This run took 15 seconds.
$ date --- stdout --- Sun Dec 1 11:39:07 UTC 2024 --- end --- $ git clone file:///srv/git/mediawiki-extensions-RelatedArticles.git repo --depth=1 -b REL1_39 --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/REL1_39 --- stdout --- 225e22507f7d6622ebbb33052adddfde76493183 refs/heads/REL1_39 --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "@wdio/cli": { "name": "@wdio/cli", "severity": "high", "isDirect": true, "via": [ "webdriverio", "yarn-install" ], "effects": [], "range": "5.4.10 - 8.40.6", "nodes": [ "node_modules/@wdio/cli" ], "fixAvailable": { "name": "@wdio/cli", "version": "9.4.1", "isSemVerMajor": true } }, "@wdio/local-runner": { "name": "@wdio/local-runner", "severity": "high", "isDirect": true, "via": [ "@wdio/runner" ], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/local-runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.4.1", "isSemVerMajor": true } }, "@wdio/runner": { "name": "@wdio/runner", "severity": "high", "isDirect": false, "via": [ "webdriverio" ], "effects": [ "@wdio/local-runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.4.1", "isSemVerMajor": true } }, "@wikimedia/mw-node-qunit": { "name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": [ "jsdom", "qunit" ], "effects": [], "range": "<=6.2.1", "nodes": [ "node_modules/@wikimedia/mw-node-qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "anymatch": { "name": "anymatch", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "sane" ], "range": "1.2.0 - 2.0.0", "nodes": [ "node_modules/sane/node_modules/anymatch" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "autoprefixer": { "name": "autoprefixer", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "1.0.20131222 - 9.8.8", "nodes": [ "node_modules/autoprefixer" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "braces": { "name": "braces", "severity": "high", "isDirect": false, "via": [ { "source": 1098094, "name": "braces", "dependency": "braces", "title": "Uncontrolled resource consumption in braces", "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", "severity": "high", "cwe": [ "CWE-400", "CWE-1050" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.3" } ], "effects": [ "micromatch" ], "range": "<3.0.3", "nodes": [ "node_modules/braces", "node_modules/findup-sync/node_modules/braces", "node_modules/sane/node_modules/braces" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "cross-spawn": { "name": "cross-spawn", "severity": "high", "isDirect": false, "via": [ { "source": 1100562, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<6.0.6" }, { "source": 1100563, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.0.5" } ], "effects": [ "yarn-install" ], "range": "<6.0.6 || >=7.0.0 <7.0.5", "nodes": [ "node_modules/@wikimedia/mw-node-qunit/node_modules/cross-spawn", "node_modules/cross-spawn", "node_modules/eslint/node_modules/cross-spawn", "node_modules/execa/node_modules/cross-spawn", "node_modules/jest-changed-files/node_modules/cross-spawn", "node_modules/jest-runtime/node_modules/cross-spawn" ], "fixAvailable": { "name": "@wdio/cli", "version": "9.4.1", "isSemVerMajor": true } }, "decode-uri-component": { "name": "decode-uri-component", "severity": "high", "isDirect": false, "via": [ { "source": 1094087, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "high", "cwe": [ "CWE-20" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "devtools": { "name": "devtools", "severity": "high", "isDirect": false, "via": [ "puppeteer-core" ], "effects": [], "range": ">=7.16.5", "nodes": [ "node_modules/devtools" ], "fixAvailable": true }, "ejs": { "name": "ejs", "severity": "critical", "isDirect": false, "via": [ { "source": 1089270, "name": "ejs", "dependency": "ejs", "title": "ejs template injection vulnerability", "url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q", "severity": "critical", "cwe": [ "CWE-74" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<3.1.7" }, { "source": 1098366, "name": "ejs", "dependency": "ejs", "title": "ejs lacks certain pollution protection", "url": "https://github.com/advisories/GHSA-ghr5-ch3p-vcr6", "severity": "moderate", "cwe": [ "CWE-693", "CWE-1321" ], "cvss": { "score": 4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<3.1.10" } ], "effects": [], "range": "<=3.1.9", "nodes": [ "node_modules/ejs" ], "fixAvailable": true }, "eslint-config-wikimedia": { "name": "eslint-config-wikimedia", "severity": "high", "isDirect": true, "via": [ "eslint-plugin-compat" ], "effects": [], "range": "0.18.0 - 0.21.0", "nodes": [ "node_modules/eslint-config-wikimedia" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "eslint-plugin-compat": { "name": "eslint-plugin-compat", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [ "eslint-config-wikimedia" ], "range": "3.6.0-0 - 4.1.4", "nodes": [ "node_modules/eslint-plugin-compat" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "findup-sync": { "name": "findup-sync", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "qunit" ], "range": "0.4.0 - 3.0.0", "nodes": [ "node_modules/findup-sync" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "got": { "name": "got", "severity": "moderate", "isDirect": false, "via": [ { "source": 1088948, "name": "got", "dependency": "got", "title": "Got allows a redirect to a UNIX socket", "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97", "severity": "moderate", "cwe": [], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<11.8.5" } ], "effects": [], "range": "<11.8.5", "nodes": [ "node_modules/got" ], "fixAvailable": true }, "http-cache-semantics": { "name": "http-cache-semantics", "severity": "high", "isDirect": false, "via": [ { "source": 1092316, "name": "http-cache-semantics", "dependency": "http-cache-semantics", "title": "http-cache-semantics vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-rc47-6667-2j5j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.1.1" } ], "effects": [], "range": "<4.1.1", "nodes": [ "node_modules/http-cache-semantics" ], "fixAvailable": true }, "jsdom": { "name": "jsdom", "severity": "moderate", "isDirect": false, "via": [ "request", "tough-cookie" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "0.1.20 || 0.2.0 - 16.5.3", "nodes": [ "node_modules/jsdom" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "2.0.0 - 2.2.1", "nodes": [ "node_modules/json5" ], "fixAvailable": true }, "micromatch": { "name": "micromatch", "severity": "high", "isDirect": false, "via": [ { "source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": "Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<4.0.8" }, "braces" ], "effects": [ "anymatch", "findup-sync", "sane" ], "range": "<=4.0.7", "nodes": [ "node_modules/findup-sync/node_modules/micromatch", "node_modules/micromatch", "node_modules/sane/node_modules/micromatch" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "mocha", "recursive-readdir" ], "range": "<3.0.5", "nodes": [ "node_modules/minimatch" ], "fixAvailable": true }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1097678, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true }, "mocha": { "name": "mocha", "severity": "high", "isDirect": false, "via": [ "minimatch" ], "effects": [], "range": "5.1.0 - 9.2.1", "nodes": [ "node_modules/mocha" ], "fixAvailable": true }, "mwbot": { "name": "mwbot", "severity": "high", "isDirect": false, "via": [ "request", "semver" ], "effects": [ "wdio-mediawiki" ], "range": ">=0.1.6", "nodes": [ "node_modules/mwbot" ], "fixAvailable": { "name": "wdio-mediawiki", "version": "2.5.0", "isSemVerMajor": false } }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/doiuse/node_modules/nanoid", "node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid" ], "fixAvailable": true }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099561, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=0.2.0 <1.9.0" } ], "effects": [], "range": "0.2.0 - 1.8.0", "nodes": [ "node_modules/path-to-regexp" ], "fixAvailable": true }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094544, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j", "severity": "moderate", "cwe": [ "CWE-74", "CWE-144" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<8.4.31" } ], "effects": [ "autoprefixer", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "stylelint", "sugarss" ], "range": "<8.4.31", "nodes": [ "node_modules/doiuse/node_modules/postcss", "node_modules/postcss", "node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-less": { "name": "postcss-less", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=3.1.4", "nodes": [ "node_modules/postcss-less" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-safe-parser": { "name": "postcss-safe-parser", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=4.0.2", "nodes": [ "node_modules/postcss-safe-parser" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-sass": { "name": "postcss-sass", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=0.4.4", "nodes": [ "node_modules/postcss-sass" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-scss": { "name": "postcss-scss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=2.1.1", "nodes": [ "node_modules/postcss-scss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "puppeteer-core": { "name": "puppeteer-core", "severity": "high", "isDirect": false, "via": [ "ws" ], "effects": [ "devtools", "webdriverio" ], "range": "11.0.0 - 22.11.1", "nodes": [ "node_modules/puppeteer-core" ], "fixAvailable": { "name": "webdriverio", "version": "9.4.1", "isSemVerMajor": true } }, "qunit": { "name": "qunit", "severity": "moderate", "isDirect": false, "via": [ "findup-sync", "sane" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "2.4.1 - 2.8.0", "nodes": [ "node_modules/qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "recursive-readdir": { "name": "recursive-readdir", "severity": "high", "isDirect": false, "via": [ "minimatch" ], "effects": [], "range": "1.2.0 - 2.2.2", "nodes": [ "node_modules/recursive-readdir" ], "fixAvailable": true }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "jsdom", "mwbot" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "request-promise-native": { "name": "request-promise-native", "severity": "moderate", "isDirect": false, "via": [ "tough-cookie" ], "effects": [], "range": ">=1.0.6", "nodes": [ "node_modules/request-promise-native" ], "fixAvailable": true }, "sane": { "name": "sane", "severity": "moderate", "isDirect": false, "via": [ "anymatch", "micromatch" ], "effects": [ "qunit" ], "range": "1.5.0 - 4.1.0", "nodes": [ "node_modules/sane" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "semver": { "name": "semver", "severity": "high", "isDirect": false, "via": [ { "source": 1098562, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.2" }, { "source": 1098563, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<5.7.2" }, { "source": 1098564, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [ "eslint-plugin-compat", "mwbot" ], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": [ "node_modules/@babel/core/node_modules/semver", "node_modules/@babel/helper-compilation-targets/node_modules/semver", "node_modules/@wikimedia/mw-node-qunit/node_modules/cross-spawn/node_modules/semver", "node_modules/@wikimedia/mw-node-qunit/node_modules/semver", "node_modules/eslint-plugin-compat/node_modules/semver", "node_modules/eslint-plugin-jsdoc/node_modules/semver", "node_modules/eslint-plugin-node/node_modules/semver", "node_modules/eslint-plugin-vue/node_modules/semver", "node_modules/eslint/node_modules/semver", "node_modules/istanbul-lib-instrument/node_modules/semver", "node_modules/istanbul-lib-report/node_modules/semver", "node_modules/jest-snapshot/node_modules/semver", "node_modules/meow/node_modules/read-pkg/node_modules/semver", "node_modules/meow/node_modules/semver", "node_modules/mwbot/node_modules/semver", "node_modules/semver", "node_modules/vue-eslint-parser/node_modules/semver" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "stylelint": { "name": "stylelint", "severity": "moderate", "isDirect": false, "via": [ "autoprefixer", "postcss", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "sugarss" ], "effects": [ "stylelint-config-wikimedia" ], "range": "0.1.0 - 13.13.1", "nodes": [ "node_modules/stylelint" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "stylelint-config-wikimedia": { "name": "stylelint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": [ "stylelint" ], "effects": [], "range": "<=0.11.1", "nodes": [ "node_modules/stylelint-config-wikimedia" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "sugarss": { "name": "sugarss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=2.0.0", "nodes": [ "node_modules/sugarss" ], "fixAvailable": true }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "jsdom", "request", "request-promise-native" ], "range": "<4.1.3", "nodes": [ "node_modules/jest-environment-jsdom/node_modules/tough-cookie", "node_modules/tough-cookie" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "ua-parser-js": { "name": "ua-parser-js", "severity": "high", "isDirect": false, "via": [ { "source": 1092302, "name": "ua-parser-js", "dependency": "ua-parser-js", "title": "ReDoS Vulnerability in ua-parser-js version", "url": "https://github.com/advisories/GHSA-fhg7-m89q-25r3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=0.8.0 <1.0.33" } ], "effects": [], "range": "0.8.1 - 1.0.32", "nodes": [ "node_modules/ua-parser-js" ], "fixAvailable": true }, "wdio-mediawiki": { "name": "wdio-mediawiki", "severity": "high", "isDirect": true, "via": [ "mwbot" ], "effects": [], "range": "1.1.0 - 2.2.0", "nodes": [ "node_modules/wdio-mediawiki" ], "fixAvailable": { "name": "wdio-mediawiki", "version": "2.5.0", "isSemVerMajor": false } }, "webdriverio": { "name": "webdriverio", "severity": "high", "isDirect": true, "via": [ "devtools", "puppeteer-core" ], "effects": [ "@wdio/cli", "@wdio/runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/webdriverio" ], "fixAvailable": { "name": "webdriverio", "version": "9.4.1", "isSemVerMajor": true } }, "word-wrap": { "name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097681, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<1.2.4" } ], "effects": [], "range": "<1.2.4", "nodes": [ "node_modules/word-wrap" ], "fixAvailable": true }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098392, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=8.0.0 <8.17.1" }, { "source": 1098393, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.10" }, { "source": 1098394, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.2.3" } ], "effects": [ "puppeteer-core" ], "range": "6.0.0 - 6.2.2 || 7.0.0 - 7.5.9 || 8.0.0 - 8.17.0", "nodes": [ "node_modules/jest-environment-jsdom/node_modules/ws", "node_modules/jsdom/node_modules/ws", "node_modules/ws" ], "fixAvailable": { "name": "webdriverio", "version": "9.4.1", "isSemVerMajor": true } }, "yarn-install": { "name": "yarn-install", "severity": "high", "isDirect": false, "via": [ "cross-spawn" ], "effects": [ "@wdio/cli" ], "range": "*", "nodes": [ "node_modules/yarn-install" ], "fixAvailable": { "name": "@wdio/cli", "version": "9.4.1", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 0, "moderate": 21, "high": 24, "critical": 3, "total": 48 }, "dependencies": { "prod": 1, "dev": 1269, "optional": 4, "peer": 0, "peerOptional": 0, "total": 1269 } } } --- end --- $ /usr/bin/composer install --- stderr --- No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information. Loading composer repositories with package information Updating dependencies Lock file operations: 36 installs, 0 updates, 0 removals - Locking composer/pcre (1.0.1) - Locking composer/semver (3.4.3) - Locking composer/spdx-licenses (1.5.8) - Locking composer/xdebug-handler (2.0.5) - Locking doctrine/deprecations (1.1.3) - Locking felixfbecker/advanced-json-rpc (v3.2.1) - Locking mediawiki/mediawiki-codesniffer (v38.0.0) - Locking mediawiki/mediawiki-phan-config (0.11.1) - Locking mediawiki/minus-x (1.1.1) - Locking mediawiki/phan-taint-check-plugin (3.3.2) - Locking microsoft/tolerant-php-parser (v0.1.2) - Locking netresearch/jsonmapper (v4.5.0) - Locking phan/phan (5.2.0) - Locking php-parallel-lint/php-console-color (v0.3) - Locking php-parallel-lint/php-console-highlighter (v0.5) - Locking php-parallel-lint/php-parallel-lint (v1.3.1) - Locking phpdocumentor/reflection-common (2.2.0) - Locking phpdocumentor/reflection-docblock (5.6.0) - Locking phpdocumentor/type-resolver (1.10.0) - Locking phpstan/phpdoc-parser (2.0.0) - Locking psr/container (2.0.2) - Locking psr/log (2.0.0) - Locking sabre/event (5.1.7) - Locking squizlabs/php_codesniffer (3.6.1) - Locking symfony/console (v5.4.47) - Locking symfony/deprecation-contracts (v3.5.1) - Locking symfony/polyfill-ctype (v1.31.0) - Locking symfony/polyfill-intl-grapheme (v1.31.0) - Locking symfony/polyfill-intl-normalizer (v1.31.0) - Locking symfony/polyfill-mbstring (v1.31.0) - Locking symfony/polyfill-php73 (v1.31.0) - Locking symfony/polyfill-php80 (v1.31.0) - Locking symfony/service-contracts (v3.5.1) - Locking symfony/string (v6.4.15) - Locking tysonandre/var_representation_polyfill (0.1.3) - Locking webmozart/assert (1.11.0) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 36 installs, 0 updates, 0 removals 0 [>---------------------------] 0 [->--------------------------] - Installing composer/pcre (1.0.1): Extracting archive - Installing squizlabs/php_codesniffer (3.6.1): Extracting archive - Installing symfony/polyfill-mbstring (v1.31.0): Extracting archive - Installing composer/spdx-licenses (1.5.8): Extracting archive - Installing composer/semver (3.4.3): Extracting archive - Installing mediawiki/mediawiki-codesniffer (v38.0.0): Extracting archive - Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive - Installing symfony/polyfill-php80 (v1.31.0): Extracting archive - Installing symfony/polyfill-intl-normalizer (v1.31.0): Extracting archive - Installing symfony/polyfill-intl-grapheme (v1.31.0): Extracting archive - Installing symfony/polyfill-ctype (v1.31.0): Extracting archive - Installing symfony/string (v6.4.15): Extracting archive - Installing symfony/deprecation-contracts (v3.5.1): Extracting archive - Installing psr/container (2.0.2): Extracting archive - Installing symfony/service-contracts (v3.5.1): Extracting archive - Installing symfony/polyfill-php73 (v1.31.0): Extracting archive - Installing symfony/console (v5.4.47): Extracting archive - Installing sabre/event (5.1.7): Extracting archive - Installing netresearch/jsonmapper (v4.5.0): Extracting archive - Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive - Installing webmozart/assert (1.11.0): Extracting archive - Installing phpstan/phpdoc-parser (2.0.0): Extracting archive - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive - Installing doctrine/deprecations (1.1.3): Extracting archive - Installing phpdocumentor/type-resolver (1.10.0): Extracting archive - Installing phpdocumentor/reflection-docblock (5.6.0): Extracting archive - Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive - Installing psr/log (2.0.0): Extracting archive - Installing composer/xdebug-handler (2.0.5): Extracting archive - Installing phan/phan (5.2.0): Extracting archive - Installing mediawiki/phan-taint-check-plugin (3.3.2): Extracting archive - Installing mediawiki/mediawiki-phan-config (0.11.1): Extracting archive - Installing mediawiki/minus-x (1.1.1): Extracting archive - Installing php-parallel-lint/php-console-color (v0.3): Extracting archive - Installing php-parallel-lint/php-console-highlighter (v0.5): Extracting archive - Installing php-parallel-lint/php-parallel-lint (v1.3.1): Extracting archive 0/36 [>---------------------------] 0% 20/36 [===============>------------] 55% 35/36 [===========================>] 97% 36/36 [============================] 100% 3 package suggestions were added by new dependencies, use `composer suggest` to see details. Generating autoload files 15 packages you are using are looking for funding. Use the `composer fund` command to find out more! --- stdout --- --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@babel/traverse": { "name": "@babel/traverse", "severity": "critical", "isDirect": false, "via": [ { "source": 1096886, "name": "@babel/traverse", "dependency": "@babel/traverse", "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92", "severity": "critical", "cwe": [ "CWE-184", "CWE-697" ], "cvss": { "score": 9.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, "range": "<7.23.2" } ], "effects": [], "range": "<7.23.2", "nodes": [ "node_modules/@babel/traverse" ], "fixAvailable": true }, "@wdio/cli": { "name": "@wdio/cli", "severity": "high", "isDirect": true, "via": [ "webdriverio", "yarn-install" ], "effects": [], "range": "5.4.10 - 8.40.6", "nodes": [ "node_modules/@wdio/cli" ], "fixAvailable": { "name": "@wdio/cli", "version": "9.4.1", "isSemVerMajor": true } }, "@wdio/local-runner": { "name": "@wdio/local-runner", "severity": "high", "isDirect": true, "via": [ "@wdio/runner" ], "effects": [], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/local-runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.4.1", "isSemVerMajor": true } }, "@wdio/runner": { "name": "@wdio/runner", "severity": "high", "isDirect": false, "via": [ "webdriverio" ], "effects": [ "@wdio/local-runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/@wdio/runner" ], "fixAvailable": { "name": "@wdio/local-runner", "version": "9.4.1", "isSemVerMajor": true } }, "@wikimedia/mw-node-qunit": { "name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": [ "jsdom", "qunit" ], "effects": [], "range": "<=6.2.1", "nodes": [ "node_modules/@wikimedia/mw-node-qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "anymatch": { "name": "anymatch", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "sane" ], "range": "1.2.0 - 2.0.0", "nodes": [ "node_modules/sane/node_modules/anymatch" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "autoprefixer": { "name": "autoprefixer", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "1.0.20131222 - 9.8.8", "nodes": [ "node_modules/autoprefixer" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "braces": { "name": "braces", "severity": "high", "isDirect": false, "via": [ { "source": 1098094, "name": "braces", "dependency": "braces", "title": "Uncontrolled resource consumption in braces", "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", "severity": "high", "cwe": [ "CWE-400", "CWE-1050" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.3" } ], "effects": [ "micromatch" ], "range": "<3.0.3", "nodes": [ "node_modules/braces", "node_modules/findup-sync/node_modules/braces", "node_modules/sane/node_modules/braces" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "cross-spawn": { "name": "cross-spawn", "severity": "high", "isDirect": false, "via": [ { "source": 1100562, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<6.0.6" }, { "source": 1100563, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.0.5" } ], "effects": [ "yarn-install" ], "range": "<6.0.6 || >=7.0.0 <7.0.5", "nodes": [ "node_modules/@wikimedia/mw-node-qunit/node_modules/cross-spawn", "node_modules/cross-spawn", "node_modules/eslint/node_modules/cross-spawn", "node_modules/execa/node_modules/cross-spawn", "node_modules/jest-changed-files/node_modules/cross-spawn", "node_modules/jest-runtime/node_modules/cross-spawn" ], "fixAvailable": { "name": "@wdio/cli", "version": "9.4.1", "isSemVerMajor": true } }, "decode-uri-component": { "name": "decode-uri-component", "severity": "high", "isDirect": false, "via": [ { "source": 1094087, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "high", "cwe": [ "CWE-20" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "devtools": { "name": "devtools", "severity": "high", "isDirect": false, "via": [ "puppeteer-core" ], "effects": [], "range": ">=7.16.5", "nodes": [ "node_modules/devtools" ], "fixAvailable": true }, "ejs": { "name": "ejs", "severity": "critical", "isDirect": false, "via": [ { "source": 1089270, "name": "ejs", "dependency": "ejs", "title": "ejs template injection vulnerability", "url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q", "severity": "critical", "cwe": [ "CWE-74" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": "<3.1.7" }, { "source": 1098366, "name": "ejs", "dependency": "ejs", "title": "ejs lacks certain pollution protection", "url": "https://github.com/advisories/GHSA-ghr5-ch3p-vcr6", "severity": "moderate", "cwe": [ "CWE-693", "CWE-1321" ], "cvss": { "score": 4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<3.1.10" } ], "effects": [], "range": "<=3.1.9", "nodes": [ "node_modules/ejs" ], "fixAvailable": true }, "eslint-config-wikimedia": { "name": "eslint-config-wikimedia", "severity": "high", "isDirect": true, "via": [ "eslint-plugin-compat" ], "effects": [], "range": "0.18.0 - 0.21.0", "nodes": [ "node_modules/eslint-config-wikimedia" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "eslint-plugin-compat": { "name": "eslint-plugin-compat", "severity": "high", "isDirect": false, "via": [ "semver" ], "effects": [ "eslint-config-wikimedia" ], "range": "3.6.0-0 - 4.1.4", "nodes": [ "node_modules/eslint-plugin-compat" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "findup-sync": { "name": "findup-sync", "severity": "moderate", "isDirect": false, "via": [ "micromatch" ], "effects": [ "qunit" ], "range": "0.4.0 - 3.0.0", "nodes": [ "node_modules/findup-sync" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "got": { "name": "got", "severity": "moderate", "isDirect": false, "via": [ { "source": 1088948, "name": "got", "dependency": "got", "title": "Got allows a redirect to a UNIX socket", "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97", "severity": "moderate", "cwe": [], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<11.8.5" } ], "effects": [], "range": "<11.8.5", "nodes": [ "node_modules/got" ], "fixAvailable": true }, "http-cache-semantics": { "name": "http-cache-semantics", "severity": "high", "isDirect": false, "via": [ { "source": 1092316, "name": "http-cache-semantics", "dependency": "http-cache-semantics", "title": "http-cache-semantics vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-rc47-6667-2j5j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<4.1.1" } ], "effects": [], "range": "<4.1.1", "nodes": [ "node_modules/http-cache-semantics" ], "fixAvailable": true }, "jsdom": { "name": "jsdom", "severity": "moderate", "isDirect": false, "via": [ "request", "tough-cookie" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "0.1.20 || 0.2.0 - 16.5.3", "nodes": [ "node_modules/jsdom" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1096544, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [], "range": "2.0.0 - 2.2.1", "nodes": [ "node_modules/json5" ], "fixAvailable": true }, "micromatch": { "name": "micromatch", "severity": "high", "isDirect": false, "via": [ { "source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": "Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<4.0.8" }, "braces" ], "effects": [ "anymatch", "findup-sync", "sane" ], "range": "<=4.0.7", "nodes": [ "node_modules/findup-sync/node_modules/micromatch", "node_modules/micromatch", "node_modules/sane/node_modules/micromatch" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1096485, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS vulnerability", "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.0.5" } ], "effects": [ "mocha", "recursive-readdir" ], "range": "<3.0.5", "nodes": [ "node_modules/minimatch" ], "fixAvailable": true }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1097678, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true }, "mocha": { "name": "mocha", "severity": "high", "isDirect": false, "via": [ "minimatch" ], "effects": [], "range": "5.1.0 - 9.2.1", "nodes": [ "node_modules/mocha" ], "fixAvailable": true }, "mwbot": { "name": "mwbot", "severity": "high", "isDirect": false, "via": [ "request", "semver" ], "effects": [ "wdio-mediawiki" ], "range": ">=0.1.6", "nodes": [ "node_modules/mwbot" ], "fixAvailable": { "name": "wdio-mediawiki", "version": "2.5.0", "isSemVerMajor": false } }, "nanoid": { "name": "nanoid", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089011, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, "range": ">=3.0.0 <3.1.31" } ], "effects": [], "range": "3.0.0 - 3.1.30", "nodes": [ "node_modules/doiuse/node_modules/nanoid", "node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid" ], "fixAvailable": true }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099561, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=0.2.0 <1.9.0" } ], "effects": [], "range": "0.2.0 - 1.8.0", "nodes": [ "node_modules/path-to-regexp" ], "fixAvailable": true }, "postcss": { "name": "postcss", "severity": "moderate", "isDirect": false, "via": [ { "source": 1094544, "name": "postcss", "dependency": "postcss", "title": "PostCSS line return parsing error", "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j", "severity": "moderate", "cwe": [ "CWE-74", "CWE-144" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<8.4.31" } ], "effects": [ "autoprefixer", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "stylelint", "sugarss" ], "range": "<8.4.31", "nodes": [ "node_modules/doiuse/node_modules/postcss", "node_modules/postcss", "node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-less": { "name": "postcss-less", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [], "range": "<=3.1.4", "nodes": [ "node_modules/postcss-less" ], "fixAvailable": true }, "postcss-safe-parser": { "name": "postcss-safe-parser", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=4.0.2", "nodes": [ "node_modules/postcss-safe-parser" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-sass": { "name": "postcss-sass", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=0.4.4", "nodes": [ "node_modules/postcss-sass" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "postcss-scss": { "name": "postcss-scss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=2.1.1", "nodes": [ "node_modules/postcss-scss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "puppeteer-core": { "name": "puppeteer-core", "severity": "high", "isDirect": false, "via": [ "ws" ], "effects": [ "devtools", "webdriverio" ], "range": "11.0.0 - 22.11.1", "nodes": [ "node_modules/puppeteer-core" ], "fixAvailable": { "name": "webdriverio", "version": "9.4.1", "isSemVerMajor": true } }, "qunit": { "name": "qunit", "severity": "moderate", "isDirect": false, "via": [ "findup-sync", "sane" ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "2.4.1 - 2.8.0", "nodes": [ "node_modules/qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "recursive-readdir": { "name": "recursive-readdir", "severity": "high", "isDirect": false, "via": [ "minimatch" ], "effects": [], "range": "1.2.0 - 2.2.2", "nodes": [ "node_modules/recursive-readdir" ], "fixAvailable": true }, "request": { "name": "request", "severity": "moderate", "isDirect": false, "via": [ { "source": 1096727, "name": "request", "dependency": "request", "title": "Server-Side Request Forgery in Request", "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", "severity": "moderate", "cwe": [ "CWE-918" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": "<=2.88.2" }, "tough-cookie" ], "effects": [ "jsdom", "mwbot" ], "range": "*", "nodes": [ "node_modules/request" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "request-promise-native": { "name": "request-promise-native", "severity": "moderate", "isDirect": false, "via": [ "tough-cookie" ], "effects": [], "range": ">=1.0.6", "nodes": [ "node_modules/request-promise-native" ], "fixAvailable": true }, "sane": { "name": "sane", "severity": "moderate", "isDirect": false, "via": [ "anymatch", "micromatch" ], "effects": [ "qunit" ], "range": "1.5.0 - 4.1.0", "nodes": [ "node_modules/sane" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "semver": { "name": "semver", "severity": "high", "isDirect": false, "via": [ { "source": 1098562, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.2" }, { "source": 1098563, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<5.7.2" }, { "source": 1098564, "name": "semver", "dependency": "semver", "title": "semver vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.3.1" } ], "effects": [ "eslint-plugin-compat", "mwbot" ], "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "nodes": [ "node_modules/@babel/core/node_modules/semver", "node_modules/@babel/helper-compilation-targets/node_modules/semver", "node_modules/@wikimedia/mw-node-qunit/node_modules/cross-spawn/node_modules/semver", "node_modules/@wikimedia/mw-node-qunit/node_modules/semver", "node_modules/eslint-plugin-compat/node_modules/semver", "node_modules/eslint-plugin-jsdoc/node_modules/semver", "node_modules/eslint-plugin-node/node_modules/semver", "node_modules/eslint-plugin-vue/node_modules/semver", "node_modules/eslint/node_modules/semver", "node_modules/istanbul-lib-instrument/node_modules/semver", "node_modules/istanbul-lib-report/node_modules/semver", "node_modules/jest-snapshot/node_modules/semver", "node_modules/meow/node_modules/read-pkg/node_modules/semver", "node_modules/meow/node_modules/semver", "node_modules/mwbot/node_modules/semver", "node_modules/semver", "node_modules/vue-eslint-parser/node_modules/semver" ], "fixAvailable": { "name": "eslint-config-wikimedia", "version": "0.28.2", "isSemVerMajor": true } }, "stylelint": { "name": "stylelint", "severity": "moderate", "isDirect": false, "via": [ "autoprefixer", "postcss", "postcss-less", "postcss-safe-parser", "postcss-sass", "postcss-scss", "sugarss" ], "effects": [ "stylelint-config-wikimedia" ], "range": "0.1.0 - 13.13.1", "nodes": [ "node_modules/stylelint" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "stylelint-config-wikimedia": { "name": "stylelint-config-wikimedia", "severity": "moderate", "isDirect": true, "via": [ "stylelint" ], "effects": [], "range": "<=0.11.1", "nodes": [ "node_modules/stylelint-config-wikimedia" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "sugarss": { "name": "sugarss", "severity": "moderate", "isDirect": false, "via": [ "postcss" ], "effects": [ "stylelint" ], "range": "<=2.0.0", "nodes": [ "node_modules/sugarss" ], "fixAvailable": { "name": "stylelint-config-wikimedia", "version": "0.17.2", "isSemVerMajor": true } }, "tough-cookie": { "name": "tough-cookie", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097682, "name": "tough-cookie", "dependency": "tough-cookie", "title": "tough-cookie Prototype Pollution vulnerability", "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": "<4.1.3" } ], "effects": [ "jsdom", "request", "request-promise-native" ], "range": "<4.1.3", "nodes": [ "node_modules/jest-environment-jsdom/node_modules/tough-cookie", "node_modules/tough-cookie" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.2", "isSemVerMajor": false } }, "ua-parser-js": { "name": "ua-parser-js", "severity": "high", "isDirect": false, "via": [ { "source": 1092302, "name": "ua-parser-js", "dependency": "ua-parser-js", "title": "ReDoS Vulnerability in ua-parser-js version", "url": "https://github.com/advisories/GHSA-fhg7-m89q-25r3", "severity": "high", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=0.8.0 <1.0.33" } ], "effects": [], "range": "0.8.1 - 1.0.32", "nodes": [ "node_modules/ua-parser-js" ], "fixAvailable": true }, "wdio-mediawiki": { "name": "wdio-mediawiki", "severity": "high", "isDirect": true, "via": [ "mwbot" ], "effects": [], "range": "1.1.0 - 2.2.0", "nodes": [ "node_modules/wdio-mediawiki" ], "fixAvailable": { "name": "wdio-mediawiki", "version": "2.5.0", "isSemVerMajor": false } }, "webdriverio": { "name": "webdriverio", "severity": "high", "isDirect": true, "via": [ "devtools", "puppeteer-core" ], "effects": [ "@wdio/cli", "@wdio/runner" ], "range": "7.16.5 - 8.40.6", "nodes": [ "node_modules/webdriverio" ], "fixAvailable": { "name": "webdriverio", "version": "9.4.1", "isSemVerMajor": true } }, "word-wrap": { "name": "word-wrap", "severity": "moderate", "isDirect": false, "via": [ { "source": 1097681, "name": "word-wrap", "dependency": "word-wrap", "title": "word-wrap vulnerable to Regular Expression Denial of Service", "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<1.2.4" } ], "effects": [], "range": "<1.2.4", "nodes": [ "node_modules/word-wrap" ], "fixAvailable": true }, "ws": { "name": "ws", "severity": "high", "isDirect": false, "via": [ { "source": 1098392, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=8.0.0 <8.17.1" }, { "source": 1098393, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.5.10" }, { "source": 1098394, "name": "ws", "dependency": "ws", "title": "ws affected by a DoS when handling a request with many HTTP headers", "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "severity": "high", "cwe": [ "CWE-476" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=6.0.0 <6.2.3" } ], "effects": [ "puppeteer-core" ], "range": "6.0.0 - 6.2.2 || 7.0.0 - 7.5.9 || 8.0.0 - 8.17.0", "nodes": [ "node_modules/jest-environment-jsdom/node_modules/ws", "node_modules/jsdom/node_modules/ws", "node_modules/ws" ], "fixAvailable": { "name": "webdriverio", "version": "9.4.1", "isSemVerMajor": true } }, "yarn-install": { "name": "yarn-install", "severity": "high", "isDirect": false, "via": [ "cross-spawn" ], "effects": [ "@wdio/cli" ], "range": "*", "nodes": [ "node_modules/yarn-install" ], "fixAvailable": { "name": "@wdio/cli", "version": "9.4.1", "isSemVerMajor": true } } }, "metadata": { "vulnerabilities": { "info": 0, "low": 0, "moderate": 21, "high": 24, "critical": 3, "total": 48 }, "dependencies": { "prod": 1, "dev": 1269, "optional": 4, "peer": 0, "peerOptional": 0, "total": 1269 } } } --- end --- Attempting to npm audit fix Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1868, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1813, in run self.npm_audit_fix(new_npm_audit) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 209, in npm_audit_fix prior_lock = PackageLockJson() ^^^^^^^^^^^^^^^^^ File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/files.py", line 88, in __init__ raise RuntimeError("lockfileVersion 1 is no longer supported") RuntimeError: lockfileVersion 1 is no longer supported