https://libraryupgrader2.wmcloud.org/logs2/268222
```
Attempting to npm audit fix
$ npm audit fix --only=dev

> core-js@3.10.1 postinstall /src/repo/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

added 599 packages from 342 contributors in 14.206s

70 packages are looking for funding
  run `npm fund` for details

fixed 55 of 56 vulnerabilities in 599 scanned packages
  1 vulnerability required manual review and could not be updated
```
It says there is still one issue. But when running it locally again it shows me:
```
# npm audit

                       === npm audit security report ===

# Run  npm update hosted-git-info --depth 7  to resolve 1 vulnerability

  Moderate        Regular Expression Denial of Service
  Package         hosted-git-info
  Dependency of   stylelint-config-wikimedia [dev]
  Path            stylelint-config-wikimedia > stylelint > meow > read-pkg-up > read-pkg > normalize-package-data > hosted-git-info
  More info       https://npmjs.com/advisories/1677

found 1 moderate severity vulnerability in 599 scanned packages
  run `npm audit fix` to fix 1 of them.

# npm audit fix
updated 1 package in 3s

65 packages are looking for funding
  run `npm fund` for details

fixed 1 of 1 vulnerability in 599 scanned packages

# npm audit

                       === npm audit security report ===

found 0 vulnerabilities in 599 scanned packages
```
That looks like an issue with npm audit not doing all possible fixes.
In this package-lock.json the package hosted-git-info is present with version 3.0.7 => 3.0.8 (directly) and 2.8.9 => 2.8.9 as a dependency of read-pkg.
When looking at other extensions with stylelint-config-wikimedia there is the same problem.
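
To see which copy of a package an `npm audit fix` run actually touched, the lockfile can be compared before and after. The following is an added example, not part of the original report or of LibraryUpgrader: it assumes the nested `dependencies` layout of a `lockfileVersion` 1 package-lock.json, and the function names, the sample lockfiles and the read-pkg version are constructed for illustration.

```javascript
// Walk a lockfileVersion 1 tree. Nested copies of a package live under the
// "dependencies" key of the package that owns them, so one package name can
// appear several times with different versions.
function findInstances(node, name, trail = []) {
  const found = [];
  for (const [dep, entry] of Object.entries(node.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name) {
      found.push({ path: path.join(' > '), version: entry.version, dev: Boolean(entry.dev) });
    }
    found.push(...findInstances(entry, name, path));
  }
  return found;
}

// Pair every copy found after the fix with the version it had before.
function compareLocks(before, after, name) {
  const prev = new Map(findInstances(before, name).map(i => [i.path, i.version]));
  return findInstances(after, name).map(i => ({
    path: i.path,
    before: prev.has(i.path) ? prev.get(i.path) : null, // null: copy is new
    after: i.version,
    changed: prev.get(i.path) !== i.version,
  }));
}

// Constructed sample lockfiles mirroring the two copies described above:
// one top-level hosted-git-info and one nested under read-pkg.
const sampleBefore = {
  lockfileVersion: 1,
  dependencies: {
    'hosted-git-info': { version: '3.0.7', dev: true },
    'read-pkg': {
      version: '0.0.0-sample', // placeholder, not taken from the report
      dev: true,
      dependencies: { 'hosted-git-info': { version: '2.8.9', dev: true } },
    },
  },
};
const sampleAfter = JSON.parse(JSON.stringify(sampleBefore));
sampleAfter.dependencies['hosted-git-info'].version = '3.0.8';

console.table(compareLocks(sampleBefore, sampleAfter, 'hosted-git-info'));
```

Running it against the real lockfiles (loaded with `JSON.parse(fs.readFileSync(...))`) from the automated run and from the local run shows whether the two runs resolved the same copies.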