[stable5.10] Fix npm audit#13288
Conversation
Signed-off-by: GitHub <noreply@github.com>
|
@coderabbitai review and try to spot any critical updates, the "No fixable problems found" is a bit suspicious |
🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
gh pr view 13288 --repo nextcloud/mail --json title,body,files,additions,deletions,commits | jq '.'
echo "-----DIFF STAT-----"
gh pr diff 13288 --repo nextcloud/mail | head -c 200
echo "-----FULL FILE LIST-----"
gh pr view 13288 --repo nextcloud/mail --json files --jq '.files[].path'Length of output: 1582 🏁 Script executed: #!/bin/bash
set -euo pipefail
gh pr diff 13288 --repo nextcloud/mailLength of output: 4237 🏁 Script executed: #!/bin/bash
set -euo pipefail
git fetch origin pull/13288/head:pr13288 2>&1 | tail -5 || true
git checkout pr13288 2>&1 | tail -5 || true
echo "----dompurify entries----"
rg -n '"dompurify"' package-lock.json -A3 | head -50
echo "----node_modules/dompurify block----"
rg -n 'node_modules/dompurify"' package-lock.json -A5Length of output: 1435 🤖 web_search executed:
Length of output: 5660 🤖 web_search executed:
Length of output: 4574 🤖 web_search executed:
Length of output: 18767 🤖 web_search executed:
Length of output: 3564 Good, that confirms 4.3.3 is a non-security bugfix release (parsing fixes only), not a further CVE fix.
Real dependency updates (5 lines resolved/version bumped):
Why "No fixable problems found" is not actually suspicious here: Bottom line: I don't see any critical/security-relevant version bump being introduced by this diff that isn't already covered. If you want, I can pull the actual list of the "3 unfixable" and "24 manual" advisories by running ✅ Action performedReview finished.
|
Audit report
No fixable problems found (3 unfixable, 24 only fixable manually using --force)