$ date
--- stdout ---
Mon Mar 20 05:47:26 UTC 2023
--- end ---
$ git clone file:///srv/git/mediawiki-extensions-WikibaseQualityConstraints.git repo --depth=1 -b REL1_35
--- stderr ---
Cloning into 'repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/REL1_35
--- stdout ---
f32ecad06bbe9dfe11f92e400e471db8f337c3b0 refs/heads/REL1_35
--- end ---
$ /usr/bin/npm audit --json --legacy-peer-deps
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"diff": {
"name": "diff",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1085700,
"name": "diff",
"dependency": "diff",
"title": "Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.5.0"
}
],
"effects": [
"unexpected"
],
"range": "<3.5.0",
"nodes": [
"node_modules/unexpected/node_modules/diff"
],
"fixAvailable": {
"name": "unexpected",
"version": "13.1.0",
"isSemVerMajor": true
}
},
"json5": {
"name": "json5",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1091148,
"name": "json5",
"dependency": "json5",
"title": "Prototype Pollution in JSON5 via Parse Method",
"url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
"severity": "high",
"cwe": [
"CWE-1321"
],
"cvss": {
"score": 7.1,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
},
"range": ">=2.0.0 <2.2.2"
}
],
"effects": [],
"range": "2.0.0 - 2.2.1",
"nodes": [
"node_modules/json5"
],
"fixAvailable": true
},
"nomnom": {
"name": "nomnom",
"severity": "critical",
"isDirect": false,
"via": [
"underscore"
],
"effects": [],
"range": ">=1.6.0",
"nodes": [
"node_modules/nomnom"
],
"fixAvailable": true
},
"underscore": {
"name": "underscore",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1089143,
"name": "underscore",
"dependency": "underscore",
"title": "Arbitrary Code Execution in underscore",
"url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
"severity": "critical",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.3.2 <1.12.1"
}
],
"effects": [
"nomnom"
],
"range": "1.3.2 - 1.12.0",
"nodes": [
"node_modules/underscore"
],
"fixAvailable": true
},
"unexpected": {
"name": "unexpected",
"severity": "high",
"isDirect": true,
"via": [
"diff"
],
"effects": [],
"range": "5.0.0-beta1 - 11.0.0",
"nodes": [
"node_modules/unexpected"
],
"fixAvailable": {
"name": "unexpected",
"version": "13.1.0",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 3,
"critical": 2,
"total": 5
},
"dependencies": {
"prod": 1,
"dev": 488,
"optional": 0,
"peer": 0,
"peerOptional": 0,
"total": 488
}
}
}
--- end ---
$ /usr/bin/composer install
--- stderr ---
No lock file found. Updating dependencies instead of installing from lock file. Use composer update over composer install if you do not have a lock file.
Loading composer repositories with package information
Info from https://repo.packagist.org: �[37;44m#StandWith�[30;43mUkraine�[0m
Updating dependencies
Lock file operations: 49 installs, 0 updates, 0 removals
- Locking composer/semver (1.5.0)
- Locking composer/spdx-licenses (1.5.2)
- Locking composer/xdebug-handler (1.4.6)
- Locking data-values/common (0.4.3)
- Locking data-values/data-values (2.3.0)
- Locking data-values/geo (4.4.0)
- Locking data-values/interfaces (0.2.5)
- Locking data-values/number (0.10.2)
- Locking data-values/serialization (1.2.5)
- Locking data-values/time (1.1.2)
- Locking diff/diff (3.3.1)
- Locking doctrine/deprecations (v1.0.0)
- Locking felixfbecker/advanced-json-rpc (v3.2.1)
- Locking mediawiki/mediawiki-codesniffer (v29.0.0)
- Locking mediawiki/mediawiki-phan-config (0.10.2)
- Locking mediawiki/minus-x (1.1.0)
- Locking mediawiki/phan-taint-check-plugin (3.0.2)
- Locking microsoft/tolerant-php-parser (v0.0.20)
- Locking netresearch/jsonmapper (v2.1.0)
- Locking phan/phan (2.6.1)
- Locking php-parallel-lint/php-console-color (v0.3)
- Locking php-parallel-lint/php-console-highlighter (v0.5)
- Locking php-parallel-lint/php-parallel-lint (v1.2.0)
- Locking phpdocumentor/reflection-common (2.2.0)
- Locking phpdocumentor/reflection-docblock (5.3.0)
- Locking phpdocumentor/type-resolver (1.7.0)
- Locking phpstan/phpdoc-parser (1.16.1)
- Locking psr/container (1.1.2)
- Locking psr/log (1.1.4)
- Locking sabre/event (5.1.4)
- Locking serialization/serialization (4.0.0)
- Locking squizlabs/php_codesniffer (3.5.3)
- Locking symfony/console (v5.4.21)
- Locking symfony/deprecation-contracts (v2.5.2)
- Locking symfony/polyfill-ctype (v1.27.0)
- Locking symfony/polyfill-intl-grapheme (v1.27.0)
- Locking symfony/polyfill-intl-normalizer (v1.27.0)
- Locking symfony/polyfill-mbstring (v1.27.0)
- Locking symfony/polyfill-php73 (v1.27.0)
- Locking symfony/polyfill-php80 (v1.27.0)
- Locking symfony/service-contracts (v2.5.2)
- Locking symfony/string (v5.4.21)
- Locking webmozart/assert (1.11.0)
- Locking wikibase/data-model (9.6.1)
- Locking wikibase/data-model-serialization (2.9.1)
- Locking wikibase/data-model-services (5.4.0)
- Locking wikibase/wikibase-codesniffer (1.1.0)
- Locking wikimedia/assert (v0.5.1)
- Locking wikimedia/purtle (v1.0.8)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 49 installs, 0 updates, 0 removals
0 [>---------------------------] 0 [->--------------------------] 0 [--->------------------------] - Installing composer/spdx-licenses (1.5.2): Extracting archive
- Installing symfony/polyfill-php80 (v1.27.0): Extracting archive
- Installing data-values/interfaces (0.2.5): Extracting archive
- Installing data-values/data-values (2.3.0): Extracting archive
- Installing data-values/geo (4.4.0): Extracting archive
- Installing data-values/common (0.4.3): Extracting archive
- Installing data-values/number (0.10.2): Extracting archive
- Installing data-values/time (1.1.2): Extracting archive
- Installing symfony/polyfill-mbstring (v1.27.0): Extracting archive
- Installing symfony/polyfill-intl-normalizer (v1.27.0): Extracting archive
- Installing symfony/polyfill-intl-grapheme (v1.27.0): Extracting archive
- Installing symfony/polyfill-ctype (v1.27.0): Extracting archive
- Installing symfony/string (v5.4.21): Extracting archive
- Installing symfony/deprecation-contracts (v2.5.2): Extracting archive
- Installing psr/container (1.1.2): Extracting archive
- Installing symfony/service-contracts (v2.5.2): Extracting archive
- Installing symfony/polyfill-php73 (v1.27.0): Extracting archive
- Installing symfony/console (v5.4.21): Extracting archive
- Installing sabre/event (5.1.4): Extracting archive
- Installing netresearch/jsonmapper (v2.1.0): Extracting archive
- Installing microsoft/tolerant-php-parser (v0.0.20): Extracting archive
- Installing webmozart/assert (1.11.0): Extracting archive
- Installing phpstan/phpdoc-parser (1.16.1): Extracting archive
- Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
- Installing doctrine/deprecations (v1.0.0): Extracting archive
- Installing phpdocumentor/type-resolver (1.7.0): Extracting archive
- Installing phpdocumentor/reflection-docblock (5.3.0): Extracting archive
- Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
- Installing psr/log (1.1.4): Extracting archive
- Installing composer/xdebug-handler (1.4.6): Extracting archive
- Installing composer/semver (1.5.0): Extracting archive
- Installing phan/phan (2.6.1): Extracting archive
- Installing mediawiki/phan-taint-check-plugin (3.0.2): Extracting archive
- Installing mediawiki/mediawiki-phan-config (0.10.2): Extracting archive
- Installing mediawiki/minus-x (1.1.0): Extracting archive
- Installing php-parallel-lint/php-console-color (v0.3): Extracting archive
- Installing php-parallel-lint/php-console-highlighter (v0.5): Extracting archive
- Installing php-parallel-lint/php-parallel-lint (v1.2.0): Extracting archive
- Installing squizlabs/php_codesniffer (3.5.3): Extracting archive
- Installing wikimedia/assert (v0.5.1): Extracting archive
- Installing wikibase/data-model (9.6.1): Extracting archive
- Installing serialization/serialization (4.0.0): Extracting archive
- Installing data-values/serialization (1.2.5): Extracting archive
- Installing wikibase/data-model-serialization (2.9.1): Extracting archive
- Installing diff/diff (3.3.1): Extracting archive
- Installing wikibase/data-model-services (5.4.0): Extracting archive
- Installing mediawiki/mediawiki-codesniffer (v29.0.0): Extracting archive
- Installing wikibase/wikibase-codesniffer (1.1.0): Extracting archive
- Installing wikimedia/purtle (v1.0.8): Extracting archive
0/39 [>---------------------------] 0%
10/39 [=======>--------------------] 25%
19/39 [=============>--------------] 48%
28/39 [====================>-------] 71%
38/39 [===========================>] 97%
39/39 [============================] 100%4 package suggestions were added by new dependencies, use `composer suggest` to see details.
Package wikibase/wikibase-codesniffer is abandoned, you should avoid using it. Use mediawiki/mediawiki-codesniffer instead.
Generating autoload files
12 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
--- end ---
$ /usr/bin/npm install
--- stderr ---
npm WARN deprecated @stylelint/postcss-markdown@0.36.2: Use the original unforked package instead: postcss-markdown
npm WARN deprecated grunt-jasmine-nodejs@1.6.1: Deprecated in favor of npm scripts.
npm WARN deprecated nomnom@1.8.1: Package no longer supported. Contact support@npmjs.com for more info.
npm WARN deprecated @stylelint/postcss-css-in-js@0.37.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
--- stdout ---
added 551 packages, and audited 552 packages in 13s
80 packages are looking for funding
run `npm fund` for details
4 vulnerabilities (2 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json
--- end ---
$ /usr/bin/npm audit --json --legacy-peer-deps
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"diff": {
"name": "diff",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1085700,
"name": "diff",
"dependency": "diff",
"title": "Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.5.0"
}
],
"effects": [
"unexpected"
],
"range": "<3.5.0",
"nodes": [
"node_modules/unexpected/node_modules/diff"
],
"fixAvailable": {
"name": "unexpected",
"version": "13.1.0",
"isSemVerMajor": true
}
},
"nomnom": {
"name": "nomnom",
"severity": "critical",
"isDirect": false,
"via": [
"underscore"
],
"effects": [],
"range": ">=1.6.0",
"nodes": [
"node_modules/nomnom"
],
"fixAvailable": true
},
"underscore": {
"name": "underscore",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1089143,
"name": "underscore",
"dependency": "underscore",
"title": "Arbitrary Code Execution in underscore",
"url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
"severity": "critical",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.3.2 <1.12.1"
}
],
"effects": [
"nomnom"
],
"range": "1.3.2 - 1.12.0",
"nodes": [
"node_modules/underscore"
],
"fixAvailable": true
},
"unexpected": {
"name": "unexpected",
"severity": "high",
"isDirect": true,
"via": [
"diff"
],
"effects": [],
"range": "5.0.0-beta1 - 11.0.0",
"nodes": [
"node_modules/unexpected"
],
"fixAvailable": {
"name": "unexpected",
"version": "13.1.0",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 2,
"critical": 2,
"total": 4
},
"dependencies": {
"prod": 1,
"dev": 551,
"optional": 0,
"peer": 45,
"peerOptional": 0,
"total": 551
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json --legacy-peer-deps
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 0,
"removed": 0,
"changed": 0,
"audited": 552,
"funding": 72,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"diff": {
"name": "diff",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1085700,
"name": "diff",
"dependency": "diff",
"title": "Regular Expression Denial of Service (ReDoS)",
"url": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9",
"severity": "high",
"cwe": [
"CWE-400"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<3.5.0"
}
],
"effects": [
"unexpected"
],
"range": "<3.5.0",
"nodes": [
"node_modules/unexpected/node_modules/diff"
],
"fixAvailable": {
"name": "unexpected",
"version": "13.1.0",
"isSemVerMajor": true
}
},
"nomnom": {
"name": "nomnom",
"severity": "critical",
"isDirect": false,
"via": [
"underscore"
],
"effects": [],
"range": ">=1.6.0",
"nodes": [
"node_modules/nomnom"
],
"fixAvailable": true
},
"underscore": {
"name": "underscore",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1089143,
"name": "underscore",
"dependency": "underscore",
"title": "Arbitrary Code Execution in underscore",
"url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
"severity": "critical",
"cwe": [
"CWE-94"
],
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"range": ">=1.3.2 <1.12.1"
}
],
"effects": [
"nomnom"
],
"range": "1.3.2 - 1.12.0",
"nodes": [
"node_modules/underscore"
],
"fixAvailable": true
},
"unexpected": {
"name": "unexpected",
"severity": "high",
"isDirect": true,
"via": [
"diff"
],
"effects": [],
"range": "5.0.0-beta1 - 11.0.0",
"nodes": [
"node_modules/unexpected"
],
"fixAvailable": {
"name": "unexpected",
"version": "13.1.0",
"isSemVerMajor": true
}
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 2,
"critical": 2,
"total": 4
},
"dependencies": {
"prod": 1,
"dev": 551,
"optional": 0,
"peer": 45,
"peerOptional": 0,
"total": 551
}
}
}
}
--- end ---
{"added": 0, "removed": 0, "changed": 0, "audited": 552, "funding": 72, "audit": {"auditReportVersion": 2, "vulnerabilities": {"diff": {"name": "diff", "severity": "high", "isDirect": false, "via": [{"source": 1085700, "name": "diff", "dependency": "diff", "title": "Regular Expression Denial of Service (ReDoS)", "url": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", "severity": "high", "cwe": ["CWE-400"], "cvss": {"score": 0, "vectorString": null}, "range": "<3.5.0"}], "effects": ["unexpected"], "range": "<3.5.0", "nodes": ["node_modules/unexpected/node_modules/diff"], "fixAvailable": {"name": "unexpected", "version": "13.1.0", "isSemVerMajor": true}}, "nomnom": {"name": "nomnom", "severity": "critical", "isDirect": false, "via": ["underscore"], "effects": [], "range": ">=1.6.0", "nodes": ["node_modules/nomnom"], "fixAvailable": true}, "underscore": {"name": "underscore", "severity": "critical", "isDirect": false, "via": [{"source": 1089143, "name": "underscore", "dependency": "underscore", "title": "Arbitrary Code Execution in underscore", "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", "severity": "critical", "cwe": ["CWE-94"], "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "range": ">=1.3.2 <1.12.1"}], "effects": ["nomnom"], "range": "1.3.2 - 1.12.0", "nodes": ["node_modules/underscore"], "fixAvailable": true}, "unexpected": {"name": "unexpected", "severity": "high", "isDirect": true, "via": ["diff"], "effects": [], "range": "5.0.0-beta1 - 11.0.0", "nodes": ["node_modules/unexpected"], "fixAvailable": {"name": "unexpected", "version": "13.1.0", "isSemVerMajor": true}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 2, "critical": 2, "total": 4}, "dependencies": {"prod": 1, "dev": 551, "optional": 0, "peer": 45, "peerOptional": 0, "total": 551}}}}
$ /usr/bin/npm audit fix --only=dev --legacy-peer-deps
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
up to date, audited 552 packages in 1s
72 packages are looking for funding
run `npm fund` for details
# npm audit report
diff <3.5.0
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-h6ch-v84p-w6p9
fix available via `npm audit fix --force`
Will install unexpected@13.1.0, which is a breaking change
node_modules/unexpected/node_modules/diff
unexpected 5.0.0-beta1 - 11.0.0
Depends on vulnerable versions of diff
node_modules/unexpected
underscore 1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix`
node_modules/underscore
nomnom >=1.6.0
Depends on vulnerable versions of underscore
node_modules/nomnom
4 vulnerabilities (2 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci --legacy-peer-deps
--- stderr ---
npm WARN deprecated @stylelint/postcss-markdown@0.36.2: Use the original unforked package instead: postcss-markdown
npm WARN deprecated grunt-jasmine-nodejs@1.6.1: Deprecated in favor of npm scripts.
npm WARN deprecated nomnom@1.8.1: Package no longer supported. Contact support@npmjs.com for more info.
npm WARN deprecated @stylelint/postcss-css-in-js@0.37.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
--- stdout ---
added 551 packages, and audited 552 packages in 5s
72 packages are looking for funding
run `npm fund` for details
4 vulnerabilities (2 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
--- end ---
$ /usr/bin/npm test
--- stdout ---
> test
> grunt test
Running "eslint:all" (eslint) task
Warning: Failed to load plugin 'compat' declared in '.eslintrc.json': Cannot find module 'eslint-plugin-compat'
Require stack:
- /src/repo/__placeholder__.js� Use --force to continue.
Aborted due to warnings.
--- end ---
Traceback (most recent call last):
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1400, in main
libup.run(args.repo, args.output, args.branch)
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1344, in run
self.npm_audit_fix(new_npm_audit)
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 242, in npm_audit_fix
self.check_call(['npm', 'test'])
File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/shell2.py", line 54, in check_call
res.check_returncode()
File "/usr/lib/python3.9/subprocess.py", line 460, in check_returncode
raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['/usr/bin/npm', 'test']' returned non-zero exit status 6.