Skip to content

[stable32] Fix npm audit#2540

Open
nextcloud-command wants to merge 1 commit into
stable32from
automated/noid/stable32-fix-npm-audit
Open

[stable32] Fix npm audit#2540
nextcloud-command wants to merge 1 commit into
stable32from
automated/noid/stable32-fix-npm-audit

Conversation

@nextcloud-command

@nextcloud-command nextcloud-command commented Apr 26, 2026

Copy link
Copy Markdown
Contributor

Audit report

This audit fix resolves 5 of the total 34 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

@nextcloud/cypress #

  • Caused by vulnerable dependency:
  • Affected versions:
  • Package usage:
    • node_modules/@nextcloud/cypress

@testing-library/cypress #

  • Caused by vulnerable dependency:
  • Affected versions: 9.0.0 - 10.0.3
  • Package usage:
    • node_modules/@testing-library/cypress

@vitest/coverage-v8 #

  • Caused by vulnerable dependency:
  • Affected versions: 4.0.0-beta.1 - 4.1.0-beta.6
  • Package usage:
    • node_modules/@vitest/coverage-v8

vite #

  • launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
  • Severity: moderate
  • Reference: GHSA-v6wh-96g9-6wx3
  • Affected versions: 7.0.0 - 7.3.3
  • Package usage:
    • node_modules/vite

vitest #

  • When Vitest UI server is listening, arbitrary file can be read and executed
  • Severity: critical 🚨 (CVSS 9.8)
  • Reference: GHSA-5xrq-8626-4rwp
  • Affected versions: >=4.0.0 <4.1.0
  • Package usage:
    • node_modules/vitest

Full npm audit report

# npm audit report

elliptic  *
Elliptic Uses a Cryptographic Primitive with a Risky Implementation - https://github.com/advisories/GHSA-848j-6mx2-7j84
No fix available
node_modules/elliptic
  browserify-sign  >=2.4.0
  Depends on vulnerable versions of elliptic
  node_modules/browserify-sign
    crypto-browserify  >=3.4.0
    Depends on vulnerable versions of browserify-sign
    Depends on vulnerable versions of create-ecdh
    node_modules/crypto-browserify
      node-stdlib-browser  *
      Depends on vulnerable versions of crypto-browserify
      node_modules/node-stdlib-browser
        vite-plugin-node-polyfills  >=0.3.0
        Depends on vulnerable versions of node-stdlib-browser
        node_modules/vite-plugin-node-polyfills
          @nextcloud/vite-config  *
          Depends on vulnerable versions of vite-plugin-node-polyfills
          node_modules/@nextcloud/vite-config
  create-ecdh  *
  Depends on vulnerable versions of elliptic
  node_modules/create-ecdh

esbuild  0.27.3 - 0.28.0
esbuild allows arbitrary file read when running the development server on Windows - https://github.com/advisories/GHSA-g7r4-m6w7-qqqr
fix available via `npm audit fix`
node_modules/vite/node_modules/esbuild

qs  6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix`
node_modules/qs
  @cypress/request  <=4.0.0
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of uuid
  node_modules/@cypress/request
    cypress  4.3.0 - 15.14.2
    Depends on vulnerable versions of @cypress/request
    node_modules/cypress
      @nextcloud/cypress  
      Depends on vulnerable versions of cypress
      node_modules/@nextcloud/cypress

uuid  <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install dockerode@5.0.0, which is a breaking change
node_modules/dockerode/node_modules/uuid
node_modules/uuid
  dockerode  4.0.3 - 4.0.12
  Depends on vulnerable versions of uuid
  node_modules/dockerode

14 vulnerabilities (8 low, 6 moderate)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Node.js: v22.22.3 | npm: 10.9.8 | Branch: stable32

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Apr 26, 2026
@codecov

codecov Bot commented Apr 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@cypress

cypress Bot commented Apr 26, 2026

Copy link
Copy Markdown

Activity    Run #3877

Run Properties:  status check passed Passed #3877  •  git commit 88bf98afbb: [stable32] Fix npm audit
Project Activity
Branch Review automated/noid/stable32-fix-npm-audit
Run status status check passed Passed #3877
Run duration 02m 14s
Commit git commit 88bf98afbb: [stable32] Fix npm audit
Committer Nextcloud Command Bot
View all properties for this run ↗︎

Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 1
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 9
View all changes introduced in this branch ↗︎

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable32-fix-npm-audit branch from bb72b5a to f6c145b Compare May 3, 2026 04:09
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable32-fix-npm-audit branch from f6c145b to 8c97e47 Compare May 10, 2026 04:12
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable32-fix-npm-audit branch from 8c97e47 to ff8e36c Compare May 17, 2026 04:17
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable32-fix-npm-audit branch 2 times, most recently from b283b3b to 2376162 Compare May 31, 2026 04:22
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable32-fix-npm-audit branch from 2376162 to 8e7d8d2 Compare June 7, 2026 04:23
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable32-fix-npm-audit branch from 8e7d8d2 to 5cb93df Compare June 21, 2026 04:22
@AndyScherzinger AndyScherzinger added this to the Nextcloud 32.0.13 milestone Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3. to review dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants