This run took 79 seconds.
$ date --- stdout --- Mon Mar 13 03:31:32 UTC 2023 --- end --- $ git clone file:///srv/git/mediawiki-extensions-QuickSurveys.git repo --depth=1 -b master --- stderr --- Cloning into 'repo'... --- stdout --- --- end --- $ git config user.name libraryupgrader --- stdout --- --- end --- $ git config user.email tools.libraryupgrader@tools.wmflabs.org --- stdout --- --- end --- $ git submodule update --init --- stdout --- --- end --- $ grr init --- stdout --- Installed commit-msg hook. --- end --- $ git show-ref refs/heads/master --- stdout --- 8bad11733e28e27409c530f205b18d887b4490b1 refs/heads/master --- end --- $ /usr/bin/npm audit --json --legacy-peer-deps --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@wikimedia/mw-node-qunit": { "name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": [ "jsdom" ], "effects": [], "range": "<=6.2.1", "nodes": [ "node_modules/@wikimedia/mw-node-qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false } }, "babel-core": { "name": "babel-core", "severity": "high", "isDirect": true, "via": [ "babel-register", "json5" ], "effects": [ "babel-register" ], "range": "5.8.20 - 7.0.0-beta.3", "nodes": [ "node_modules/babel-core" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "babel-register": { "name": "babel-register", "severity": "high", "isDirect": false, "via": [ "babel-core" ], "effects": [ "babel-core" ], "range": "*", "nodes": [ "node_modules/babel-register" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "decode-uri-component": { "name": "decode-uri-component", "severity": "low", "isDirect": false, "via": [ { "source": 1088828, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "low", "cwe": [ "CWE-20" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "jsdom": { "name": "jsdom", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089185, "name": "jsdom", "dependency": "jsdom", "title": "Insufficient Granularity of Access Control in JSDom", "url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98", "severity": "moderate", "cwe": [ "CWE-1220" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<=16.4.0" } ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "<=16.4.0", "nodes": [ "node_modules/jsdom" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false } }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1091147, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" }, { "source": 1091148, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [ "babel-core" ], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": [ "node_modules/babel-core/node_modules/json5", "node_modules/json5" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1091173, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 1, "total": 7 }, "dependencies": { "prod": 1, "dev": 1241, "optional": 3, "peer": 0, "peerOptional": 0, "total": 1241 } } } --- end --- $ /usr/bin/composer install --- stderr --- No lock file found. Updating dependencies instead of installing from lock file. Use composer update over composer install if you do not have a lock file. Loading composer repositories with package information Info from https://repo.packagist.org: [37;44m#StandWith[30;43mUkraine[0m Updating dependencies Lock file operations: 34 installs, 0 updates, 0 removals - Locking composer/pcre (1.0.1) - Locking composer/semver (3.3.2) - Locking composer/spdx-licenses (1.5.7) - Locking composer/xdebug-handler (2.0.5) - Locking felixfbecker/advanced-json-rpc (v3.2.1) - Locking mediawiki/mediawiki-codesniffer (v38.0.0) - Locking mediawiki/mediawiki-phan-config (0.11.1) - Locking mediawiki/minus-x (1.1.1) - Locking mediawiki/phan-taint-check-plugin (3.3.2) - Locking microsoft/tolerant-php-parser (v0.1.2) - Locking netresearch/jsonmapper (v4.1.0) - Locking phan/phan (5.2.0) - Locking php-parallel-lint/php-console-color (v0.3) - Locking php-parallel-lint/php-console-highlighter (v0.5) - Locking php-parallel-lint/php-parallel-lint (v1.3.1) - Locking phpdocumentor/reflection-common (2.2.0) - Locking phpdocumentor/reflection-docblock (5.3.0) - Locking phpdocumentor/type-resolver (1.6.2) - Locking psr/container (1.1.2) - Locking psr/log (1.1.4) - Locking sabre/event (5.1.4) - Locking squizlabs/php_codesniffer (3.6.1) - Locking symfony/console (v5.4.21) - Locking symfony/deprecation-contracts (v2.5.2) - Locking symfony/polyfill-ctype (v1.27.0) - Locking symfony/polyfill-intl-grapheme (v1.27.0) - Locking symfony/polyfill-intl-normalizer (v1.27.0) - Locking symfony/polyfill-mbstring (v1.27.0) - Locking symfony/polyfill-php73 (v1.27.0) - Locking symfony/polyfill-php80 (v1.27.0) - Locking symfony/service-contracts (v2.5.2) - Locking symfony/string (v5.4.21) - Locking tysonandre/var_representation_polyfill (0.1.3) - Locking webmozart/assert (1.11.0) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 34 installs, 0 updates, 0 removals 0 [>---------------------------] 0 [->--------------------------] 0 [--->------------------------] - Installing composer/pcre (1.0.1): Extracting archive - Installing squizlabs/php_codesniffer (3.6.1): Extracting archive - Installing symfony/polyfill-mbstring (v1.27.0): Extracting archive - Installing composer/spdx-licenses (1.5.7): Extracting archive - Installing composer/semver (3.3.2): Extracting archive - Installing mediawiki/mediawiki-codesniffer (v38.0.0): Extracting archive - Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive - Installing symfony/polyfill-php80 (v1.27.0): Extracting archive - Installing symfony/polyfill-intl-normalizer (v1.27.0): Extracting archive - Installing symfony/polyfill-intl-grapheme (v1.27.0): Extracting archive - Installing symfony/polyfill-ctype (v1.27.0): Extracting archive - Installing symfony/string (v5.4.21): Extracting archive - Installing symfony/deprecation-contracts (v2.5.2): Extracting archive - Installing psr/container (1.1.2): Extracting archive - Installing symfony/service-contracts (v2.5.2): Extracting archive - Installing symfony/polyfill-php73 (v1.27.0): Extracting archive - Installing symfony/console (v5.4.21): Extracting archive - Installing sabre/event (5.1.4): Extracting archive - Installing netresearch/jsonmapper (v4.1.0): Extracting archive - Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive - Installing webmozart/assert (1.11.0): Extracting archive - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive - Installing phpdocumentor/type-resolver (1.6.2): Extracting archive - Installing phpdocumentor/reflection-docblock (5.3.0): Extracting archive - Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive - Installing psr/log (1.1.4): Extracting archive - Installing composer/xdebug-handler (2.0.5): Extracting archive - Installing phan/phan (5.2.0): Extracting archive - Installing mediawiki/phan-taint-check-plugin (3.3.2): Extracting archive - Installing mediawiki/mediawiki-phan-config (0.11.1): Extracting archive - Installing mediawiki/minus-x (1.1.1): Extracting archive - Installing php-parallel-lint/php-console-color (v0.3): Extracting archive - Installing php-parallel-lint/php-console-highlighter (v0.5): Extracting archive - Installing php-parallel-lint/php-parallel-lint (v1.3.1): Extracting archive 0/25 [>---------------------------] 0% 10/25 [===========>----------------] 40% 18/25 [====================>-------] 72% 25/25 [============================] 100%4 package suggestions were added by new dependencies, use `composer suggest` to see details. Generating autoload files 14 packages you are using are looking for funding. Use the `composer fund` command to find out more! --- stdout --- --- end --- Upgrading n:vue from 3.2.33 -> 3.2.37 Upgrading n:@wikimedia/codex from 0.1.0-alpha.8 -> 0.6.2 $ /usr/bin/npm install --- stderr --- npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142 npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added npm WARN deprecated samsam@1.3.0: This package has been deprecated in favour of @sinonjs/samsam npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. npm WARN deprecated core-js@3.21.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. --- stdout --- added 1240 packages, and audited 1241 packages in 9s 83 packages are looking for funding run `npm fund` for details 7 vulnerabilities (1 low, 2 moderate, 3 high, 1 critical) To address issues that do not require attention, run: npm audit fix To address all issues (including breaking changes), run: npm audit fix --force Run `npm audit` for details. --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- $ /usr/bin/npm ci --legacy-peer-deps --- stderr --- npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142 npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added npm WARN deprecated samsam@1.3.0: This package has been deprecated in favour of @sinonjs/samsam npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. npm WARN deprecated core-js@3.21.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. --- stdout --- added 1240 packages, and audited 1241 packages in 9s 83 packages are looking for funding run `npm fund` for details 7 vulnerabilities (1 low, 2 moderate, 3 high, 1 critical) To address issues that do not require attention, run: npm audit fix To address all issues (including breaking changes), run: npm audit fix --force Run `npm audit` for details. --- end --- $ /usr/bin/npm test --- stderr --- PASS tests/jest/render.test.js ● Console console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... > at <App> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... > at <App> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... > at <App> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... > at <App> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... > at <App> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) PASS tests/jest/QuickSurvey.test.js ● Console console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey name="survey" yesButtonLabel="yes" noButtonLabel="no" ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey name="survey" yesButtonLabel="yes" noButtonLabel="no" ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey name="survey" question="question" thankYouMessage="thanks!" ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey name="survey" question="question" thankYouMessage="thanks!" ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey name="survey" question="question" thankYouMessage="thanks!" ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey name="survey" thankYouMessage="thanks!" yesButtonLabel="yes" ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey name="survey" thankYouMessage="thanks!" footer="privacy policy instead of additional info" ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey name="survey" thankYouMessage="thanks!" additionalInfo="addtional info instead of privacy policy" ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey layout="single-answer" name="survey" answers= [ { key: 'yes', label: 'Yes' }, { key: 'maybe', label: 'maybe' }, { key: 'no', label: 'no' } ] ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey layout="single-answer" name="survey" answers= [ { key: 'no', label: 'no' }, { key: 'maybe', label: 'maybe' }, { key: 'yes', label: 'Yes' } ] ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey layout="single-answer" name="survey" answers= [ { key: 'maybe', label: 'maybe' }, { key: 'no', label: 'no' }, { key: 'yes', label: 'Yes' } ] ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey layout="single-answer" name="survey" answers= [ { key: 'no', label: 'no' }, { key: 'yes', label: 'Yes' }, { key: 'maybe', label: 'maybe' } ] ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey layout="single-answer" name="survey" answers= [ { key: 'maybe', label: 'maybe' }, { key: 'no', label: 'no' }, { key: 'yes', label: 'Yes' } ] ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) console.warn [Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden. See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> > at <QuickSurvey layout="multiple-answer" name="survey-multi" answers= [ { key: 'B', label: 'French' }, { key: 'A', label: 'Chinese' }, { key: 'C', label: 'English' } ] ... > at <VTUROOT> at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17) at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665) at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686) at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098) at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25) at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39) at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29) at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37) Test Suites: 2 passed, 2 total Tests: 19 passed, 19 total Snapshots: 0 total Time: 3.983 s Ran all test suites. --- stdout --- > test > npm run lint && npm run test:unit > lint > npm -s run lint:js && npm run -s lint:styles && npm -s run lint:i18n Checked 1 message directory. > test:unit > jest --testRegex tests/jest/*.test.js ----------------------|---------|----------|---------|---------|------------------- File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s ----------------------|---------|----------|---------|---------|------------------- All files | 93.75 | 88.67 | 95.65 | 93.75 | QuickSurvey.vue | 100 | 100 | 100 | 100 | QuickSurveyLogger.js | 81.81 | 50 | 100 | 81.81 | 21,41 render.js | 100 | 94.44 | 100 | 100 | 50 utils.js | 78.57 | 50 | 66.66 | 78.57 | 10-11,28 ----------------------|---------|----------|---------|---------|------------------- --- end --- Upgrading c:mediawiki/mediawiki-codesniffer from 38.0.0 -> 41.0.0 Upgrading c:mediawiki/mediawiki-phan-config from 0.11.1 -> 0.12.0 Upgrading c:php-parallel-lint/php-console-highlighter from 0.5.0 -> 1.0.0 Upgrading c:php-parallel-lint/php-parallel-lint from 1.3.1 -> 1.3.2 $ /usr/bin/composer update --- stderr --- Loading composer repositories with package information Info from https://repo.packagist.org: [37;44m#StandWith[30;43mUkraine[0m Updating dependencies Lock file operations: 0 installs, 11 updates, 0 removals - Upgrading composer/pcre (1.0.1 => 3.1.0) - Upgrading composer/xdebug-handler (2.0.5 => 3.0.3) - Upgrading mediawiki/mediawiki-codesniffer (v38.0.0 => v41.0.0) - Upgrading mediawiki/mediawiki-phan-config (0.11.1 => 0.12.0) - Upgrading mediawiki/phan-taint-check-plugin (3.3.2 => 4.0.0) - Downgrading microsoft/tolerant-php-parser (v0.1.2 => v0.1.1) - Upgrading phan/phan (5.2.0 => 5.4.1) - Upgrading php-parallel-lint/php-console-color (v0.3 => v1.0.1) - Upgrading php-parallel-lint/php-console-highlighter (v0.5 => v1.0.0) - Upgrading php-parallel-lint/php-parallel-lint (v1.3.1 => v1.3.2) - Upgrading squizlabs/php_codesniffer (3.6.1 => 3.7.2) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 0 installs, 11 updates, 0 removals 0 [>---------------------------] 0 [->--------------------------] 0 [--->------------------------] - Upgrading composer/pcre (1.0.1 => 3.1.0): Extracting archive - Upgrading squizlabs/php_codesniffer (3.6.1 => 3.7.2): Extracting archive - Upgrading mediawiki/mediawiki-codesniffer (v38.0.0 => v41.0.0): Extracting archive - Downgrading microsoft/tolerant-php-parser (v0.1.2 => v0.1.1): Extracting archive - Upgrading composer/xdebug-handler (2.0.5 => 3.0.3): Extracting archive - Upgrading phan/phan (5.2.0 => 5.4.1): Extracting archive - Upgrading mediawiki/phan-taint-check-plugin (3.3.2 => 4.0.0): Extracting archive - Upgrading mediawiki/mediawiki-phan-config (0.11.1 => 0.12.0): Extracting archive - Upgrading php-parallel-lint/php-console-color (v0.3 => v1.0.1): Extracting archive - Upgrading php-parallel-lint/php-console-highlighter (v0.5 => v1.0.0): Extracting archive - Upgrading php-parallel-lint/php-parallel-lint (v1.3.1 => v1.3.2): Extracting archive 0/3 [>---------------------------] 0% 3/3 [============================] 100%Generating autoload files 14 packages you are using are looking for funding. Use the `composer fund` command to find out more! --- stdout --- --- end --- set() $ /usr/bin/composer install --- stderr --- Installing dependencies from lock file (including require-dev) Verifying lock file contents can be installed on current platform. Nothing to install, update or remove Generating autoload files 14 packages you are using are looking for funding. Use the `composer fund` command to find out more! --- stdout --- --- end --- $ /usr/bin/composer test --- stderr --- > parallel-lint . --exclude vendor --exclude node_modules > phpcs -sp --cache > minus-x check . --- stdout --- PHP 7.4.33 | 10 parallel jobs ................ 16/16 (100 %) Checked 16 files in 0.1 seconds No syntax error found ................ 16 / 16 (100%) Time: 116ms; Memory: 28MB MinusX ====== Processing /src/repo... ............................................................. ............................................................. .................................... All good! --- end --- $ /usr/bin/npm audit --json --legacy-peer-deps --- stdout --- { "auditReportVersion": 2, "vulnerabilities": { "@wikimedia/mw-node-qunit": { "name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": [ "jsdom" ], "effects": [], "range": "<=6.2.1", "nodes": [ "node_modules/@wikimedia/mw-node-qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false } }, "babel-core": { "name": "babel-core", "severity": "high", "isDirect": true, "via": [ "babel-register", "json5" ], "effects": [ "babel-register" ], "range": "5.8.20 - 7.0.0-beta.3", "nodes": [ "node_modules/babel-core" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "babel-register": { "name": "babel-register", "severity": "high", "isDirect": false, "via": [ "babel-core" ], "effects": [ "babel-core" ], "range": "*", "nodes": [ "node_modules/babel-register" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "decode-uri-component": { "name": "decode-uri-component", "severity": "low", "isDirect": false, "via": [ { "source": 1088828, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "low", "cwe": [ "CWE-20" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "node_modules/decode-uri-component" ], "fixAvailable": true }, "jsdom": { "name": "jsdom", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089185, "name": "jsdom", "dependency": "jsdom", "title": "Insufficient Granularity of Access Control in JSDom", "url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98", "severity": "moderate", "cwe": [ "CWE-1220" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<=16.4.0" } ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "<=16.4.0", "nodes": [ "node_modules/jsdom" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false } }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1091147, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" }, { "source": 1091148, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [ "babel-core" ], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": [ "node_modules/babel-core/node_modules/json5", "node_modules/json5" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1091173, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "node_modules/minimist" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 1, "total": 7 }, "dependencies": { "prod": 1, "dev": 1241, "optional": 3, "peer": 0, "peerOptional": 0, "total": 1241 } } } --- end --- Attempting to npm audit fix $ /usr/bin/npm audit fix --dry-run --only=dev --json --legacy-peer-deps --- stderr --- npm WARN invalid config only="dev" set in command line options npm WARN invalid config Must be one of: null, prod, production --- stdout --- { "added": 1, "removed": 4, "changed": 5, "audited": 1238, "funding": 84, "audit": { "auditReportVersion": 2, "vulnerabilities": { "@wikimedia/mw-node-qunit": { "name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": [ "jsdom" ], "effects": [], "range": "<=6.2.1", "nodes": [ "node_modules/@wikimedia/mw-node-qunit" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false } }, "babel-core": { "name": "babel-core", "severity": "high", "isDirect": true, "via": [ "babel-register", "json5" ], "effects": [ "babel-register" ], "range": "5.8.20 - 7.0.0-beta.3", "nodes": [ "node_modules/babel-core" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "babel-register": { "name": "babel-register", "severity": "high", "isDirect": false, "via": [ "babel-core" ], "effects": [ "babel-core" ], "range": "*", "nodes": [ "" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "decode-uri-component": { "name": "decode-uri-component", "severity": "low", "isDirect": false, "via": [ { "source": 1088828, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "low", "cwe": [ "CWE-20" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.2.1" } ], "effects": [], "range": "<0.2.1", "nodes": [ "" ], "fixAvailable": true }, "jsdom": { "name": "jsdom", "severity": "moderate", "isDirect": false, "via": [ { "source": 1089185, "name": "jsdom", "dependency": "jsdom", "title": "Insufficient Granularity of Access Control in JSDom", "url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98", "severity": "moderate", "cwe": [ "CWE-1220" ], "cvss": { "score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, "range": "<=16.4.0" } ], "effects": [ "@wikimedia/mw-node-qunit" ], "range": "<=16.4.0", "nodes": [ "node_modules/jsdom" ], "fixAvailable": { "name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false } }, "json5": { "name": "json5", "severity": "high", "isDirect": false, "via": [ { "source": 1091147, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": "<1.0.2" }, { "source": 1091148, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" }, "range": ">=2.0.0 <2.2.2" } ], "effects": [ "babel-core" ], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": [ "", "" ], "fixAvailable": { "name": "babel-core", "version": "4.7.16", "isSemVerMajor": true } }, "minimist": { "name": "minimist", "severity": "critical", "isDirect": false, "via": [ { "source": 1091173, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": [ "CWE-1321" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=1.0.0 <1.2.6" } ], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [ "" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 1, "total": 7 }, "dependencies": { "prod": 1, "dev": 1237, "optional": 3, "peer": 0, "peerOptional": 0, "total": 1237 } } } } --- end --- {"added": 1, "removed": 4, "changed": 5, "audited": 1238, "funding": 84, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@wikimedia/mw-node-qunit": {"name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": ["jsdom"], "effects": [], "range": "<=6.2.1", "nodes": ["node_modules/@wikimedia/mw-node-qunit"], "fixAvailable": {"name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false}}, "babel-core": {"name": "babel-core", "severity": "high", "isDirect": true, "via": ["babel-register", "json5"], "effects": ["babel-register"], "range": "5.8.20 - 7.0.0-beta.3", "nodes": ["node_modules/babel-core"], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "babel-register": {"name": "babel-register", "severity": "high", "isDirect": false, "via": ["babel-core"], "effects": ["babel-core"], "range": "*", "nodes": [""], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "decode-uri-component": {"name": "decode-uri-component", "severity": "low", "isDirect": false, "via": [{"source": 1088828, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "low", "cwe": ["CWE-20"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.2.1"}], "effects": [], "range": "<0.2.1", "nodes": [""], "fixAvailable": true}, "jsdom": {"name": "jsdom", "severity": "moderate", "isDirect": false, "via": [{"source": 1089185, "name": "jsdom", "dependency": "jsdom", "title": "Insufficient Granularity of Access Control in JSDom", "url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98", "severity": "moderate", "cwe": ["CWE-1220"], "cvss": {"score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "range": "<=16.4.0"}], "effects": ["@wikimedia/mw-node-qunit"], "range": "<=16.4.0", "nodes": ["node_modules/jsdom"], "fixAvailable": {"name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false}}, "json5": {"name": "json5", "severity": "high", "isDirect": false, "via": [{"source": 1091147, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}, "range": "<1.0.2"}, {"source": 1091148, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}, "range": ">=2.0.0 <2.2.2"}], "effects": ["babel-core"], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": ["", ""], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "minimist": {"name": "minimist", "severity": "critical", "isDirect": false, "via": [{"source": 1091173, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": ["CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.0.0 <1.2.6"}], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 1, "total": 7}, "dependencies": {"prod": 1, "dev": 1237, "optional": 3, "peer": 0, "peerOptional": 0, "total": 1237}}}} {} Upgrading n:@wikimedia/mw-node-qunit from 6.2.1 -> 6.4.1 $ /usr/bin/npm audit fix --only=dev --legacy-peer-deps --- stderr --- npm WARN invalid config only="dev" set in command line options npm WARN invalid config Must be one of: null, prod, production --- stdout --- added 52 packages, removed 303 packages, changed 46 packages, and audited 990 packages in 6s 86 packages are looking for funding run `npm fund` for details # npm audit report json5 <1.0.2 Severity: high Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h fix available via `npm audit fix --force` Will install babel-core@4.7.16, which is a breaking change node_modules/babel-core/node_modules/json5 babel-core 5.8.20 - 7.0.0-beta.3 Depends on vulnerable versions of babel-register Depends on vulnerable versions of json5 node_modules/babel-core babel-register * Depends on vulnerable versions of babel-core node_modules/babel-register 3 high severity vulnerabilities To address all issues (including breaking changes), run: npm audit fix --force --- end --- $ package-lock-lint package-lock.json --- stdout --- Checking package-lock.json --- end --- Verifying that tests still pass $ /usr/bin/npm ci --legacy-peer-deps --- stderr --- npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. npm WARN deprecated core-js@3.21.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js. --- stdout --- added 989 packages, and audited 990 packages in 8s 86 packages are looking for funding run `npm fund` for details 3 high severity vulnerabilities To address all issues (including breaking changes), run: npm audit fix --force Run `npm audit` for details. --- end --- $ /usr/bin/npm test --- stderr --- FAIL tests/jest/QuickSurvey.test.js ● Test suite failed to run ReferenceError: TextEncoder is not defined 3 | const wikimediaTestingUtils = require( '@wikimedia/mw-node-qunit' ); 4 | > 5 | wikimediaTestingUtils.setUp( false ); | ^ 6 | at Object.<anonymous> (node_modules/whatwg-url/lib/encoding.js:2:21) at Object.<anonymous> (node_modules/whatwg-url/lib/url-state-machine.js:5:34) at Object.<anonymous> (node_modules/whatwg-url/lib/URL-impl.js:2:13) at Object.<anonymous> (node_modules/whatwg-url/lib/URL.js:442:14) at Object.<anonymous> (node_modules/whatwg-url/webidl2js-wrapper.js:3:13) at Object.<anonymous> (node_modules/whatwg-url/index.js:3:34) at Object.<anonymous> (node_modules/jsdom/lib/api.js:7:19) at Object.setUp (node_modules/@wikimedia/mw-node-qunit/src/dom.js:14:18) at Object.setUp (node_modules/@wikimedia/mw-node-qunit/index.js:15:7) at Object.<anonymous> (jest.setup.js:5:23) FAIL tests/jest/render.test.js ● Test suite failed to run ReferenceError: TextEncoder is not defined 3 | const wikimediaTestingUtils = require( '@wikimedia/mw-node-qunit' ); 4 | > 5 | wikimediaTestingUtils.setUp( false ); | ^ 6 | at Object.<anonymous> (node_modules/whatwg-url/lib/encoding.js:2:21) at Object.<anonymous> (node_modules/whatwg-url/lib/url-state-machine.js:5:34) at Object.<anonymous> (node_modules/whatwg-url/lib/URL-impl.js:2:13) at Object.<anonymous> (node_modules/whatwg-url/lib/URL.js:442:14) at Object.<anonymous> (node_modules/whatwg-url/webidl2js-wrapper.js:3:13) at Object.<anonymous> (node_modules/whatwg-url/index.js:3:34) at Object.<anonymous> (node_modules/jsdom/lib/api.js:7:19) at Object.setUp (node_modules/@wikimedia/mw-node-qunit/src/dom.js:14:18) at Object.setUp (node_modules/@wikimedia/mw-node-qunit/index.js:15:7) at Object.<anonymous> (jest.setup.js:5:23) Jest: "global" coverage threshold for statements (77%) not met: 0% Jest: "global" coverage threshold for branches (76%) not met: 0% Jest: "global" coverage threshold for lines (77%) not met: 0% Jest: "global" coverage threshold for functions (80%) not met: 0% Test Suites: 2 failed, 2 total Tests: 0 total Snapshots: 0 total Time: 2.064 s, estimated 3 s Ran all test suites. --- stdout --- > test > npm run lint && npm run test:unit > lint > npm -s run lint:js && npm run -s lint:styles && npm -s run lint:i18n Checked 1 message directory. > test:unit > jest --testRegex tests/jest/*.test.js ----------------------|---------|----------|---------|---------|------------------- File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s ----------------------|---------|----------|---------|---------|------------------- All files | 0 | 0 | 0 | 0 | QuickSurvey.vue | 0 | 0 | 0 | 0 | 75-328 QuickSurveyLogger.js | 0 | 0 | 0 | 0 | 1-43 render.js | 0 | 0 | 0 | 0 | 2-93 utils.js | 0 | 0 | 0 | 0 | 10-56 ----------------------|---------|----------|---------|---------|------------------- --- end --- Traceback (most recent call last): File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1400, in main libup.run(args.repo, args.output, args.branch) File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1344, in run self.npm_audit_fix(new_npm_audit) File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 242, in npm_audit_fix self.check_call(['npm', 'test']) File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/shell2.py", line 54, in check_call res.check_returncode() File "/usr/lib/python3.9/subprocess.py", line 460, in check_returncode raise CalledProcessError(self.returncode, self.args, self.stdout, subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 1.