[stable34] Fix npm audit#1062
Conversation
9bb88f7 to
87b1a05
Compare
Signed-off-by: GitHub <noreply@github.com>
87b1a05 to
0e5cedd
Compare
|
@coderabbitai review for any suspicious bumps, like dependencies updated without a purpose, because it says "0 unfixable" |
|
Tip For best results, initiate chat on the files or code changes. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
gh pr view 1062 --repo nextcloud/recommendations --json title,body,baseRefName,headRefName,files
echo "---DIFF---"
gh pr diff 1062 --repo nextcloud/recommendations > /tmp/pr.diff
wc -l /tmp/pr.diff
cat /tmp/pr.diffLength of output: 287539 🏁 Script executed: #!/bin/bash
set -euo pipefail
gh pr diff 1062 --repo nextcloud/recommendations -- package-lock.json > /tmp/lock.diff || true
wc -l /tmp/lock.diff
# Show only version-change lines
rg -n '^[+-]\s*"version"' /tmp/lock.diff | head -100
echo "---resolved lines---"
rg -n '^[+-]\s*"resolved"' /tmp/lock.diff | head -100
echo "---package name headers---"
rg -n '^[+-]\s*"node_modules/' /tmp/lock.diff | head -100Length of output: 767 🏁 Script executed: #!/bin/bash
set -euo pipefail
gh pr diff 1062 --repo nextcloud/recommendations > /tmp/full.diff
wc -l /tmp/full.diff
awk '/^diff --git a\/package-lock.json/{flag=1} /^diff --git a\/(?!package-lock.json)/{flag=0} flag' /tmp/full.diff > /tmp/lock.diff 2>/dev/null || true
# fallback with sed since awk regex lookahead not supported in POSIX awk
python3 - <<'EOF'
import re
with open('/tmp/full.diff') as f:
content = f.read()
parts = re.split(r'(?=^diff --git )', content, flags=re.M)
for p in parts:
if p.startswith('diff --git a/package-lock.json'):
with open('/tmp/lock.diff','w') as out:
out.write(p)
break
EOF
wc -l /tmp/lock.diff
grep -n '"version"' /tmp/lock.diff | head -200
echo "---resolved---"
grep -n '"resolved"' /tmp/lock.diff | head -200Length of output: 14003 🏁 Script executed: #!/bin/bash
set -euo pipefail
gh pr view 1062 --repo nextcloud/recommendations --json files --jq '.files[].path'
echo "---check package.json diff (should be none)---"
gh pr diff 1062 --repo nextcloud/recommendations | grep -c '^diff --git a/package.json' || trueLength of output: 846
None of these are major-version jumps, none appear to be arbitrary/unrelated bumps, and the same list of updates appears twice in the lockfile (once for the root workspace, once duplicated for a nested workspace entry), which is expected lockfile structure and not a sign of duplication issues. Given that "0 unfixable" in the audit report, these transitive bumps were likely picked up by regenerating the lockfile (e.g., The compiled |
Audit report
No fixable problems found (0 unfixable, 30 only fixable manually using --force)