mediawiki/extensions/GraphQL (REL1_39)

sourcepatches
$ date
--- stdout ---
Sun May 19 05:42:27 UTC 2024

--- end ---
$ git clone file:///srv/git/mediawiki-extensions-GraphQL.git repo --depth=1 -b REL1_39
--- stderr ---
Cloning into 'repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/REL1_39
--- stdout ---
562b0c6feb2d66d928be791baae9f3d818fcc69f refs/heads/REL1_39

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "@babel/traverse": {
      "name": "@babel/traverse",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1096886,
          "name": "@babel/traverse",
          "dependency": "@babel/traverse",
          "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
          "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
          "severity": "critical",
          "cwe": [
            "CWE-184",
            "CWE-697"
          ],
          "cvss": {
            "score": 9.4,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          },
          "range": "<7.23.2"
        }
      ],
      "effects": [],
      "range": "<7.23.2",
      "nodes": [
        "node_modules/@babel/traverse"
      ],
      "fixAvailable": true
    },
    "browserify-sign": {
      "name": "browserify-sign",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1096644,
          "name": "browserify-sign",
          "dependency": "browserify-sign",
          "title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack",
          "url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw",
          "severity": "high",
          "cwe": [
            "CWE-347"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
          },
          "range": ">=2.6.0 <=4.2.1"
        }
      ],
      "effects": [],
      "range": "2.6.0 - 4.2.1",
      "nodes": [
        "node_modules/browserify-sign"
      ],
      "fixAvailable": true
    },
    "chokidar": {
      "name": "chokidar",
      "severity": "high",
      "isDirect": false,
      "via": [
        "glob-parent"
      ],
      "effects": [
        "watchpack-chokidar2"
      ],
      "range": "1.0.0-rc1 - 2.1.8",
      "nodes": [
        "node_modules/watchpack-chokidar2/node_modules/chokidar"
      ],
      "fixAvailable": true
    },
    "codemirror-graphql": {
      "name": "codemirror-graphql",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "graphql-language-service-interface"
      ],
      "effects": [
        "graphiql"
      ],
      "range": "0.6.12 - 0.8.3",
      "nodes": [
        "node_modules/codemirror-graphql"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.2.2",
        "isSemVerMajor": true
      }
    },
    "cross-fetch": {
      "name": "cross-fetch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1088709,
          "name": "cross-fetch",
          "dependency": "cross-fetch",
          "title": "Incorrect Authorization in cross-fetch",
          "url": "https://github.com/advisories/GHSA-7gc6-qh9x-w6h8",
          "severity": "moderate",
          "cwe": [
            "CWE-359",
            "CWE-863"
          ],
          "cvss": {
            "score": 6.1,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
          },
          "range": "<2.2.6"
        },
        "node-fetch"
      ],
      "effects": [
        "graphql-request"
      ],
      "range": "<=2.2.5 || 3.0.0 - 3.1.4 || 3.2.0-alpha.0 - 3.2.0-alpha.2",
      "nodes": [
        "node_modules/cross-fetch"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.2.2",
        "isSemVerMajor": true
      }
    },
    "css-loader": {
      "name": "css-loader",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "icss-utils",
        "postcss",
        "postcss-modules-extract-imports",
        "postcss-modules-local-by-default",
        "postcss-modules-scope",
        "postcss-modules-values"
      ],
      "effects": [],
      "range": "0.15.0 - 4.3.0",
      "nodes": [
        "node_modules/css-loader"
      ],
      "fixAvailable": {
        "name": "css-loader",
        "version": "7.1.1",
        "isSemVerMajor": true
      }
    },
    "eslint-plugin-compat": {
      "name": "eslint-plugin-compat",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "semver"
      ],
      "effects": [],
      "range": "3.6.0-0 - 4.1.4",
      "nodes": [
        "node_modules/eslint-plugin-compat"
      ],
      "fixAvailable": true
    },
    "glob-parent": {
      "name": "glob-parent",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1095007,
          "name": "glob-parent",
          "dependency": "glob-parent",
          "title": "glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex",
          "url": "https://github.com/advisories/GHSA-ww39-953v-wcq6",
          "severity": "high",
          "cwe": [
            "CWE-400"
          ],
          "cvss": {
            "score": 7.5,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "range": "<5.1.2"
        }
      ],
      "effects": [
        "chokidar"
      ],
      "range": "<5.1.2",
      "nodes": [
        "node_modules/watchpack-chokidar2/node_modules/glob-parent"
      ],
      "fixAvailable": true
    },
    "graphiql": {
      "name": "graphiql",
      "severity": "high",
      "isDirect": true,
      "via": [
        {
          "source": 1089589,
          "name": "graphiql",
          "dependency": "graphiql",
          "title": "GraphiQL introspection schema template injection attack",
          "url": "https://github.com/advisories/GHSA-x4r7-m2q9-69c8",
          "severity": "high",
          "cwe": [
            "CWE-79"
          ],
          "cvss": {
            "score": 7.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L"
          },
          "range": ">=0.5.0 <1.4.7"
        },
        "codemirror-graphql",
        "markdown-it"
      ],
      "effects": [],
      "range": "0.5.0 - 1.4.7-canary-85a66743.0",
      "nodes": [
        "node_modules/graphiql"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.2.2",
        "isSemVerMajor": true
      }
    },
    "graphql-config": {
      "name": "graphql-config",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "graphql-request"
      ],
      "effects": [
        "graphql-language-service-interface",
        "graphql-language-service-utils"
      ],
      "range": "0.0.0-experimental.0 || 1.0.8 - 3.0.0-rc.3",
      "nodes": [
        "node_modules/graphql-config"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.2.2",
        "isSemVerMajor": true
      }
    },
    "graphql-language-service-interface": {
      "name": "graphql-language-service-interface",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "graphql-config",
        "graphql-language-service-utils"
      ],
      "effects": [
        "codemirror-graphql"
      ],
      "range": "1.0.16 - 2.4.0-alpha.11",
      "nodes": [
        "node_modules/graphql-language-service-interface"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.2.2",
        "isSemVerMajor": true
      }
    },
    "graphql-language-service-utils": {
      "name": "graphql-language-service-utils",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "graphql-config"
      ],
      "effects": [
        "graphql-language-service-interface"
      ],
      "range": "1.0.16 - 2.4.0-alpha.9",
      "nodes": [
        "node_modules/graphql-language-service-utils"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.2.2",
        "isSemVerMajor": true
      }
    },
    "graphql-request": {
      "name": "graphql-request",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "cross-fetch"
      ],
      "effects": [
        "graphql-config"
      ],
      "range": "1.4.0 - 1.8.2",
      "nodes": [
        "node_modules/graphql-request"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.2.2",
        "isSemVerMajor": true
      }
    },
    "icss-utils": {
      "name": "icss-utils",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [
        "css-loader"
      ],
      "range": "<=4.1.1",
      "nodes": [
        "node_modules/icss-utils"
      ],
      "fixAvailable": {
        "name": "css-loader",
        "version": "7.1.1",
        "isSemVerMajor": true
      }
    },
    "markdown-it": {
      "name": "markdown-it",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1092663,
          "name": "markdown-it",
          "dependency": "markdown-it",
          "title": "Uncontrolled Resource Consumption in markdown-it",
          "url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c",
          "severity": "moderate",
          "cwe": [
            "CWE-400",
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<12.3.2"
        }
      ],
      "effects": [
        "graphiql"
      ],
      "range": "<12.3.2",
      "nodes": [
        "node_modules/markdown-it"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.2.2",
        "isSemVerMajor": true
      }
    },
    "node-fetch": {
      "name": "node-fetch",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1091791,
          "name": "node-fetch",
          "dependency": "node-fetch",
          "title": "The `size` option isn't honored after following a redirect in node-fetch",
          "url": "https://github.com/advisories/GHSA-w7rc-rwvf-8q5r",
          "severity": "low",
          "cwe": [
            "CWE-20",
            "CWE-770"
          ],
          "cvss": {
            "score": 2.6,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L"
          },
          "range": "<2.6.1"
        },
        {
          "source": 1095073,
          "name": "node-fetch",
          "dependency": "node-fetch",
          "title": "node-fetch forwards secure headers to untrusted sites",
          "url": "https://github.com/advisories/GHSA-r683-j2x4-v87g",
          "severity": "high",
          "cwe": [
            "CWE-173",
            "CWE-200",
            "CWE-601"
          ],
          "cvss": {
            "score": 8.8,
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<2.6.7"
        }
      ],
      "effects": [
        "cross-fetch"
      ],
      "range": "<=2.6.6",
      "nodes": [
        "node_modules/node-fetch"
      ],
      "fixAvailable": {
        "name": "graphiql",
        "version": "3.2.2",
        "isSemVerMajor": true
      }
    },
    "postcss": {
      "name": "postcss",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1094544,
          "name": "postcss",
          "dependency": "postcss",
          "title": "PostCSS line return parsing error",
          "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
          "severity": "moderate",
          "cwe": [
            "CWE-74",
            "CWE-144"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
          },
          "range": "<8.4.31"
        }
      ],
      "effects": [
        "css-loader",
        "icss-utils",
        "postcss-modules-extract-imports",
        "postcss-modules-local-by-default",
        "postcss-modules-scope",
        "postcss-modules-values"
      ],
      "range": "<8.4.31",
      "nodes": [
        "node_modules/postcss"
      ],
      "fixAvailable": {
        "name": "css-loader",
        "version": "7.1.1",
        "isSemVerMajor": true
      }
    },
    "postcss-modules-extract-imports": {
      "name": "postcss-modules-extract-imports",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [],
      "range": "<=2.0.0",
      "nodes": [
        "node_modules/postcss-modules-extract-imports"
      ],
      "fixAvailable": true
    },
    "postcss-modules-local-by-default": {
      "name": "postcss-modules-local-by-default",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [],
      "range": "<=3.0.3",
      "nodes": [
        "node_modules/postcss-modules-local-by-default"
      ],
      "fixAvailable": true
    },
    "postcss-modules-scope": {
      "name": "postcss-modules-scope",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [],
      "range": "<=2.2.0",
      "nodes": [
        "node_modules/postcss-modules-scope"
      ],
      "fixAvailable": true
    },
    "postcss-modules-values": {
      "name": "postcss-modules-values",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "postcss"
      ],
      "effects": [
        "css-loader"
      ],
      "range": "<=3.0.0",
      "nodes": [
        "node_modules/postcss-modules-values"
      ],
      "fixAvailable": {
        "name": "css-loader",
        "version": "7.1.1",
        "isSemVerMajor": true
      }
    },
    "semver": {
      "name": "semver",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1096482,
          "name": "semver",
          "dependency": "semver",
          "title": "semver vulnerable to Regular Expression Denial of Service",
          "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=7.0.0 <7.5.2"
        },
        {
          "source": 1096483,
          "name": "semver",
          "dependency": "semver",
          "title": "semver vulnerable to Regular Expression Denial of Service",
          "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<5.7.2"
        },
        {
          "source": 1096484,
          "name": "semver",
          "dependency": "semver",
          "title": "semver vulnerable to Regular Expression Denial of Service",
          "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": ">=6.0.0 <6.3.1"
        }
      ],
      "effects": [
        "eslint-plugin-compat"
      ],
      "range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1",
      "nodes": [
        "node_modules/core-js-compat/node_modules/semver",
        "node_modules/eslint-plugin-compat/node_modules/semver",
        "node_modules/eslint-plugin-jsdoc/node_modules/semver",
        "node_modules/eslint-plugin-mediawiki/node_modules/semver",
        "node_modules/eslint-plugin-node/node_modules/semver",
        "node_modules/eslint-plugin-unicorn/node_modules/semver",
        "node_modules/eslint-plugin-vue/node_modules/semver",
        "node_modules/semver",
        "node_modules/vue-eslint-parser/node_modules/semver"
      ],
      "fixAvailable": true
    },
    "undici": {
      "name": "undici",
      "severity": "low",
      "isDirect": false,
      "via": [
        {
          "source": 1096502,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici's cookie header not cleared on cross-origin redirect in fetch",
          "url": "https://github.com/advisories/GHSA-wqq4-5wpv-mx2g",
          "severity": "low",
          "cwe": [
            "CWE-200"
          ],
          "cvss": {
            "score": 3.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
          },
          "range": "<5.26.2"
        },
        {
          "source": 1097109,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",
          "url": "https://github.com/advisories/GHSA-m4v8-wqvr-p9f7",
          "severity": "low",
          "cwe": [
            "CWE-200",
            "CWE-285"
          ],
          "cvss": {
            "score": 3.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
          },
          "range": "<5.28.4"
        },
        {
          "source": 1097200,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",
          "url": "https://github.com/advisories/GHSA-9qxr-qj54-h672",
          "severity": "low",
          "cwe": [
            "CWE-284"
          ],
          "cvss": {
            "score": 2.6,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"
          },
          "range": "<5.28.4"
        },
        {
          "source": 1097221,
          "name": "undici",
          "dependency": "undici",
          "title": "Undici proxy-authorization header not cleared on cross-origin redirect in fetch",
          "url": "https://github.com/advisories/GHSA-3787-6prv-h9w3",
          "severity": "low",
          "cwe": [
            "CWE-200"
          ],
          "cvss": {
            "score": 3.9,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
          },
          "range": "<=5.28.2"
        }
      ],
      "effects": [],
      "range": "<=5.28.3",
      "nodes": [
        "node_modules/undici"
      ],
      "fixAvailable": true
    },
    "watchpack": {
      "name": "watchpack",
      "severity": "high",
      "isDirect": false,
      "via": [
        "watchpack-chokidar2"
      ],
      "effects": [],
      "range": "1.7.2 - 1.7.5",
      "nodes": [
        "node_modules/watchpack"
      ],
      "fixAvailable": true
    },
    "watchpack-chokidar2": {
      "name": "watchpack-chokidar2",
      "severity": "high",
      "isDirect": false,
      "via": [
        "chokidar"
      ],
      "effects": [
        "watchpack"
      ],
      "range": "*",
      "nodes": [
        "node_modules/watchpack-chokidar2"
      ],
      "fixAvailable": true
    },
    "word-wrap": {
      "name": "word-wrap",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1095091,
          "name": "word-wrap",
          "dependency": "word-wrap",
          "title": "word-wrap vulnerable to Regular Expression Denial of Service",
          "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<1.2.4"
        }
      ],
      "effects": [],
      "range": "<1.2.4",
      "nodes": [
        "node_modules/word-wrap"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 1,
      "moderate": 16,
      "high": 8,
      "critical": 1,
      "total": 26
    },
    "dependencies": {
      "prod": 167,
      "dev": 736,
      "optional": 26,
      "peer": 0,
      "peerOptional": 0,
      "total": 902
    }
  }
}

--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - overblog/dataloader-php[v0.5.2, ..., v0.5.3] require php ^5.5|^7.0 -> your php version (8.2.7) does not satisfy that requirement.
    - Root composer.json requires overblog/dataloader-php ^0.5.2 -> satisfiable by overblog/dataloader-php[v0.5.2, v0.5.3].
--- stdout ---

--- end ---
Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1787, in main
    libup.run(args.repo, args.output, args.branch)
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1711, in run
    "composer": self.composer_audit(),
                ^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 181, in composer_audit
    self.ensure_composer_lock()
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 140, in ensure_composer_lock
    self.check_call(["composer", "install"])
  File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/shell2.py", line 54, in check_call
    res.check_returncode()
  File "/usr/lib/python3.11/subprocess.py", line 502, in check_returncode
    raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['/usr/bin/composer', 'install']' returned non-zero exit status 2.

composer dependencies

Dependencies
Development dependencies

npm dependencies

Dependencies
Development dependencies

Logs

Source code is licensed under the AGPL.