$ date
--- stdout ---
Tue Apr 23 09:52:03 UTC 2024
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-GraphQL.git repo --depth=1 -b master
--- stderr ---
Cloning into 'repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
93367a80f9b10835a24b94b90bc14ab34601e934 refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/traverse": {
"name": "@babel/traverse",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096886,
"name": "@babel/traverse",
"dependency": "@babel/traverse",
"title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
"url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
"severity": "critical",
"cwe": [
"CWE-184",
"CWE-697"
],
"cvss": {
"score": 9.4,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
"range": "<7.23.2"
}
],
"effects": [],
"range": "<7.23.2",
"nodes": [
"node_modules/@babel/traverse"
],
"fixAvailable": true
},
"browserify-sign": {
"name": "browserify-sign",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096644,
"name": "browserify-sign",
"dependency": "browserify-sign",
"title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack",
"url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=2.6.0 <=4.2.1"
}
],
"effects": [],
"range": "2.6.0 - 4.2.1",
"nodes": [
"node_modules/browserify-sign"
],
"fixAvailable": true
},
"chokidar": {
"name": "chokidar",
"severity": "high",
"isDirect": false,
"via": [
"glob-parent"
],
"effects": [
"watchpack-chokidar2"
],
"range": "1.0.0-rc1 - 2.1.8",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/chokidar"
],
"fixAvailable": true
},
"codemirror-graphql": {
"name": "codemirror-graphql",
"severity": "moderate",
"isDirect": false,
"via": [
"graphql-language-service-interface"
],
"effects": [
"graphiql"
],
"range": "0.6.12 - 0.8.3",
"nodes": [
"node_modules/codemirror-graphql"
],
"fixAvailable": {
"name": "graphiql",
"version": "3.2.0",
"isSemVerMajor": true
}
},
"cross-fetch": {
"name": "cross-fetch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1088709,
"name": "cross-fetch",
"dependency": "cross-fetch",
"title": "Incorrect Authorization in cross-fetch",
"url": "https://github.com/advisories/GHSA-7gc6-qh9x-w6h8",
"severity": "moderate",
"cwe": [
"CWE-359",
"CWE-863"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<2.2.6"
},
"node-fetch"
],
"effects": [
"graphql-request"
],
"range": "<=2.2.5 || 3.0.0 - 3.1.4 || 3.2.0-alpha.0 - 3.2.0-alpha.2",
"nodes": [
"node_modules/cross-fetch"
],
"fixAvailable": {
"name": "graphiql",
"version": "3.2.0",
"isSemVerMajor": true
}
},
"css-loader": {
"name": "css-loader",
"severity": "moderate",
"isDirect": true,
"via": [
"icss-utils",
"postcss",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values"
],
"effects": [],
"range": "0.15.0 - 4.3.0",
"nodes": [
"node_modules/css-loader"
],
"fixAvailable": {
"name": "css-loader",
"version": "7.1.1",
"isSemVerMajor": true
}
},
"eslint-plugin-compat": {
"name": "eslint-plugin-compat",
"severity": "moderate",
"isDirect": false,
"via": [
"semver"
],
"effects": [],
"range": "3.6.0-0 - 4.1.4",
"nodes": [
"node_modules/eslint-plugin-compat"
],
"fixAvailable": true
},
"glob-parent": {
"name": "glob-parent",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095007,
"name": "glob-parent",
"dependency": "glob-parent",
"title": "glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex",
"url": "https://github.com/advisories/GHSA-ww39-953v-wcq6",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<5.1.2"
}
],
"effects": [
"chokidar"
],
"range": "<5.1.2",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/glob-parent"
],
"fixAvailable": true
},
"graphiql": {
"name": "graphiql",
"severity": "high",
"isDirect": true,
"via": [
{
"source": 1089589,
"name": "graphiql",
"dependency": "graphiql",
"title": "GraphiQL introspection schema template injection attack",
"url": "https://github.com/advisories/GHSA-x4r7-m2q9-69c8",
"severity": "high",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L"
},
"range": ">=0.5.0 <1.4.7"
},
"codemirror-graphql",
"markdown-it"
],
"effects": [],
"range": "0.5.0 - 1.4.7-canary-85a66743.0",
"nodes": [
"node_modules/graphiql"
],
"fixAvailable": {
"name": "graphiql",
"version": "3.2.0",
"isSemVerMajor": true
}
},
"graphql-config": {
"name": "graphql-config",
"severity": "moderate",
"isDirect": false,
"via": [
"graphql-request"
],
"effects": [
"graphql-language-service-interface",
"graphql-language-service-utils"
],
"range": "0.0.0-experimental.0 || 1.0.8 - 3.0.0-rc.3",
"nodes": [
"node_modules/graphql-config"
],
"fixAvailable": {
"name": "graphiql",
"version": "3.2.0",
"isSemVerMajor": true
}
},
"graphql-language-service-interface": {
"name": "graphql-language-service-interface",
"severity": "moderate",
"isDirect": false,
"via": [
"graphql-config",
"graphql-language-service-utils"
],
"effects": [
"codemirror-graphql"
],
"range": "1.0.16 - 2.4.0-alpha.11",
"nodes": [
"node_modules/graphql-language-service-interface"
],
"fixAvailable": {
"name": "graphiql",
"version": "3.2.0",
"isSemVerMajor": true
}
},
"graphql-language-service-utils": {
"name": "graphql-language-service-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"graphql-config"
],
"effects": [
"graphql-language-service-interface"
],
"range": "1.0.16 - 2.4.0-alpha.9",
"nodes": [
"node_modules/graphql-language-service-utils"
],
"fixAvailable": {
"name": "graphiql",
"version": "3.2.0",
"isSemVerMajor": true
}
},
"graphql-request": {
"name": "graphql-request",
"severity": "moderate",
"isDirect": false,
"via": [
"cross-fetch"
],
"effects": [
"graphql-config"
],
"range": "1.4.0 - 1.8.2",
"nodes": [
"node_modules/graphql-request"
],
"fixAvailable": {
"name": "graphiql",
"version": "3.2.0",
"isSemVerMajor": true
}
},
"icss-utils": {
"name": "icss-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"css-loader"
],
"range": "<=4.1.1",
"nodes": [
"node_modules/icss-utils"
],
"fixAvailable": {
"name": "css-loader",
"version": "7.1.1",
"isSemVerMajor": true
}
},
"markdown-it": {
"name": "markdown-it",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1092663,
"name": "markdown-it",
"dependency": "markdown-it",
"title": "Uncontrolled Resource Consumption in markdown-it",
"url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<12.3.2"
}
],
"effects": [
"graphiql"
],
"range": "<12.3.2",
"nodes": [
"node_modules/markdown-it"
],
"fixAvailable": {
"name": "graphiql",
"version": "3.2.0",
"isSemVerMajor": true
}
},
"node-fetch": {
"name": "node-fetch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091791,
"name": "node-fetch",
"dependency": "node-fetch",
"title": "The `size` option isn't honored after following a redirect in node-fetch",
"url": "https://github.com/advisories/GHSA-w7rc-rwvf-8q5r",
"severity": "low",
"cwe": [
"CWE-20",
"CWE-770"
],
"cvss": {
"score": 2.6,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L"
},
"range": "<2.6.1"
},
{
"source": 1095073,
"name": "node-fetch",
"dependency": "node-fetch",
"title": "node-fetch forwards secure headers to untrusted sites",
"url": "https://github.com/advisories/GHSA-r683-j2x4-v87g",
"severity": "high",
"cwe": [
"CWE-173",
"CWE-200",
"CWE-601"
],
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<2.6.7"
}
],
"effects": [
"cross-fetch"
],
"range": "<=2.6.6",
"nodes": [
"node_modules/node-fetch"
],
"fixAvailable": {
"name": "graphiql",
"version": "3.2.0",
"isSemVerMajor": true
}
},
"postcss": {
"name": "postcss",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1094544,
"name": "postcss",
"dependency": "postcss",
"title": "PostCSS line return parsing error",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-144"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<8.4.31"
}
],
"effects": [
"css-loader",
"icss-utils",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values"
],
"range": "<8.4.31",
"nodes": [
"node_modules/postcss"
],
"fixAvailable": {
"name": "css-loader",
"version": "7.1.1",
"isSemVerMajor": true
}
},
"postcss-modules-extract-imports": {
"name": "postcss-modules-extract-imports",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/postcss-modules-extract-imports"
],
"fixAvailable": true
},
"postcss-modules-local-by-default": {
"name": "postcss-modules-local-by-default",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=3.0.3",
"nodes": [
"node_modules/postcss-modules-local-by-default"
],
"fixAvailable": true
},
"postcss-modules-scope": {
"name": "postcss-modules-scope",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.2.0",
"nodes": [
"node_modules/postcss-modules-scope"
],
"fixAvailable": true
},
"postcss-modules-values": {
"name": "postcss-modules-values",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"css-loader"
],
"range": "<=3.0.0",
"nodes": [
"node_modules/postcss-modules-values"
],
"fixAvailable": {
"name": "css-loader",
"version": "7.1.1",
"isSemVerMajor": true
}
},
"semver": {
"name": "semver",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1096482,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=7.0.0 <7.5.2"
},
{
"source": 1096483,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<5.7.2"
},
{
"source": 1096484,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=6.0.0 <6.3.1"
}
],
"effects": [
"eslint-plugin-compat"
],
"range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1",
"nodes": [
"node_modules/core-js-compat/node_modules/semver",
"node_modules/eslint-plugin-compat/node_modules/semver",
"node_modules/eslint-plugin-jsdoc/node_modules/semver",
"node_modules/eslint-plugin-node/node_modules/semver",
"node_modules/eslint-plugin-unicorn/node_modules/semver",
"node_modules/eslint-plugin-vue/node_modules/semver",
"node_modules/semver",
"node_modules/vue-eslint-parser/node_modules/semver"
],
"fixAvailable": true
},
"undici": {
"name": "undici",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1096502,
"name": "undici",
"dependency": "undici",
"title": "Undici's cookie header not cleared on cross-origin redirect in fetch",
"url": "https://github.com/advisories/GHSA-wqq4-5wpv-mx2g",
"severity": "low",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 3.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<5.26.2"
},
{
"source": 1096969,
"name": "undici",
"dependency": "undici",
"title": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",
"url": "https://github.com/advisories/GHSA-9qxr-qj54-h672",
"severity": "low",
"cwe": [
"CWE-284"
],
"cvss": {
"score": 2.6,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"
},
"range": "<5.28.4"
},
{
"source": 1097102,
"name": "undici",
"dependency": "undici",
"title": "Undici proxy-authorization header not cleared on cross-origin redirect in fetch",
"url": "https://github.com/advisories/GHSA-3787-6prv-h9w3",
"severity": "low",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 3.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<=5.28.2"
},
{
"source": 1097109,
"name": "undici",
"dependency": "undici",
"title": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",
"url": "https://github.com/advisories/GHSA-m4v8-wqvr-p9f7",
"severity": "low",
"cwe": [
"CWE-200",
"CWE-285"
],
"cvss": {
"score": 3.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<5.28.4"
}
],
"effects": [],
"range": "<=5.28.3",
"nodes": [
"node_modules/undici"
],
"fixAvailable": true
},
"watchpack": {
"name": "watchpack",
"severity": "high",
"isDirect": false,
"via": [
"watchpack-chokidar2"
],
"effects": [],
"range": "1.7.2 - 1.7.5",
"nodes": [
"node_modules/watchpack"
],
"fixAvailable": true
},
"watchpack-chokidar2": {
"name": "watchpack-chokidar2",
"severity": "high",
"isDirect": false,
"via": [
"chokidar"
],
"effects": [
"watchpack"
],
"range": "*",
"nodes": [
"node_modules/watchpack-chokidar2"
],
"fixAvailable": true
},
"word-wrap": {
"name": "word-wrap",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1095091,
"name": "word-wrap",
"dependency": "word-wrap",
"title": "word-wrap vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<1.2.4"
}
],
"effects": [],
"range": "<1.2.4",
"nodes": [
"node_modules/word-wrap"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 16,
"high": 8,
"critical": 1,
"total": 26
},
"dependencies": {
"prod": 167,
"dev": 741,
"optional": 26,
"peer": 1,
"peerOptional": 0,
"total": 908
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.
Problem 1
- overblog/dataloader-php[v0.5.2, ..., v0.5.3] require php ^5.5|^7.0 -> your php version (8.2.7) does not satisfy that requirement.
- Root composer.json requires overblog/dataloader-php ^0.5.2 -> satisfiable by overblog/dataloader-php[v0.5.2, v0.5.3].
--- stdout ---
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1584, in main
libup.run(args.repo, args.output, args.branch)
File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1507, in run
'composer': self.composer_audit(),
^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 157, in composer_audit
self.ensure_composer_lock()
File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 117, in ensure_composer_lock
self.check_call(['composer', 'install'])
File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/shell2.py", line 54, in check_call
res.check_returncode()
File "/usr/lib/python3.11/subprocess.py", line 502, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['/usr/bin/composer', 'install']' returned non-zero exit status 2.