Skip to content

[stable34] Fix npm audit#1062

Merged
ChristophWurst merged 1 commit into
stable34from
automated/noid/stable34-fix-npm-audit
Jul 8, 2026
Merged

[stable34] Fix npm audit#1062
ChristophWurst merged 1 commit into
stable34from
automated/noid/stable34-fix-npm-audit

Conversation

@nextcloud-command

Copy link
Copy Markdown
Contributor

Audit report

No fixable problems found (0 unfixable, 30 only fixable manually using --force)

@nextcloud-command nextcloud-command added 3. to review dependencies Pull requests that update a dependency file labels Jun 21, 2026
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable34-fix-npm-audit branch from 9bb88f7 to 87b1a05 Compare June 28, 2026 04:28
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable34-fix-npm-audit branch from 87b1a05 to 0e5cedd Compare July 5, 2026 04:18
@ChristophWurst

Copy link
Copy Markdown
Member

@coderabbitai review for any suspicious bumps, like dependencies updated without a purpose, because it says "0 unfixable"

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr view 1062 --repo nextcloud/recommendations --json title,body,baseRefName,headRefName,files
echo "---DIFF---"
gh pr diff 1062 --repo nextcloud/recommendations > /tmp/pr.diff
wc -l /tmp/pr.diff
cat /tmp/pr.diff

Length of output: 287539


🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr diff 1062 --repo nextcloud/recommendations -- package-lock.json > /tmp/lock.diff || true
wc -l /tmp/lock.diff
# Show only version-change lines
rg -n '^[+-]\s*"version"' /tmp/lock.diff | head -100
echo "---resolved lines---"
rg -n '^[+-]\s*"resolved"' /tmp/lock.diff | head -100
echo "---package name headers---"
rg -n '^[+-]\s*"node_modules/' /tmp/lock.diff | head -100

Length of output: 767


🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr diff 1062 --repo nextcloud/recommendations > /tmp/full.diff
wc -l /tmp/full.diff
awk '/^diff --git a\/package-lock.json/{flag=1} /^diff --git a\/(?!package-lock.json)/{flag=0} flag' /tmp/full.diff > /tmp/lock.diff 2>/dev/null || true
# fallback with sed since awk regex lookahead not supported in POSIX awk
python3 - <<'EOF'
import re
with open('/tmp/full.diff') as f:
    content = f.read()
parts = re.split(r'(?=^diff --git )', content, flags=re.M)
for p in parts:
    if p.startswith('diff --git a/package-lock.json'):
        with open('/tmp/lock.diff','w') as out:
            out.write(p)
        break
EOF
wc -l /tmp/lock.diff
grep -n '"version"' /tmp/lock.diff | head -200
echo "---resolved---"
grep -n '"resolved"' /tmp/lock.diff | head -200

Length of output: 14003


🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr view 1062 --repo nextcloud/recommendations --json files --jq '.files[].path'
echo "---check package.json diff (should be none)---"
gh pr diff 1062 --repo nextcloud/recommendations | grep -c '^diff --git a/package.json' || true

Length of output: 846


@ChristophWurst: I checked the package-lock.json diff closely — package.json itself is untouched, so no direct dependency ranges changed. All the version bumps are transitive/dev-dependency updates within the same major version (i.e., these are compatible per existing semver ranges, likely resolved via npm install/npm update rather than a manual pin change):

  • @babel/* packages (code-frame, compat-data, core, generator, helper-*, parser, template, traverse, types) → all consolidated to 7.29.7 (previously a mix of 7.27.x7.29.3). This is a dev-only build toolchain dependency.
  • dompurify 3.4.23.4.11 (patch releases, includes known XSS hardening fixes)
  • fast-xml-parser 4.5.64.5.7
  • form-data 4.0.54.0.6
  • hasown 2.0.22.0.4
  • http-proxy-middleware 2.0.92.0.10
  • js-yaml 4.1.14.3.0
  • launch-editor 2.9.12.14.1
  • shell-quote 1.8.41.9.0
  • webpack-dev-server 5.2.55.2.6

None of these are major-version jumps, none appear to be arbitrary/unrelated bumps, and the same list of updates appears twice in the lockfile (once for the root workspace, once duplicated for a nested workspace entry), which is expected lockfile structure and not a sign of duplication issues.

Given that "0 unfixable" in the audit report, these transitive bumps were likely picked up by regenerating the lockfile (e.g., npm install) against the existing package.json ranges rather than npm audit fix --force, so they naturally resolved to the latest compatible patch/minor versions — several of which (dompurify, form-data, fast-xml-parser) do correspond to published security advisories. I don't see any suspicious or unrelated bumps (e.g., unrelated major version jumps, unexpected new packages, or unrelated dependency additions) in this diff.

The compiled js/recommendations-*.js and .map/.license files are just the expected build artifacts reflecting these updated transitive dependencies (webpack chunk hashes changed accordingly).

@ChristophWurst ChristophWurst merged commit c9b3ad2 into stable34 Jul 8, 2026
39 checks passed
@ChristophWurst ChristophWurst deleted the automated/noid/stable34-fix-npm-audit branch July 8, 2026 06:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3. to review dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants