https://libraryupgrader2.wmcloud.org/logs2/268222
Attempting to npm audit fix
$ npm audit fix --only=dev
> core-js@3.10.1 postinstall /src/repo/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"
[96mThank you for using core-js ([94m https://github.com/zloirock/core-js [96m) for polyfilling JavaScript standard library![0m
[96mThe project needs your help! Please consider supporting of core-js on Open Collective or Patreon: [0m
[96m>[94m https://opencollective.com/core-js [0m
[96m>[94m https://www.patreon.com/zloirock [0m
[96mAlso, the author of core-js ([94m https://github.com/zloirock [96m) is looking for a good job -)[0m
added 599 packages from 342 contributors in 14.206s
70 packages are looking for funding
run `npm fund` for details
fixed 55 of 56 vulnerabilities in 599 scanned packages
1 vulnerability required manual review and could not be updatedIt says there is still one issue. But when running it locally again it shows to me:
# npm audit
=== npm audit security report ===
# Run npm update hosted-git-info --depth 7 to resolve 1 vulnerability
Moderate Regular Expression Denial of Service
Package hosted-git-info
Dependency of stylelint-config-wikimedia [dev]
Path stylelint-config-wikimedia > stylelint > meow > read-pkg-up
> read-pkg > normalize-package-data > hosted-git-info
More info https://npmjs.com/advisories/1677
found 1 moderate severity vulnerability in 599 scanned packages
run `npm audit fix` to fix 1 of them.
# npm audit fix
updated 1 package in 3s
65 packages are looking for funding
run `npm fund` for details
fixed 1 of 1 vulnerability in 599 scanned packages
# npm audit
=== npm audit security report ===
found 0 vulnerabilities
in 599 scanned packagesThat looks like an issue with npm audit not doing all possible fixes.
In this package-lock.json the package hosted-git-info is with version 3.0.7 => 3.0.8 (directly) and 2.8.9 => 2.8.9 as dependency of read-pkg
When looking at other extensions with stylelint-config-wikimedia there is the same problem.