[master] Fix npm audit

[nextcloud-command]

Audit report

This audit fix resolves 45 of the total 49 vulnerabilities found in your project.

Updated dependencies

• @nextcloud/l10n
• @nextcloud/typings
• @nextcloud/vite-config
• @nextcloud/webpack-vue-config
• @vitejs/plugin-vue2
• @vue/component-compiler-utils
• @vue/test-utils
• anymatch
• bonjour
• braces
• chokidar
• css-loader
• dns-packet
• express
• floating-vue
• http-proxy-middleware
• icss-utils
• ip
• markdown-to-jsx
• micromatch
• multicast-dns
• node-forge
• node-gettext
• path-to-regexp
• postcss
• postcss-modules-extract-imports
• postcss-modules-local-by-default
• postcss-modules-scope
• postcss-modules-values
• react-styleguidist
• readdirp
• selfsigned
• vue
• vue-frag
• vue-inbrowser-compiler
• vue-inbrowser-compiler-demi
• vue-inbrowser-compiler-utils
• vue-inbrowser-prismjs-highlighter
• vue-loader
• vue-resize
• vue-styleguidist
• vue-template-compiler
• vue2-datepicker
• webpack-dev-middleware
• webpack-dev-server

Fixed vulnerabilities

@nextcloud/l10n #

• Caused by vulnerable dependency:
  • node-gettext
• Affected versions: >=1.1.0
• Package usage:
  • node_modules/@nextcloud/l10n

@nextcloud/typings #

• Caused by vulnerable dependency:
  • vue
• Affected versions: 1.7.0 - 1.8.0
• Package usage:
  • node_modules/@nextcloud/typings

@nextcloud/vite-config #

• Caused by vulnerable dependency:
  • @vitejs/plugin-vue2
• Affected versions: <=1.5.1
• Package usage:
  • node_modules/@nextcloud/vite-config

@nextcloud/webpack-vue-config #

• Caused by vulnerable dependency:
  • vue
  • vue-loader
  • vue-template-compiler
• Affected versions: *
• Package usage:
  • node_modules/@nextcloud/webpack-vue-config

@vitejs/plugin-vue2 #

• Caused by vulnerable dependency:
  • vue
• Affected versions: *
• Package usage:
  • node_modules/@vitejs/plugin-vue2

@vue/component-compiler-utils #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: *
• Package usage:
  • node_modules/@vue/component-compiler-utils

@vue/test-utils #

• Caused by vulnerable dependency:
  • vue
  • vue-template-compiler
• Affected versions: <=1.3.6
• Package usage:
  • node_modules/@vue/test-utils

anymatch #

• Caused by vulnerable dependency:
  • micromatch
• Affected versions: 1.2.0 - 2.0.0
• Package usage:
  • node_modules/vue-styleguidist/node_modules/anymatch

bonjour #

• Caused by vulnerable dependency:
  • multicast-dns
• Affected versions: >=3.3.1
• Package usage:
  • node_modules/bonjour

braces #

• Uncontrolled resource consumption in braces
• Severity: high (CVSS 7.5)
• Reference: GHSA-grv7-fg5c-xmjg
• Affected versions: <3.0.3
• Package usage:
  • node_modules/vue-styleguidist/node_modules/braces

chokidar #

• Caused by vulnerable dependency:
  • anymatch
  • braces
  • readdirp
• Affected versions: 1.3.0 - 2.1.8
• Package usage:
  • node_modules/vue-styleguidist/node_modules/chokidar

css-loader #

• Caused by vulnerable dependency:
  • icss-utils
  • postcss
  • postcss-modules-extract-imports
  • postcss-modules-local-by-default
  • postcss-modules-scope
  • postcss-modules-values
• Affected versions: 0.15.0 - 4.3.0
• Package usage:
  • node_modules/vue-styleguidist/node_modules/css-loader

dns-packet #

• Caused by vulnerable dependency:
  • ip
• Affected versions: <=5.2.4
• Package usage:
  • node_modules/bonjour/node_modules/dns-packet

express #

• Caused by vulnerable dependency:
  • path-to-regexp
• Affected versions: 4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
• Package usage:
  • node_modules/express

floating-vue #

• Caused by vulnerable dependency:
  • vue
  • vue-resize
• Affected versions: <=1.0.0-beta.19
• Package usage:
  • node_modules/floating-vue

http-proxy-middleware #

• Denial of service in http-proxy-middleware
• Severity: high (CVSS 7.5)
• Reference: GHSA-c7qv-q95q-8v27
• Affected versions: <=2.0.7-beta.1
• Package usage:
  • node_modules/vue-styleguidist/node_modules/http-proxy-middleware

icss-utils #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=4.1.1
• Package usage:
  • node_modules/icss-utils

ip #

• ip SSRF improper categorization in isPublic
• Severity: high (CVSS 8.1)
• Reference: GHSA-2p57-rm9w-gvfp
• Affected versions: *
• Package usage:
  • node_modules/ip

markdown-to-jsx #

• Cross site scripting in markdown-to-jsx
• Severity: moderate (CVSS 6.1)
• Reference: GHSA-4wx3-54gh-9fr9
• Affected versions: <7.4.0
• Package usage:
  • node_modules/markdown-to-jsx

micromatch #

• Regular Expression Denial of Service (ReDoS) in micromatch
• Severity: moderate (CVSS 5.3)
• Reference: GHSA-952p-6rrq-rcjv
• Affected versions: <=4.0.7
• Package usage:
  • node_modules/vue-styleguidist/node_modules/micromatch

multicast-dns #

• Caused by vulnerable dependency:
  • dns-packet
• Affected versions: 6.0.0 - 7.2.2
• Package usage:
  • node_modules/bonjour/node_modules/multicast-dns

node-forge #

• Prototype Pollution in node-forge debug API.
• Severity: low
• Reference: GHSA-5rrq-pxf6-6jx5
• Affected versions: <=1.2.1
• Package usage:
  • node_modules/vue-styleguidist/node_modules/node-forge

node-gettext #

• node-gettext vulnerable to Prototype Pollution
• Severity: high (CVSS 5.9)
• Reference: GHSA-g974-hxvm-x689
• Affected versions: *
• Package usage:
  • node_modules/node-gettext

path-to-regexp #

• Unpatched path-to-regexp ReDoS in 0.1.x
• Severity: moderate
• Reference: GHSA-rhx6-c78j-4q9w
• Affected versions: <0.1.12
• Package usage:
  • node_modules/path-to-regexp

postcss #

• PostCSS line return parsing error
• Severity: moderate (CVSS 5.3)
• Reference: GHSA-7fh5-64p2-3v2j
• Affected versions: <8.4.31
• Package usage:
  • node_modules/@vue/component-compiler-utils/node_modules/postcss
  • node_modules/icss-utils/node_modules/postcss
  • node_modules/postcss-modules-extract-imports/node_modules/postcss
  • node_modules/postcss-modules-local-by-default/node_modules/postcss
  • node_modules/postcss-modules-scope/node_modules/postcss
  • node_modules/postcss-modules-values/node_modules/postcss
  • node_modules/vue-styleguidist/node_modules/postcss

postcss-modules-extract-imports #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=2.0.0
• Package usage:
  • node_modules/postcss-modules-extract-imports

postcss-modules-local-by-default #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=3.0.3
• Package usage:
  • node_modules/postcss-modules-local-by-default

postcss-modules-scope #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=2.2.0
• Package usage:
  • node_modules/postcss-modules-scope

postcss-modules-values #

• Caused by vulnerable dependency:
  • postcss
• Affected versions: <=3.0.0
• Package usage:
  • node_modules/postcss-modules-values

react-styleguidist #

• Caused by vulnerable dependency:
  • markdown-to-jsx
  • webpack-dev-server
• Affected versions: >=5.0.0-beta.9
• Package usage:
  • node_modules/vue-styleguidist/node_modules/react-styleguidist

readdirp #

• Caused by vulnerable dependency:
  • micromatch
• Affected versions: 2.2.0 - 2.2.1
• Package usage:
  • node_modules/vue-styleguidist/node_modules/readdirp

selfsigned #

• Caused by vulnerable dependency:
  • node-forge
• Affected versions: 1.1.1 - 1.10.14
• Package usage:
  • node_modules/vue-styleguidist/node_modules/selfsigned

vue #

• ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
• Severity: low (CVSS 3.7)
• Reference: GHSA-5j4c-8p2g-v4jx
• Affected versions: 2.0.0-alpha.1 - 2.7.16
• Package usage:
  • node_modules/vue

vue-frag #

• Caused by vulnerable dependency:
  • vue
• Affected versions: >=1.3.1
• Package usage:
  • node_modules/vue-frag

vue-inbrowser-compiler #

• Caused by vulnerable dependency:
  • vue-inbrowser-compiler-utils
• Affected versions: >=4.50.0
• Package usage:
  • node_modules/vue-inbrowser-compiler

vue-inbrowser-compiler-demi #

• Caused by vulnerable dependency:
  • vue-template-compiler
• Affected versions: >=4.50.0
• Package usage:
  • node_modules/vue-inbrowser-compiler-demi

vue-inbrowser-compiler-utils #

• Caused by vulnerable dependency:
  • vue-inbrowser-compiler-demi
• Affected versions: >=4.50.0
• Package usage:
  • node_modules/vue-inbrowser-compiler-utils

vue-inbrowser-prismjs-highlighter #

• Caused by vulnerable dependency:
  • vue-inbrowser-compiler-utils
• Affected versions: *
• Package usage:
  • node_modules/vue-inbrowser-prismjs-highlighter

vue-loader #

• Caused by vulnerable dependency:
  • @vue/component-compiler-utils
• Affected versions: 15.0.0-beta.1 - 15.11.1
• Package usage:
  • node_modules/vue-loader

vue-resize #

• Caused by vulnerable dependency:
  • vue
• Affected versions: 0.4.0 - 1.0.1
• Package usage:
  • node_modules/vue-resize

vue-styleguidist #

• Caused by vulnerable dependency:
  • css-loader
  • react-styleguidist
  • vue-inbrowser-compiler
  • vue-inbrowser-compiler-utils
  • vue-inbrowser-prismjs-highlighter
  • vue-template-compiler
  • webpack-dev-server
• Affected versions: *
• Package usage:
  • node_modules/vue-styleguidist

vue-template-compiler #

• vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
• Severity: moderate (CVSS 4.2)
• Reference: GHSA-g3ch-rx76-35fx
• Affected versions: >=2.0.0
• Package usage:
  • node_modules/vue-template-compiler

vue2-datepicker #

• Caused by vulnerable dependency:
  • vue
• Affected versions: <=1.9.8 || 3.0.2 - 3.11.1
• Package usage:
  • node_modules/vue2-datepicker

webpack-dev-middleware #

• Path traversal in webpack-dev-middleware
• Severity: high (CVSS 7.4)
• Reference: GHSA-wr3j-pwj9-hqq6
• Affected versions: <=5.3.3
• Package usage:
  • node_modules/vue-styleguidist/node_modules/webpack-dev-middleware

webpack-dev-server #

• Caused by vulnerable dependency:
  • bonjour
  • chokidar
  • http-proxy-middleware
  • ip
  • selfsigned
  • webpack-dev-middleware
• Affected versions: <=4.7.4
• Package usage:
  • node_modules/vue-styleguidist/node_modules/webpack-dev-server