Skip to content

[stable5.10] Fix npm audit#13288

Merged
ChristophWurst merged 1 commit into
stable5.10from
automated/noid/stable5.10-fix-npm-audit
Jul 14, 2026
Merged

[stable5.10] Fix npm audit#13288
ChristophWurst merged 1 commit into
stable5.10from
automated/noid/stable5.10-fix-npm-audit

Conversation

@nextcloud-command

Copy link
Copy Markdown
Contributor

Audit report

No fixable problems found (3 unfixable, 24 only fixable manually using --force)

Signed-off-by: GitHub <noreply@github.com>
@ChristophWurst

Copy link
Copy Markdown
Member

@coderabbitai review and try to spot any critical updates, the "No fixable problems found" is a bit suspicious

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

gh pr view 13288 --repo nextcloud/mail --json title,body,files,additions,deletions,commits | jq '.'
echo "-----DIFF STAT-----"
gh pr diff 13288 --repo nextcloud/mail | head -c 200
echo "-----FULL FILE LIST-----"
gh pr view 13288 --repo nextcloud/mail --json files --jq '.files[].path'

Length of output: 1582


🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr diff 13288 --repo nextcloud/mail

Length of output: 4237


🏁 Script executed:

#!/bin/bash
set -euo pipefail
git fetch origin pull/13288/head:pr13288 2>&1 | tail -5 || true
git checkout pr13288 2>&1 | tail -5 || true
echo "----dompurify entries----"
rg -n '"dompurify"' package-lock.json -A3 | head -50
echo "----node_modules/dompurify block----"
rg -n 'node_modules/dompurify"' package-lock.json -A5

Length of output: 1435


🤖 web_search executed:

GHSA advisory linkifyjs 4.3.2 vulnerability npm

Length of output: 5660


🤖 web_search executed:

GHSA advisory tabbable 6.4.0 vulnerability npm

Length of output: 4574


🤖 web_search executed:

npm audit dompurify unfixable 3 vulnerabilities nextcloud mail known issues

Length of output: 18767


🤖 web_search executed:

linkifyjs 4.3.3 changelog release notes github

Length of output: 3564


Good, that confirms 4.3.3 is a non-security bugfix release (parsing fixes only), not a further CVE fix.

@ChristophWurst I've dug into the actual package-lock.json diff — here's the summary of what changed:

Real dependency updates (5 lines resolved/version bumped):

  1. @nextcloud/vue 8.39.0 → 8.40.0 — pulls in the requirement bumps below.
  2. linkifyjs / linkify-string 4.3.2 → 4.3.3 — this is a follow-up bugfix release (parsing fixes for special encoded URLs, email port-number handling, stricter version pinning between linkify core/plugins). The actual security fix (CVE-2025-8101, prototype-pollution → stored/reflected XSS, GHSA-95jq-xph2-cx9h) was already patched in 4.3.2, which was already in your lockfile before this PR. So no new CVE is being closed here — 4.3.3 is just hygiene.
  3. tabbable 6.4.0 → 6.5.0 — no known CVEs against tabbable in the OSV/Snyk/GitHub advisory databases; this looks like a minor feature/compat release (re-enabling CSS :inert selector matching for JSDOM ≥26).
  4. dompurify requirement string ^3.4.2^3.4.11 in @nextcloud/vue's manifest — but the installed dompurify was already resolved to 3.4.11 in your lockfile prior to this PR (from earlier PRs #13043/fix(deps): bump dompurify from ^3.4.2 to v3.4.11 (stable5.9) #13092/fix(deps): bump dompurify from ^3.4.8 to v3.4.11 (main) #13122), which already covers CVE-2025-26791 (mXSS) and the more recent setConfig()/ALLOWED_ATTR pollution issue. So this is just tightening the declared range to match what's already installed — not an actual version bump.

Why "No fixable problems found" is not actually suspicious here:
npm audit classifies advisories as auto-fixable only when a compatible in-range bump exists. Since the transitively-vulnerable packages (dompurify, linkifyjs) were already at their patched versions from prior maintenance PRs, and the 3 "unfixable" + 24 "manual --force" entries are almost certainly deep transitive dev-dependencies (build tooling) that would require breaking major version bumps to resolve — npm audit correctly reports nothing left to auto-fix. This PR is essentially just reconciling package-lock.json metadata/requirement strings with the already-patched tree, plus one real (non-security) bump to @nextcloud/vue/tabbable.

Bottom line: I don't see any critical/security-relevant version bump being introduced by this diff that isn't already covered. If you want, I can pull the actual list of the "3 unfixable" and "24 manual" advisories by running npm audit --json against this branch's lockfile so you can see exactly which packages they refer to — let me know and I can walk through gathering that (would need network access to npm registry from the sandbox, which may not be available; alternatively you can paste the npm audit JSON output here and I'll analyze it).

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ChristophWurst ChristophWurst merged commit c0932fb into stable5.10 Jul 14, 2026
45 checks passed
@ChristophWurst ChristophWurst deleted the automated/noid/stable5.10-fix-npm-audit branch July 14, 2026 09:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants