$ date
--- stdout ---
Sun Oct 27 06:35:07 UTC 2024
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-MobileFrontend.git repo --depth=1 -b REL1_39
--- stderr ---
Cloning into 'repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_39
--- stdout ---
862943c5e6208557a3bfa4a6b899aa8db6f2f6e1 refs/heads/REL1_39
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/traverse": {
"name": "@babel/traverse",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096886,
"name": "@babel/traverse",
"dependency": "@babel/traverse",
"title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
"url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
"severity": "critical",
"cwe": [
"CWE-184",
"CWE-697"
],
"cvss": {
"score": 9.4,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
"range": "<7.23.2"
}
],
"effects": [],
"range": "<7.23.2",
"nodes": [
"node_modules/@babel/traverse"
],
"fixAvailable": true
},
"@storybook/builder-webpack4": {
"name": "@storybook/builder-webpack4",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/core-common",
"@storybook/ui",
"autoprefixer",
"css-loader",
"fork-ts-checker-webpack-plugin",
"postcss",
"postcss-flexbugs-fixes",
"react-dev-utils",
"webpack",
"webpack-dev-middleware"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/@storybook/builder-webpack4"
],
"fixAvailable": true
},
"@storybook/core": {
"name": "@storybook/core",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/core-client",
"@storybook/core-server"
],
"effects": [
"@storybook/html"
],
"range": "6.2.0-alpha.0 - 6.4.0-rc.11",
"nodes": [
"node_modules/@storybook/core"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/core-client": {
"name": "@storybook/core-client",
"severity": "moderate",
"isDirect": false,
"via": [
"@storybook/ui"
],
"effects": [
"@storybook/core",
"@storybook/core-server"
],
"range": "<=6.4.0-rc.11",
"nodes": [
"node_modules/@storybook/core-client"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/core-common": {
"name": "@storybook/core-common",
"severity": "moderate",
"isDirect": false,
"via": [
"webpack"
],
"effects": [
"@storybook/html"
],
"range": "<=6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/core-common"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/core-server": {
"name": "@storybook/core-server",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/builder-webpack4",
"@storybook/core-client",
"@storybook/core-common",
"@storybook/ui",
"cpy",
"css-loader",
"webpack",
"webpack-dev-middleware"
],
"effects": [
"@storybook/core"
],
"range": "<=7.0.0-rc.11",
"nodes": [
"node_modules/@storybook/core-server"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/html": {
"name": "@storybook/html",
"severity": "high",
"isDirect": true,
"via": [
"@storybook/core",
"@storybook/core-common"
],
"effects": [],
"range": "6.2.0-alpha.0 - 6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/html"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/ui": {
"name": "@storybook/ui",
"severity": "moderate",
"isDirect": false,
"via": [
"markdown-to-jsx"
],
"effects": [
"@storybook/builder-webpack4",
"@storybook/core-client"
],
"range": "4.2.0-alpha.1 - 6.4.0-rc.11",
"nodes": [
"node_modules/@storybook/ui"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@wikimedia/mw-node-qunit": {
"name": "@wikimedia/mw-node-qunit",
"severity": "moderate",
"isDirect": true,
"via": [
"jsdom",
"qunit"
],
"effects": [],
"range": "<=6.2.1",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"ansi-regex": {
"name": "ansi-regex",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094091,
"name": "ansi-regex",
"dependency": "ansi-regex",
"title": "Inefficient Regular Expression Complexity in chalk/ansi-regex",
"url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw",
"severity": "high",
"cwe": [
"CWE-697",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.1.1"
}
],
"effects": [],
"range": "4.0.0 - 4.1.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/ansi-regex",
"node_modules/webpack-cli/node_modules/ansi-regex"
],
"fixAvailable": true
},
"anymatch": {
"name": "anymatch",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar",
"sane"
],
"range": "1.2.0 - 2.0.0",
"nodes": [
"node_modules/sane/node_modules/anymatch",
"node_modules/watchpack-chokidar2/node_modules/anymatch"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"autoprefixer": {
"name": "autoprefixer",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "1.0.20131222 - 9.8.8",
"nodes": [
"node_modules/autoprefixer"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"axios": {
"name": "axios",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
}
],
"effects": [
"bundlesize",
"github-build"
],
"range": "0.8.1 - 0.27.2",
"nodes": [
"node_modules/axios",
"node_modules/github-build/node_modules/axios"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"body-parser": {
"name": "body-parser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1099520,
"name": "body-parser",
"dependency": "body-parser",
"title": "body-parser vulnerable to denial of service when url encoding is enabled",
"url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7",
"severity": "high",
"cwe": [
"CWE-405"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<1.20.3"
},
"qs"
],
"effects": [
"express"
],
"range": "<=1.20.2",
"nodes": [
"node_modules/body-parser"
],
"fixAvailable": true
},
"braces": {
"name": "braces",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098094,
"name": "braces",
"dependency": "braces",
"title": "Uncontrolled resource consumption in braces",
"url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1050"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.3"
}
],
"effects": [
"chokidar",
"micromatch"
],
"range": "<3.0.3",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/braces",
"node_modules/braces",
"node_modules/fast-glob/node_modules/braces",
"node_modules/findup-sync/node_modules/braces",
"node_modules/react-dev-utils/node_modules/micromatch/node_modules/braces",
"node_modules/sane/node_modules/braces",
"node_modules/watchpack-chokidar2/node_modules/braces",
"node_modules/webpack-cli/node_modules/braces",
"node_modules/webpack/node_modules/braces"
],
"fixAvailable": {
"name": "webpack",
"version": "5.95.0",
"isSemVerMajor": true
}
},
"browserify-sign": {
"name": "browserify-sign",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096644,
"name": "browserify-sign",
"dependency": "browserify-sign",
"title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack",
"url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=2.6.0 <=4.2.1"
}
],
"effects": [],
"range": "2.6.0 - 4.2.1",
"nodes": [
"node_modules/browserify-sign"
],
"fixAvailable": true
},
"browserslist": {
"name": "browserslist",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1093035,
"name": "browserslist",
"dependency": "browserslist",
"title": "Regular Expression Denial of Service in browserslist",
"url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=4.0.0 <4.16.5"
}
],
"effects": [
"react-dev-utils"
],
"range": "4.0.0 - 4.16.4",
"nodes": [
"node_modules/react-dev-utils/node_modules/browserslist"
],
"fixAvailable": true
},
"bundlesize": {
"name": "bundlesize",
"severity": "moderate",
"isDirect": true,
"via": [
"axios"
],
"effects": [],
"range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1",
"nodes": [
"node_modules/bundlesize"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"chokidar": {
"name": "chokidar",
"severity": "high",
"isDirect": false,
"via": [
"anymatch",
"braces",
"readdirp"
],
"effects": [
"watchpack-chokidar2"
],
"range": "1.3.0 - 2.1.8",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/chokidar"
],
"fixAvailable": true
},
"cookie": {
"name": "cookie",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1099846,
"name": "cookie",
"dependency": "cookie",
"title": "cookie accepts cookie name, path, and domain with out of bounds characters",
"url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
"severity": "low",
"cwe": [
"CWE-74"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.7.0"
}
],
"effects": [
"express"
],
"range": "<0.7.0",
"nodes": [
"node_modules/cookie"
],
"fixAvailable": true
},
"core-js-compat": {
"name": "core-js-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [],
"range": "3.6.0 - 3.25.0",
"nodes": [
"node_modules/core-js-compat"
],
"fixAvailable": true
},
"cpy": {
"name": "cpy",
"severity": "moderate",
"isDirect": false,
"via": [
"globby"
],
"effects": [
"@storybook/core-server"
],
"range": "7.0.0 - 8.1.2",
"nodes": [
"node_modules/cpy"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"css-loader": {
"name": "css-loader",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values"
],
"effects": [],
"range": "0.15.0 - 4.3.0",
"nodes": [
"node_modules/css-loader"
],
"fixAvailable": true
},
"decode-uri-component": {
"name": "decode-uri-component",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094087,
"name": "decode-uri-component",
"dependency": "decode-uri-component",
"title": "decode-uri-component vulnerable to Denial of Service (DoS)",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"severity": "high",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.2.1"
}
],
"effects": [],
"range": "<0.2.1",
"nodes": [
"node_modules/decode-uri-component"
],
"fixAvailable": true
},
"elliptic": {
"name": "elliptic",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1098593,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's EDDSA missing signature length check",
"url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=4.0.0 <=6.5.6"
},
{
"source": 1098594,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero",
"url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw",
"severity": "low",
"cwe": [
"CWE-130"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=2.0.0 <=6.5.6"
},
{
"source": 1098595,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic allows BER-encoded signatures",
"url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=5.2.1 <=6.5.6"
},
{
"source": 1100075,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's verify function omits uniqueness validation",
"url": "https://github.com/advisories/GHSA-434g-2637-qmqr",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<6.5.6"
},
{
"source": 1100186,
"name": "elliptic",
"dependency": "elliptic",
"title": "Valid ECDSA signatures erroneously rejected in Elliptic",
"url": "https://github.com/advisories/GHSA-fc9h-whq2-v747",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=6.5.7"
}
],
"effects": [],
"range": "<=6.5.7",
"nodes": [
"node_modules/elliptic"
],
"fixAvailable": true
},
"eslint-config-wikimedia": {
"name": "eslint-config-wikimedia",
"severity": "high",
"isDirect": true,
"via": [
"eslint-plugin-compat"
],
"effects": [],
"range": "0.18.0 - 0.21.0",
"nodes": [
"node_modules/eslint-config-wikimedia"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.28.2",
"isSemVerMajor": true
}
},
"eslint-plugin-compat": {
"name": "eslint-plugin-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "3.6.0-0 - 4.1.4",
"nodes": [
"node_modules/eslint-plugin-compat"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.28.2",
"isSemVerMajor": true
}
},
"express": {
"name": "express",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096820,
"name": "express",
"dependency": "express",
"title": "Express.js Open Redirect in malformed URLs",
"url": "https://github.com/advisories/GHSA-rv95-896h-c2vc",
"severity": "moderate",
"cwe": [
"CWE-601",
"CWE-1286"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<4.19.2"
},
{
"source": 1099529,
"name": "express",
"dependency": "express",
"title": "express vulnerable to XSS via response.redirect()",
"url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<4.20.0"
},
"body-parser",
"cookie",
"path-to-regexp",
"qs",
"send",
"serve-static"
],
"effects": [],
"range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0",
"nodes": [
"node_modules/express"
],
"fixAvailable": true
},
"fast-glob": {
"name": "fast-glob",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"globby"
],
"range": "<=2.2.7",
"nodes": [
"node_modules/fast-glob"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"findup-sync": {
"name": "findup-sync",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"qunit",
"webpack-cli"
],
"range": "0.4.0 - 3.0.0",
"nodes": [
"node_modules/findup-sync",
"node_modules/webpack-cli/node_modules/findup-sync"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"follow-redirects": {
"name": "follow-redirects",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1092623,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects",
"url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-212"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<1.14.8"
},
{
"source": 1095014,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of sensitive information in follow-redirects",
"url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q",
"severity": "high",
"cwe": [
"CWE-359"
],
"cvss": {
"score": 8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
},
"range": "<1.14.7"
},
{
"source": 1096353,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Follow Redirects improperly handles URLs in the url.parse() function",
"url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc",
"severity": "moderate",
"cwe": [
"CWE-20",
"CWE-601"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<1.15.4"
},
{
"source": 1096856,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "follow-redirects' Proxy-Authorization header kept across hosts",
"url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=1.15.5"
}
],
"effects": [],
"range": "<=1.15.5",
"nodes": [
"node_modules/follow-redirects"
],
"fixAvailable": true
},
"fork-ts-checker-webpack-plugin": {
"name": "fork-ts-checker-webpack-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"react-dev-utils"
],
"range": "0.4.14 - 4.1.6",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/fork-ts-checker-webpack-plugin",
"node_modules/react-dev-utils/node_modules/fork-ts-checker-webpack-plugin"
],
"fixAvailable": true
},
"github-build": {
"name": "github-build",
"severity": "moderate",
"isDirect": false,
"via": [
"axios"
],
"effects": [],
"range": "<=1.2.3",
"nodes": [
"node_modules/github-build"
],
"fixAvailable": true
},
"globby": {
"name": "globby",
"severity": "moderate",
"isDirect": false,
"via": [
"fast-glob"
],
"effects": [
"cpy"
],
"range": "8.0.0 - 9.2.0",
"nodes": [
"node_modules/globby"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"icss-utils": {
"name": "icss-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"css-loader",
"postcss-modules-local-by-default",
"postcss-modules-values"
],
"range": "<=4.1.1",
"nodes": [
"node_modules/icss-utils"
],
"fixAvailable": true
},
"immer": {
"name": "immer",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097196,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx",
"severity": "high",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <9.0.6"
},
{
"source": 1097209,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-33f9-j839-rf8h",
"severity": "critical",
"cwe": [
"CWE-843",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=7.0.0 <9.0.6"
}
],
"effects": [],
"range": "7.0.0 - 9.0.5",
"nodes": [
"node_modules/immer"
],
"fixAvailable": true
},
"ip": {
"name": "ip",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097720,
"name": "ip",
"dependency": "ip",
"title": "NPM IP package incorrectly identifies some private IP addresses as public",
"url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<1.1.9"
},
{
"source": 1099357,
"name": "ip",
"dependency": "ip",
"title": "ip SSRF improper categorization in isPublic",
"url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=2.0.1"
}
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/ip"
],
"fixAvailable": true
},
"jsdoc": {
"name": "jsdoc",
"severity": "high",
"isDirect": true,
"via": [
"markdown-it",
"marked",
"taffydb"
],
"effects": [],
"range": "3.2.0-dev - 3.6.11",
"nodes": [
"node_modules/jsdoc"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"jsdom": {
"name": "jsdom",
"severity": "moderate",
"isDirect": true,
"via": [
"request",
"tough-cookie"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "0.1.20 || 0.2.0 - 16.5.3",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "jsdom",
"version": "25.0.1",
"isSemVerMajor": true
}
},
"json-schema": {
"name": "json-schema",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1095057,
"name": "json-schema",
"dependency": "json-schema",
"title": "json-schema is vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-896r-f27r-55mw",
"severity": "critical",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<0.4.0"
}
],
"effects": [
"jsprim"
],
"range": "<0.4.0",
"nodes": [
"node_modules/json-schema"
],
"fixAvailable": true
},
"json5": {
"name": "json5",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096543,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": "<1.0.2"
},
{
"source": 1096544,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": ">=2.0.0 <2.2.2"
}
],
"effects": [],
"range": "<1.0.2 || >=2.0.0 <2.2.2",
"nodes": [
"node_modules/json5",
"node_modules/loader-utils/node_modules/json5",
"node_modules/webpack-cli/node_modules/json5"
],
"fixAvailable": true
},
"jsprim": {
"name": "jsprim",
"severity": "critical",
"isDirect": false,
"via": [
"json-schema"
],
"effects": [],
"range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1",
"nodes": [
"node_modules/jsprim"
],
"fixAvailable": true
},
"less": {
"name": "less",
"severity": "moderate",
"isDirect": true,
"via": [
"request"
],
"effects": [],
"range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3",
"nodes": [
"node_modules/less"
],
"fixAvailable": {
"name": "less",
"version": "3.13.1",
"isSemVerMajor": false
}
},
"loader-utils": {
"name": "loader-utils",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1094088,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<1.4.1"
},
{
"source": 1094089,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=2.0.0 <2.0.3"
},
{
"source": 1095054,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1095055,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
},
{
"source": 1097142,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1097143,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
}
],
"effects": [
"react-dev-utils",
"webpack-cli"
],
"range": "<=1.4.1 || 2.0.0 - 2.0.3",
"nodes": [
"node_modules/file-loader/node_modules/loader-utils",
"node_modules/html-loader/node_modules/loader-utils",
"node_modules/loader-utils",
"node_modules/postcss-loader/node_modules/loader-utils",
"node_modules/raw-loader/node_modules/loader-utils",
"node_modules/react-dev-utils/node_modules/loader-utils",
"node_modules/style-loader/node_modules/loader-utils",
"node_modules/url-loader/node_modules/loader-utils",
"node_modules/webpack-cli/node_modules/loader-utils"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"markdown-it": {
"name": "markdown-it",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1092663,
"name": "markdown-it",
"dependency": "markdown-it",
"title": "Uncontrolled Resource Consumption in markdown-it",
"url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<12.3.2"
}
],
"effects": [
"jsdoc"
],
"range": "<12.3.2",
"nodes": [
"node_modules/markdown-it"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"markdown-to-jsx": {
"name": "markdown-to-jsx",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1100074,
"name": "markdown-to-jsx",
"dependency": "markdown-to-jsx",
"title": "Cross site scripting in markdown-to-jsx",
"url": "https://github.com/advisories/GHSA-4wx3-54gh-9fr9",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<7.4.0"
}
],
"effects": [
"@storybook/ui"
],
"range": "<7.4.0",
"nodes": [
"node_modules/@storybook/ui/node_modules/markdown-to-jsx",
"node_modules/markdown-to-jsx"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"marked": {
"name": "marked",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095051,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
},
{
"source": 1095052,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
}
],
"effects": [
"jsdoc"
],
"range": "<=4.0.9",
"nodes": [
"node_modules/marked"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"micromatch": {
"name": "micromatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098681,
"name": "micromatch",
"dependency": "micromatch",
"title": "Regular Expression Denial of Service (ReDoS) in micromatch",
"url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<4.0.8"
},
"braces"
],
"effects": [
"anymatch",
"fast-glob",
"findup-sync",
"fork-ts-checker-webpack-plugin",
"readdirp",
"sane",
"webpack"
],
"range": "<=4.0.7",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/micromatch",
"node_modules/fast-glob/node_modules/micromatch",
"node_modules/findup-sync/node_modules/micromatch",
"node_modules/micromatch",
"node_modules/react-dev-utils/node_modules/fast-glob/node_modules/micromatch",
"node_modules/react-dev-utils/node_modules/micromatch",
"node_modules/sane/node_modules/micromatch",
"node_modules/watchpack-chokidar2/node_modules/micromatch",
"node_modules/webpack-cli/node_modules/micromatch",
"node_modules/webpack/node_modules/micromatch"
],
"fixAvailable": {
"name": "webpack",
"version": "5.95.0",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096485,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [
"recursive-readdir"
],
"range": "<3.0.5",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": true
},
"minimist": {
"name": "minimist",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097678,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.0.0 <1.2.6"
}
],
"effects": [],
"range": "1.0.0 - 1.2.5",
"nodes": [
"node_modules/minimist"
],
"fixAvailable": true
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1089011,
"name": "nanoid",
"dependency": "nanoid",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid",
"url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 5.5,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.31"
}
],
"effects": [],
"range": "3.0.0 - 3.1.30",
"nodes": [
"node_modules/doiuse/node_modules/nanoid",
"node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid"
],
"fixAvailable": true
},
"node-fetch": {
"name": "node-fetch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095073,
"name": "node-fetch",
"dependency": "node-fetch",
"title": "node-fetch forwards secure headers to untrusted sites",
"url": "https://github.com/advisories/GHSA-r683-j2x4-v87g",
"severity": "high",
"cwe": [
"CWE-173",
"CWE-200",
"CWE-601"
],
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<2.6.7"
}
],
"effects": [],
"range": "<2.6.7",
"nodes": [
"node_modules/node-fetch"
],
"fixAvailable": true
},
"path-to-regexp": {
"name": "path-to-regexp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1099561,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=0.2.0 <1.9.0"
},
{
"source": 1099562,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.10"
}
],
"effects": [
"express"
],
"range": "<=0.1.9 || 0.2.0 - 1.8.0",
"nodes": [
"node_modules/nise/node_modules/path-to-regexp",
"node_modules/path-to-regexp"
],
"fixAvailable": true
},
"postcss": {
"name": "postcss",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1094544,
"name": "postcss",
"dependency": "postcss",
"title": "PostCSS line return parsing error",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-144"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<8.4.31"
}
],
"effects": [
"@storybook/builder-webpack4",
"autoprefixer",
"css-loader",
"icss-utils",
"postcss-flexbugs-fixes",
"postcss-less",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"stylelint",
"sugarss"
],
"range": "<8.4.31",
"nodes": [
"node_modules/doiuse/node_modules/postcss",
"node_modules/postcss",
"node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"postcss-flexbugs-fixes": {
"name": "postcss-flexbugs-fixes",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=4.2.1",
"nodes": [
"node_modules/postcss-flexbugs-fixes"
],
"fixAvailable": true
},
"postcss-less": {
"name": "postcss-less",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=3.1.4",
"nodes": [
"node_modules/postcss-less"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"postcss-modules-extract-imports": {
"name": "postcss-modules-extract-imports",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/postcss-modules-extract-imports"
],
"fixAvailable": true
},
"postcss-modules-local-by-default": {
"name": "postcss-modules-local-by-default",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [],
"range": "<=4.0.0-rc.4",
"nodes": [
"node_modules/postcss-modules-local-by-default"
],
"fixAvailable": true
},
"postcss-modules-scope": {
"name": "postcss-modules-scope",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.2.0",
"nodes": [
"node_modules/postcss-modules-scope"
],
"fixAvailable": true
},
"postcss-modules-values": {
"name": "postcss-modules-values",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [
"css-loader"
],
"range": "<=4.0.0-rc.5",
"nodes": [
"node_modules/postcss-modules-values"
],
"fixAvailable": true
},
"postcss-safe-parser": {
"name": "postcss-safe-parser",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=4.0.2",
"nodes": [
"node_modules/postcss-safe-parser"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"postcss-sass": {
"name": "postcss-sass",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=0.4.4",
"nodes": [
"node_modules/postcss-sass"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"postcss-scss": {
"name": "postcss-scss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=2.1.1",
"nodes": [
"node_modules/postcss-scss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"prismjs": {
"name": "prismjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090424,
"name": "prismjs",
"dependency": "prismjs",
"title": "Cross-site Scripting in Prism",
"url": "https://github.com/advisories/GHSA-3949-f494-cm99",
"severity": "high",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"
},
"range": ">=1.14.0 <1.27.0"
}
],
"effects": [
"refractor"
],
"range": "1.14.0 - 1.26.0",
"nodes": [
"node_modules/prismjs"
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096470,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.5.0 <6.5.3"
},
{
"source": 1096472,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.7.0 <6.7.3"
},
{
"source": 1096475,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.10.0 <6.10.3"
}
],
"effects": [
"body-parser",
"express"
],
"range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2",
"nodes": [
"node_modules/body-parser/node_modules/qs",
"node_modules/express/node_modules/qs",
"node_modules/qs",
"node_modules/request/node_modules/qs"
],
"fixAvailable": true
},
"qunit": {
"name": "qunit",
"severity": "moderate",
"isDirect": false,
"via": [
"findup-sync",
"sane"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "2.4.1 - 2.8.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"react-dev-utils": {
"name": "react-dev-utils",
"severity": "critical",
"isDirect": false,
"via": [
"browserslist",
"fork-ts-checker-webpack-plugin",
"immer",
"loader-utils",
"recursive-readdir",
"shell-quote"
],
"effects": [
"@storybook/builder-webpack4"
],
"range": "0.5.2 - 12.0.0-next.60",
"nodes": [
"node_modules/react-dev-utils"
],
"fixAvailable": true
},
"readdirp": {
"name": "readdirp",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar"
],
"range": "2.2.0 - 2.2.1",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/readdirp"
],
"fixAvailable": true
},
"recursive-readdir": {
"name": "recursive-readdir",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"react-dev-utils"
],
"range": "1.2.0 - 2.2.2",
"nodes": [
"node_modules/recursive-readdir"
],
"fixAvailable": true
},
"refractor": {
"name": "refractor",
"severity": "high",
"isDirect": false,
"via": [
"prismjs"
],
"effects": [],
"range": "2.4.0 - 3.5.0 || 4.0.0 - 4.4.0",
"nodes": [
"node_modules/refractor"
],
"fixAvailable": true
},
"request": {
"name": "request",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"tough-cookie"
],
"effects": [
"jsdom",
"less"
],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": {
"name": "jsdom",
"version": "25.0.1",
"isSemVerMajor": true
}
},
"request-promise-native": {
"name": "request-promise-native",
"severity": "moderate",
"isDirect": false,
"via": [
"tough-cookie"
],
"effects": [],
"range": ">=1.0.6",
"nodes": [
"node_modules/request-promise-native"
],
"fixAvailable": true
},
"sane": {
"name": "sane",
"severity": "moderate",
"isDirect": false,
"via": [
"anymatch",
"micromatch"
],
"effects": [
"qunit"
],
"range": "1.5.0 - 4.1.0",
"nodes": [
"node_modules/sane"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"semver": {
"name": "semver",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098562,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.5.2"
},
{
"source": 1098563,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<5.7.2"
},
{
"source": 1098564,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.3.1"
}
],
"effects": [
"core-js-compat",
"eslint-plugin-compat"
],
"range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1",
"nodes": [
"node_modules/@babel/helper-compilation-targets/node_modules/semver",
"node_modules/@npmcli/fs/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/core/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/helper-define-polyfill-provider/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/preset-env/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/@babel/register/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/find-cache-dir/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/semver",
"node_modules/@storybook/core-server/node_modules/semver",
"node_modules/@stylelint/postcss-css-in-js/node_modules/semver",
"node_modules/@wikimedia/mw-node-qunit/node_modules/semver",
"node_modules/babel-plugin-polyfill-corejs2/node_modules/semver",
"node_modules/babel-plugin-polyfill-corejs3/node_modules/semver",
"node_modules/babel-plugin-polyfill-regenerator/node_modules/semver",
"node_modules/core-js-compat/node_modules/semver",
"node_modules/css-loader/node_modules/semver",
"node_modules/eslint-plugin-compat/node_modules/semver",
"node_modules/eslint-plugin-jsdoc/node_modules/semver",
"node_modules/eslint-plugin-mediawiki/node_modules/semver",
"node_modules/eslint-plugin-node/node_modules/semver",
"node_modules/eslint-plugin-unicorn/node_modules/semver",
"node_modules/eslint-plugin-vue/node_modules/semver",
"node_modules/eslint-template-visitor/node_modules/semver",
"node_modules/eslint/node_modules/semver",
"node_modules/fork-ts-checker-webpack-plugin/node_modules/semver",
"node_modules/istanbul-lib-instrument/node_modules/semver",
"node_modules/make-dir/node_modules/semver",
"node_modules/meow/node_modules/semver",
"node_modules/nyc/node_modules/semver",
"node_modules/postcss-loader/node_modules/semver",
"node_modules/semver",
"node_modules/vue-eslint-parser/node_modules/semver"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.28.2",
"isSemVerMajor": true
}
},
"send": {
"name": "send",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1099525,
"name": "send",
"dependency": "send",
"title": "send vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<0.19.0"
}
],
"effects": [
"express",
"serve-static"
],
"range": "<0.19.0",
"nodes": [
"node_modules/send"
],
"fixAvailable": true
},
"serve-static": {
"name": "serve-static",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1099527,
"name": "serve-static",
"dependency": "serve-static",
"title": "serve-static vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-cm22-4g7w-348p",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<1.16.0"
},
"send"
],
"effects": [],
"range": "<=1.16.0",
"nodes": [
"node_modules/serve-static"
],
"fixAvailable": true
},
"shell-quote": {
"name": "shell-quote",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096375,
"name": "shell-quote",
"dependency": "shell-quote",
"title": "Improper Neutralization of Special Elements used in a Command in Shell-quote",
"url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7",
"severity": "critical",
"cwe": [
"CWE-77"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=1.7.2"
}
],
"effects": [
"react-dev-utils"
],
"range": "<=1.7.2",
"nodes": [
"node_modules/shell-quote"
],
"fixAvailable": true
},
"simple-get": {
"name": "simple-get",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090445,
"name": "simple-get",
"dependency": "simple-get",
"title": "Exposure of Sensitive Information in simple-get",
"url": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.1"
}
],
"effects": [],
"range": "3.0.0 - 3.1.0",
"nodes": [
"node_modules/simple-get"
],
"fixAvailable": true
},
"stylelint": {
"name": "stylelint",
"severity": "moderate",
"isDirect": false,
"via": [
"autoprefixer",
"postcss",
"postcss-less",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"sugarss"
],
"effects": [
"stylelint-config-wikimedia"
],
"range": "0.1.0 - 13.13.1",
"nodes": [
"node_modules/stylelint"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"stylelint-config-wikimedia": {
"name": "stylelint-config-wikimedia",
"severity": "moderate",
"isDirect": true,
"via": [
"stylelint"
],
"effects": [],
"range": "<=0.11.1",
"nodes": [
"node_modules/stylelint-config-wikimedia"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"sugarss": {
"name": "sugarss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/sugarss"
],
"fixAvailable": true
},
"taffydb": {
"name": "taffydb",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1089386,
"name": "taffydb",
"dependency": "taffydb",
"title": "TaffyDB can allow access to any data items in the DB",
"url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6",
"severity": "high",
"cwe": [
"CWE-20",
"CWE-668"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=2.7.3"
}
],
"effects": [
"jsdoc"
],
"range": "*",
"nodes": [
"node_modules/taffydb"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"tar": {
"name": "tar",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097493,
"name": "tar",
"dependency": "tar",
"title": "Denial of service while parsing a tar file due to lack of folders count validation",
"url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<6.2.1"
}
],
"effects": [],
"range": "<6.2.1",
"nodes": [
"node_modules/tar"
],
"fixAvailable": true
},
"terser": {
"name": "terser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091691,
"name": "terser",
"dependency": "terser",
"title": "Terser insecure use of regular expressions leads to ReDoS",
"url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.8.1"
}
],
"effects": [],
"range": "<4.8.1",
"nodes": [
"node_modules/terser"
],
"fixAvailable": true
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"jsdom",
"request",
"request-promise-native"
],
"range": "<4.1.3",
"nodes": [
"node_modules/tough-cookie"
],
"fixAvailable": {
"name": "jsdom",
"version": "25.0.1",
"isSemVerMajor": true
}
},
"watchpack": {
"name": "watchpack",
"severity": "high",
"isDirect": false,
"via": [
"watchpack-chokidar2"
],
"effects": [],
"range": "1.7.2 - 1.7.5",
"nodes": [
"node_modules/watchpack"
],
"fixAvailable": true
},
"watchpack-chokidar2": {
"name": "watchpack-chokidar2",
"severity": "high",
"isDirect": false,
"via": [
"chokidar"
],
"effects": [
"watchpack"
],
"range": "*",
"nodes": [
"node_modules/watchpack-chokidar2"
],
"fixAvailable": true
},
"webpack": {
"name": "webpack",
"severity": "moderate",
"isDirect": true,
"via": [
"micromatch"
],
"effects": [
"@storybook/core-common",
"@storybook/core-server"
],
"range": "4.0.0-alpha.0 - 5.0.0-rc.6",
"nodes": [
"node_modules/webpack"
],
"fixAvailable": {
"name": "webpack",
"version": "5.95.0",
"isSemVerMajor": true
}
},
"webpack-cli": {
"name": "webpack-cli",
"severity": "high",
"isDirect": true,
"via": [
"findup-sync",
"loader-utils"
],
"effects": [],
"range": "3.2.0 - 3.3.12",
"nodes": [
"node_modules/webpack-cli"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"webpack-dev-middleware": {
"name": "webpack-dev-middleware",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096729,
"name": "webpack-dev-middleware",
"dependency": "webpack-dev-middleware",
"title": "Path traversal in webpack-dev-middleware",
"url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
},
"range": "<=5.3.3"
}
],
"effects": [
"@storybook/core-server"
],
"range": "<=5.3.3",
"nodes": [
"node_modules/webpack-dev-middleware"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"word-wrap": {
"name": "word-wrap",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097681,
"name": "word-wrap",
"dependency": "word-wrap",
"title": "word-wrap vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<1.2.4"
}
],
"effects": [],
"range": "<1.2.4",
"nodes": [
"node_modules/word-wrap"
],
"fixAvailable": true
},
"ws": {
"name": "ws",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098394,
"name": "ws",
"dependency": "ws",
"title": "ws affected by a DoS when handling a request with many HTTP headers",
"url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q",
"severity": "high",
"cwe": [
"CWE-476"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.2.3"
}
],
"effects": [],
"range": "6.0.0 - 6.2.2",
"nodes": [
"node_modules/ws"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 46,
"high": 36,
"critical": 8,
"total": 92
},
"dependencies": {
"prod": 1,
"dev": 2059,
"optional": 31,
"peer": 0,
"peerOptional": 0,
"total": 2059
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 36 installs, 0 updates, 0 removals
- Locking composer/pcre (1.0.1)
- Locking composer/semver (3.4.3)
- Locking composer/spdx-licenses (1.5.8)
- Locking composer/xdebug-handler (2.0.5)
- Locking doctrine/deprecations (1.1.3)
- Locking felixfbecker/advanced-json-rpc (v3.2.1)
- Locking mediawiki/mediawiki-codesniffer (v38.0.0)
- Locking mediawiki/mediawiki-phan-config (0.11.1)
- Locking mediawiki/minus-x (1.1.1)
- Locking mediawiki/phan-taint-check-plugin (3.3.2)
- Locking microsoft/tolerant-php-parser (v0.1.2)
- Locking netresearch/jsonmapper (v4.5.0)
- Locking phan/phan (5.2.0)
- Locking php-parallel-lint/php-console-color (v0.3)
- Locking php-parallel-lint/php-console-highlighter (v0.5)
- Locking php-parallel-lint/php-parallel-lint (v1.3.1)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (5.4.1)
- Locking phpdocumentor/type-resolver (1.8.2)
- Locking phpstan/phpdoc-parser (1.33.0)
- Locking psr/container (2.0.2)
- Locking psr/log (2.0.0)
- Locking sabre/event (5.1.7)
- Locking squizlabs/php_codesniffer (3.6.1)
- Locking symfony/console (v5.4.44)
- Locking symfony/deprecation-contracts (v3.5.0)
- Locking symfony/polyfill-ctype (v1.31.0)
- Locking symfony/polyfill-intl-grapheme (v1.31.0)
- Locking symfony/polyfill-intl-normalizer (v1.31.0)
- Locking symfony/polyfill-mbstring (v1.31.0)
- Locking symfony/polyfill-php73 (v1.31.0)
- Locking symfony/polyfill-php80 (v1.31.0)
- Locking symfony/service-contracts (v3.5.0)
- Locking symfony/string (v6.4.12)
- Locking tysonandre/var_representation_polyfill (0.1.3)
- Locking webmozart/assert (1.11.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 36 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------]
- Installing composer/pcre (1.0.1): Extracting archive
- Installing squizlabs/php_codesniffer (3.6.1): Extracting archive
- Installing symfony/polyfill-mbstring (v1.31.0): Extracting archive
- Installing composer/spdx-licenses (1.5.8): Extracting archive
- Installing composer/semver (3.4.3): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v38.0.0): Extracting archive
- Installing tysonandre/var_representation_polyfill (0.1.3): Extracting archive
- Installing symfony/polyfill-php80 (v1.31.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.31.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.31.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.31.0): Extracting archive
- Installing symfony/string (v6.4.12): Extracting archive
- Installing symfony/deprecation-contracts (v3.5.0): Extracting archive
- Installing psr/container (2.0.2): Extracting archive
- Installing symfony/service-contracts (v3.5.0): Extracting archive
- Installing symfony/polyfill-php73 (v1.31.0): Extracting archive
- Installing symfony/console (v5.4.44): Extracting archive
- Installing sabre/event (5.1.7): Extracting archive
- Installing netresearch/jsonmapper (v4.5.0): Extracting archive
- Installing microsoft/tolerant-php-parser (v0.1.2): Extracting archive
- Installing webmozart/assert (1.11.0): Extracting archive
- Installing phpstan/phpdoc-parser (1.33.0): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (1.1.3): Extracting archive
- Installing phpdocumentor/type-resolver (1.8.2): Extracting archive
- Installing phpdocumentor/reflection-docblock (5.4.1): Extracting archive
- Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
- Installing psr/log (2.0.0): Extracting archive
- Installing composer/xdebug-handler (2.0.5): Extracting archive
- Installing phan/phan (5.2.0): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (3.3.2): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.11.1): Extracting archive
- Installing mediawiki/minus-x (1.1.1): Extracting archive
- Installing php-parallel-lint/php-console-color (v0.3): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v0.5): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.3.1): Extracting archive
0/36 [>---------------------------] 0%
22/36 [=================>----------] 61%
35/36 [===========================>] 97%
36/36 [============================] 100%
3 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
15 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"@babel/traverse": {
"name": "@babel/traverse",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096886,
"name": "@babel/traverse",
"dependency": "@babel/traverse",
"title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
"url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
"severity": "critical",
"cwe": [
"CWE-184",
"CWE-697"
],
"cvss": {
"score": 9.4,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
"range": "<7.23.2"
}
],
"effects": [],
"range": "<7.23.2",
"nodes": [
"node_modules/@babel/traverse"
],
"fixAvailable": true
},
"@storybook/builder-webpack4": {
"name": "@storybook/builder-webpack4",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/core-common",
"@storybook/ui",
"autoprefixer",
"css-loader",
"fork-ts-checker-webpack-plugin",
"postcss",
"postcss-flexbugs-fixes",
"react-dev-utils",
"webpack",
"webpack-dev-middleware"
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/@storybook/builder-webpack4"
],
"fixAvailable": true
},
"@storybook/core": {
"name": "@storybook/core",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/core-client",
"@storybook/core-server"
],
"effects": [
"@storybook/html"
],
"range": "6.2.0-alpha.0 - 6.4.0-rc.11",
"nodes": [
"node_modules/@storybook/core"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/core-client": {
"name": "@storybook/core-client",
"severity": "moderate",
"isDirect": false,
"via": [
"@storybook/ui"
],
"effects": [
"@storybook/core",
"@storybook/core-server"
],
"range": "<=6.4.0-rc.11",
"nodes": [
"node_modules/@storybook/core-client"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/core-common": {
"name": "@storybook/core-common",
"severity": "moderate",
"isDirect": false,
"via": [
"webpack"
],
"effects": [
"@storybook/html"
],
"range": "<=6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/core-common"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/core-server": {
"name": "@storybook/core-server",
"severity": "high",
"isDirect": false,
"via": [
"@storybook/builder-webpack4",
"@storybook/core-client",
"@storybook/core-common",
"@storybook/ui",
"cpy",
"css-loader",
"webpack",
"webpack-dev-middleware"
],
"effects": [
"@storybook/core"
],
"range": "<=7.0.0-rc.11",
"nodes": [
"node_modules/@storybook/core-server"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/html": {
"name": "@storybook/html",
"severity": "high",
"isDirect": true,
"via": [
"@storybook/core",
"@storybook/core-common"
],
"effects": [],
"range": "6.2.0-alpha.0 - 6.5.17-alpha.0",
"nodes": [
"node_modules/@storybook/html"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@storybook/ui": {
"name": "@storybook/ui",
"severity": "moderate",
"isDirect": false,
"via": [
"markdown-to-jsx"
],
"effects": [
"@storybook/builder-webpack4",
"@storybook/core-client"
],
"range": "4.2.0-alpha.1 - 6.4.0-rc.11",
"nodes": [
"node_modules/@storybook/ui"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"@wikimedia/mw-node-qunit": {
"name": "@wikimedia/mw-node-qunit",
"severity": "moderate",
"isDirect": true,
"via": [
"jsdom",
"qunit"
],
"effects": [],
"range": "<=6.2.1",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"ansi-regex": {
"name": "ansi-regex",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094091,
"name": "ansi-regex",
"dependency": "ansi-regex",
"title": "Inefficient Regular Expression Complexity in chalk/ansi-regex",
"url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw",
"severity": "high",
"cwe": [
"CWE-697",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=4.0.0 <4.1.1"
}
],
"effects": [],
"range": "4.0.0 - 4.1.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/ansi-regex",
"node_modules/webpack-cli/node_modules/ansi-regex"
],
"fixAvailable": true
},
"anymatch": {
"name": "anymatch",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar",
"sane"
],
"range": "1.2.0 - 2.0.0",
"nodes": [
"node_modules/sane/node_modules/anymatch",
"node_modules/watchpack-chokidar2/node_modules/anymatch"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"autoprefixer": {
"name": "autoprefixer",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "1.0.20131222 - 9.8.8",
"nodes": [
"node_modules/autoprefixer"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"axios": {
"name": "axios",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097679,
"name": "axios",
"dependency": "axios",
"title": "Axios Cross-Site Request Forgery Vulnerability",
"url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
"severity": "moderate",
"cwe": [
"CWE-352"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"range": ">=0.8.1 <0.28.0"
}
],
"effects": [
"bundlesize",
"github-build"
],
"range": "0.8.1 - 0.27.2",
"nodes": [
"node_modules/axios",
"node_modules/github-build/node_modules/axios"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"body-parser": {
"name": "body-parser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1099520,
"name": "body-parser",
"dependency": "body-parser",
"title": "body-parser vulnerable to denial of service when url encoding is enabled",
"url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7",
"severity": "high",
"cwe": [
"CWE-405"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<1.20.3"
},
"qs"
],
"effects": [
"express"
],
"range": "<=1.20.2",
"nodes": [
"node_modules/body-parser"
],
"fixAvailable": true
},
"braces": {
"name": "braces",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098094,
"name": "braces",
"dependency": "braces",
"title": "Uncontrolled resource consumption in braces",
"url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1050"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.3"
}
],
"effects": [
"chokidar",
"micromatch"
],
"range": "<3.0.3",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/braces",
"node_modules/braces",
"node_modules/fast-glob/node_modules/braces",
"node_modules/findup-sync/node_modules/braces",
"node_modules/react-dev-utils/node_modules/micromatch/node_modules/braces",
"node_modules/sane/node_modules/braces",
"node_modules/watchpack-chokidar2/node_modules/braces",
"node_modules/webpack-cli/node_modules/braces",
"node_modules/webpack/node_modules/braces"
],
"fixAvailable": {
"name": "webpack",
"version": "5.95.0",
"isSemVerMajor": true
}
},
"browserify-sign": {
"name": "browserify-sign",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096644,
"name": "browserify-sign",
"dependency": "browserify-sign",
"title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack",
"url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw",
"severity": "high",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
"range": ">=2.6.0 <=4.2.1"
}
],
"effects": [],
"range": "2.6.0 - 4.2.1",
"nodes": [
"node_modules/browserify-sign"
],
"fixAvailable": true
},
"browserslist": {
"name": "browserslist",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1093035,
"name": "browserslist",
"dependency": "browserslist",
"title": "Regular Expression Denial of Service in browserslist",
"url": "https://github.com/advisories/GHSA-w8qv-6jwh-64r5",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": ">=4.0.0 <4.16.5"
}
],
"effects": [
"react-dev-utils"
],
"range": "4.0.0 - 4.16.4",
"nodes": [
"node_modules/react-dev-utils/node_modules/browserslist"
],
"fixAvailable": true
},
"bundlesize": {
"name": "bundlesize",
"severity": "moderate",
"isDirect": true,
"via": [
"axios"
],
"effects": [],
"range": "0.3.0 - 0.18.1 || >=1.0.0-beta.1",
"nodes": [
"node_modules/bundlesize"
],
"fixAvailable": {
"name": "bundlesize",
"version": "0.18.2",
"isSemVerMajor": false
}
},
"chokidar": {
"name": "chokidar",
"severity": "high",
"isDirect": false,
"via": [
"anymatch",
"braces",
"readdirp"
],
"effects": [
"watchpack-chokidar2"
],
"range": "1.3.0 - 2.1.8",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/chokidar"
],
"fixAvailable": true
},
"cookie": {
"name": "cookie",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1099846,
"name": "cookie",
"dependency": "cookie",
"title": "cookie accepts cookie name, path, and domain with out of bounds characters",
"url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
"severity": "low",
"cwe": [
"CWE-74"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.7.0"
}
],
"effects": [
"express"
],
"range": "<0.7.0",
"nodes": [
"node_modules/cookie"
],
"fixAvailable": true
},
"core-js-compat": {
"name": "core-js-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [],
"range": "3.6.0 - 3.25.0",
"nodes": [
"node_modules/core-js-compat"
],
"fixAvailable": true
},
"cpy": {
"name": "cpy",
"severity": "moderate",
"isDirect": false,
"via": [
"globby"
],
"effects": [
"@storybook/core-server"
],
"range": "7.0.0 - 8.1.2",
"nodes": [
"node_modules/cpy"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"css-loader": {
"name": "css-loader",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values"
],
"effects": [],
"range": "0.15.0 - 4.3.0",
"nodes": [
"node_modules/css-loader"
],
"fixAvailable": true
},
"decode-uri-component": {
"name": "decode-uri-component",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1094087,
"name": "decode-uri-component",
"dependency": "decode-uri-component",
"title": "decode-uri-component vulnerable to Denial of Service (DoS)",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"severity": "high",
"cwe": [
"CWE-20"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.2.1"
}
],
"effects": [],
"range": "<0.2.1",
"nodes": [
"node_modules/decode-uri-component"
],
"fixAvailable": true
},
"elliptic": {
"name": "elliptic",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1098593,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's EDDSA missing signature length check",
"url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=4.0.0 <=6.5.6"
},
{
"source": 1098594,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero",
"url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw",
"severity": "low",
"cwe": [
"CWE-130"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=2.0.0 <=6.5.6"
},
{
"source": 1098595,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic allows BER-encoded signatures",
"url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"range": ">=5.2.1 <=6.5.6"
},
{
"source": 1100075,
"name": "elliptic",
"dependency": "elliptic",
"title": "Elliptic's verify function omits uniqueness validation",
"url": "https://github.com/advisories/GHSA-434g-2637-qmqr",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<6.5.6"
},
{
"source": 1100186,
"name": "elliptic",
"dependency": "elliptic",
"title": "Valid ECDSA signatures erroneously rejected in Elliptic",
"url": "https://github.com/advisories/GHSA-fc9h-whq2-v747",
"severity": "low",
"cwe": [
"CWE-347"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<=6.5.7"
}
],
"effects": [],
"range": "<=6.5.7",
"nodes": [
"node_modules/elliptic"
],
"fixAvailable": true
},
"eslint-config-wikimedia": {
"name": "eslint-config-wikimedia",
"severity": "high",
"isDirect": true,
"via": [
"eslint-plugin-compat"
],
"effects": [],
"range": "0.18.0 - 0.21.0",
"nodes": [
"node_modules/eslint-config-wikimedia"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.28.2",
"isSemVerMajor": true
}
},
"eslint-plugin-compat": {
"name": "eslint-plugin-compat",
"severity": "high",
"isDirect": false,
"via": [
"semver"
],
"effects": [
"eslint-config-wikimedia"
],
"range": "3.6.0-0 - 4.1.4",
"nodes": [
"node_modules/eslint-plugin-compat"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.28.2",
"isSemVerMajor": true
}
},
"express": {
"name": "express",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096820,
"name": "express",
"dependency": "express",
"title": "Express.js Open Redirect in malformed URLs",
"url": "https://github.com/advisories/GHSA-rv95-896h-c2vc",
"severity": "moderate",
"cwe": [
"CWE-601",
"CWE-1286"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<4.19.2"
},
{
"source": 1099529,
"name": "express",
"dependency": "express",
"title": "express vulnerable to XSS via response.redirect()",
"url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<4.20.0"
},
"body-parser",
"cookie",
"path-to-regexp",
"qs",
"send",
"serve-static"
],
"effects": [],
"range": "<=4.21.0 || 5.0.0-alpha.1 - 5.0.0",
"nodes": [
"node_modules/express"
],
"fixAvailable": true
},
"fast-glob": {
"name": "fast-glob",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"globby"
],
"range": "<=2.2.7",
"nodes": [
"node_modules/fast-glob"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"findup-sync": {
"name": "findup-sync",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"qunit",
"webpack-cli"
],
"range": "0.4.0 - 3.0.0",
"nodes": [
"node_modules/findup-sync",
"node_modules/webpack-cli/node_modules/findup-sync"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"follow-redirects": {
"name": "follow-redirects",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1092623,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects",
"url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c",
"severity": "moderate",
"cwe": [
"CWE-200",
"CWE-212"
],
"cvss": {
"score": 5.9,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<1.14.8"
},
{
"source": 1095014,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Exposure of sensitive information in follow-redirects",
"url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q",
"severity": "high",
"cwe": [
"CWE-359"
],
"cvss": {
"score": 8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
},
"range": "<1.14.7"
},
{
"source": 1096353,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "Follow Redirects improperly handles URLs in the url.parse() function",
"url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc",
"severity": "moderate",
"cwe": [
"CWE-20",
"CWE-601"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<1.15.4"
},
{
"source": 1096856,
"name": "follow-redirects",
"dependency": "follow-redirects",
"title": "follow-redirects' Proxy-Authorization header kept across hosts",
"url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=1.15.5"
}
],
"effects": [],
"range": "<=1.15.5",
"nodes": [
"node_modules/follow-redirects"
],
"fixAvailable": true
},
"fork-ts-checker-webpack-plugin": {
"name": "fork-ts-checker-webpack-plugin",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"react-dev-utils"
],
"range": "0.4.14 - 4.1.6",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/fork-ts-checker-webpack-plugin",
"node_modules/react-dev-utils/node_modules/fork-ts-checker-webpack-plugin"
],
"fixAvailable": true
},
"github-build": {
"name": "github-build",
"severity": "moderate",
"isDirect": false,
"via": [
"axios"
],
"effects": [],
"range": "<=1.2.3",
"nodes": [
"node_modules/github-build"
],
"fixAvailable": true
},
"globby": {
"name": "globby",
"severity": "moderate",
"isDirect": false,
"via": [
"fast-glob"
],
"effects": [
"cpy"
],
"range": "8.0.0 - 9.2.0",
"nodes": [
"node_modules/globby"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"icss-utils": {
"name": "icss-utils",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"css-loader",
"postcss-modules-local-by-default",
"postcss-modules-values"
],
"range": "<=4.1.1",
"nodes": [
"node_modules/icss-utils"
],
"fixAvailable": true
},
"immer": {
"name": "immer",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097196,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-c36v-fmgq-m8hx",
"severity": "high",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <9.0.6"
},
{
"source": 1097209,
"name": "immer",
"dependency": "immer",
"title": "Prototype Pollution in immer",
"url": "https://github.com/advisories/GHSA-33f9-j839-rf8h",
"severity": "critical",
"cwe": [
"CWE-843",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=7.0.0 <9.0.6"
}
],
"effects": [],
"range": "7.0.0 - 9.0.5",
"nodes": [
"node_modules/immer"
],
"fixAvailable": true
},
"ip": {
"name": "ip",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1097720,
"name": "ip",
"dependency": "ip",
"title": "NPM IP package incorrectly identifies some private IP addresses as public",
"url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22",
"severity": "low",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<1.1.9"
},
{
"source": 1099357,
"name": "ip",
"dependency": "ip",
"title": "ip SSRF improper categorization in isPublic",
"url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp",
"severity": "high",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 8.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=2.0.1"
}
],
"effects": [],
"range": "*",
"nodes": [
"node_modules/ip"
],
"fixAvailable": true
},
"jsdoc": {
"name": "jsdoc",
"severity": "high",
"isDirect": true,
"via": [
"markdown-it",
"marked",
"taffydb"
],
"effects": [],
"range": "3.2.0-dev - 3.6.11",
"nodes": [
"node_modules/jsdoc"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"jsdom": {
"name": "jsdom",
"severity": "moderate",
"isDirect": true,
"via": [
"request",
"tough-cookie"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "0.1.20 || 0.2.0 - 16.5.3",
"nodes": [
"node_modules/jsdom"
],
"fixAvailable": {
"name": "jsdom",
"version": "25.0.1",
"isSemVerMajor": true
}
},
"json-schema": {
"name": "json-schema",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1095057,
"name": "json-schema",
"dependency": "json-schema",
"title": "json-schema is vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-896r-f27r-55mw",
"severity": "critical",
"cwe": [
"CWE-915",
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<0.4.0"
}
],
"effects": [
"jsprim"
],
"range": "<0.4.0",
"nodes": [
"node_modules/json-schema"
],
"fixAvailable": true
},
"json5": {
"name": "json5",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096543,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": "<1.0.2"
},
{
"source": 1096544,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": ">=2.0.0 <2.2.2"
}
],
"effects": [],
"range": "<1.0.2 || >=2.0.0 <2.2.2",
"nodes": [
"node_modules/json5",
"node_modules/loader-utils/node_modules/json5",
"node_modules/webpack-cli/node_modules/json5"
],
"fixAvailable": true
},
"jsprim": {
"name": "jsprim",
"severity": "critical",
"isDirect": false,
"via": [
"json-schema"
],
"effects": [],
"range": "0.3.0 - 1.4.1 || 2.0.0 - 2.0.1",
"nodes": [
"node_modules/jsprim"
],
"fixAvailable": true
},
"less": {
"name": "less",
"severity": "moderate",
"isDirect": true,
"via": [
"request"
],
"effects": [],
"range": "1.4.0-b1 - 2.6.1 || 2.7.2 - 3.11.3",
"nodes": [
"node_modules/less"
],
"fixAvailable": {
"name": "less",
"version": "3.13.1",
"isSemVerMajor": false
}
},
"loader-utils": {
"name": "loader-utils",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1094088,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<1.4.1"
},
{
"source": 1094089,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "Prototype pollution in webpack loader-utils",
"url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=2.0.0 <2.0.3"
},
{
"source": 1095054,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1095055,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable",
"url": "https://github.com/advisories/GHSA-3rfm-jhwj-7488",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
},
{
"source": 1097142,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=2.0.0 <2.0.4"
},
{
"source": 1097143,
"name": "loader-utils",
"dependency": "loader-utils",
"title": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=1.0.0 <1.4.2"
}
],
"effects": [
"react-dev-utils",
"webpack-cli"
],
"range": "<=1.4.1 || 2.0.0 - 2.0.3",
"nodes": [
"node_modules/file-loader/node_modules/loader-utils",
"node_modules/html-loader/node_modules/loader-utils",
"node_modules/loader-utils",
"node_modules/postcss-loader/node_modules/loader-utils",
"node_modules/raw-loader/node_modules/loader-utils",
"node_modules/react-dev-utils/node_modules/loader-utils",
"node_modules/style-loader/node_modules/loader-utils",
"node_modules/url-loader/node_modules/loader-utils",
"node_modules/webpack-cli/node_modules/loader-utils"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"markdown-it": {
"name": "markdown-it",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1092663,
"name": "markdown-it",
"dependency": "markdown-it",
"title": "Uncontrolled Resource Consumption in markdown-it",
"url": "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c",
"severity": "moderate",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<12.3.2"
}
],
"effects": [
"jsdoc"
],
"range": "<12.3.2",
"nodes": [
"node_modules/markdown-it"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"markdown-to-jsx": {
"name": "markdown-to-jsx",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1100074,
"name": "markdown-to-jsx",
"dependency": "markdown-to-jsx",
"title": "Cross site scripting in markdown-to-jsx",
"url": "https://github.com/advisories/GHSA-4wx3-54gh-9fr9",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<7.4.0"
}
],
"effects": [
"@storybook/ui"
],
"range": "<7.4.0",
"nodes": [
"node_modules/@storybook/ui/node_modules/markdown-to-jsx",
"node_modules/markdown-to-jsx"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"marked": {
"name": "marked",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095051,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
},
{
"source": 1095052,
"name": "marked",
"dependency": "marked",
"title": "Inefficient Regular Expression Complexity in marked",
"url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.0.10"
}
],
"effects": [
"jsdoc"
],
"range": "<=4.0.9",
"nodes": [
"node_modules/marked"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"micromatch": {
"name": "micromatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098681,
"name": "micromatch",
"dependency": "micromatch",
"title": "Regular Expression Denial of Service (ReDoS) in micromatch",
"url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<4.0.8"
},
"braces"
],
"effects": [
"anymatch",
"fast-glob",
"findup-sync",
"fork-ts-checker-webpack-plugin",
"readdirp",
"sane",
"webpack"
],
"range": "<=4.0.7",
"nodes": [
"node_modules/@storybook/builder-webpack4/node_modules/micromatch",
"node_modules/fast-glob/node_modules/micromatch",
"node_modules/findup-sync/node_modules/micromatch",
"node_modules/micromatch",
"node_modules/react-dev-utils/node_modules/fast-glob/node_modules/micromatch",
"node_modules/react-dev-utils/node_modules/micromatch",
"node_modules/sane/node_modules/micromatch",
"node_modules/watchpack-chokidar2/node_modules/micromatch",
"node_modules/webpack-cli/node_modules/micromatch",
"node_modules/webpack/node_modules/micromatch"
],
"fixAvailable": {
"name": "webpack",
"version": "5.95.0",
"isSemVerMajor": true
}
},
"minimatch": {
"name": "minimatch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096485,
"name": "minimatch",
"dependency": "minimatch",
"title": "minimatch ReDoS vulnerability",
"url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3",
"severity": "high",
"cwe": [
"CWE-400",
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<3.0.5"
}
],
"effects": [
"recursive-readdir"
],
"range": "<3.0.5",
"nodes": [
"node_modules/minimatch"
],
"fixAvailable": true
},
"minimist": {
"name": "minimist",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1097678,
"name": "minimist",
"dependency": "minimist",
"title": "Prototype Pollution in minimist",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"severity": "critical",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.0.0 <1.2.6"
}
],
"effects": [],
"range": "1.0.0 - 1.2.5",
"nodes": [
"node_modules/minimist"
],
"fixAvailable": true
},
"nanoid": {
"name": "nanoid",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1089011,
"name": "nanoid",
"dependency": "nanoid",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid",
"url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2",
"severity": "moderate",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 5.5,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.31"
}
],
"effects": [],
"range": "3.0.0 - 3.1.30",
"nodes": [
"node_modules/doiuse/node_modules/nanoid",
"node_modules/stylelint-no-unsupported-browser-features/node_modules/nanoid"
],
"fixAvailable": true
},
"node-fetch": {
"name": "node-fetch",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1095073,
"name": "node-fetch",
"dependency": "node-fetch",
"title": "node-fetch forwards secure headers to untrusted sites",
"url": "https://github.com/advisories/GHSA-r683-j2x4-v87g",
"severity": "high",
"cwe": [
"CWE-173",
"CWE-200",
"CWE-601"
],
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<2.6.7"
}
],
"effects": [],
"range": "<2.6.7",
"nodes": [
"node_modules/node-fetch"
],
"fixAvailable": true
},
"path-to-regexp": {
"name": "path-to-regexp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1099561,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=0.2.0 <1.9.0"
},
{
"source": 1099562,
"name": "path-to-regexp",
"dependency": "path-to-regexp",
"title": "path-to-regexp outputs backtracking regular expressions",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<0.1.10"
}
],
"effects": [
"express"
],
"range": "<=0.1.9 || 0.2.0 - 1.8.0",
"nodes": [
"node_modules/nise/node_modules/path-to-regexp",
"node_modules/path-to-regexp"
],
"fixAvailable": true
},
"postcss": {
"name": "postcss",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1094544,
"name": "postcss",
"dependency": "postcss",
"title": "PostCSS line return parsing error",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"severity": "moderate",
"cwe": [
"CWE-74",
"CWE-144"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"range": "<8.4.31"
}
],
"effects": [
"@storybook/builder-webpack4",
"autoprefixer",
"css-loader",
"icss-utils",
"postcss-flexbugs-fixes",
"postcss-less",
"postcss-modules-extract-imports",
"postcss-modules-local-by-default",
"postcss-modules-scope",
"postcss-modules-values",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"stylelint",
"sugarss"
],
"range": "<8.4.31",
"nodes": [
"node_modules/doiuse/node_modules/postcss",
"node_modules/postcss",
"node_modules/stylelint-no-unsupported-browser-features/node_modules/postcss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"postcss-flexbugs-fixes": {
"name": "postcss-flexbugs-fixes",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=4.2.1",
"nodes": [
"node_modules/postcss-flexbugs-fixes"
],
"fixAvailable": true
},
"postcss-less": {
"name": "postcss-less",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=3.1.4",
"nodes": [
"node_modules/postcss-less"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"postcss-modules-extract-imports": {
"name": "postcss-modules-extract-imports",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/postcss-modules-extract-imports"
],
"fixAvailable": true
},
"postcss-modules-local-by-default": {
"name": "postcss-modules-local-by-default",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [],
"range": "<=4.0.0-rc.4",
"nodes": [
"node_modules/postcss-modules-local-by-default"
],
"fixAvailable": true
},
"postcss-modules-scope": {
"name": "postcss-modules-scope",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.2.0",
"nodes": [
"node_modules/postcss-modules-scope"
],
"fixAvailable": true
},
"postcss-modules-values": {
"name": "postcss-modules-values",
"severity": "moderate",
"isDirect": false,
"via": [
"icss-utils",
"postcss"
],
"effects": [
"css-loader"
],
"range": "<=4.0.0-rc.5",
"nodes": [
"node_modules/postcss-modules-values"
],
"fixAvailable": true
},
"postcss-safe-parser": {
"name": "postcss-safe-parser",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=4.0.2",
"nodes": [
"node_modules/postcss-safe-parser"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"postcss-sass": {
"name": "postcss-sass",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=0.4.4",
"nodes": [
"node_modules/postcss-sass"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"postcss-scss": {
"name": "postcss-scss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [
"stylelint"
],
"range": "<=2.1.1",
"nodes": [
"node_modules/postcss-scss"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"prismjs": {
"name": "prismjs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090424,
"name": "prismjs",
"dependency": "prismjs",
"title": "Cross-site Scripting in Prism",
"url": "https://github.com/advisories/GHSA-3949-f494-cm99",
"severity": "high",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"
},
"range": ">=1.14.0 <1.27.0"
}
],
"effects": [
"refractor"
],
"range": "1.14.0 - 1.26.0",
"nodes": [
"node_modules/prismjs"
],
"fixAvailable": true
},
"qs": {
"name": "qs",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096470,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.5.0 <6.5.3"
},
{
"source": 1096472,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.7.0 <6.7.3"
},
{
"source": 1096475,
"name": "qs",
"dependency": "qs",
"title": "qs vulnerable to Prototype Pollution",
"url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.10.0 <6.10.3"
}
],
"effects": [
"body-parser",
"express"
],
"range": "6.5.0 - 6.5.2 || 6.7.0 - 6.7.2 || 6.10.0 - 6.10.2",
"nodes": [
"node_modules/body-parser/node_modules/qs",
"node_modules/express/node_modules/qs",
"node_modules/qs",
"node_modules/request/node_modules/qs"
],
"fixAvailable": true
},
"qunit": {
"name": "qunit",
"severity": "moderate",
"isDirect": false,
"via": [
"findup-sync",
"sane"
],
"effects": [
"@wikimedia/mw-node-qunit"
],
"range": "2.4.1 - 2.8.0",
"nodes": [
"node_modules/@wikimedia/mw-node-qunit/node_modules/qunit"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"react-dev-utils": {
"name": "react-dev-utils",
"severity": "critical",
"isDirect": false,
"via": [
"browserslist",
"fork-ts-checker-webpack-plugin",
"immer",
"loader-utils",
"recursive-readdir",
"shell-quote"
],
"effects": [
"@storybook/builder-webpack4"
],
"range": "0.5.2 - 12.0.0-next.60",
"nodes": [
"node_modules/react-dev-utils"
],
"fixAvailable": true
},
"readdirp": {
"name": "readdirp",
"severity": "moderate",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar"
],
"range": "2.2.0 - 2.2.1",
"nodes": [
"node_modules/watchpack-chokidar2/node_modules/readdirp"
],
"fixAvailable": true
},
"recursive-readdir": {
"name": "recursive-readdir",
"severity": "high",
"isDirect": false,
"via": [
"minimatch"
],
"effects": [
"react-dev-utils"
],
"range": "1.2.0 - 2.2.2",
"nodes": [
"node_modules/recursive-readdir"
],
"fixAvailable": true
},
"refractor": {
"name": "refractor",
"severity": "high",
"isDirect": false,
"via": [
"prismjs"
],
"effects": [],
"range": "2.4.0 - 3.5.0 || 4.0.0 - 4.4.0",
"nodes": [
"node_modules/refractor"
],
"fixAvailable": true
},
"request": {
"name": "request",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1096727,
"name": "request",
"dependency": "request",
"title": "Server-Side Request Forgery in Request",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6",
"severity": "moderate",
"cwe": [
"CWE-918"
],
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"range": "<=2.88.2"
},
"tough-cookie"
],
"effects": [
"jsdom",
"less"
],
"range": "*",
"nodes": [
"node_modules/request"
],
"fixAvailable": {
"name": "jsdom",
"version": "25.0.1",
"isSemVerMajor": true
}
},
"request-promise-native": {
"name": "request-promise-native",
"severity": "moderate",
"isDirect": false,
"via": [
"tough-cookie"
],
"effects": [],
"range": ">=1.0.6",
"nodes": [
"node_modules/request-promise-native"
],
"fixAvailable": true
},
"sane": {
"name": "sane",
"severity": "moderate",
"isDirect": false,
"via": [
"anymatch",
"micromatch"
],
"effects": [
"qunit"
],
"range": "1.5.0 - 4.1.0",
"nodes": [
"node_modules/sane"
],
"fixAvailable": {
"name": "@wikimedia/mw-node-qunit",
"version": "6.4.2",
"isSemVerMajor": false
}
},
"semver": {
"name": "semver",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098562,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=7.0.0 <7.5.2"
},
{
"source": 1098563,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<5.7.2"
},
{
"source": 1098564,
"name": "semver",
"dependency": "semver",
"title": "semver vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.3.1"
}
],
"effects": [
"core-js-compat",
"eslint-plugin-compat"
],
"range": "<=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1",
"nodes": [
"node_modules/@babel/helper-compilation-targets/node_modules/semver",
"node_modules/@npmcli/fs/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/core/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/helper-define-polyfill-provider/node_modules/semver",
"node_modules/@storybook/builder-webpack4/node_modules/@babel/preset-env/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/@babel/register/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/find-cache-dir/node_modules/semver",
"node_modules/@storybook/core-common/node_modules/semver",
"node_modules/@storybook/core-server/node_modules/semver",
"node_modules/@stylelint/postcss-css-in-js/node_modules/semver",
"node_modules/@wikimedia/mw-node-qunit/node_modules/semver",
"node_modules/babel-plugin-polyfill-corejs2/node_modules/semver",
"node_modules/babel-plugin-polyfill-corejs3/node_modules/semver",
"node_modules/babel-plugin-polyfill-regenerator/node_modules/semver",
"node_modules/core-js-compat/node_modules/semver",
"node_modules/css-loader/node_modules/semver",
"node_modules/eslint-plugin-compat/node_modules/semver",
"node_modules/eslint-plugin-jsdoc/node_modules/semver",
"node_modules/eslint-plugin-mediawiki/node_modules/semver",
"node_modules/eslint-plugin-node/node_modules/semver",
"node_modules/eslint-plugin-unicorn/node_modules/semver",
"node_modules/eslint-plugin-vue/node_modules/semver",
"node_modules/eslint-template-visitor/node_modules/semver",
"node_modules/eslint/node_modules/semver",
"node_modules/fork-ts-checker-webpack-plugin/node_modules/semver",
"node_modules/istanbul-lib-instrument/node_modules/semver",
"node_modules/make-dir/node_modules/semver",
"node_modules/meow/node_modules/semver",
"node_modules/nyc/node_modules/semver",
"node_modules/postcss-loader/node_modules/semver",
"node_modules/semver",
"node_modules/vue-eslint-parser/node_modules/semver"
],
"fixAvailable": {
"name": "eslint-config-wikimedia",
"version": "0.28.2",
"isSemVerMajor": true
}
},
"send": {
"name": "send",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1099525,
"name": "send",
"dependency": "send",
"title": "send vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<0.19.0"
}
],
"effects": [
"express",
"serve-static"
],
"range": "<0.19.0",
"nodes": [
"node_modules/send"
],
"fixAvailable": true
},
"serve-static": {
"name": "serve-static",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1099527,
"name": "serve-static",
"dependency": "serve-static",
"title": "serve-static vulnerable to template injection that can lead to XSS",
"url": "https://github.com/advisories/GHSA-cm22-4g7w-348p",
"severity": "moderate",
"cwe": [
"CWE-79"
],
"cvss": {
"score": 5,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
},
"range": "<1.16.0"
},
"send"
],
"effects": [],
"range": "<=1.16.0",
"nodes": [
"node_modules/serve-static"
],
"fixAvailable": true
},
"shell-quote": {
"name": "shell-quote",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1096375,
"name": "shell-quote",
"dependency": "shell-quote",
"title": "Improper Neutralization of Special Elements used in a Command in Shell-quote",
"url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7",
"severity": "critical",
"cwe": [
"CWE-77"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": "<=1.7.2"
}
],
"effects": [
"react-dev-utils"
],
"range": "<=1.7.2",
"nodes": [
"node_modules/shell-quote"
],
"fixAvailable": true
},
"simple-get": {
"name": "simple-get",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1090445,
"name": "simple-get",
"dependency": "simple-get",
"title": "Exposure of Sensitive Information in simple-get",
"url": "https://github.com/advisories/GHSA-wpg7-2c88-r8xv",
"severity": "high",
"cwe": [
"CWE-200"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": ">=3.0.0 <3.1.1"
}
],
"effects": [],
"range": "3.0.0 - 3.1.0",
"nodes": [
"node_modules/simple-get"
],
"fixAvailable": true
},
"stylelint": {
"name": "stylelint",
"severity": "moderate",
"isDirect": false,
"via": [
"autoprefixer",
"postcss",
"postcss-less",
"postcss-safe-parser",
"postcss-sass",
"postcss-scss",
"sugarss"
],
"effects": [
"stylelint-config-wikimedia"
],
"range": "0.1.0 - 13.13.1",
"nodes": [
"node_modules/stylelint"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"stylelint-config-wikimedia": {
"name": "stylelint-config-wikimedia",
"severity": "moderate",
"isDirect": true,
"via": [
"stylelint"
],
"effects": [],
"range": "<=0.11.1",
"nodes": [
"node_modules/stylelint-config-wikimedia"
],
"fixAvailable": {
"name": "stylelint-config-wikimedia",
"version": "0.17.2",
"isSemVerMajor": true
}
},
"sugarss": {
"name": "sugarss",
"severity": "moderate",
"isDirect": false,
"via": [
"postcss"
],
"effects": [],
"range": "<=2.0.0",
"nodes": [
"node_modules/sugarss"
],
"fixAvailable": true
},
"taffydb": {
"name": "taffydb",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1089386,
"name": "taffydb",
"dependency": "taffydb",
"title": "TaffyDB can allow access to any data items in the DB",
"url": "https://github.com/advisories/GHSA-mxhp-79qh-mcx6",
"severity": "high",
"cwe": [
"CWE-20",
"CWE-668"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
"range": "<=2.7.3"
}
],
"effects": [
"jsdoc"
],
"range": "*",
"nodes": [
"node_modules/taffydb"
],
"fixAvailable": {
"name": "jsdoc",
"version": "3.6.11",
"isSemVerMajor": false
}
},
"tar": {
"name": "tar",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097493,
"name": "tar",
"dependency": "tar",
"title": "Denial of service while parsing a tar file due to lack of folders count validation",
"url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
"severity": "moderate",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"range": "<6.2.1"
}
],
"effects": [],
"range": "<6.2.1",
"nodes": [
"node_modules/tar"
],
"fixAvailable": true
},
"terser": {
"name": "terser",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091691,
"name": "terser",
"dependency": "terser",
"title": "Terser insecure use of regular expressions leads to ReDoS",
"url": "https://github.com/advisories/GHSA-4wf5-vphf-c2xc",
"severity": "high",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": "<4.8.1"
}
],
"effects": [],
"range": "<4.8.1",
"nodes": [
"node_modules/terser"
],
"fixAvailable": true
},
"tough-cookie": {
"name": "tough-cookie",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097682,
"name": "tough-cookie",
"dependency": "tough-cookie",
"title": "tough-cookie Prototype Pollution vulnerability",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"severity": "moderate",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"range": "<4.1.3"
}
],
"effects": [
"jsdom",
"request",
"request-promise-native"
],
"range": "<4.1.3",
"nodes": [
"node_modules/tough-cookie"
],
"fixAvailable": {
"name": "jsdom",
"version": "25.0.1",
"isSemVerMajor": true
}
},
"watchpack": {
"name": "watchpack",
"severity": "high",
"isDirect": false,
"via": [
"watchpack-chokidar2"
],
"effects": [],
"range": "1.7.2 - 1.7.5",
"nodes": [
"node_modules/watchpack"
],
"fixAvailable": true
},
"watchpack-chokidar2": {
"name": "watchpack-chokidar2",
"severity": "high",
"isDirect": false,
"via": [
"chokidar"
],
"effects": [
"watchpack"
],
"range": "*",
"nodes": [
"node_modules/watchpack-chokidar2"
],
"fixAvailable": true
},
"webpack": {
"name": "webpack",
"severity": "moderate",
"isDirect": true,
"via": [
"micromatch"
],
"effects": [
"@storybook/core-common",
"@storybook/core-server"
],
"range": "4.0.0-alpha.0 - 5.0.0-rc.6",
"nodes": [
"node_modules/webpack"
],
"fixAvailable": {
"name": "webpack",
"version": "5.95.0",
"isSemVerMajor": true
}
},
"webpack-cli": {
"name": "webpack-cli",
"severity": "high",
"isDirect": true,
"via": [
"findup-sync",
"loader-utils"
],
"effects": [],
"range": "3.2.0 - 3.3.12",
"nodes": [
"node_modules/webpack-cli"
],
"fixAvailable": {
"name": "webpack-cli",
"version": "3.3.12",
"isSemVerMajor": false
}
},
"webpack-dev-middleware": {
"name": "webpack-dev-middleware",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1096729,
"name": "webpack-dev-middleware",
"dependency": "webpack-dev-middleware",
"title": "Path traversal in webpack-dev-middleware",
"url": "https://github.com/advisories/GHSA-wr3j-pwj9-hqq6",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 7.4,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
},
"range": "<=5.3.3"
}
],
"effects": [
"@storybook/core-server"
],
"range": "<=5.3.3",
"nodes": [
"node_modules/webpack-dev-middleware"
],
"fixAvailable": {
"name": "@storybook/html",
"version": "8.3.6",
"isSemVerMajor": true
}
},
"word-wrap": {
"name": "word-wrap",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1097681,
"name": "word-wrap",
"dependency": "word-wrap",
"title": "word-wrap vulnerable to Regular Expression Denial of Service",
"url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
"severity": "moderate",
"cwe": [
"CWE-1333"
],
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"range": "<1.2.4"
}
],
"effects": [],
"range": "<1.2.4",
"nodes": [
"node_modules/word-wrap"
],
"fixAvailable": true
},
"ws": {
"name": "ws",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1098394,
"name": "ws",
"dependency": "ws",
"title": "ws affected by a DoS when handling a request with many HTTP headers",
"url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q",
"severity": "high",
"cwe": [
"CWE-476"
],
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"range": ">=6.0.0 <6.2.3"
}
],
"effects": [],
"range": "6.0.0 - 6.2.2",
"nodes": [
"node_modules/ws"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 46,
"high": 36,
"critical": 8,
"total": 92
},
"dependencies": {
"prod": 1,
"dev": 2059,
"optional": 31,
"peer": 0,
"peerOptional": 0,
"total": 2059
}
}
}
--- end ---
Attempting to npm audit fix
Traceback (most recent call last):
File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1864, in main
libup.run(args.repo, args.output, args.branch)
File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 1809, in run
self.npm_audit_fix(new_npm_audit)
File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/__init__.py", line 209, in npm_audit_fix
prior_lock = PackageLockJson()
^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/runner-0.1.0-py3.11.egg/runner/files.py", line 88, in __init__
raise RuntimeError("lockfileVersion 1 is no longer supported")
RuntimeError: lockfileVersion 1 is no longer supported