This run took 79 seconds.
$ date
--- stdout ---
Mon Mar 13 03:31:32 UTC 2023
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-QuickSurveys.git repo --depth=1 -b master
--- stderr ---
Cloning into 'repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
8bad11733e28e27409c530f205b18d887b4490b1 refs/heads/master
--- end ---
$ /usr/bin/npm audit --json --legacy-peer-deps
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@wikimedia/mw-node-qunit": {
"name": "@wikimedia/mw-node-qunit",
"severity": "moderate",
"isDirect": true,
"via": [
"jsdom"
],
"effects": [],
"range": "<=6.2.1",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.1",
"isSemVerMajor": false
}
},
"babel-core": {
"name": "babel-core",
"severity": "high",
"isDirect": true,
"via": [
"babel-register",
"json5"
],
"effects": [
"babel-register"
],
"range": "5.8.20 - 7.0.0-beta.3",
"nodes": [
"node_modules/babel-core"
],
"fixAvailable": {
"name": "babel-core",
"version": "4.7.16",
"isSemVerMajor": true
}
},
"babel-register": {
"name": "babel-register",
"severity": "high",
"isDirect": false,
"via": [
"babel-core"
],
"effects": [
"babel-core"
],
"range": "*",
"nodes": [
"node_modules/babel-register"
],
"fixAvailable": {
"name": "babel-core",
"version": "4.7.16",
"isSemVerMajor": true
}
},
"decode-uri-component": {
"name": "decode-uri-component",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1088828,
"name": "decode-uri-component",
"dependency": "decode-uri-component",
"title": "decode-uri-component vulnerable to Denial of Service (DoS)",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"severity": "low",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.2.1"
}
],
"effects": [],
"range": "<0.2.1",
"nodes": [
"node_modules/decode-uri-component"
],
"fixAvailable": true
},
"jsdom": {
"name": "jsdom",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1089185,
"name": "jsdom",
"dependency": "jsdom",
"title": "Insufficient Granularity of Access Control in JSDom",
"url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98",
"severity": "moderate",
"cwe": [
"CWE-1220"
],
"cvss": {
"score": 5.6,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
"range": "<=16.4.0"
}
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "<=16.4.0",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.1",
"isSemVerMajor": false
}
},
"json5": {
"name": "json5",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091147,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": "<1.0.2"
},
{
"source": 1091148,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": ">=2.0.0 <2.2.2"
}
],
"effects": [
"babel-core"
],
"range": "<1.0.2 || >=2.0.0 <2.2.2",
"nodes": [
"node_modules/babel-core/node_modules/json5",
"node_modules/json5"
],
"fixAvailable": {
"name": "babel-core",
"version": "4.7.16",
"isSemVerMajor": true
}
},
"minimist": {
"name": "minimist",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1091173,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.0.0 <1.2.6"
}
],
"effects": [],
"range": "1.0.0 - 1.2.5",
"nodes": [
"node_modules/minimist"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 2,
"high": 3,
"critical": 1,
"total": 7
},
"dependencies": {
"prod": 1,
"dev": 1241,
"optional": 3,
"peer": 0,
"peerOptional": 0,
"total": 1241
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No lock file found. Updating dependencies instead of installing from lock file. Use composer update over composer install if you do not have a lock file.
Loading composer repositories with package information
Info from https://repo.packagist.org: [37;44m#StandWith[30;43mUkraine[0m
Updating dependencies
Lock file operations: 34 installs, 0 updates, 0 removals
- Locking composer/pcre (1.0.1)
- Locking composer/semver (3.3.2)
- Locking composer/spdx-licenses (1.5.7)
- Locking composer/xdebug-handler (2.0.5)
- Locking felixfbecker/advanced-json-rpc (v3.2.1)
- Locking mediawiki/mediawiki-codesniffer (v38.0.0)
- Locking mediawiki/mediawiki-phan-config (0.11.1)
- Locking mediawiki/minus-x (1.1.1)
- Locking mediawiki/phan-taint-check-plugin (3.3.2)
- Locking microsoft/tolerant-php-parser (v0.1.2)
- Locking netresearch/jsonmapper (v4.1.0)
- Locking phan/phan (5.2.0)
- Locking php-parallel-lint/php-console-color (v0.3)
- Locking php-parallel-lint/php-console-highlighter (v0.5)
- Locking php-parallel-lint/php-parallel-lint (v1.3.1)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (5.3.0)
- Locking phpdocumentor/type-resolver (1.6.2)
- Locking psr/container (1.1.2)
- Locking psr/log (1.1.4)
- Locking sabre/event (5.1.4)
- Locking squizlabs/php_codesniffer (3.6.1)
- Locking symfony/console (v5.4.21)
- Locking symfony/deprecation-contracts (v2.5.2)
- Locking symfony/polyfill-ctype (v1.27.0)
- Locking symfony/polyfill-intl-grapheme (v1.27.0)
- Locking symfony/polyfill-intl-normalizer (v1.27.0)
- Locking symfony/polyfill-mbstring (v1.27.0)
- Locking symfony/polyfill-php73 (v1.27.0)
- Locking symfony/polyfill-php80 (v1.27.0)
- Locking symfony/service-contracts (v2.5.2)
- Locking symfony/string (v5.4.21)
- Locking tysonandre/var_representation_polyfill (0.1.3)
- Locking webmozart/assert (1.11.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 34 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------] 0 [--->------------------------] - Installing composer/pcre (1.0.1): Extracting archive
- Installing squizlabs/php_codesniffer (3.6.1): Extracting archive
- Installing symfony/polyfill-mbstring (v1.27.0): Extracting archive
- Installing composer/spdx-licenses (1.5.7): Extracting archive
- Installing composer/semver (3.3.2): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v38.0.0): Extracting archive
- Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive
- Installing symfony/polyfill-php80 (v1.27.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.27.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.27.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.27.0): Extracting archive
- Installing symfony/string (v5.4.21): Extracting archive
- Installing symfony/deprecation-contracts (v2.5.2): Extracting archive
- Installing psr/container (1.1.2): Extracting archive
- Installing symfony/service-contracts (v2.5.2): Extracting archive
- Installing symfony/polyfill-php73 (v1.27.0): Extracting archive
- Installing symfony/console (v5.4.21): Extracting archive
- Installing sabre/event (5.1.4): Extracting archive
- Installing netresearch/jsonmapper (v4.1.0): Extracting archive
- Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive
- Installing webmozart/assert (1.11.0): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing phpdocumentor/type-resolver (1.6.2): Extracting archive
- Installing phpdocumentor/reflection-docblock (5.3.0): Extracting archive
- Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
- Installing psr/log (1.1.4): Extracting archive
- Installing composer/xdebug-handler (2.0.5): Extracting archive
- Installing phan/phan (5.2.0): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (3.3.2): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.11.1): Extracting archive
- Installing mediawiki/minus-x (1.1.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v0.3): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v0.5): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.3.1): Extracting archive
0/25 [>---------------------------] 0%
10/25 [===========>----------------] 40%
18/25 [====================>-------] 72%
25/25 [============================] 100%4 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
14 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
--- end ---
Upgrading n:vue from 3.2.33 -> 3.2.37
Upgrading n:@wikimedia/codex from 0.1.0-alpha.8 -> 0.6.2
$ /usr/bin/npm install
--- stderr ---
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated samsam@1.3.0: This package has been deprecated in favour of @sinonjs/samsam
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.21.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
--- stdout ---
added 1240 packages, and audited 1241 packages in 9s
83 packages are looking for funding
run `npm fund` for details
7 vulnerabilities (1 low, 2 moderate, 3 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json
--- end ---
$ /usr/bin/npm ci --legacy-peer-deps
--- stderr ---
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated samsam@1.3.0: This package has been deprecated in favour of @sinonjs/samsam
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.21.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
--- stdout ---
added 1240 packages, and audited 1241 packages in 9s
83 packages are looking for funding
run `npm fund` for details
7 vulnerabilities (1 low, 2 moderate, 3 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stderr ---
PASS tests/jest/render.test.js
● Console
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... >
at <App>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... >
at <App>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... >
at <App>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... >
at <App>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey onLogEvent=fn<mockConstructor> onDismiss=fn onDestroy=fn<onDestroy> ... >
at <App>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
PASS tests/jest/QuickSurvey.test.js
● Console
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey name="survey" yesButtonLabel="yes" noButtonLabel="no" ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey name="survey" yesButtonLabel="yes" noButtonLabel="no" ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey name="survey" question="question" thankYouMessage="thanks!" ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey name="survey" question="question" thankYouMessage="thanks!" ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey name="survey" question="question" thankYouMessage="thanks!" ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey name="survey" thankYouMessage="thanks!" yesButtonLabel="yes" ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey name="survey" thankYouMessage="thanks!" footer="privacy policy instead of additional info" ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey name="survey" thankYouMessage="thanks!" additionalInfo="addtional info instead of privacy policy" ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey layout="single-answer" name="survey" answers= [
{ key: 'yes', label: 'Yes' },
{ key: 'maybe', label: 'maybe' },
{ key: 'no', label: 'no' }
] ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey layout="single-answer" name="survey" answers= [
{ key: 'no', label: 'no' },
{ key: 'maybe', label: 'maybe' },
{ key: 'yes', label: 'Yes' }
] ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey layout="single-answer" name="survey" answers= [
{ key: 'maybe', label: 'maybe' },
{ key: 'no', label: 'no' },
{ key: 'yes', label: 'Yes' }
] ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey layout="single-answer" name="survey" answers= [
{ key: 'no', label: 'no' },
{ key: 'yes', label: 'Yes' },
{ key: 'maybe', label: 'maybe' }
] ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey layout="single-answer" name="survey" answers= [
{ key: 'maybe', label: 'maybe' },
{ key: 'no', label: 'no' },
{ key: 'yes', label: 'Yes' }
] ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
console.warn
[Vue warn]: icon-only buttons require one of the following attribute: aria-label or aria-hidden.
See documentation on https://doc.wikimedia.org/codex/latest/components/button.html#default-icon-only
at <CdxButton type="quiet" onClick=fn<bound dismissAndDestroy> >
at <QuickSurvey layout="multiple-answer" name="survey-multi" answers= [
{ key: 'B', label: 'French' },
{ key: 'A', label: 'Chinese' },
{ key: 'C', label: 'English' }
] ... >
at <VTUROOT>
at Object.warn (node_modules/@vue/runtime-core/dist/runtime-core.cjs.js:40:17)
at St (node_modules/@wikimedia/codex/dist/codex.umd.js:1:5665)
at At (node_modules/@wikimedia/codex/dist/codex.umd.js:2:686)
at ReactiveEffect.fn (node_modules/@wikimedia/codex/dist/codex.umd.js:2:1098)
at ReactiveEffect.run (node_modules/@vue/reactivity/dist/reactivity.cjs.js:189:25)
at ComputedRefImpl.get value [as value] (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1136:39)
at unref (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1044:29)
at Object.get (node_modules/@vue/reactivity/dist/reactivity.cjs.js:1047:37)
Test Suites: 2 passed, 2 total
Tests: 19 passed, 19 total
Snapshots: 0 total
Time: 3.983 s
Ran all test suites.
--- stdout ---
> test
> npm run lint && npm run test:unit
> lint
> npm -s run lint:js && npm run -s lint:styles && npm -s run lint:i18n
Checked 1 message directory.
> test:unit
> jest --testRegex tests/jest/*.test.js
----------------------|---------|----------|---------|---------|-------------------
File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
----------------------|---------|----------|---------|---------|-------------------
All files | 93.75 | 88.67 | 95.65 | 93.75 |
QuickSurvey.vue | 100 | 100 | 100 | 100 |
QuickSurveyLogger.js | 81.81 | 50 | 100 | 81.81 | 21,41
render.js | 100 | 94.44 | 100 | 100 | 50
utils.js | 78.57 | 50 | 66.66 | 78.57 | 10-11,28
----------------------|---------|----------|---------|---------|-------------------
--- end ---
Upgrading c:mediawiki/mediawiki-codesniffer from 38.0.0 -> 41.0.0
Upgrading c:mediawiki/mediawiki-phan-config from 0.11.1 -> 0.12.0
Upgrading c:php-parallel-lint/php-console-highlighter from 0.5.0 -> 1.0.0
Upgrading c:php-parallel-lint/php-parallel-lint from 1.3.1 -> 1.3.2
$ /usr/bin/composer update
--- stderr ---
Loading composer repositories with package information
Info from https://repo.packagist.org: [37;44m#StandWith[30;43mUkraine[0m
Updating dependencies
Lock file operations: 0 installs, 11 updates, 0 removals
- Upgrading composer/pcre (1.0.1 => 3.1.0)
- Upgrading composer/xdebug-handler (2.0.5 => 3.0.3)
- Upgrading mediawiki/mediawiki-codesniffer (v38.0.0 => v41.0.0)
- Upgrading mediawiki/mediawiki-phan-config (0.11.1 => 0.12.0)
- Upgrading mediawiki/phan-taint-check-plugin (3.3.2 => 4.0.0)
- Downgrading microsoft/tolerant-php-parser (v0.1.2 => v0.1.1)
- Upgrading phan/phan (5.2.0 => 5.4.1)
- Upgrading php-parallel-lint/php-console-color (v0.3 => v1.0.1)
- Upgrading php-parallel-lint/php-console-highlighter (v0.5 => v1.0.0)
- Upgrading php-parallel-lint/php-parallel-lint (v1.3.1 => v1.3.2)
- Upgrading squizlabs/php_codesniffer (3.6.1 => 3.7.2)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 11 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------] 0 [--->------------------------] - Upgrading composer/pcre (1.0.1 => 3.1.0): Extracting archive
- Upgrading squizlabs/php_codesniffer (3.6.1 => 3.7.2): Extracting archive
- Upgrading mediawiki/mediawiki-codesniffer (v38.0.0 => v41.0.0): Extracting archive
- Downgrading microsoft/tolerant-php-parser (v0.1.2 => v0.1.1): Extracting archive
- Upgrading composer/xdebug-handler (2.0.5 => 3.0.3): Extracting archive
- Upgrading phan/phan (5.2.0 => 5.4.1): Extracting archive
- Upgrading mediawiki/phan-taint-check-plugin (3.3.2 => 4.0.0): Extracting archive
- Upgrading mediawiki/mediawiki-phan-config (0.11.1 => 0.12.0): Extracting archive
- Upgrading php-parallel-lint/php-console-color (v0.3 => v1.0.1): Extracting archive
- Upgrading php-parallel-lint/php-console-highlighter (v0.5 => v1.0.0): Extracting archive
- Upgrading php-parallel-lint/php-parallel-lint (v1.3.1 => v1.3.2): Extracting archive
0/3 [>---------------------------] 0%
3/3 [============================] 100%Generating autoload files
14 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
--- end ---
set()
$ /usr/bin/composer install
--- stderr ---
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Nothing to install, update or remove
Generating autoload files
14 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
--- end ---
$ /usr/bin/composer test
--- stderr ---
> parallel-lint . --exclude vendor --exclude node_modules
> phpcs -sp --cache
> minus-x check .
--- stdout ---
PHP 7.4.33 | 10 parallel jobs
................ 16/16 (100 %)
Checked 16 files in 0.1 seconds
No syntax error found
................ 16 / 16 (100%)
Time: 116ms; Memory: 28MB
MinusX
======
Processing /src/repo...
.............................................................
.............................................................
....................................
All good!
--- end ---
$ /usr/bin/npm audit --json --legacy-peer-deps
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@wikimedia/mw-node-qunit": {
"name": "@wikimedia/mw-node-qunit",
"severity": "moderate",
"isDirect": true,
"via": [
"jsdom"
],
"effects": [],
"range": "<=6.2.1",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.1",
"isSemVerMajor": false
}
},
"babel-core": {
"name": "babel-core",
"severity": "high",
"isDirect": true,
"via": [
"babel-register",
"json5"
],
"effects": [
"babel-register"
],
"range": "5.8.20 - 7.0.0-beta.3",
"nodes": [
"node_modules/babel-core"
],
"fixAvailable": {
"name": "babel-core",
"version": "4.7.16",
"isSemVerMajor": true
}
},
"babel-register": {
"name": "babel-register",
"severity": "high",
"isDirect": false,
"via": [
"babel-core"
],
"effects": [
"babel-core"
],
"range": "*",
"nodes": [
"node_modules/babel-register"
],
"fixAvailable": {
"name": "babel-core",
"version": "4.7.16",
"isSemVerMajor": true
}
},
"decode-uri-component": {
"name": "decode-uri-component",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1088828,
"name": "decode-uri-component",
"dependency": "decode-uri-component",
"title": "decode-uri-component vulnerable to Denial of Service (DoS)",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"severity": "low",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.2.1"
}
],
"effects": [],
"range": "<0.2.1",
"nodes": [
"node_modules/decode-uri-component"
],
"fixAvailable": true
},
"jsdom": {
"name": "jsdom",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1089185,
"name": "jsdom",
"dependency": "jsdom",
"title": "Insufficient Granularity of Access Control in JSDom",
"url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98",
"severity": "moderate",
"cwe": [
"CWE-1220"
],
"cvss": {
"score": 5.6,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
"range": "<=16.4.0"
}
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "<=16.4.0",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.1",
"isSemVerMajor": false
}
},
"json5": {
"name": "json5",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091147,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": "<1.0.2"
},
{
"source": 1091148,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": ">=2.0.0 <2.2.2"
}
],
"effects": [
"babel-core"
],
"range": "<1.0.2 || >=2.0.0 <2.2.2",
"nodes": [
"node_modules/babel-core/node_modules/json5",
"node_modules/json5"
],
"fixAvailable": {
"name": "babel-core",
"version": "4.7.16",
"isSemVerMajor": true
}
},
"minimist": {
"name": "minimist",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1091173,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.0.0 <1.2.6"
}
],
"effects": [],
"range": "1.0.0 - 1.2.5",
"nodes": [
"node_modules/minimist"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 2,
"high": 3,
"critical": 1,
"total": 7
},
"dependencies": {
"prod": 1,
"dev": 1241,
"optional": 3,
"peer": 0,
"peerOptional": 0,
"total": 1241
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json --legacy-peer-deps
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 1,
"removed": 4,
"changed": 5,
"audited": 1238,
"funding": 84,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"@wikimedia/mw-node-qunit": {
"name": "@wikimedia/mw-node-qunit",
"severity": "moderate",
"isDirect": true,
"via": [
"jsdom"
],
"effects": [],
"range": "<=6.2.1",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.1",
"isSemVerMajor": false
}
},
"babel-core": {
"name": "babel-core",
"severity": "high",
"isDirect": true,
"via": [
"babel-register",
"json5"
],
"effects": [
"babel-register"
],
"range": "5.8.20 - 7.0.0-beta.3",
"nodes": [
"node_modules/babel-core"
],
"fixAvailable": {
"name": "babel-core",
"version": "4.7.16",
"isSemVerMajor": true
}
},
"babel-register": {
"name": "babel-register",
"severity": "high",
"isDirect": false,
"via": [
"babel-core"
],
"effects": [
"babel-core"
],
"range": "*",
"nodes": [
""
],
"fixAvailable": {
"name": "babel-core",
"version": "4.7.16",
"isSemVerMajor": true
}
},
"decode-uri-component": {
"name": "decode-uri-component",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1088828,
"name": "decode-uri-component",
"dependency": "decode-uri-component",
"title": "decode-uri-component vulnerable to Denial of Service (DoS)",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"severity": "low",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.2.1"
}
],
"effects": [],
"range": "<0.2.1",
"nodes": [
""
],
"fixAvailable": true
},
"jsdom": {
"name": "jsdom",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1089185,
"name": "jsdom",
"dependency": "jsdom",
"title": "Insufficient Granularity of Access Control in JSDom",
"url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98",
"severity": "moderate",
"cwe": [
"CWE-1220"
],
"cvss": {
"score": 5.6,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
"range": "<=16.4.0"
}
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "<=16.4.0",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.1",
"isSemVerMajor": false
}
},
"json5": {
"name": "json5",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091147,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": "<1.0.2"
},
{
"source": 1091148,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": ">=2.0.0 <2.2.2"
}
],
"effects": [
"babel-core"
],
"range": "<1.0.2 || >=2.0.0 <2.2.2",
"nodes": [
"",
""
],
"fixAvailable": {
"name": "babel-core",
"version": "4.7.16",
"isSemVerMajor": true
}
},
"minimist": {
"name": "minimist",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1091173,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.0.0 <1.2.6"
}
],
"effects": [],
"range": "1.0.0 - 1.2.5",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 2,
"high": 3,
"critical": 1,
"total": 7
},
"dependencies": {
"prod": 1,
"dev": 1237,
"optional": 3,
"peer": 0,
"peerOptional": 0,
"total": 1237
}
}
}
}
--- end ---
{"added": 1, "removed": 4, "changed": 5, "audited": 1238, "funding": 84, "audit": {"auditReportVersion": 2, "vulnerabilities": {"@wikimedia/mw-node-qunit": {"name": "@wikimedia/mw-node-qunit", "severity": "moderate", "isDirect": true, "via": ["jsdom"], "effects": [], "range": "<=6.2.1", "nodes": ["node_modules/@wikimedia/mw-node-qunit"], "fixAvailable": {"name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false}}, "babel-core": {"name": "babel-core", "severity": "high", "isDirect": true, "via": ["babel-register", "json5"], "effects": ["babel-register"], "range": "5.8.20 - 7.0.0-beta.3", "nodes": ["node_modules/babel-core"], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "babel-register": {"name": "babel-register", "severity": "high", "isDirect": false, "via": ["babel-core"], "effects": ["babel-core"], "range": "*", "nodes": [""], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "decode-uri-component": {"name": "decode-uri-component", "severity": "low", "isDirect": false, "via": [{"source": 1088828, "name": "decode-uri-component", "dependency": "decode-uri-component", "title": "decode-uri-component vulnerable to Denial of Service (DoS)", "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", "severity": "low", "cwe": ["CWE-20"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.2.1"}], "effects": [], "range": "<0.2.1", "nodes": [""], "fixAvailable": true}, "jsdom": {"name": "jsdom", "severity": "moderate", "isDirect": false, "via": [{"source": 1089185, "name": "jsdom", "dependency": "jsdom", "title": "Insufficient Granularity of Access Control in JSDom", "url": "https://github.com/advisories/GHSA-f4c9-cqv8-9v98", "severity": "moderate", "cwe": ["CWE-1220"], "cvss": {"score": 5.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "range": "<=16.4.0"}], "effects": ["@wikimedia/mw-node-qunit"], "range": "<=16.4.0", "nodes": ["node_modules/jsdom"], "fixAvailable": {"name": "@wikimedia/mw-node-qunit", "version": "6.4.1", "isSemVerMajor": false}}, "json5": {"name": "json5", "severity": "high", "isDirect": false, "via": [{"source": 1091147, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}, "range": "<1.0.2"}, {"source": 1091148, "name": "json5", "dependency": "json5", "title": "Prototype Pollution in JSON5 via Parse Method", "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "severity": "high", "cwe": ["CWE-1321"], "cvss": {"score": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}, "range": ">=2.0.0 <2.2.2"}], "effects": ["babel-core"], "range": "<1.0.2 || >=2.0.0 <2.2.2", "nodes": ["", ""], "fixAvailable": {"name": "babel-core", "version": "4.7.16", "isSemVerMajor": true}}, "minimist": {"name": "minimist", "severity": "critical", "isDirect": false, "via": [{"source": 1091173, "name": "minimist", "dependency": "minimist", "title": "Prototype Pollution in minimist", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "severity": "critical", "cwe": ["CWE-1321"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.0.0 <1.2.6"}], "effects": [], "range": "1.0.0 - 1.2.5", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 1, "total": 7}, "dependencies": {"prod": 1, "dev": 1237, "optional": 3, "peer": 0, "peerOptional": 0, "total": 1237}}}}
{}
Upgrading n:@wikimedia/mw-node-qunit from 6.2.1 -> 6.4.1
$ /usr/bin/npm audit fix --only=dev --legacy-peer-deps
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
added 52 packages, removed 303 packages, changed 46 packages, and audited 990 packages in 6s
86 packages are looking for funding
run `npm fund` for details
# npm audit report
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/babel-core/node_modules/json5
babel-core 5.8.20 - 7.0.0-beta.3
Depends on vulnerable versions of babel-register
Depends on vulnerable versions of json5
node_modules/babel-core
babel-register *
Depends on vulnerable versions of babel-core
node_modules/babel-register
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci --legacy-peer-deps
--- stderr ---
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@3.21.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
--- stdout ---
added 989 packages, and audited 990 packages in 8s
86 packages are looking for funding
run `npm fund` for details
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stderr ---
FAIL tests/jest/QuickSurvey.test.js
● Test suite failed to run
ReferenceError: TextEncoder is not defined
3 | const wikimediaTestingUtils = require( '@wikimedia/mw-node-qunit' );
4 |
> 5 | wikimediaTestingUtils.setUp( false );
| ^
6 |
at Object.<anonymous> (node_modules/whatwg-url/lib/encoding.js:2:21)
at Object.<anonymous> (node_modules/whatwg-url/lib/url-state-machine.js:5:34)
at Object.<anonymous> (node_modules/whatwg-url/lib/URL-impl.js:2:13)
at Object.<anonymous> (node_modules/whatwg-url/lib/URL.js:442:14)
at Object.<anonymous> (node_modules/whatwg-url/webidl2js-wrapper.js:3:13)
at Object.<anonymous> (node_modules/whatwg-url/index.js:3:34)
at Object.<anonymous> (node_modules/jsdom/lib/api.js:7:19)
at Object.setUp (node_modules/@wikimedia/mw-node-qunit/src/dom.js:14:18)
at Object.setUp (node_modules/@wikimedia/mw-node-qunit/index.js:15:7)
at Object.<anonymous> (jest.setup.js:5:23)
FAIL tests/jest/render.test.js
● Test suite failed to run
ReferenceError: TextEncoder is not defined
3 | const wikimediaTestingUtils = require( '@wikimedia/mw-node-qunit' );
4 |
> 5 | wikimediaTestingUtils.setUp( false );
| ^
6 |
at Object.<anonymous> (node_modules/whatwg-url/lib/encoding.js:2:21)
at Object.<anonymous> (node_modules/whatwg-url/lib/url-state-machine.js:5:34)
at Object.<anonymous> (node_modules/whatwg-url/lib/URL-impl.js:2:13)
at Object.<anonymous> (node_modules/whatwg-url/lib/URL.js:442:14)
at Object.<anonymous> (node_modules/whatwg-url/webidl2js-wrapper.js:3:13)
at Object.<anonymous> (node_modules/whatwg-url/index.js:3:34)
at Object.<anonymous> (node_modules/jsdom/lib/api.js:7:19)
at Object.setUp (node_modules/@wikimedia/mw-node-qunit/src/dom.js:14:18)
at Object.setUp (node_modules/@wikimedia/mw-node-qunit/index.js:15:7)
at Object.<anonymous> (jest.setup.js:5:23)
Jest: "global" coverage threshold for statements (77%) not met: 0%
Jest: "global" coverage threshold for branches (76%) not met: 0%
Jest: "global" coverage threshold for lines (77%) not met: 0%
Jest: "global" coverage threshold for functions (80%) not met: 0%
Test Suites: 2 failed, 2 total
Tests: 0 total
Snapshots: 0 total
Time: 2.064 s, estimated 3 s
Ran all test suites.
--- stdout ---
> test
> npm run lint && npm run test:unit
> lint
> npm -s run lint:js && npm run -s lint:styles && npm -s run lint:i18n
Checked 1 message directory.
> test:unit
> jest --testRegex tests/jest/*.test.js
----------------------|---------|----------|---------|---------|-------------------
File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
----------------------|---------|----------|---------|---------|-------------------
All files | 0 | 0 | 0 | 0 |
QuickSurvey.vue | 0 | 0 | 0 | 0 | 75-328
QuickSurveyLogger.js | 0 | 0 | 0 | 0 | 1-43
render.js | 0 | 0 | 0 | 0 | 2-93
utils.js | 0 | 0 | 0 | 0 | 10-56
----------------------|---------|----------|---------|---------|-------------------
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1400, in main
libup.run(args.repo, args.output, args.branch)
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1344, in run
self.npm_audit_fix(new_npm_audit)
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 242, in npm_audit_fix
self.check_call(['npm', 'test'])
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/shell2.py", line 54, in check_call
res.check_returncode()
File "/usr/lib/python3.9/subprocess.py", line 460, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 1.