From f8867bf076d774d8f4ddd377a0505cae55a917f5 Mon Sep 17 00:00:00 2001 From: Adam Stachowicz Date: Thu, 4 Apr 2024 18:10:57 +0200 Subject: [PATCH 1/2] Update `axios`, `axios-ntlm`, `@actions/github` and `dompurify` No `package-lock.json` refresh, no other changes in `package.json`. 11 vulnerabilities with 1 critical... --- package-lock.json | 65 ++++++++++++++++++++++++++++------------------- package.json | 8 +++--- 2 files changed, 43 insertions(+), 30 deletions(-) diff --git a/package-lock.json b/package-lock.json index 56ae47a36a..f0191b7f6f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -13,8 +13,8 @@ "@louislam/ping": "~0.4.4-mod.1", "@louislam/sqlite3": "15.1.6", "args-parser": "~1.3.0", - "axios": "~0.27.0", - "axios-ntlm": "1.3.0", + "axios": "~0.28.1", + "axios-ntlm": "1.3.1", "badge-maker": "~3.3.1", "bcryptjs": "~2.4.3", "cacheable-lookup": "~6.0.4", @@ -78,7 +78,7 @@ "ws": "^8.13.0" }, "devDependencies": { - "@actions/github": "~5.0.1", + "@actions/github": "~5.1.1", "@babel/eslint-parser": "^7.22.7", "@babel/preset-env": "^7.15.8", "@fortawesome/fontawesome-svg-core": "~1.2.36", @@ -102,7 +102,7 @@ "cypress": "^13.2.0", "delay": "^5.0.0", "dns2": "~2.0.1", - "dompurify": "~2.4.3", + "dompurify": "~3.0.11", "eslint": "~8.14.0", "eslint-plugin-vue": "~8.7.1", "favico.js": "~0.3.10", @@ -153,9 +153,9 @@ } }, "node_modules/@actions/github": { - "version": "5.0.3", - "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.0.3.tgz", - "integrity": "sha512-myjA/pdLQfhUGLtRZC/J4L1RXOG4o6aYdiEq+zr5wVVKljzbFld+xv10k1FX6IkIJtNxbAq44BdwSNpQ015P0A==", + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz", + "integrity": "sha512-Nk59rMDoJaV+mHCOJPXuvB1zIbomlKS0dmSIqPGxd0enAXBnOfn4VWF+CGtRCwXZG9Epa54tZA7VIRlJDS8A6g==", "dev": true, "dependencies": { "@actions/http-client": "^2.0.1", @@ -6510,31 +6510,44 @@ "dev": true }, "node_modules/axios": { - "version": "0.27.2", - "resolved": "https://registry.npmjs.org/axios/-/axios-0.27.2.tgz", - "integrity": "sha512-t+yRIyySRTp/wua5xEr+z1q60QmLq8ABsS5O9Me1AsE5dfKqgnCFzwiCZZ/cGNd1lq4/7akDWMxdhVlucjmnOQ==", + "version": "0.28.1", + "resolved": "https://registry.npmjs.org/axios/-/axios-0.28.1.tgz", + "integrity": "sha512-iUcGA5a7p0mVb4Gm/sy+FSECNkPFT4y7wt6OM/CDpO/OnNCvSs3PoMG8ibrC9jRoGYU0gUK5pXVC4NPXq6lHRQ==", "dependencies": { - "follow-redirects": "^1.14.9", - "form-data": "^4.0.0" + "follow-redirects": "^1.15.0", + "form-data": "^4.0.0", + "proxy-from-env": "^1.1.0" } }, "node_modules/axios-ntlm": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/axios-ntlm/-/axios-ntlm-1.3.0.tgz", - "integrity": "sha512-NPNsIMO1SGX5scs3ZWJqsV7iRLvET+DlRl94aZ7Sx14zA8RTQh9EDxsJmxB9cKjardKfp2Vge444uYYLfvWC0Q==", + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/axios-ntlm/-/axios-ntlm-1.3.1.tgz", + "integrity": "sha512-YhjZj6UUzFzGirh7SiKbyvoXCWiZFMjjx2WJ8ouUUGNrqw/QgTc4H3M+7a6CTGENfLgXi2OiEhVeHmqoCffdYQ==", "dependencies": { - "axios": "^0.21.3", + "axios": "^1.2.0", "dev-null": "^0.1.1" } }, "node_modules/axios-ntlm/node_modules/axios": { - "version": "0.21.4", - "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.4.tgz", - "integrity": "sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg==", + "version": "1.6.8", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz", + "integrity": "sha512-v/ZHtJDU39mDpyBoFVkETcd/uNdxrWRrg3bKpOKzXFA6Bvqopts6ALSMU3y6ijYxbw2B+wPrIv46egTzJXCLGQ==", "dependencies": { - "follow-redirects": "^1.14.0" + "follow-redirects": "^1.15.6", + "form-data": "^4.0.0", + "proxy-from-env": "^1.1.0" } }, + "node_modules/axios-ntlm/node_modules/proxy-from-env": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", + "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==" + }, + "node_modules/axios/node_modules/proxy-from-env": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", + "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==" + }, "node_modules/babel-jest": { "version": "29.7.0", "resolved": "https://registry.npmjs.org/babel-jest/-/babel-jest-29.7.0.tgz", @@ -8790,9 +8803,9 @@ } }, "node_modules/dompurify": { - "version": "2.4.7", - "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.4.7.tgz", - "integrity": "sha512-kxxKlPEDa6Nc5WJi+qRgPbOAbgTpSULL+vI3NUXsZMlkJxTqYI9wg5ZTay2sFrdZRWHPWNi+EdAhcJf81WtoMQ==", + "version": "3.0.11", + "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.0.11.tgz", + "integrity": "sha512-Fan4uMuyB26gFV3ovPoEoQbxRRPfTu3CvImyZnhGq5fsIEO+gEFLp45ISFt+kQBWsK5ulDdT0oV28jS1UrwQLg==", "dev": true }, "node_modules/domutils": { @@ -10035,9 +10048,9 @@ "dev": true }, "node_modules/follow-redirects": { - "version": "1.15.4", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.4.tgz", - "integrity": "sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw==", + "version": "1.15.6", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz", + "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==", "funding": [ { "type": "individual", diff --git a/package.json b/package.json index 3c4d048caa..0540634412 100644 --- a/package.json +++ b/package.json @@ -82,8 +82,8 @@ "@louislam/ping": "~0.4.4-mod.1", "@louislam/sqlite3": "15.1.6", "args-parser": "~1.3.0", - "axios": "~0.27.0", - "axios-ntlm": "1.3.0", + "axios": "~0.28.1", + "axios-ntlm": "1.3.1", "badge-maker": "~3.3.1", "bcryptjs": "~2.4.3", "cacheable-lookup": "~6.0.4", @@ -147,7 +147,7 @@ "ws": "^8.13.0" }, "devDependencies": { - "@actions/github": "~5.0.1", + "@actions/github": "~5.1.1", "@babel/eslint-parser": "^7.22.7", "@babel/preset-env": "^7.15.8", "@fortawesome/fontawesome-svg-core": "~1.2.36", @@ -171,7 +171,7 @@ "cypress": "^13.2.0", "delay": "^5.0.0", "dns2": "~2.0.1", - "dompurify": "~2.4.3", + "dompurify": "~3.0.11", "eslint": "~8.14.0", "eslint-plugin-vue": "~8.7.1", "favico.js": "~0.3.10", From 4748c1bb8526e8a68ead186aad22e82248c5e8cb Mon Sep 17 00:00:00 2001 From: Adam Stachowicz Date: Thu, 4 Apr 2024 23:02:19 +0200 Subject: [PATCH 2/2] Revert `axios-ntlm` to 1.3.0. 1.3.1 uses Axios 1.x --- package-lock.json | 25 +++++++++---------------- package.json | 2 +- 2 files changed, 10 insertions(+), 17 deletions(-) diff --git a/package-lock.json b/package-lock.json index f0191b7f6f..477ca2caae 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14,7 +14,7 @@ "@louislam/sqlite3": "15.1.6", "args-parser": "~1.3.0", "axios": "~0.28.1", - "axios-ntlm": "1.3.1", + "axios-ntlm": "1.3.0", "badge-maker": "~3.3.1", "bcryptjs": "~2.4.3", "cacheable-lookup": "~6.0.4", @@ -6520,29 +6520,22 @@ } }, "node_modules/axios-ntlm": { - "version": "1.3.1", - "resolved": "https://registry.npmjs.org/axios-ntlm/-/axios-ntlm-1.3.1.tgz", - "integrity": "sha512-YhjZj6UUzFzGirh7SiKbyvoXCWiZFMjjx2WJ8ouUUGNrqw/QgTc4H3M+7a6CTGENfLgXi2OiEhVeHmqoCffdYQ==", + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/axios-ntlm/-/axios-ntlm-1.3.0.tgz", + "integrity": "sha512-NPNsIMO1SGX5scs3ZWJqsV7iRLvET+DlRl94aZ7Sx14zA8RTQh9EDxsJmxB9cKjardKfp2Vge444uYYLfvWC0Q==", "dependencies": { - "axios": "^1.2.0", + "axios": "^0.21.3", "dev-null": "^0.1.1" } }, "node_modules/axios-ntlm/node_modules/axios": { - "version": "1.6.8", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz", - "integrity": "sha512-v/ZHtJDU39mDpyBoFVkETcd/uNdxrWRrg3bKpOKzXFA6Bvqopts6ALSMU3y6ijYxbw2B+wPrIv46egTzJXCLGQ==", + "version": "0.21.4", + "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.4.tgz", + "integrity": "sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg==", "dependencies": { - "follow-redirects": "^1.15.6", - "form-data": "^4.0.0", - "proxy-from-env": "^1.1.0" + "follow-redirects": "^1.14.0" } }, - "node_modules/axios-ntlm/node_modules/proxy-from-env": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", - "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==" - }, "node_modules/axios/node_modules/proxy-from-env": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", diff --git a/package.json b/package.json index 0540634412..0a28b784e4 100644 --- a/package.json +++ b/package.json @@ -83,7 +83,7 @@ "@louislam/sqlite3": "15.1.6", "args-parser": "~1.3.0", "axios": "~0.28.1", - "axios-ntlm": "1.3.1", + "axios-ntlm": "1.3.0", "badge-maker": "~3.3.1", "bcryptjs": "~2.4.3", "cacheable-lookup": "~6.0.4",