[stable4] Fix npm audit

[nextcloud-command]

Audit report

This audit fix resolves 25 of the total 41 vulnerabilities found in your project.

Updated dependencies

• @adobe/css-tools
• @nextcloud/capabilities
• @nextcloud/files
• @nextcloud/typings
• @vue/test-utils
• axios
• babel-helper-function-name
• babel-plugin-transform-class-properties
• babel-template
• babel-traverse
• braces
• cross-spawn
• dompurify
• elliptic
• follow-redirects
• happy-dom
• micromatch
• nanoid
• rollup
• serialize-javascript
• vite
• vitest
• vue-resize
• vue-tsc
• webpack

Fixed vulnerabilities

@adobe/css-tools #

• @adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity
• Severity: moderate (CVSS 5)
• Reference: GHSA-prr3-c3m5-p7q2
• Affected versions: <4.3.2
• Package usage:
  • node_modules/@adobe/css-tools

@nextcloud/capabilities #

• Caused by vulnerable dependency:
  • babel-plugin-transform-class-properties
• Affected versions: 1.1.0
• Package usage:
  • node_modules/@nextcloud/capabilities

@nextcloud/files #

• Caused by vulnerable dependency:
  • @nextcloud/l10n
• Affected versions: 1.1.0 - 3.2.1
• Package usage:
  • node_modules/@nextcloud/files

@nextcloud/typings #

• Caused by vulnerable dependency:
  • vue
• Affected versions: 1.7.0 - 1.8.0
• Package usage:
  • node_modules/@nextcloud/typings

@vue/test-utils #

• Caused by vulnerable dependency:
  • vue
  • vue-template-compiler
• Affected versions: <=1.3.6
• Package usage:
  • node_modules/@vue/test-utils

axios #

• Axios Cross-Site Request Forgery Vulnerability
• Severity: moderate (CVSS 6.5)
• Reference: GHSA-wf5p-g6vw-rhxx
• Affected versions: 1.0.0 - 1.7.3
• Package usage:
  • node_modules/axios

babel-helper-function-name #

• Caused by vulnerable dependency:
  • babel-template
  • babel-traverse
• Affected versions: *
• Package usage:
  • node_modules/babel-helper-function-name

babel-plugin-transform-class-properties #

• Caused by vulnerable dependency:
  • babel-helper-function-name
  • babel-template
• Affected versions: >=6.11.5
• Package usage:
  • node_modules/babel-plugin-transform-class-properties

babel-template #

• Caused by vulnerable dependency:
  • babel-traverse
• Affected versions: *
• Package usage:
  • node_modules/babel-template

babel-traverse #

• Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
• Severity: critical 🚨 (CVSS 9.4)
• Reference: GHSA-67hx-6x53-jw92
• Affected versions: *
• Package usage:
  • node_modules/babel-traverse

braces #

• Uncontrolled resource consumption in braces
• Severity: high (CVSS 7.5)
• Reference: GHSA-grv7-fg5c-xmjg
• Affected versions: <3.0.3
• Package usage:
  • node_modules/braces

cross-spawn #

• Regular Expression Denial of Service (ReDoS) in cross-spawn
• Severity: high (CVSS 7.5)
• Reference: GHSA-3xgq-45jj-v275
• Affected versions: 7.0.0 - 7.0.4
• Package usage:
  • node_modules/cross-spawn

dompurify #

• DOMPurify allows tampering by prototype pollution
• Severity: high (CVSS 7)
• Reference: GHSA-mmhx-hmjr-r674
• Affected versions: <=3.2.3
• Package usage:
  • node_modules/dompurify

elliptic #

• Elliptic's EDDSA missing signature length check
• Severity: low (CVSS 5.3)
• Reference: GHSA-f7q4-pwc6-w24p
• Affected versions: <=6.6.0
• Package usage:
  • node_modules/elliptic

follow-redirects #

• Follow Redirects improperly handles URLs in the url.parse() function
• Severity: moderate (CVSS 6.1)
• Reference: GHSA-jchw-25xp-jwwc
• Affected versions: <=1.15.5
• Package usage:
  • node_modules/follow-redirects

happy-dom #

• happy-dom allows for server side code to be executed by a <script> tag
• Severity: critical 🚨
• Reference: GHSA-96g7-g7g9-jxw8
• Affected versions: <15.10.2
• Package usage:
  • node_modules/happy-dom

micromatch #

• Regular Expression Denial of Service (ReDoS) in micromatch
• Severity: moderate (CVSS 5.3)
• Reference: GHSA-952p-6rrq-rcjv
• Affected versions: <4.0.8
• Package usage:
  • node_modules/micromatch

nanoid #

• Predictable results in nanoid generation when given non-integer values
• Severity: moderate (CVSS 4.3)
• Reference: GHSA-mwcw-c2x4-8c55
• Affected versions: <3.3.8
• Package usage:
  • node_modules/nanoid

rollup #

• DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
• Severity: high (CVSS 6.4)
• Reference: GHSA-gcx4-mw62-g8wm
• Affected versions: 4.0.0 - 4.22.3
• Package usage:
  • node_modules/rollup

serialize-javascript #

• Cross-site Scripting (XSS) in serialize-javascript
• Severity: moderate (CVSS 5.4)
• Reference: GHSA-76p7-773f-r4q5
• Affected versions: <6.0.2
• Package usage:
  • node_modules/serialize-javascript

vite #

• Vite's server.fs.deny did not deny requests for patterns with directories.
• Severity: moderate (CVSS 5.9)
• Reference: GHSA-8jhw-289h-jh2g
• Affected versions: 0.11.0 - 6.1.1
• Package usage:
  • node_modules/vite

vitest #

• Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
• Severity: critical 🚨 (CVSS 9.7)
• Reference: GHSA-9crc-q9x8-hgqq
• Affected versions: 1.0.0 - 1.6.0
• Package usage:
  • node_modules/vitest

vue-resize #

• Caused by vulnerable dependency:
  • vue
• Affected versions: 0.4.0 - 1.0.1
• Package usage:
  • node_modules/vue-resize

vue-tsc #

• Caused by vulnerable dependency:
  • @vue/language-core
• Affected versions: 1.7.0-alpha.0 - 2.0.28
• Package usage:
  • node_modules/vue-tsc

webpack #

• Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
• Severity: moderate (CVSS 6.4)
• Reference: GHSA-4vvj-4cpr-p986
• Affected versions: 5.0.0-alpha.0 - 5.93.0
• Package usage:
  • node_modules/webpack