From 21fb757dfb75fb9cf4fe4dcd349d818892bd443c Mon Sep 17 00:00:00 2001
From: "Joakim L. Engeset"
Date: Thu, 5 Feb 2026 12:35:39 +0100
Subject: [PATCH] fix: resolve npm audit vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Update dependencies to fix high and moderate severity vulnerabilities:
- @actions/http-client 3.0.1 → 3.0.2 (fixes undici vulnerability)
- undici 5.29.0 → 6.23.0 (unbounded decompression chain)
- npm 11.8.0 → 11.9.0 (includes tar and brace-expansion fixes)
---
package-lock.json | 121 ++++++++++++++++++----------------------------
1 file changed, 48 insertions(+), 73 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 0eb9eb2f..51ce0e6d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -70,27 +70,24 @@ } }, "node_modules/@actions/http-client": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.1.tgz", - "integrity": "sha512-SbGS8c/vySbNO3kjFgSW77n83C4MQx/Yoe+b1hAdpuvfHxnkHzDq2pWljUpAA56Si1Gae/7zjeZsV0CYjmLo/w==", + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz", + "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==", "dev": true, "license": "MIT", "dependencies": { "tunnel": "^0.0.6", - "undici": "^5.28.5" + "undici": "^6.23.0" } }, "node_modules/@actions/http-client/node_modules/undici": { - "version": "5.29.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz", - "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==", + "version": "6.23.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz", + "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==", "dev": true, "license": "MIT", - "dependencies": { - "@fastify/busboy": "^2.0.0" - }, "engines": { - "node": ">=14.0" + "node": ">=18.17" } }, "node_modules/@actions/io": { @@ -1204,16 +1201,6 @@ "node": ">=18" } }, - "node_modules/@fastify/busboy": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz", - "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=14" - } - }, "node_modules/@jridgewell/resolve-uri": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz", 
@@ -5193,9 +5180,9 @@ } }, "node_modules/npm": { - "version": "11.8.0", - "resolved": "https://registry.npmjs.org/npm/-/npm-11.8.0.tgz", - "integrity": "sha512-n19sJeW+RGKdkHo8SCc5xhSwkKhQUFfZaFzSc+EsYXLjSqIV0tl72aDYQVuzVvfrbysGwdaQsNLNy58J10EBSQ==", + "version": "11.9.0", + "resolved": "https://registry.npmjs.org/npm/-/npm-11.9.0.tgz", + "integrity": "sha512-BBZoU926FCypj4b7V7ElinxsWcy4Kss88UG3ejFYmKyq7Uc5XnT34Me2nEhgCOaL5qY4HvGu5aI92C4OYd7NaA==", "bundleDependencies": [ "@isaacs/string-locale-compare", "@npmcli/arborist", @@ -5275,8 +5262,8 @@ ], "dependencies": { "@isaacs/string-locale-compare": "^1.1.0", - "@npmcli/arborist": "^9.1.10", - "@npmcli/config": "^10.5.0", + "@npmcli/arborist": "^9.2.0", + "@npmcli/config": "^10.6.0", "@npmcli/fs": "^5.0.0", "@npmcli/map-workspaces": "^5.0.3", "@npmcli/metavuln-calculator": "^9.0.3", @@ -5289,7 +5276,7 @@ "archy": "~1.0.0", "cacache": "^20.0.3", "chalk": "^5.6.2", - "ci-info": "^4.3.1", + "ci-info": "^4.4.0", "cli-columns": "^4.0.0", "fastest-levenshtein": "^1.0.16", "fs-minipass": "^3.0.3", @@ -5301,11 +5288,11 @@ "is-cidr": "^6.0.1", "json-parse-even-better-errors": "^5.0.0", "libnpmaccess": "^10.0.3", - "libnpmdiff": "^8.0.13", - "libnpmexec": "^10.1.12", - "libnpmfund": "^7.0.13", + "libnpmdiff": "^8.1.0", + "libnpmexec": "^10.2.0", + "libnpmfund": "^7.0.14", "libnpmorg": "^8.0.1", - "libnpmpack": "^9.0.13", + "libnpmpack": "^9.1.0", "libnpmpublish": "^11.1.3", "libnpmsearch": "^9.0.1", "libnpmteam": "^8.0.2", @@ -5315,7 +5302,7 @@ "minipass": "^7.1.1", "minipass-pipeline": "^1.2.4", "ms": "^2.1.2", - "node-gyp": "^12.1.0", + "node-gyp": "^12.2.0", "nopt": "^9.0.0", "npm-audit-report": "^7.0.0", "npm-install-checks": "^8.0.0", @@ -5325,7 +5312,7 @@ "npm-registry-fetch": "^19.1.1", "npm-user-validate": "^4.0.0", "p-map": "^7.0.4", - "pacote": "^21.0.4", + "pacote": "^21.1.0", "parse-conflict-json": "^5.0.1", "proc-log": "^6.1.0", "qrcode-terminal": "^0.12.0", 
@@ -5334,7 +5321,7 @@ "spdx-expression-parse": "^4.0.0", "ssri": "^13.0.0", "supports-color": "^10.2.2", - "tar": "^7.5.4", + "tar": "^7.5.7", "text-table": "~0.2.0", "tiny-relative-date": "^2.0.2", "treeverse": "^3.0.0", @@ -5402,7 +5389,7 @@ } }, "node_modules/npm/node_modules/@isaacs/brace-expansion": { - "version": "5.0.0", + "version": "5.0.1", "dev": true, "inBundle": true, "license": "MIT", @@ -5448,7 +5435,7 @@ } }, "node_modules/npm/node_modules/@npmcli/arborist": { - "version": "9.1.10", + "version": "9.2.0", "dev": true, "inBundle": true, "license": "ISC", @@ -5495,7 +5482,7 @@ } }, "node_modules/npm/node_modules/@npmcli/config": { - "version": "10.5.0", + "version": "10.6.0", "dev": true, "inBundle": true, "license": "ISC", @@ -5884,7 +5871,7 @@ } }, "node_modules/npm/node_modules/ci-info": { - "version": "4.3.1", + "version": "4.4.0", "dev": true, "funding": [ { @@ -6038,12 +6025,12 @@ } }, "node_modules/npm/node_modules/glob": { - "version": "13.0.0", + "version": "13.0.1", "dev": true, "inBundle": true, "license": "BlueOak-1.0.0", "dependencies": { - "minimatch": "^10.1.1", + "minimatch": "^10.1.2", "minipass": "^7.1.2", "path-scurry": "^2.0.0" }, @@ -6187,12 +6174,12 @@ } }, "node_modules/npm/node_modules/is-cidr": { - "version": "6.0.1", + "version": "6.0.2", "dev": true, "inBundle": true, "license": "BSD-2-Clause", "dependencies": { - "cidr-regex": "5.0.1" + "cidr-regex": "^5.0.1" }, "engines": { "node": ">=20" @@ -6269,12 +6256,12 @@ } }, "node_modules/npm/node_modules/libnpmdiff": { - "version": "8.0.13", + "version": "8.1.0", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { - "@npmcli/arborist": "^9.1.10", + "@npmcli/arborist": "^9.2.0", "@npmcli/installed-package-contents": "^4.0.0", "binary-extensions": "^3.0.0", "diff": "^8.0.2", 
@@ -6288,12 +6275,12 @@ } }, "node_modules/npm/node_modules/libnpmexec": { - "version": "10.1.12", + "version": "10.2.0", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { - "@npmcli/arborist": "^9.1.10", + "@npmcli/arborist": "^9.2.0", "@npmcli/package-json": "^7.0.0", "@npmcli/run-script": "^10.0.0", "ci-info": "^4.0.0", @@ -6311,12 +6298,12 @@ } }, "node_modules/npm/node_modules/libnpmfund": { - "version": "7.0.13", + "version": "7.0.14", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { - "@npmcli/arborist": "^9.1.10" + "@npmcli/arborist": "^9.2.0" }, "engines": { "node": "^20.17.0 || >=22.9.0" @@ -6336,12 +6323,12 @@ } }, "node_modules/npm/node_modules/libnpmpack": { - "version": "9.0.13", + "version": "9.1.0", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { - "@npmcli/arborist": "^9.1.10", + "@npmcli/arborist": "^9.2.0", "@npmcli/run-script": "^10.0.0", "npm-package-arg": "^13.0.0", "pacote": "^21.0.2" @@ -6411,7 +6398,7 @@ } }, "node_modules/npm/node_modules/lru-cache": { - "version": "11.2.4", + "version": "11.2.5", "dev": true, "inBundle": true, "license": "BlueOak-1.0.0", @@ -6442,12 +6429,12 @@ } }, "node_modules/npm/node_modules/minimatch": { - "version": "10.1.1", + "version": "10.1.2", "dev": true, "inBundle": true, "license": "BlueOak-1.0.0", "dependencies": { - "@isaacs/brace-expansion": "^5.0.0" + "@isaacs/brace-expansion": "^5.0.1" }, "engines": { "node": "20 || >=22" @@ -6478,13 +6465,13 @@ } }, "node_modules/npm/node_modules/minipass-fetch": { - "version": "5.0.0", + "version": "5.0.1", "dev": true, "inBundle": true, "license": "MIT", "dependencies": { "minipass": "^7.0.3", - "minipass-sized": "^1.0.3", + "minipass-sized": "^2.0.0", "minizlib": "^3.0.1" }, "engines": { 
@@ -6543,24 +6530,12 @@ } }, "node_modules/npm/node_modules/minipass-sized": { - "version": "1.0.3", - "dev": true, - "inBundle": true, - "license": "ISC", - "dependencies": { - "minipass": "^3.0.0" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/npm/node_modules/minipass-sized/node_modules/minipass": { - "version": "3.3.6", + "version": "2.0.0", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { - "yallist": "^4.0.0" + "minipass": "^7.1.2" }, "engines": { "node": ">=8" @@ -6603,7 +6578,7 @@ } }, "node_modules/npm/node_modules/node-gyp": { - "version": "12.1.0", + "version": "12.2.0", "dev": true, "inBundle": true, "license": "MIT", @@ -6615,7 +6590,7 @@ "nopt": "^9.0.0", "proc-log": "^6.0.0", "semver": "^7.3.5", - "tar": "^7.5.2", + "tar": "^7.5.4", "tinyglobby": "^0.2.12", "which": "^6.0.0" }, @@ -6780,7 +6755,7 @@ } }, "node_modules/npm/node_modules/pacote": { - "version": "21.0.4", + "version": "21.1.0", "dev": true, "inBundle": true, "license": "ISC", @@ -7131,7 +7106,7 @@ } }, "node_modules/npm/node_modules/tar": { - "version": "7.5.4", + "version": "7.5.7", "dev": true, "inBundle": true, "license": "BlueOak-1.0.0",