nextcloud / end_to_end_encryption

:closed_lock_with_key: Server API to support End-to-End Encryption

https://apps.nextcloud.com/apps/end_to_end_encryption

GNU Affero General Public License v3.0

276 stars 34 forks source link

[stable29] Fix npm audit #798

Open nextcloud-command opened 1 month ago

nextcloud-command commented 1 month ago

Audit report

This audit fix resolves 18 of the total 26 vulnerabilities found in your project.

Updated dependencies

@nextcloud/dialogs
@nextcloud/files
@vue/component-compiler-utils
@vue/test-utils
babel-plugin-transform-es2015-modules-commonjs
babel-template
babel-traverse
cookie
cross-spawn
elliptic
express
http-proxy-middleware
postcss
vue
vue-jest
vue-loader
vue-resize
vue-template-compiler
Fixed vulnerabilities

@nextcloud/dialogs #

Caused by vulnerable dependency:
Affected versions: >=2.0.0
Package usage:
- node_modules/@nextcloud/dialogs
- node_modules/@nextcloud/vue/node_modules/@nextcloud/dialogs

@nextcloud/files #

Caused by vulnerable dependency:
- @nextcloud/l10n
Affected versions: >=1.1.0
Package usage:
- node_modules/@nextcloud/files

@vue/component-compiler-utils #

Caused by vulnerable dependency:
- postcss
Affected versions: *
Package usage:
- node_modules/@vue/component-compiler-utils

@vue/test-utils #

Caused by vulnerable dependency:
- vue
- vue-template-compiler
Affected versions: <=1.3.6
Package usage:
- node_modules/@vue/test-utils

babel-plugin-transform-es2015-modules-commonjs #

Caused by vulnerable dependency:
- babel-template
Affected versions: <=7.0.0-beta.0
Package usage:
- node_modules/babel-plugin-transform-es2015-modules-commonjs

babel-template #

Caused by vulnerable dependency:
- babel-traverse
Affected versions: *
Package usage:
- node_modules/babel-template

babel-traverse #

Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Severity: critical 🚨 (CVSS 9.4)
Reference: https://github.com/advisories/GHSA-67hx-6x53-jw92
Affected versions: *
Package usage:
- node_modules/babel-traverse

cookie #

cookie accepts cookie name, path, and domain with out of bounds characters
Severity: low
Reference: https://github.com/advisories/GHSA-pxg6-pf52-xh8x
Affected versions: <0.7.0
Package usage:
- node_modules/cookie

cross-spawn #

Regular Expression Denial of Service (ReDoS) in cross-spawn
Severity: high (CVSS 7.5)
Reference: https://github.com/advisories/GHSA-3xgq-45jj-v275
Affected versions: 7.0.0 - 7.0.4
Package usage:
- node_modules/cross-spawn

elliptic #

Valid ECDSA signatures erroneously rejected in Elliptic
Severity: low (CVSS 4.8)
Reference: https://github.com/advisories/GHSA-fc9h-whq2-v747
Affected versions: <6.6.0
Package usage:
- node_modules/elliptic

express #

Caused by vulnerable dependency:
- cookie
Affected versions: 3.0.0-alpha1 - 4.21.0 || 5.0.0-alpha.1 - 5.0.0
Package usage:
- node_modules/express

http-proxy-middleware #

Denial of service in http-proxy-middleware
Severity: high (CVSS 7.5)
Reference: https://github.com/advisories/GHSA-c7qv-q95q-8v27
Affected versions: <2.0.7
Package usage:
- node_modules/http-proxy-middleware

postcss #

PostCSS line return parsing error
Severity: moderate (CVSS 5.3)
Reference: https://github.com/advisories/GHSA-7fh5-64p2-3v2j
Affected versions: <8.4.31
Package usage:
- node_modules/@vue/component-compiler-utils/node_modules/postcss

vue #

ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
Severity: low (CVSS 3.7)
Reference: https://github.com/advisories/GHSA-5j4c-8p2g-v4jx
Affected versions: 2.0.0-alpha.1 - 2.7.16
Package usage:
- node_modules/vue

vue-jest #

Caused by vulnerable dependency:
Affected versions: 1.0.0 - 5.0.0-alpha.1
Package usage:
- node_modules/vue-jest

vue-loader #

Caused by vulnerable dependency:
- @vue/component-compiler-utils
Affected versions: 15.0.0-beta.1 - 15.11.1
Package usage:
- node_modules/vue-loader

vue-resize #

Caused by vulnerable dependency:
- vue
Affected versions: 0.4.0 - 1.0.1
Package usage:
- node_modules/vue-resize

vue-template-compiler #

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
Severity: moderate (CVSS 4.2)
Reference: https://github.com/advisories/GHSA-g3ch-rx76-35fx
Affected versions: >=2.0.0
Package usage:
- node_modules/vue-template-compiler