Skip to content

[stable32] Fix npm audit#1061

Merged
ChristophWurst merged 1 commit into
stable32from
automated/noid/stable32-fix-npm-audit
Jul 8, 2026
Merged

[stable32] Fix npm audit#1061
ChristophWurst merged 1 commit into
stable32from
automated/noid/stable32-fix-npm-audit

Conversation

@nextcloud-command

Copy link
Copy Markdown
Contributor

Audit report

No fixable problems found (0 unfixable, 30 only fixable manually using --force)

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Jun 21, 2026
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable32-fix-npm-audit branch from f3d942f to 26ca782 Compare June 28, 2026 04:26
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable32-fix-npm-audit branch from 26ca782 to fc40cf0 Compare July 5, 2026 04:23
@ChristophWurst

Copy link
Copy Markdown
Member

@coderabbitai review for any suspicious bumps, like dependencies updated without a purpose, because it says "0 unfixable"

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr view 1061 --repo nextcloud/recommendations --json title,body,files -q '.files[].path'
echo "---DIFF package.json---"
gh pr diff 1061 --repo nextcloud/recommendations -- package.json || true

Length of output: 821


🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr diff 1061 --repo nextcloud/recommendations > /tmp/pr.diff
wc -l /tmp/pr.diff
echo "---package-lock.json diff (name/version lines only)---"
awk '/^diff --git a\/package-lock.json/,/^diff --git a\/(?!package-lock.json)/' /tmp/pr.diff | head -400

Length of output: 18293


🏁 Script executed:

#!/bin/bash
set -euo pipefail
grep -B2 '"version":' /tmp/pr.diff | grep -E '^\+|^-' | grep '"version"' > /tmp/versions.txt
paste -d'|' <(grep '^-' /tmp/versions.txt) <(grep '^+' /tmp/versions.txt) | head -100
echo "---count---"
grep -c '^-.*"version"' /tmp/pr.diff
grep -c '^+.*"version"' /tmp/pr.diff
echo "---new packages added---"
grep '^\+.*"node_modules/' /tmp/pr.diff
echo "---removed packages---"
grep '^\-.*"node_modules/' /tmp/pr.diff

Length of output: 792


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "---count old/new version lines---"
grep -c '^-.*"version"' /tmp/pr.diff || true
grep -c '^+.*"version"' /tmp/pr.diff || true
echo "---new packages added (node_modules paths)---"
grep '^\+.*"node_modules/' /tmp/pr.diff || true
echo "---removed packages (node_modules paths)---"
grep '^\-.*"node_modules/' /tmp/pr.diff || true
echo "---all version bump pairs---"
python3 - <<'EOF'
import re
with open('/tmp/pr.diff') as f:
    lines = f.readlines()
i = 0
pkg = None
for line in lines:
    m = re.match(r'^\s*"(node_modules/[^"]+)":\s*\{', line.lstrip('+-'))
    if m:
        pkg = m.group(1)
    m2 = re.match(r'^-\s*"version":\s*"([^"]+)"', line)
    if m2 and pkg:
        old = m2.group(1)
    m3 = re.match(r'^\+\s*"version":\s*"([^"]+)"', line)
    if m3 and pkg:
        new = m3.group(1)
        print(f"{pkg}: {old if 'old' in dir() else '?'} -> {new}")
EOF

Length of output: 3853


@ChristophWurst I reviewed the package-lock.json diff (no package.json changes) for the 56 version bumps. Summary:

Babel toolchain (all peer/dev, aligned to a single new baseline 7.29.7):
@babel/code-frame, compat-data, core, generator, helper-compilation-targets, helper-globals, helper-module-imports, helper-module-transforms, helper-string-parser, helper-validator-identifier, helper-validator-option, helpers, parser, template, traverse, types — all bumped from various 7.27.x–7.29.x to 7.29.7. This looks like a consistent, coordinated babel-core update rather than a stray bump.

Notable dependency swap:

  • @ampproject/remapping@2.2.1 removed, @jridgewell/remapping@2.3.5 added — this is an internal change in @babel/core's dependency graph (babel switched remapping implementations upstream), not an unrelated addition.

Other transitive bumps (all patch/minor, no majors):

  • dompurify 3.4.2 → 3.4.11 (XSS fixes)
  • fast-xml-parser 4.5.6 → 4.5.7 (prototype-pollution related fix)
  • form-data 4.0.5 → 4.0.6 (predictable multipart boundary CVE fix)
  • hasown 2.0.2 → 2.0.4
  • http-proxy-middleware 2.0.9 → 2.0.10
  • js-yaml 4.1.1 → 4.3.0
  • launch-editor 2.9.1 → 2.14.1
  • shell-quote 1.8.4 → 1.9.0
  • webpack-dev-server 5.2.5 → 5.2.6

I didn't find any suspicious, unrelated, or majorly-jumped dependency — all changes are patch/minor bumps to transitive dev/build dependencies, consistent with an npm audit fix / lockfile regeneration. No new unrelated top-level packages were introduced. This looks safe to merge as a routine security lockfile refresh.

@ChristophWurst ChristophWurst merged commit 9f728f6 into stable32 Jul 8, 2026
41 checks passed
@ChristophWurst ChristophWurst deleted the automated/noid/stable32-fix-npm-audit branch July 8, 2026 06:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3. to review dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants