Skip to content

[stable5.6] Fix npm audit #12270

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nextcloud-command wants to merge 1 commit into
base: stable5.6
Choose a base branch
from
Open

[stable5.6] Fix npm audit #12270

nextcloud-command wants to merge 1 commit into from
+408 −296

Conversation

@nextcloud-command
Copy link
Contributor

@nextcloud-command nextcloud-command commented Jan 20, 2026
edited
Loading

Audit report

This audit fix resolves 2 of the total 30 vulnerabilities found in your project.

Updated dependencies

Fixed vulnerabilities

lodash #

  • Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions
  • Severity: moderate (CVSS 6.5)
  • Reference: GHSA-xxjr-mmjv-4gpg
  • Affected versions: 4.0.0 - 4.17.21
  • Package usage:
    • node_modules/lodash

webpack #

  • webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
  • Severity: low (CVSS 3.7)
  • Reference: GHSA-8fgc-7cc6-rx7x
  • Affected versions: 5.49.0 - 5.104.0
  • Package usage:
    • node_modules/webpack

@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.6-fix-npm-audit branch from 3b69b32 to 84c09fb Compare January 27, 2026 03:13
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.6-fix-npm-audit branch from 84c09fb to 8459465 Compare February 3, 2026 03:24
@nextcloud-command
fix(deps): Fix npm audit
d179e48 
Signed-off-by: GitHub <noreply@github.com>
@nextcloud-command nextcloud-command force-pushed the automated/noid/stable5.6-fix-npm-audit branch from 8459465 to d179e48 Compare February 10, 2026 03:34
ChristophWurst
ChristophWurst requested changes Feb 10, 2026
View reviewed changes
package-lock.json
"version": "8.35.0",
"resolved": "https://registry.npmjs.org/@nextcloud/vue/-/vue-8.35.0.tgz",
"integrity": "sha512-qPm0aaPbnt7n694WQ97T+EMQTxCa3+RPKDzsBVD6vb01N4uGYwjvrEEOLVmBMlEWqkFy+ks3tpeOjkDPOoJbNA==",
"version": "8.36.0",
Copy link
Member

@ChristophWurst ChristophWurst Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The usual unrelated suspect

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChristophWurst ChristophWurst ChristophWurst requested changes

@GretaD GretaD Awaiting requested review from GretaD GretaD is a code owner

@kesselb kesselb Awaiting requested review from kesselb kesselb is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

3. to review dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nextcloud-command @ChristophWurst