vulnerabilities in npm dependencies

ugh, npm.

There are 160 npm security advisories affecting our repositories.

#1087746: cryptiles

Severity: critical

Insufficient Entropy in cryptiles

Affected repositories (1)

• ❌mediawiki/services/kartotherian

#1089042: property-expr

Severity: critical

Prototype Pollution in property-expr

Affected repositories (1)

• 🗄mediawiki/extensions/EntitySchema

#1089151: json-pointer

Severity: critical

json-pointer vulnerable to Prototype Pollution

Affected repositories (1)

• ❌wikimedia/toolhub

#1089152: flat

Severity: critical

flat vulnerable to Prototype Pollution

Affected repositories (9)

• ❌🗄mediawiki/extensions/CirrusSearch
• 🗄mediawiki/extensions/EventBus
• ❌🗄🔮mediawiki/extensions/Math
• mediawiki/libs/LangConv
• ❌mediawiki/services/chromium-render
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/wikifeeds
• ❌mediawiki/tools/api-testing

#1089270: ejs

Severity: critical

ejs template injection vulnerability

Affected repositories (6)

• ❌🗄mediawiki/extensions/RelatedArticles
• ❌🗄mediawiki/extensions/WikibaseLexeme
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wikimedia/toolhub
• ❌wvui

#1089656: immer

Severity: critical

Prototype Pollution in immer

Affected repositories (4)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wvui

#1089900: netmask

Severity: critical

Improper parsing of octal bytes in netmask

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1090114: lodash.template

Severity: critical

Prototype Pollution in lodash

Affected repositories (3)

• oojs/core
• 🦆oojs/ui
• ❌wikimedia/portals

#1090178: @xmldom/xmldom

Severity: critical

xmldom allows multiple root nodes in a DOM

Affected repositories (2)

• ❌🗄mediawiki/extensions/WikibaseLexeme
• ❌wikimedia/portals

#1090484: simple-git

Severity: critical

Remote code execution in simple-git

Affected repositories (1)

• 🗄mediawiki/extensions/EntitySchema

#1091172: minimist

Severity: critical

Prototype Pollution in minimist

Affected repositories (16)

• 🦆🗄🔮mediawiki/extensions/VisualEditor
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/citoid
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/kartotherian
• mediawiki/services/mathoid
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• mediawiki/services/zotero

#1091173: minimist

Severity: critical

Prototype Pollution in minimist

Affected repositories (22)

• ❌🗄mediawiki/extensions/MachineVision
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄mediawiki/extensions/QuickSurveys
• ❌🗄mediawiki/extensions/RelatedArticles
• ❌🗄mediawiki/extensions/WikibaseLexeme
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/kartotherian
• mediawiki/services/mathoid
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• ❌mediawiki/tools/api-testing
• ❌wikimedia/toolhub
• ❌wvui

#1091186: loader-utils

Severity: critical

Prototype pollution in webpack loader-utils

Affected repositories (5)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wikimedia/toolhub
• ❌wvui

#1091187: loader-utils

Severity: critical

Prototype pollution in webpack loader-utils

Affected repositories (3)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌wikimedia/toolhub
• ❌wvui

#1091418: shell-quote

Severity: critical

Improper Neutralization of Special Elements used in a Command in Shell-quote

Affected repositories (4)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wvui

#1091470: underscore

Severity: critical

Arbitrary Code Execution in underscore

Affected repositories (3)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/kartotherian
• wikipeg

#1091472: json-schema

Severity: critical

json-schema is vulnerable to Prototype Pollution

Affected repositories (9)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/wikifeeds
• ❌wvui

#1085700: diff

Severity: high

Regular Expression Denial of Service (ReDoS)

Affected repositories (1)

• ❌🗄mediawiki/extensions/WikibaseLexeme

#1087445: prismjs

Severity: high

Cross-Site Scripting in Prism

Affected repositories (2)

• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector

#1088666: async

Severity: high

Prototype Pollution in async

Affected repositories (1)

• ❌wikimedia/toolhub

#1088667: async

Severity: high

Prototype Pollution in async

Affected repositories (1)

• ❌🗄mediawiki/extensions/MachineVision

#1088696: ua-parser-js

Severity: high

ReDoS Vulnerability in ua-parser-js version

Affected repositories (5)

• ❌🗄mediawiki/extensions/GrowthExperiments
• ❌🗄mediawiki/extensions/RelatedArticles
• ❌🗄mediawiki/extensions/Wikibase
• ❌🗄mediawiki/extensions/WikibaseLexeme
• ❌🗄mediawiki/extensions/Wikistories

#1088697: ua-parser-js

Severity: high

ReDoS Vulnerability in ua-parser-js version

Affected repositories (1)

• ❌🗄mediawiki/extensions/TwoColConflict

#1088761: simple-git

Severity: high

Command injection in simple-git

Affected repositories (1)

• 🗄mediawiki/extensions/EntitySchema

#1088766: express-handlebars

Severity: high

Insecure template handling in Express-handlebars

Affected repositories (1)

• ❌mediawiki/services/parsoid/testreduce

#1088964: jpeg-js

Severity: high

Infinite loop in jpeg-js

Affected repositories (1)

• 🗄mediawiki/extensions/WikibaseMediaInfo

#1088997: dicer

Severity: high

Crash in HeaderParser in dicer

Affected repositories (5)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• ❌mediawiki/services/restbase
• ❌wikimedia/toolhub

#1089190: tmpl

Severity: high

tmpl vulnerable to Inefficient Regular Expression Complexity which may lead to resource exhaustion

Affected repositories (1)

• ❌wvui

#1089196: redis

Severity: high

Node-Redis potential exponential regex in monitor mode

Affected repositories (1)

• ❌mediawiki/services/change-propagation

#1089281: immer

Severity: high

Prototype Pollution in immer

Affected repositories (4)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wvui

#1089386: taffydb

Severity: high

TaffyDB can allow access to any data items in the DB

Affected repositories (13)

• ❌🗄mediawiki/extensions/GlobalWatchlist
• ❌🗄mediawiki/extensions/MobileFrontend
• 🗄mediawiki/extensions/NearbyPages
• ❌🗄mediawiki/extensions/Popups
• 🗄🔮mediawiki/extensions/TemplateData
• ❌🗄🔮mediawiki/extensions/WikiEditor
• ❌🗄mediawiki/extensions/WikiLambda
• mediawiki/extensions/WikispeechSpeechDataCollector
• mediawiki/libs/LangConv
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌mediawiki/tools/api-testing
• oojs/core

#1089485: marked

Severity: high

Inefficient Regular Expression Complexity in marked

Affected repositories (3)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/tools/api-testing
• ❌wikimedia/toolhub

#1089486: marked

Severity: high

Inefficient Regular Expression Complexity in marked

Affected repositories (3)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/tools/api-testing
• ❌wikimedia/toolhub

#1089508: libxmljs

Severity: high

Denial of service vulnerability exists in libxmljs

Affected repositories (1)

• ❌mediawiki/services/kartotherian

#1089511: simple-git

Severity: high

Command injection in simple-git

Affected repositories (1)

• 🗄mediawiki/extensions/EntitySchema

#1089524: simple-git

Severity: high

simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol

Affected repositories (1)

• 🗄mediawiki/extensions/EntitySchema

#1089535: git-clone

Severity: high

Command injection in git-clone

Affected repositories (1)

• ❌wikimedia/toolhub

#1089539: grunt

Severity: high

Race Condition in Grunt

Affected repositories (3)

• ❌🗄mediawiki/extensions/MachineVision
• ❌🗄mediawiki/extensions/MediaSearch
• ❌🗄mediawiki/extensions/WikibaseLexeme

#1089589: graphiql

Severity: high

GraphiQL introspection schema template injection attack

Affected repositories (1)

• mediawiki/extensions/GraphQL

#1089649: semver-regex

Severity: high

Regular Expression Denial of Service (ReDOS)

Affected repositories (2)

• 🦆🗄🔮mediawiki/extensions/VisualEditor
• oojs/core

#1089682: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization

Affected repositories (1)

• ❌wvui

#1089684: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization

Affected repositories (13)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• mediawiki/services/mathoid
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds

#1089685: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization

Affected repositories (1)

• ❌mediawiki/services/kartotherian

#1089716: prismjs

Severity: high

Regular Expression Denial of Service (ReDoS) in Prism

Affected repositories (2)

• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector

#1089867: trim

Severity: high

Regular Expression Denial of Service in trim

Affected repositories (3)

• ❌🗄mediawiki/extensions/GlobalWatchlist
• ❌🗄mediawiki/extensions/Popups
• ❌wvui

#1089875: pathval

Severity: high

Prototype pollution in pathval

Affected repositories (1)

• ❌mediawiki/tools/api-testing

#1089895: chrono-node

Severity: high

Denial of service in chrono-node

Affected repositories (1)

• ❌mediawiki/services/citoid

#1089985: merge

Severity: high

Prototype Pollution in merge

Affected repositories (3)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/geoshapes
• mediawiki/services/recommendation-api

#1090014: prismjs

Severity: high

Denial of service in prismjs

Affected repositories (2)

• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector

#1090038: immer

Severity: high

Prototype Pollution in immer

Affected repositories (2)

• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector

#1090135: qs

Severity: high

qs vulnerable to Prototype Pollution

Affected repositories (12)

• ❌🗄mediawiki/extensions/CirrusSearch
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/wikifeeds
• ❌wikibase/javascript-api
• ❌wvui

#1090137: qs

Severity: high

qs vulnerable to Prototype Pollution

Affected repositories (11)

• mediawiki/extensions/MediaUploader
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• ❌wvui

#1090139: qs

Severity: high

qs vulnerable to Prototype Pollution

Affected repositories (4)

• design/codex
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/tools/api-testing

#1090140: qs

Severity: high

qs vulnerable to Prototype Pollution

Affected repositories (4)

• ❌🗄mediawiki/extensions/CirrusSearch
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/services/service-scaffold-node
• ❌wvui

#1090160: luxon

Severity: high

Luxon Inefficient Regular Expression Complexity vulnerability

Affected repositories (2)

• design/codex
• ❌wikidata/query-builder

#1090384: pac-resolver

Severity: high

Code Injection in pac-resolver

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1090403: degenerator

Severity: high

Code Injection in pac-resolver

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1090420: requestretry

Severity: high

Cookie exposure in requestretry

Affected repositories (17)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/citoid
• mediawiki/services/cxserver
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/function-evaluator
• ❌mediawiki/services/function-orchestrator
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/kartotherian
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• ❌wikimedia/portals

#1090424: prismjs

Severity: high

Cross-site Scripting in Prism

Affected repositories (6)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄mediawiki/extensions/WikibaseLexeme
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wikimedia/toolhub
• ❌wvui

#1090445: simple-get

Severity: high

Exposure of Sensitive Information in simple-get

Affected repositories (2)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌wvui

#1090532: http-cache-semantics

Severity: high

http-cache-semantics vulnerable to Regular Expression Denial of Service

Affected repositories (13)

• design/codex
• ❌🗄mediawiki/extensions/GrowthExperiments
• ❌🗄mediawiki/extensions/RelatedArticles
• ❌🗄mediawiki/extensions/TwoColConflict
• 🦆🗄🔮mediawiki/extensions/VisualEditor
• ❌🗄mediawiki/extensions/Wikibase
• ❌🗄mediawiki/extensions/WikibaseLexeme
• ❌🗄mediawiki/extensions/Wikistories
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/push-notifications
• oojs/core
• ❌wikidata/query-builder
• ❌wikimedia/toolhub

#1091147: json5

Severity: high

Prototype Pollution in JSON5 via Parse Method

Affected repositories (11)

• design/codex
• ❌🗄mediawiki/extensions/GrowthExperiments
• ❌🗄mediawiki/extensions/MachineVision
• ❌🗄mediawiki/extensions/MediaSearch
• ❌🗄mediawiki/extensions/MobileFrontend
• 🗄mediawiki/extensions/NearbyPages
• ❌🗄mediawiki/extensions/QuickSurveys
• ❌🗄mediawiki/extensions/SearchVue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wikimedia/toolhub
• ❌wvui

#1091148: json5

Severity: high

Prototype Pollution in JSON5 via Parse Method

Affected repositories (18)

• design/codex
• ❌🗄mediawiki/extensions/GrowthExperiments
• ❌🗄mediawiki/extensions/MediaSearch
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄mediawiki/extensions/QuickSurveys
• ❌🗄mediawiki/extensions/RelatedArticles
• ❌🗄mediawiki/extensions/SearchVue
• ❌🗄mediawiki/extensions/Wikibase
• ❌🗄mediawiki/extensions/Wikistories
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/push-notifications
• ❌mediawiki/services/service-scaffold-node
• ❌🗄🔮mediawiki/skins/Vector
• ❌wikimedia/portals
• ❌wikimedia/toolhub
• ❌wvui

#1091174: minimatch

Severity: high

minimatch ReDoS vulnerability

Affected repositories (33)

• ❌🗄mediawiki/extensions/CirrusSearch
• 🗄mediawiki/extensions/EventBus
• ❌🗄mediawiki/extensions/MachineVision
• ❌🗄🔮mediawiki/extensions/Math
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄mediawiki/extensions/RelatedArticles
• 🦆🗄🔮mediawiki/extensions/VisualEditor
• ❌🗄mediawiki/extensions/Wikibase
• ❌🗄mediawiki/extensions/WikibaseLexeme
• ❌🗄mediawiki/extensions/Wikistories
• mediawiki/libs/LangConv
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/citoid
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• mediawiki/services/mathoid
• mediawiki/services/parsoid
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• mediawiki/services/zotero
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌mediawiki/tools/api-testing
• ❌wikibase/javascript-api
• ❌wikimedia/toolhub
• ❌wvui

#1091181: glob-parent

Severity: high

glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex

Affected repositories (13)

• design/codex
• ❌🗄mediawiki/extensions/GlobalWatchlist
• mediawiki/extensions/GraphQL
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄mediawiki/extensions/Popups
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/geoshapes
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌mediawiki/tools/api-testing
• ❌wikidata/query-builder
• ❌wikimedia/portals
• ❌wvui

#1091185: lodash

Severity: high

Command Injection in lodash

Affected repositories (3)

• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/wikifeeds
• ❌mediawiki/tools/api-testing

#1091188: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex

Affected repositories (8)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/wikifeeds
• ❌mediawiki/tools/api-testing
• ❌wikimedia/toolhub

#1091189: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex

Affected repositories (13)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• ❌mediawiki/tools/api-testing
• ❌wikimedia/toolhub
• ❌wvui

#1091190: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex

Affected repositories (10)

• ❌🗄mediawiki/extensions/MachineVision
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/parsoid/testreduce
• mediawiki/services/recommendation-api
• ❌mediawiki/services/wikifeeds
• ❌mediawiki/tools/api-testing
• ❌wikimedia/toolhub
• ❌wvui

#1091234: y18n

Severity: high

Prototype Pollution in y18n

Affected repositories (2)

• ❌mediawiki/services/chromium-render
• ❌mediawiki/tools/api-testing

#1091236: nth-check

Severity: high

Inefficient Regular Expression Complexity in nth-check

Affected repositories (4)

• 🦆🗄🔮mediawiki/extensions/VisualEditor
• ❌mediawiki/services/citoid
• ❌wikimedia/portals
• ❌wvui

#1091237: ansi-html

Severity: high

Uncontrolled Resource Consumption in ansi-html

Affected repositories (1)

• ❌wvui

#1091238: follow-redirects

Severity: high

Exposure of sensitive information in follow-redirects

Affected repositories (2)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌wvui

#1091239: node-fetch

Severity: high

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Affected repositories (4)

• mediawiki/extensions/GraphQL
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/services/push-notifications
• ❌wvui

#1091247: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable

Affected repositories (3)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌wikimedia/toolhub
• ❌wvui

#1091248: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable

Affected repositories (5)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wikimedia/toolhub
• ❌wvui

#1091250: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)

Affected repositories (3)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌wikimedia/toolhub
• ❌wvui

#1091251: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)

Affected repositories (5)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wikimedia/toolhub
• ❌wvui

#1091252: ini

Severity: high

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Affected repositories (12)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• mediawiki/services/mathoid
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds

#1091307: lodash

Severity: high

Prototype Pollution in lodash

Affected repositories (1)

• ❌mediawiki/services/chromium-render

#1091311: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Affected repositories (1)

• ❌wvui

#1091313: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Affected repositories (13)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• mediawiki/services/mathoid
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds

#1091314: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Affected repositories (1)

• ❌mediawiki/services/kartotherian

#1091338: normalize-url

Severity: high

ReDoS in normalize-url

Affected repositories (1)

• ❌mediawiki/services/geoshapes

#1091341: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Affected repositories (1)

• ❌wvui

#1091343: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Affected repositories (14)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/kartotherian
• mediawiki/services/mathoid
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds

#1091344: tar

Severity: high

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization

Affected repositories (1)

• ❌wvui

#1091346: tar

Severity: high

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization

Affected repositories (14)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/kartotherian
• mediawiki/services/mathoid
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds

#1091347: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Affected repositories (1)

• ❌wvui

#1091349: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Affected repositories (14)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/kartotherian
• mediawiki/services/mathoid
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds

#1091350: node-forge

Severity: high

Improper Verification of Cryptographic Signature in node-forge

Affected repositories (2)

• ❌mediawiki/services/push-notifications
• ❌wikimedia/toolhub

#1091351: node-forge

Severity: high

Improper Verification of Cryptographic Signature in node-forge

Affected repositories (2)

• ❌mediawiki/services/push-notifications
• ❌wikimedia/toolhub

#1091353: node-forge

Severity: high

Prototype Pollution in node-forge

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1091356: terser

Severity: high

Terser insecure use of regular expressions leads to ReDoS

Affected repositories (2)

• ❌wikimedia/toolhub
• ❌wvui

#1091357: terser

Severity: high

Terser insecure use of regular expressions leads to ReDoS

Affected repositories (3)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄🔮mediawiki/skins/Vector
• ❌wvui

#1091360: trim-newlines

Severity: high

Uncontrolled Resource Consumption in trim-newlines

Affected repositories (5)

• ❌🗄mediawiki/extensions/GrowthExperiments
• 🗄mediawiki/extensions/PageTriage
• 🦆🗄🔮mediawiki/extensions/VisualEditor
• oojs/core
• 🦆oojs/ui

#1091366: axios

Severity: high

axios Inefficient Regular Expression Complexity vulnerability

Affected repositories (1)

• ❌wvui

#1091367: webpack

Severity: high

Cross-realm object access in Webpack 5

Affected repositories (2)

• data-values/value-view
• ❌wikimedia/toolhub

#1091426: js-yaml

Severity: high

Code Injection in js-yaml

Affected repositories (1)

• ❌mediawiki/services/kartotherian

#1091430: moment

Severity: high

Path Traversal: 'dir/../../filename' in moment.locale

Affected repositories (10)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• ❌wikimedia/toolhub

#1091440: hawk

Severity: high

Uncontrolled Resource Consumption in Hawk

Affected repositories (1)

• ❌mediawiki/services/kartotherian

#1091441: moment

Severity: high

Moment.js vulnerable to Inefficient Regular Expression Complexity

Affected repositories (10)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• ❌wikimedia/toolhub

#1091453: shelljs

Severity: high

Improper Privilege Management in shelljs

Affected repositories (1)

• ❌wikimedia/toolhub

#1091475: protobufjs

Severity: high

Prototype Pollution in protobufjs

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1085394: swagger-ui-dist

Severity: moderate

Server side request forgery in SwaggerUI

Affected repositories (14)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/citoid
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/function-evaluator
• ❌mediawiki/services/function-orchestrator
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/push-notifications
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• mediawiki/services/zotero

#1085685: mem

Severity: moderate

Denial of Service in mem

Affected repositories (1)

• ❌mediawiki/services/kartotherian

#1085724: js-yaml

Severity: moderate

Denial of Service in js-yaml

Affected repositories (1)

• ❌mediawiki/services/kartotherian

#1086450: highlight.js

Severity: moderate

ReDOS vulnerabities: multiple grammars

Affected repositories (2)

• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector

#1087458: jpeg-js

Severity: moderate

Uncontrolled resource consumption in jpeg-js

Affected repositories (1)

• 🗄mediawiki/extensions/WikibaseMediaInfo

#1088208: shelljs

Severity: moderate

Improper Privilege Management in shelljs

Affected repositories (1)

• ❌wikimedia/toolhub

#1088241: validator

Severity: moderate

Inefficient Regular Expression Complexity in Validator.js

Affected repositories (1)

• ❌mediawiki/services/service-scaffold-node

#1088659: cookiejar

Severity: moderate

cookiejar Regular Expression Denial of Service via Cookie.parse function

Affected repositories (7)

• design/codex
• ❌🗄mediawiki/extensions/GrowthExperiments
• ❌🗄mediawiki/extensions/Wikibase
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/push-notifications
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/tools/api-testing

#1088709: cross-fetch

Severity: moderate

Incorrect Authorization in cross-fetch

Affected repositories (1)

• mediawiki/extensions/GraphQL

#1088711: grunt

Severity: moderate

Path Traversal in Grunt

Affected repositories (3)

• ❌🗄mediawiki/extensions/MachineVision
• ❌🗄mediawiki/extensions/MediaSearch
• ❌🗄mediawiki/extensions/WikibaseLexeme

#1088746: node-forge

Severity: moderate

Improper Verification of Cryptographic Signature in `node-forge`

Affected repositories (2)

• ❌mediawiki/services/push-notifications
• ❌wikimedia/toolhub

#1088759: swagger-ui-dist

Severity: moderate

Spoofing attack in swagger-ui-dist

Affected repositories (14)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/citoid
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/function-evaluator
• ❌mediawiki/services/function-orchestrator
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/push-notifications
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• mediawiki/services/zotero

#1088811: yargs-parser

Severity: moderate

yargs-parser Vulnerable to Prototype Pollution

Affected repositories (3)

• ❌mediawiki/services/kartotherian
• ❌mediawiki/services/restbase
• mediawiki/services/zotero

#1088818: ms

Severity: moderate

Vercel ms Inefficient Regular Expression Complexity vulnerability

Affected repositories (18)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/citoid
• mediawiki/services/cxserver
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/function-evaluator
• ❌mediawiki/services/function-orchestrator
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/kartotherian
• mediawiki/services/mathoid
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds

#1088856: jose

Severity: moderate

JOSE vulnerable to resource exhaustion via specifically crafted JWE

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1088901: json-pointer

Severity: moderate

Prototype Pollution in json-pointer

Affected repositories (1)

• ❌wikimedia/toolhub

#1088948: got

Severity: moderate

Got allows a redirect to a UNIX socket

Affected repositories (13)

• design/codex
• ❌🗄mediawiki/extensions/GlobalWatchlist
• ❌🗄mediawiki/extensions/GrowthExperiments
• 🗄mediawiki/extensions/PageTriage
• ❌🗄mediawiki/extensions/RelatedArticles
• 🦆🗄🔮mediawiki/extensions/VisualEditor
• ❌🗄mediawiki/extensions/Wikibase
• ❌🗄mediawiki/extensions/WikibaseLexeme
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/push-notifications
• oojs/core
• ❌wikidata/query-builder
• ❌wikimedia/toolhub

#1089011: nanoid

Severity: moderate

Exposure of Sensitive Information to an Unauthorized Actor in nanoid

Affected repositories (8)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄mediawiki/extensions/RelatedArticles
• ❌🗄mediawiki/extensions/WikibaseLexeme
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/push-notifications
• ❌wikimedia/toolhub
• ❌wvui

#1089034: ajv

Severity: moderate

Prototype Pollution in Ajv

Affected repositories (3)

• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/kartotherian
• mediawiki/services/recommendation-api

#1089058: lodash

Severity: moderate

Regular Expression Denial of Service (ReDoS) in lodash

Affected repositories (3)

• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/wikifeeds
• ❌mediawiki/tools/api-testing

#1089062: react-dev-utils

Severity: moderate

react-dev-utils OS Command Injection in function `getProcessForPort`

Affected repositories (2)

• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector

#1089070: jquery

Severity: moderate

Potential XSS vulnerability in jQuery

Affected repositories (1)

• 🗄mediawiki/extensions/WikibaseMediaInfo

#1089071: jquery

Severity: moderate

Potential XSS vulnerability in jQuery

Affected repositories (1)

• 🗄mediawiki/extensions/WikibaseMediaInfo

#1089108: deep-object-diff

Severity: moderate

deep-object-diff vulnerable to Prototype Pollution

Affected repositories (1)

• ❌🗄🔮mediawiki/skins/Vector

#1089122: vite

Severity: moderate

Vitejs Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service

Affected repositories (1)

• ❌wikidata/query-builder

#1089185: jsdom

Severity: moderate

Insufficient Granularity of Access Control in JSDom

Affected repositories (7)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄mediawiki/extensions/QuickSurveys
• ❌🗄mediawiki/extensions/RelatedArticles
• 🗄mediawiki/extensions/WikibaseMediaInfo
• mediawiki/services/mathjax-node
• mediawiki/services/mathoid
• mediawiki/services/zotero

#1089189: prismjs

Severity: moderate

prismjs Regular Expression Denial of Service vulnerability

Affected repositories (3)

• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wvui

#1089202: msgpack5

Severity: moderate

Prototype poisoning

Affected repositories (4)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/wikifeeds

#1089240: vuetify

Severity: moderate

Vuetify Cross-site Scripting vulnerability

Affected repositories (1)

• ❌wikimedia/toolhub

#1089434: jsonwebtoken

Severity: moderate

jsonwebtoken unrestricted key type could lead to legacy keys usage

Affected repositories (4)

• design/codex
• ❌mediawiki/services/push-notifications
• ❌mediawiki/services/restbase
• ❌wikidata/query-builder

#1089551: postcss

Severity: moderate

Regular Expression Denial of Service in postcss

Affected repositories (1)

• ❌wikimedia/portals

#1089600: validator

Severity: moderate

Inefficient Regular Expression Complexity in validator.js

Affected repositories (1)

• ❌mediawiki/services/service-scaffold-node

#1089681: path-parse

Severity: moderate

Regular Expression Denial of Service in path-parse

Affected repositories (4)

• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/wikifeeds
• ❌mediawiki/tools/api-testing

#1089718: color-string

Severity: moderate

Regular Expression Denial of Service (ReDOS)

Affected repositories (1)

• ❌wikimedia/portals

#1089720: striptags

Severity: moderate

Passing in a non-string 'html' argument can lead to unsanitized output

Affected repositories (2)

• ❌mediawiki/services/citoid
• ❌mediawiki/services/wikifeeds

#1089762: browserslist

Severity: moderate

Regular Expression Denial of Service in browserslist

Affected repositories (6)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/services/geoshapes
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌mediawiki/tools/api-testing
• ❌wvui

#1089809: hosted-git-info

Severity: moderate

Regular Expression Denial of Service in hosted-git-info

Affected repositories (2)

• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/wikifeeds

#1089963: netmask

Severity: moderate

netmask npm package vulnerable to octal input data

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1090060: highlight.js

Severity: moderate

Prototype Pollution in highlight.js

Affected repositories (2)

• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector

#1090097: minimist

Severity: moderate

Prototype Pollution in minimist

Affected repositories (12)

• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• mediawiki/services/mathoid
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds

#1090098: minimist

Severity: moderate

Prototype Pollution in minimist

Affected repositories (15)

• 🦆🗄🔮mediawiki/extensions/VisualEditor
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/citoid
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• mediawiki/services/mathoid
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/service-scaffold-node
• ❌mediawiki/services/wikifeeds
• mediawiki/services/zotero

#1090431: follow-redirects

Severity: moderate

Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects

Affected repositories (2)

• ❌🗄mediawiki/extensions/MobileFrontend
• ❌wvui

#1090460: node-forge

Severity: moderate

Open Redirect in node-forge

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1090461: markdown-it

Severity: moderate

Uncontrolled Resource Consumption in markdown-it

Affected repositories (3)

• mediawiki/extensions/GraphQL
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌mediawiki/tools/api-testing

#1090477: ws

Severity: moderate

ReDoS in Sec-Websocket-Protocol header

Affected repositories (1)

• ❌mediawiki/services/chromium-render

#1091026: @sideway/formula

Severity: moderate

@sideway/formula contains Regular Expression Denial of Service (ReDoS) Vulnerability

Affected repositories (1)

• ❌wikimedia/toolhub

#1091087: jsonwebtoken

Severity: moderate

jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

Affected repositories (4)

• design/codex
• ❌mediawiki/services/push-notifications
• ❌mediawiki/services/restbase
• ❌wikidata/query-builder

#1091170: jsonwebtoken

Severity: moderate

jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Affected repositories (4)

• design/codex
• ❌mediawiki/services/push-notifications
• ❌mediawiki/services/restbase
• ❌wikidata/query-builder

#1091410: request

Severity: moderate

Server-Side Request Forgery in Request

Affected repositories (1)

• ❌mediawiki/services/service-scaffold-node

#1091459: request

Severity: moderate

Server-Side Request Forgery in Request

Affected repositories (60)

• VisualEditor/VisualEditor
• design/codex
• mediawiki/core
• 🦆🗄🔮mediawiki/extensions/AbuseFilter
• 🗄mediawiki/extensions/AdvancedSearch
• 🗄mediawiki/extensions/CampaignEvents
• 🗄mediawiki/extensions/CentralNotice
• 🗄mediawiki/extensions/CheckUser
• ❌🗄mediawiki/extensions/CirrusSearch
• 🗄🔮mediawiki/extensions/Cite
• ❌🗄mediawiki/extensions/CodeMirror
• 🗄mediawiki/extensions/ContactPage
• 🗄🔮mediawiki/extensions/Echo
• 🗄mediawiki/extensions/ElectronPdfService
• 🗄mediawiki/extensions/EntitySchema
• 🗄mediawiki/extensions/FileImporter
• ❌🗄mediawiki/extensions/GlobalWatchlist
• ❌🗄mediawiki/extensions/GrowthExperiments
• ❌🗄🔮mediawiki/extensions/Math
• ❌🗄mediawiki/extensions/MobileFrontend
• 🗄mediawiki/extensions/Newsletter
• 🗄mediawiki/extensions/PageTriage
• ❌🗄mediawiki/extensions/Popups
• 🗄mediawiki/extensions/ProofreadPage
• ❌🗄mediawiki/extensions/QuickSurveys
• ❌🗄mediawiki/extensions/RelatedArticles
• 🗄mediawiki/extensions/RevisionSlider
• 🗄mediawiki/extensions/TemplateWizard
• ❌🗄mediawiki/extensions/TwoColConflict
• 🦆🗄🔮mediawiki/extensions/VisualEditor
• ❌🗄mediawiki/extensions/WikiLambda
• ❌🗄mediawiki/extensions/Wikibase
• ❌🗄mediawiki/extensions/WikibaseLexeme
• 🗄mediawiki/extensions/WikibaseMediaInfo
• ❌🗄mediawiki/extensions/Wikistories
• ❌mediawiki/services/change-propagation
• ❌mediawiki/services/chromium-render
• ❌mediawiki/services/citoid
• mediawiki/services/cxserver
• ❌mediawiki/services/eventstreams
• ❌mediawiki/services/example-node-api
• ❌mediawiki/services/function-evaluator
• ❌mediawiki/services/function-orchestrator
• ❌mediawiki/services/geoshapes
• ❌mediawiki/services/image-suggestion-api
• ❌mediawiki/services/kartotherian
• mediawiki/services/mathjax-node
• mediawiki/services/mathoid
• mediawiki/services/parsoid
• ❌mediawiki/services/parsoid/testreduce
• ❌mediawiki/services/push-notifications
• mediawiki/services/recommendation-api
• ❌mediawiki/services/restbase
• ❌mediawiki/services/wikifeeds
• mediawiki/services/zotero
• ❌🗄🔮mediawiki/skins/MinervaNeue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wikibase/javascript-api
• ❌wikimedia/portals
• ❌wvui

#1086487: node-fetch

Severity: low

The `size` option isn't honored after following a redirect in node-fetch

Affected repositories (1)

• mediawiki/extensions/GraphQL

#1088227: node-forge

Severity: low

Prototype Pollution in node-forge debug API.

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1088228: node-forge

Severity: low

Prototype Pollution in node-forge util.setPath API

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1088229: node-forge

Severity: low

URL parsing in node-forge could lead to undesired behavior.

Affected repositories (1)

• ❌mediawiki/services/push-notifications

#1088828: decode-uri-component

Severity: low

decode-uri-component vulnerable to Denial of Service (DoS)

Affected repositories (13)

• design/codex
• ❌🗄mediawiki/extensions/GrowthExperiments
• ❌🗄mediawiki/extensions/MachineVision
• ❌🗄mediawiki/extensions/MediaSearch
• ❌🗄mediawiki/extensions/MobileFrontend
• ❌🗄mediawiki/extensions/QuickSurveys
• ❌🗄mediawiki/extensions/RelatedArticles
• ❌🗄mediawiki/extensions/SearchVue
• ❌🗄🔮mediawiki/skins/Vector
• ❌wikidata/query-builder
• ❌wikimedia/portals
• ❌wikimedia/toolhub
• ❌wvui

#1089093: semver-regex

Severity: low

Regular expression denial of service in semver-regex

Affected repositories (2)

• 🦆🗄🔮mediawiki/extensions/VisualEditor
• oojs/core

Source code is licensed under the AGPL.