2 warning Found more than one @return declaration jsdoc/require-returns
59:2 warning Found more than one @return declaration jsdoc/require-returns-check
70:1 warning Missing JSDoc @param "s" type jsdoc/require-param-type
71:1 warning Missing JSDoc @param "destCode" type jsdoc/require-param-type
72:1 warning Missing JSDoc @param "invertCode" type jsdoc/require-param-type
104:1 warning The type 'Node' is undefined jsdoc/no-undefined-types
107:1 warning The type 'Node' is undefined jsdoc/no-undefined-types
136:1 warning The type 'Document' is undefined jsdoc/no-undefined-types
144:1 warning The type 'DocumentFragment' is undefined jsdoc/no-undefined-types
✖ 16 problems (0 errors, 16 warnings)
> wikimedia-langconv@0.4.1+git mocha
> mocha --opts tests/mocha/mocha.opts tests/mocha
Foma FST verification
- LANGCONV_TEST_FOMA is not set, skipping
Language/CRH tests
✓ general words, covering more of the alphabet (1) [crh-cyrl]
✓ general words, covering more of the alphabet (2) [crh-cyrl]
✓ general words, covering more of the alphabet (3) [crh-cyrl]
✓ general words, covering more of the alphabet (4) [crh-cyrl]
✓ exception words [crh-cyrl]
✓ recent problem words, part 1 [crh-cyrl]
✓ recent problem words, part 2 [crh-cyrl]
✓ recent problem words, part 3 [crh-cyrl]
✓ recent problem words, part 4 [crh-cyrl]
✓ recent problem words, part 5 [crh-cyrl]
✓ recent problem words, part 6 [crh-cyrl]
✓ recent problem words, part 7 [crh-cyrl]
✓ regex pattern words [crh-cyrl]
✓ multi part words [crh-cyrl]
✓ affix patterns [crh-cyrl]
✓ Roman numerals and quotes, esp. single-letter Roman numerals at the end of a string [crh-cyrl]
✓ Roman numerals vs Initials, part 1 - Roman numeral initials without spaces [crh-cyrl]
✓ Roman numerals vs Initials, part 2 - Roman numeral initials with spaces [crh-cyrl]
✓ ALL CAPS, made up acronyms [crh-cyrl]
✓ Many-to-one mappings: many Cyrillic to one Latin [crh-cyrl]
✓ Many-to-one mappings: many Latin to one Cyrillic [crh-cyrl]
✓ general words, covering more of the alphabet (1) [crh-latn]
✓ general words, covering more of the alphabet (2) [crh-latn]
✓ general words, covering more of the alphabet (3) [crh-latn]
✓ general words, covering more of the alphabet (4) [crh-latn]
✓ exception words [crh-latn]
✓ recent problem words, part 1 [crh-latn]
✓ recent problem words, part 2 [crh-latn]
✓ recent problem words, part 3 [crh-latn]
✓ recent problem words, part 4 [crh-latn]
✓ recent problem words, part 5 [crh-latn]
✓ recent problem words, part 6 [crh-latn]
✓ recent problem words, part 7 [crh-latn]
✓ regex pattern words [crh-latn]
✓ multi part words [crh-latn]
✓ affix patterns [crh-latn]
✓ Roman numerals and quotes, esp. single-letter Roman numerals at the end of a string [crh-latn]
✓ Roman numerals vs Initials, part 1 - Roman numeral initials without spaces [crh-latn]
✓ Roman numerals vs Initials, part 2 - Roman numeral initials with spaces [crh-latn]
✓ ALL CAPS, made up acronyms [crh-latn]
✓ Many-to-one mappings: many Cyrillic to one Latin [crh-latn]
✓ Many-to-one mappings: many Latin to one Cyrillic [crh-latn]
LanguageEn tests
✓ Converting to Pig Latin [en]
✓ Converting from Pig Latin [en]
✓ Converting to Pig Latin [en-x-piglatin]
✓ Converting from Pig Latin [en-x-piglatin]
LanguageKu tests
✓ Test (1) [ku-arab]
✓ Test (3) [ku-arab]
✓ Test (1) [ku-latn]
✓ Test (2) [ku-latn]
✓ Test (3) [ku-latn]
LanguageSr tests
✓ A simple conversion of Latin to Cyrillic [sr-ec]
LanguageZh tests
✓ Plain hant -> hans [zh-cn]
✓ Plain hans -> hant [zh-cn]
✓ zh-cn specific [zh-cn]
✓ zh-hk specific [zh-cn]
✓ zh-tw specific [zh-cn]
✓ zh-tw overrides zh-hant [zh-cn]
✓ zh-hk overrides zh-hant [zh-cn]
✓ Plain hant -> hans [zh-sg]
✓ Plain hans -> hant [zh-sg]
✓ zh-cn specific [zh-sg]
✓ zh-hk specific [zh-sg]
✓ zh-tw specific [zh-sg]
✓ zh-tw overrides zh-hant [zh-sg]
✓ zh-hk overrides zh-hant [zh-sg]
✓ Plain hant -> hans [zh-my]
✓ Plain hans -> hant [zh-my]
✓ zh-cn specific [zh-my]
✓ zh-hk specific [zh-my]
✓ zh-tw specific [zh-my]
✓ zh-tw overrides zh-hant [zh-my]
✓ zh-hk overrides zh-hant [zh-my]
✓ Plain hant -> hans [zh-hans]
✓ Plain hans -> hant [zh-hans]
✓ zh-cn specific [zh-hans]
✓ zh-hk specific [zh-hans]
✓ zh-tw specific [zh-hans]
✓ zh-tw overrides zh-hant [zh-hans]
✓ zh-hk overrides zh-hant [zh-hans]
✓ Plain hant -> hans [zh-tw]
✓ Plain hans -> hant [zh-tw]
✓ zh-cn specific [zh-tw]
✓ zh-hk specific [zh-tw]
✓ zh-tw specific [zh-tw]
✓ zh-tw overrides zh-hant [zh-tw]
✓ zh-hk overrides zh-hant [zh-tw]
✓ Plain hant -> hans [zh-hk]
✓ Plain hans -> hant [zh-hk]
✓ zh-cn specific [zh-hk]
✓ zh-hk specific [zh-hk]
✓ zh-tw specific [zh-hk]
✓ zh-tw overrides zh-hant [zh-hk]
✓ zh-hk overrides zh-hant [zh-hk]
✓ Plain hant -> hans [zh-mo]
✓ Plain hans -> hant [zh-mo]
✓ zh-cn specific [zh-mo]
✓ zh-hk specific [zh-mo]
✓ zh-tw specific [zh-mo]
✓ zh-tw overrides zh-hant [zh-mo]
✓ zh-hk overrides zh-hant [zh-mo]
✓ Plain hant -> hans [zh-hant]
✓ Plain hans -> hant [zh-hant]
✓ zh-cn specific [zh-hant]
✓ zh-hk specific [zh-hant]
✓ zh-tw specific [zh-hant]
✓ zh-tw overrides zh-hant [zh-hant]
✓ zh-hk overrides zh-hant [zh-hant]
108 passing (77ms)
1 pending
--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json
--- end ---
build: Updating phpunit/phpunit to 9.6.21
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmptqdzw5rn
--- stdout ---
[master aa13128] build: Updating phpunit/phpunit to 9.6.21
1 file changed, 1 insertion(+), 1 deletion(-)
--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From aa131280164958acbb2649c9592aa25f077d3fdf Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Sat, 30 Nov 2024 04:02:52 +0000
Subject: [PATCH] build: Updating phpunit/phpunit to 9.6.21
Change-Id: I0face496cbe7a18bcb450730c34d76c0db993aab
---
composer.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/composer.json b/composer.json
index 1df9d45..f87c6b8 100644
--- a/composer.json
+++ b/composer.json
@@ -41,7 +41,7 @@
"ockcyp/covers-validator": "1.6.0",
"php-parallel-lint/php-console-highlighter": "1.0.0",
"php-parallel-lint/php-parallel-lint": "1.4.0",
- "phpunit/phpunit": "9.6.16",
+ "phpunit/phpunit": "9.6.21",
"wikimedia/update-history": "^1.0.1"
},
"scripts": {
--
2.39.2
--- end ---