This run took 86 seconds.
$ date --- stdout --- Mon Dec 9 05:00:33 UTC 2024 --- end --- $ git clone file:///srv/git/wikidata-query-builder.git repo --depth=1 -b master --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/master --- stdout --- f7879aed4fe23b7f0ce93051ade1a1ce78ada7fa refs/heads/master --- end --- $ /usr/bin/npm audit --json --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@vitejs/plugin-vue": { "name": "@vitejs/plugin-vue", "severity": "moderate", "isDirect": true, "via": [ "vite" ], "effects": [], "range": "1.8.0 - 2.3.4", "nodes": [ "node_modules/@vitejs/plugin-vue" ], "fixAvailable": { "name": "@vitejs/plugin-vue", "version": "5.2.1", "isSemVerMajor": true } }, "@vue/composition-api": { "name": "@vue/composition-api", "severity": "low", "isDirect": false, "via": [ "vue" ], "effects": [ "@wmde/wikit-vue-components" ], "range": "*", "nodes": [ "node_modules/@wmde/wikit-vue-components/node_modules/@vue/composition-api" ], "fixAvailable": false }, "@wmde/wikit-vue-components": { "name": "@wmde/wikit-vue-components", "severity": "low", "isDirect": true, "via": [ "@vue/composition-api", "vue" ], "effects": [], "range": "<=2.1.0-alpha.16", "nodes": [ "node_modules/@wmde/wikit-vue-components" ], "fixAvailable": false }, "body-parser": { "name": "body-parser", "severity": "high", "isDirect": false, "via": [ { "source": 1099520, "name": "body-parser", "dependency": "body-parser", "title": "body-parser vulnerable to denial of service when url encoding is enabled", "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", "severity": "high", "cwe": [ "CWE-405" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<1.20.3" } ], "effects": [ "express" ], "range": "<1.20.3", "nodes": [ "node_modules/netlify-cli/node_modules/body-parser" ], "fixAvailable": { "name": "netlify-cli", "version": "17.38.0", "isSemVerMajor": false } }, "cookie": { "name": "cookie", "severity": "low", "isDirect": false, "via": [ { "source": 1099846, "name": "cookie", "dependency": "cookie", "title": "cookie accepts cookie name, path, and domain with out of bounds characters", "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", "severity": "low", "cwe": [ "CWE-74" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.7.0" } ], "effects": [ "express", "light-my-request", "netlify-cli" ], "range": "<0.7.0", "nodes": [ "node_modules/netlify-cli/node_modules/cookie" ], "fixAvailable": { "name": "netlify-cli", "version": "17.38.0", "isSemVerMajor": false } }, "cross-spawn": { "name": "cross-spawn", "severity": "high", "isDirect": false, "via": [ { "source": 1100562, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<6.0.6" }, { "source": 1100563, "name": "cross-spawn", "dependency": "cross-spawn", "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=7.0.0 <7.0.5" } ], "effects": [], "range": "<6.0.6 || >=7.0.0 <7.0.5", "nodes": [ "node_modules/cross-spawn", "node_modules/netlify-cli/node_modules/cross-spawn", "node_modules/npm-run-all/node_modules/cross-spawn" ], "fixAvailable": true }, "express": { "name": "express", "severity": "high", "isDirect": false, "via": [ { "source": 1100530, "name": "express", "dependency": "express", "title": "express vulnerable to XSS via response.redirect()", "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<4.20.0" }, "body-parser", "cookie", "path-to-regexp", "send", "serve-static" ], "effects": [ "netlify-cli" ], "range": "<=4.21.1 || 5.0.0-alpha.1 - 5.0.0", "nodes": [ "node_modules/netlify-cli/node_modules/express" ], "fixAvailable": { "name": "netlify-cli", "version": "17.38.0", "isSemVerMajor": false } }, "find-my-way": { "name": "find-my-way", "severity": "high", "isDirect": false, "via": [ { "source": 1099853, "name": "find-my-way", "dependency": "find-my-way", "title": "find-my-way has a ReDoS vulnerability in multiparametric routes", "url": "https://github.com/advisories/GHSA-rrr8-f88r-h8q6", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=5.5.0 <8.2.2" } ], "effects": [], "range": "5.5.0 - 8.2.1", "nodes": [ "node_modules/netlify-cli/node_modules/find-my-way" ], "fixAvailable": true }, "http-proxy-middleware": { "name": "http-proxy-middleware", "severity": "high", "isDirect": false, "via": [ { "source": 1100223, "name": "http-proxy-middleware", "dependency": "http-proxy-middleware", "title": "Denial of service in http-proxy-middleware", "url": "https://github.com/advisories/GHSA-c7qv-q95q-8v27", "severity": "high", "cwe": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<2.0.7" } ], "effects": [ "netlify-cli" ], "range": "<2.0.7", "nodes": [ "node_modules/netlify-cli/node_modules/http-proxy-middleware" ], "fixAvailable": { "name": "netlify-cli", "version": "17.38.0", "isSemVerMajor": false } }, "light-my-request": { "name": "light-my-request", "severity": "low", "isDirect": false, "via": [ "cookie" ], "effects": [], "range": "3.7.0 - 5.13.0 || 6.0.0-pre.fv5.1 - 6.0.0", "nodes": [ "node_modules/netlify-cli/node_modules/light-my-request" ], "fixAvailable": true }, "micromatch": { "name": "micromatch", "severity": "moderate", "isDirect": false, "via": [ { "source": 1098681, "name": "micromatch", "dependency": "micromatch", "title": "Regular Expression Denial of Service (ReDoS) in micromatch", "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": "<4.0.8" } ], "effects": [], "range": "<4.0.8", "nodes": [ "node_modules/micromatch", "node_modules/netlify-cli/node_modules/micromatch" ], "fixAvailable": true }, "netlify-cli": { "name": "netlify-cli", "severity": "high", "isDirect": true, "via": [ "cookie", "express", "http-proxy-middleware" ], "effects": [], "range": "2.14.0 - 17.37.0-rc-redirects.0", "nodes": [ "node_modules/netlify-cli" ], "fixAvailable": { "name": "netlify-cli", "version": "17.38.0", "isSemVerMajor": false } }, "path-to-regexp": { "name": "path-to-regexp", "severity": "high", "isDirect": false, "via": [ { "source": 1099562, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "path-to-regexp outputs backtracking regular expressions", "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<0.1.10" }, { "source": 1101081, "name": "path-to-regexp", "dependency": "path-to-regexp", "title": "Unpatched `path-to-regexp` ReDoS in 0.1.x", "url": "https://github.com/advisories/GHSA-rhx6-c78j-4q9w", "severity": "moderate", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.1.12" } ], "effects": [ "express" ], "range": "<=0.1.11", "nodes": [ "node_modules/netlify-cli/node_modules/path-to-regexp" ], "fixAvailable": { "name": "netlify-cli", "version": "17.38.0", "isSemVerMajor": false } }, "rollup": { "name": "rollup", "severity": "high", "isDirect": false, "via": [ { "source": 1099757, "name": "rollup", "dependency": "rollup", "title": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS", "url": "https://github.com/advisories/GHSA-gcx4-mw62-g8wm", "severity": "high", "cwe": [ "CWE-79" ], "cvss": { "score": 6.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" }, "range": "<2.79.2" }, { "source": 1099764, "name": "rollup", "dependency": "rollup", "title": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS", "url": "https://github.com/advisories/GHSA-gcx4-mw62-g8wm", "severity": "high", "cwe": [ "CWE-79" ], "cvss": { "score": 6.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" }, "range": ">=4.0.0 <4.22.4" } ], "effects": [ "vite" ], "range": "<2.79.2 || >=4.0.0 <4.22.4", "nodes": [ "node_modules/rollup", "node_modules/vite/node_modules/rollup" ], "fixAvailable": { "name": "vite", "version": "6.0.3", "isSemVerMajor": true } }, "send": { "name": "send", "severity": "low", "isDirect": false, "via": [ { "source": 1100526, "name": "send", "dependency": "send", "title": "send vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<0.19.0" } ], "effects": [ "express", "serve-static" ], "range": "<0.19.0", "nodes": [ "node_modules/netlify-cli/node_modules/send" ], "fixAvailable": { "name": "netlify-cli", "version": "17.38.0", "isSemVerMajor": false } }, "serve-static": { "name": "serve-static", "severity": "low", "isDirect": false, "via": [ { "source": 1100528, "name": "serve-static", "dependency": "serve-static", "title": "serve-static vulnerable to template injection that can lead to XSS", "url": "https://github.com/advisories/GHSA-cm22-4g7w-348p", "severity": "low", "cwe": [ "CWE-79" ], "cvss": { "score": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, "range": "<1.16.0" }, "send" ], "effects": [ "express" ], "range": "<=1.16.0", "nodes": [ "node_modules/netlify-cli/node_modules/serve-static" ], "fixAvailable": { "name": "netlify-cli", "version": "17.38.0", "isSemVerMajor": false } }, "vite": { "name": "vite", "severity": "high", "isDirect": true, "via": [ { "source": 1099690, "name": "vite", "dependency": "vite", "title": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS", "url": "https://github.com/advisories/GHSA-64vr-g452-qvp3", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 6.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" }, "range": "<3.2.11" }, { "source": 1099695, "name": "vite", "dependency": "vite", "title": "Vite's `server.fs.deny` is bypassed when using `?import&raw`", "url": "https://github.com/advisories/GHSA-9cwx-2883-4wfx", "severity": "moderate", "cwe": [ "CWE-200", "CWE-284" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": "<=3.2.10" }, "rollup" ], "effects": [ "@vitejs/plugin-vue" ], "range": "<=3.2.10", "nodes": [ "node_modules/vite" ], "fixAvailable": { "name": "vite", "version": "6.0.3", "isSemVerMajor": true } }, "vue": { "name": "vue", "severity": "low", "isDirect": false, "via": [ { "source": 1100238, "name": "vue", "dependency": "vue", "title": "ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function", "url": "https://github.com/advisories/GHSA-5j4c-8p2g-v4jx", "severity": "low", "cwe": [ "CWE-1333" ], "cvss": { "score": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=2.0.0-alpha.1 <3.0.0-alpha.0" } ], "effects": [ "@vue/composition-api", "@wmde/wikit-vue-components" ], "range": "2.0.0-alpha.1 - 2.7.16", "nodes": [ "node_modules/@wmde/wikit-vue-components/node_modules/vue" ], "fixAvailable": false } }, "metadata": { "vulnerabilities": { "info": 0, "low": 7, "moderate": 2, "high": 9, "critical": 0, "total": 18 }, "dependencies": { "prod": 127, "dev": 2447, "optional": 127, "peer": 78, "peerOptional": 0, "total": 2591 } } } --- end --- Upgrading n:@wmde/eslint-config-wikimedia-typescript from ^0.2.9 -> 0.2.12 $ /usr/bin/npm install --- stderr --- npm WARN deprecated rdf-js@4.0.2: Use @types/rdf-js instead. See https://github.com/rdfjs/types?tab=readme-ov-file#what-about-typesrdf-js npm WARN deprecated @types/rdf-js@4.0.2: This is a stub types definition. rdf-js provides its own type definitions, so you do not need this installed. npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm WARN deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead npm WARN deprecated vue@2.6.14: Vue 2 has reached EOL and is no longer actively maintained. See https://v2.vuejs.org/eol/ for more details. --- stdout --- added 2488 packages, and audited 2491 packages in 48s 404 packages are looking for funding run `npm fund` for details 18 vulnerabilities (7 low, 2 moderate, 9 high) To address issues that do not require attention, run: npm audit fix To address all issues possible (including breaking changes), run: npm audit fix --force Some issues need review, and may require choosing a different dependency. Run `npm audit` for details. --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json node_modules/netlify-cli/tools/lint-rules@unknown: Neither "resolved" nor "version" are present --- end --- Traceback (most recent call last): File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1868, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1807, in run self.npm_upgrade(plan) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1190, in npm_upgrade self.check_package_lock() File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 335, in check_package_lock self.check_call(["package-lock-lint", "package-lock.json"]) File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/shell2.py", line 59, in check_call res.check_returncode() File "/usr/lib/python3.11/subprocess.py", line 502, in check_returncode raise CalledProcessError(self.returncode, self.args, self.stdout, subprocess.CalledProcessError: Command '['package-lock-lint', 'package-lock.json']' returned non-zero exit status 1.