mediawiki/services/parsoid (REL1_37)

$ date
--- stdout ---
Fri Apr 15 18:29:30 UTC 2022

--- end ---
$ git clone file:///srv/git/mediawiki-services-parsoid.git repo --depth=1 -b REL1_37
--- stderr ---
Cloning into 'repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/REL1_37
--- stdout ---
1e26e953327b355c448e76e9e6f37cd5917b00aa refs/heads/REL1_37

--- end ---
$ /usr/bin/npm audit --json --legacy-peer-deps
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "async": {
      "name": "async",
      "severity": "high",
      "via": [
        {
          "source": 1069985,
          "name": "async",
          "dependency": "async",
          "title": "Prototype Pollution in async",
          "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25",
          "severity": "high",
          "range": "<2.6.4"
        }
      ],
      "effects": [],
      "range": "<2.6.4",
      "nodes": [
        "node_modules/async"
      ],
      "fixAvailable": true
    },
    "mocha": {
      "name": "mocha",
      "severity": "moderate",
      "via": [
        "nanoid"
      ],
      "effects": [],
      "range": "8.2.0 - 9.1.4",
      "nodes": [
        "node_modules/mocha"
      ],
      "fixAvailable": {
        "name": "mocha",
        "version": "9.2.2",
        "isSemVerMajor": true
      }
    },
    "moment": {
      "name": "moment",
      "severity": "high",
      "via": [
        {
          "source": 1069972,
          "name": "moment",
          "dependency": "moment",
          "title": "Path Traversal: 'dir/../../filename' in moment.locale",
          "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4",
          "severity": "high",
          "range": "<2.29.2"
        }
      ],
      "effects": [],
      "range": "<2.29.2",
      "nodes": [
        "node_modules/moment"
      ],
      "fixAvailable": true
    },
    "nanoid": {
      "name": "nanoid",
      "severity": "moderate",
      "via": [
        {
          "source": 1067367,
          "name": "nanoid",
          "dependency": "nanoid",
          "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid",
          "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2",
          "severity": "moderate",
          "range": ">=3.0.0 <3.1.31"
        }
      ],
      "effects": [
        "mocha"
      ],
      "range": "3.0.0 - 3.1.30",
      "nodes": [
        "node_modules/nanoid"
      ],
      "fixAvailable": {
        "name": "mocha",
        "version": "9.2.2",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 2,
      "high": 2,
      "critical": 0,
      "total": 4
    },
    "dependencies": {
      "prod": 185,
      "dev": 230,
      "optional": 15,
      "peer": 0,
      "peerOptional": 0,
      "total": 428
    }
  }
}

--- end ---
$ /usr/bin/composer install
--- stderr ---
No lock file found. Updating dependencies instead of installing from lock file. Use composer update over composer install if you do not have a lock file.
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Lock file operations: 83 installs, 0 updates, 0 removals
  - Locking composer/ca-bundle (1.3.1)
  - Locking composer/composer (1.10.26)
  - Locking composer/semver (1.7.2)
  - Locking composer/spdx-licenses (1.5.6)
  - Locking composer/xdebug-handler (1.4.6)
  - Locking doctrine/instantiator (1.4.1)
  - Locking felixfbecker/advanced-json-rpc (v3.2.1)
  - Locking justinrainbow/json-schema (5.2.12)
  - Locking liuggio/statsd-php-client (v1.0.18)
  - Locking mediawiki/mediawiki-codesniffer (v36.0.0)
  - Locking mediawiki/mediawiki-phan-config (0.10.6)
  - Locking mediawiki/minus-x (1.1.1)
  - Locking mediawiki/phan-taint-check-plugin (3.2.1)
  - Locking microsoft/tolerant-php-parser (v0.0.23)
  - Locking monolog/monolog (2.5.0)
  - Locking myclabs/deep-copy (1.11.0)
  - Locking netresearch/jsonmapper (v3.1.1)
  - Locking ockcyp/covers-validator (v1.3.3)
  - Locking phan/phan (3.2.6)
  - Locking phar-io/manifest (2.0.3)
  - Locking phar-io/version (3.2.1)
  - Locking php-parallel-lint/php-console-color (v0.3)
  - Locking php-parallel-lint/php-console-highlighter (v0.5)
  - Locking php-parallel-lint/php-parallel-lint (v1.3.0)
  - Locking phpdocumentor/reflection-common (2.2.0)
  - Locking phpdocumentor/reflection-docblock (5.3.0)
  - Locking phpdocumentor/type-resolver (1.6.1)
  - Locking phpspec/prophecy (v1.15.0)
  - Locking phpunit/php-code-coverage (7.0.15)
  - Locking phpunit/php-file-iterator (2.0.5)
  - Locking phpunit/php-text-template (1.2.1)
  - Locking phpunit/php-timer (2.1.3)
  - Locking phpunit/php-token-stream (4.0.4)
  - Locking phpunit/phpunit (8.5.26)
  - Locking psr/container (1.1.1)
  - Locking psr/log (1.1.4)
  - Locking sabre/event (5.1.4)
  - Locking sebastian/code-unit-reverse-lookup (1.0.2)
  - Locking sebastian/comparator (3.0.3)
  - Locking sebastian/diff (3.0.3)
  - Locking sebastian/environment (4.2.4)
  - Locking sebastian/exporter (3.1.4)
  - Locking sebastian/global-state (3.0.2)
  - Locking sebastian/object-enumerator (3.0.4)
  - Locking sebastian/object-reflector (1.1.2)
  - Locking sebastian/recursion-context (3.0.1)
  - Locking sebastian/resource-operations (2.0.2)
  - Locking sebastian/type (1.1.4)
  - Locking sebastian/version (2.0.1)
  - Locking seld/jsonlint (1.9.0)
  - Locking seld/phar-utils (1.2.0)
  - Locking squizlabs/php_codesniffer (3.6.0)
  - Locking symfony/console (v5.4.7)
  - Locking symfony/deprecation-contracts (v2.5.1)
  - Locking symfony/filesystem (v5.4.7)
  - Locking symfony/finder (v5.4.3)
  - Locking symfony/polyfill-ctype (v1.25.0)
  - Locking symfony/polyfill-intl-grapheme (v1.25.0)
  - Locking symfony/polyfill-intl-normalizer (v1.25.0)
  - Locking symfony/polyfill-mbstring (v1.25.0)
  - Locking symfony/polyfill-php73 (v1.25.0)
  - Locking symfony/polyfill-php80 (v1.25.0)
  - Locking symfony/process (v5.4.7)
  - Locking symfony/service-contracts (v2.5.1)
  - Locking symfony/string (v5.4.3)
  - Locking theseer/tokenizer (1.2.1)
  - Locking webmozart/assert (1.10.0)
  - Locking wikimedia/alea (0.9.3)
  - Locking wikimedia/assert (v0.5.1)
  - Locking wikimedia/at-ease (v2.1.0)
  - Locking wikimedia/base-convert (v2.0.1)
  - Locking wikimedia/dodo (v0.3.0)
  - Locking wikimedia/idle-dom (v0.10.0)
  - Locking wikimedia/ip-set (3.0.0)
  - Locking wikimedia/ip-utils (3.0.2)
  - Locking wikimedia/langconv (0.4.2)
  - Locking wikimedia/object-factory (v3.0.2)
  - Locking wikimedia/remex-html (2.3.2)
  - Locking wikimedia/scoped-callback (v3.0.0)
  - Locking wikimedia/testing-access-wrapper (1.0.0)
  - Locking wikimedia/utfnormal (3.0.2)
  - Locking wikimedia/wikipeg (2.0.6)
  - Locking wikimedia/zest-css (2.0.2)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 83 installs, 0 updates, 0 removals
  - Downloading wikimedia/dodo (v0.3.0)
 0/1 [>---------------------------]   0%
 1/1 [============================] 100%  - Installing symfony/polyfill-php80 (v1.25.0): Extracting archive
  - Installing symfony/process (v5.4.7): Extracting archive
  - Installing symfony/deprecation-contracts (v2.5.1): Extracting archive
  - Installing symfony/finder (v5.4.3): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.25.0): Extracting archive
  - Installing symfony/polyfill-ctype (v1.25.0): Extracting archive
  - Installing symfony/filesystem (v5.4.7): Extracting archive
  - Installing symfony/polyfill-intl-normalizer (v1.25.0): Extracting archive
  - Installing symfony/polyfill-intl-grapheme (v1.25.0): Extracting archive
  - Installing symfony/string (v5.4.3): Extracting archive
  - Installing psr/container (1.1.1): Extracting archive
  - Installing symfony/service-contracts (v2.5.1): Extracting archive
  - Installing symfony/polyfill-php73 (v1.25.0): Extracting archive
  - Installing symfony/console (v5.4.7): Extracting archive
  - Installing seld/phar-utils (1.2.0): Extracting archive
  - Installing seld/jsonlint (1.9.0): Extracting archive
  - Installing psr/log (1.1.4): Extracting archive
  - Installing justinrainbow/json-schema (5.2.12): Extracting archive
  - Installing composer/xdebug-handler (1.4.6): Extracting archive
  - Installing composer/spdx-licenses (1.5.6): Extracting archive
  - Installing composer/semver (1.7.2): Extracting archive
  - Installing composer/ca-bundle (1.3.1): Extracting archive
  - Installing composer/composer (1.10.26): Extracting archive
  - Installing liuggio/statsd-php-client (v1.0.18): Extracting archive
  - Installing squizlabs/php_codesniffer (3.6.0): Extracting archive
  - Installing mediawiki/mediawiki-codesniffer (v36.0.0): Extracting archive
  - Installing sabre/event (5.1.4): Extracting archive
  - Installing netresearch/jsonmapper (v3.1.1): Extracting archive
  - Installing microsoft/tolerant-php-parser (v0.0.23): Extracting archive
  - Installing webmozart/assert (1.10.0): Extracting archive
  - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
  - Installing phpdocumentor/type-resolver (1.6.1): Extracting archive
  - Installing phpdocumentor/reflection-docblock (5.3.0): Extracting archive
  - Installing felixfbecker/advanced-json-rpc (v3.2.1): Extracting archive
  - Installing phan/phan (3.2.6): Extracting archive
  - Installing mediawiki/phan-taint-check-plugin (3.2.1): Extracting archive
  - Installing mediawiki/mediawiki-phan-config (0.10.6): Extracting archive
  - Installing mediawiki/minus-x (1.1.1): Extracting archive
  - Installing monolog/monolog (2.5.0): Extracting archive
  - Installing sebastian/version (2.0.1): Extracting archive
  - Installing sebastian/type (1.1.4): Extracting archive
  - Installing sebastian/resource-operations (2.0.2): Extracting archive
  - Installing sebastian/recursion-context (3.0.1): Extracting archive
  - Installing sebastian/object-reflector (1.1.2): Extracting archive
  - Installing sebastian/object-enumerator (3.0.4): Extracting archive
  - Installing sebastian/global-state (3.0.2): Extracting archive
  - Installing sebastian/exporter (3.1.4): Extracting archive
  - Installing sebastian/environment (4.2.4): Extracting archive
  - Installing sebastian/diff (3.0.3): Extracting archive
  - Installing sebastian/comparator (3.0.3): Extracting archive
  - Installing phpunit/php-timer (2.1.3): Extracting archive
  - Installing phpunit/php-text-template (1.2.1): Extracting archive
  - Installing phpunit/php-file-iterator (2.0.5): Extracting archive
  - Installing theseer/tokenizer (1.2.1): Extracting archive
  - Installing sebastian/code-unit-reverse-lookup (1.0.2): Extracting archive
  - Installing phpunit/php-token-stream (4.0.4): Extracting archive
  - Installing phpunit/php-code-coverage (7.0.15): Extracting archive
  - Installing doctrine/instantiator (1.4.1): Extracting archive
  - Installing phpspec/prophecy (v1.15.0): Extracting archive
  - Installing phar-io/version (3.2.1): Extracting archive
  - Installing phar-io/manifest (2.0.3): Extracting archive
  - Installing myclabs/deep-copy (1.11.0): Extracting archive
  - Installing phpunit/phpunit (8.5.26): Extracting archive
  - Installing ockcyp/covers-validator (v1.3.3): Extracting archive
  - Installing php-parallel-lint/php-console-color (v0.3): Extracting archive
  - Installing php-parallel-lint/php-console-highlighter (v0.5): Extracting archive
  - Installing php-parallel-lint/php-parallel-lint (v1.3.0): Extracting archive
  - Installing wikimedia/alea (0.9.3): Extracting archive
  - Installing wikimedia/at-ease (v2.1.0): Extracting archive
  - Installing wikimedia/zest-css (2.0.2): Extracting archive
  - Installing wikimedia/utfnormal (3.0.2): Extracting archive
  - Installing wikimedia/remex-html (2.3.2): Extracting archive
  - Installing wikimedia/idle-dom (v0.10.0): Extracting archive
  - Installing wikimedia/dodo (v0.3.0): Extracting archive
  - Installing wikimedia/ip-set (3.0.0): Extracting archive
  - Installing wikimedia/base-convert (v2.0.1): Extracting archive
  - Installing wikimedia/ip-utils (3.0.2): Extracting archive
  - Installing wikimedia/assert (v0.5.1): Extracting archive
  - Installing wikimedia/langconv (0.4.2): Extracting archive
  - Installing wikimedia/object-factory (v3.0.2): Extracting archive
  - Installing wikimedia/scoped-callback (v3.0.0): Extracting archive
  - Installing wikimedia/testing-access-wrapper (1.0.0): Extracting archive
  - Installing wikimedia/wikipeg (2.0.6): Extracting archive
  0/73 [>---------------------------]   0%
 10/73 [===>------------------------]  13%
 18/73 [======>---------------------]  24%
 28/73 [==========>-----------------]  38%
 37/73 [==============>-------------]  50%
 47/73 [==================>---------]  64%
 55/73 [=====================>------]  75%
 65/73 [========================>---]  89%
 72/73 [===========================>]  98%
 73/73 [============================] 100%20 package suggestions were added by new dependencies, use `composer suggest` to see details.
Package phpunit/php-token-stream is abandoned, you should avoid using it. No replacement was suggested.
Generating optimized autoload files
39 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---

--- end ---
$ /usr/bin/npm audit --json --legacy-peer-deps
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "async": {
      "name": "async",
      "severity": "high",
      "via": [
        {
          "source": 1069985,
          "name": "async",
          "dependency": "async",
          "title": "Prototype Pollution in async",
          "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25",
          "severity": "high",
          "range": "<2.6.4"
        }
      ],
      "effects": [],
      "range": "<2.6.4",
      "nodes": [
        "node_modules/async"
      ],
      "fixAvailable": true
    },
    "mocha": {
      "name": "mocha",
      "severity": "moderate",
      "via": [
        "nanoid"
      ],
      "effects": [],
      "range": "8.2.0 - 9.1.4",
      "nodes": [
        "node_modules/mocha"
      ],
      "fixAvailable": {
        "name": "mocha",
        "version": "9.2.2",
        "isSemVerMajor": true
      }
    },
    "moment": {
      "name": "moment",
      "severity": "high",
      "via": [
        {
          "source": 1069972,
          "name": "moment",
          "dependency": "moment",
          "title": "Path Traversal: 'dir/../../filename' in moment.locale",
          "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4",
          "severity": "high",
          "range": "<2.29.2"
        }
      ],
      "effects": [],
      "range": "<2.29.2",
      "nodes": [
        "node_modules/moment"
      ],
      "fixAvailable": true
    },
    "nanoid": {
      "name": "nanoid",
      "severity": "moderate",
      "via": [
        {
          "source": 1067367,
          "name": "nanoid",
          "dependency": "nanoid",
          "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid",
          "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2",
          "severity": "moderate",
          "range": ">=3.0.0 <3.1.31"
        }
      ],
      "effects": [
        "mocha"
      ],
      "range": "3.0.0 - 3.1.30",
      "nodes": [
        "node_modules/nanoid"
      ],
      "fixAvailable": {
        "name": "mocha",
        "version": "9.2.2",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 2,
      "high": 2,
      "critical": 0,
      "total": 4
    },
    "dependencies": {
      "prod": 185,
      "dev": 230,
      "optional": 15,
      "peer": 0,
      "peerOptional": 0,
      "total": 428
    }
  }
}

--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json --legacy-peer-deps
--- stdout ---
{
  "added": 427,
  "removed": 0,
  "changed": 0,
  "audited": 429,
  "funding": 5,
  "audit": {
    "auditReportVersion": 2,
    "vulnerabilities": {
      "async": {
        "name": "async",
        "severity": "high",
        "via": [
          {
            "source": 1069985,
            "name": "async",
            "dependency": "async",
            "title": "Prototype Pollution in async",
            "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25",
            "severity": "high",
            "range": "<2.6.4"
          }
        ],
        "effects": [],
        "range": "<2.6.4",
        "nodes": [
          "node_modules/async"
        ],
        "fixAvailable": true
      },
      "mocha": {
        "name": "mocha",
        "severity": "moderate",
        "via": [
          "nanoid"
        ],
        "effects": [],
        "range": "8.2.0 - 9.1.4",
        "nodes": [
          "node_modules/mocha"
        ],
        "fixAvailable": {
          "name": "mocha",
          "version": "9.2.2",
          "isSemVerMajor": true
        }
      },
      "moment": {
        "name": "moment",
        "severity": "high",
        "via": [
          {
            "source": 1069972,
            "name": "moment",
            "dependency": "moment",
            "title": "Path Traversal: 'dir/../../filename' in moment.locale",
            "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4",
            "severity": "high",
            "range": "<2.29.2"
          }
        ],
        "effects": [],
        "range": "<2.29.2",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      },
      "nanoid": {
        "name": "nanoid",
        "severity": "moderate",
        "via": [
          {
            "source": 1067367,
            "name": "nanoid",
            "dependency": "nanoid",
            "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid",
            "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2",
            "severity": "moderate",
            "range": ">=3.0.0 <3.1.31"
          }
        ],
        "effects": [
          "mocha"
        ],
        "range": "3.0.0 - 3.1.30",
        "nodes": [
          "node_modules/nanoid"
        ],
        "fixAvailable": {
          "name": "mocha",
          "version": "9.2.2",
          "isSemVerMajor": true
        }
      }
    },
    "metadata": {
      "vulnerabilities": {
        "info": 0,
        "low": 0,
        "moderate": 2,
        "high": 2,
        "critical": 0,
        "total": 4
      },
      "dependencies": {
        "prod": 185,
        "dev": 230,
        "optional": 15,
        "peer": 0,
        "peerOptional": 0,
        "total": 428
      }
    }
  }
}

--- end ---
{"added": 427, "removed": 0, "changed": 0, "audited": 429, "funding": 5, "audit": {"auditReportVersion": 2, "vulnerabilities": {"async": {"name": "async", "severity": "high", "via": [{"source": 1069985, "name": "async", "dependency": "async", "title": "Prototype Pollution in async", "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", "severity": "high", "range": "<2.6.4"}], "effects": [], "range": "<2.6.4", "nodes": ["node_modules/async"], "fixAvailable": true}, "mocha": {"name": "mocha", "severity": "moderate", "via": ["nanoid"], "effects": [], "range": "8.2.0 - 9.1.4", "nodes": ["node_modules/mocha"], "fixAvailable": {"name": "mocha", "version": "9.2.2", "isSemVerMajor": true}}, "moment": {"name": "moment", "severity": "high", "via": [{"source": 1069972, "name": "moment", "dependency": "moment", "title": "Path Traversal: 'dir/../../filename' in moment.locale", "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4", "severity": "high", "range": "<2.29.2"}], "effects": [], "range": "<2.29.2", "nodes": [""], "fixAvailable": true}, "nanoid": {"name": "nanoid", "severity": "moderate", "via": [{"source": 1067367, "name": "nanoid", "dependency": "nanoid", "title": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "url": "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2", "severity": "moderate", "range": ">=3.0.0 <3.1.31"}], "effects": ["mocha"], "range": "3.0.0 - 3.1.30", "nodes": ["node_modules/nanoid"], "fixAvailable": {"name": "mocha", "version": "9.2.2", "isSemVerMajor": true}}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 2, "high": 2, "critical": 0, "total": 4}, "dependencies": {"prod": 185, "dev": 230, "optional": 15, "peer": 0, "peerOptional": 0, "total": 428}}}}
$ /usr/bin/npm audit fix --only=dev --legacy-peer-deps
--- stderr ---
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
npm WARN tar TAR_ENTRY_INFO stripping / from absolute path
--- stdout ---

added 427 packages, and audited 429 packages in 17s

5 packages are looking for funding
  run `npm fund` for details

# npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/async

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install mocha@9.2.2, which is a breaking change
node_modules/nanoid
  mocha  8.2.0 - 9.1.4
  Depends on vulnerable versions of nanoid
  node_modules/mocha

3 vulnerabilities (2 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

--- end ---
$ package-lock-lint package-lock.json
--- stdout ---
Checking package-lock.json
node_modules/service-runner/node_modules/gc-stats@unknown: "resolved" is not a valid URL: "node_modules/service-runner/gc-stats@git+https:/github.com/dainis/node-gcstats.git#5be60dfd24293d6cefbc8a459c1537611373fac5" (relative URL without a base)
node_modules/service-runner/gc-stats@git+https:/github.com/dainis/node-gcstats.git#5be60dfd24293d6cefbc8a459c1537611373fac5@unknown: Neither "resolved" nor "version" are present

--- end ---
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1396, in main
    libup.run(args.repo, args.output, args.branch)
  File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 1340, in run
    self.npm_audit_fix(new_npm_audit)
  File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 237, in npm_audit_fix
    self.check_package_lock()
  File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/__init__.py", line 286, in check_package_lock
    self.check_call(['package-lock-lint', 'package-lock.json'])
  File "/venv/lib/python3.9/site-packages/runner-0.1.0-py3.9.egg/runner/shell2.py", line 54, in check_call
    res.check_returncode()
  File "/usr/lib/python3.9/subprocess.py", line 460, in check_returncode
    raise CalledProcessError(self.returncode, self.args, self.stdout,
subprocess.CalledProcessError: Command '['package-lock-lint', 'package-lock.json']' returned non-zero exit status 1.
