feat: Update next-intl to support latest release #1048

Merged
merged 3 commits into from
May 31, 2024

amannn
Contributor

@amannn amannn commented Nov 9, 2023

Adds support for:

  • getTranslations
  • t.markup

Thanks!

@ajnart

ajnart commented Nov 27, 2023

Is it possible to make a temporary patch to the extension while this is not merged?

Edit:
By following this wiki entry I was able to come up with the following
.vscode/i18n-ally-custom-framework.yml

languageIds:
  - javascript
  - typescript
  - javascriptreact
  - typescriptreact

usageMatchRegex:

  - "[^\\w\\d]t\\(['\"`]({key})['\"`]"

scopeRangeRegex: "getTranslations\\(\\s*\\[?\\s*['\"`](.*?)['\"`]"
monopoly: true

@amannn amannn changed the title from "feat: Update next-intl to support latest release candidate" to "feat: Update next-intl to support latest release" Nov 27, 2023
@amannn
Contributor Author

amannn commented Dec 20, 2023

@terales Any chance this could be reviewed and possibly released? Thank you for your help!

@QinjianZheng

> Is it possible to make a temporary patch to the extension while this is not merged?
>
> Edit: By following this wiki entry I was able to come up with the following .vscode/i18n-ally-custom-framework.yml
>
> languageIds:
>   - javascript
>   - typescript
>   - javascriptreact
>   - typescriptreact
>
> usageMatchRegex:
>
>   - "[^\\w\\d]t\\(['\"`]({key})['\"`]"
>
> scopeRangeRegex: "getTranslations\\(\\s*\\[?\\s*['\"`](.*?)['\"`]"
> monopoly: true

This one doesn't work for me.

I wrote this one based on the changes in the PR.

languageIds:
  - javascript
  - typescript
  - javascriptreact
  - typescriptreact

usageMatchRegex:
  - "[^\\w\\d]t\\s*\\(\\s*['\"`]({key})['\"`]"
  - "[^\\w\\d]t\\s*\\.rich\\s*\\(\\s*['\"`]({key})['\"`]"
  - "[^\\w\\d]t\\s*\\.markup\\s*\\(\\s*['\"`]({key})['\"`]"
  - "[^\\w\\d]t\\s*\\.raw\\s*\\(\\s*['\"`]({key})['\"`]"

scopeRangeRegex: "(?:useTranslations|getTranslations)\\(\\s*\\[?\\s*['\"`](.*?)['\"`]"
monopoly: true

Key thing here is to group useTranslations and getTranslations without capturing it.

@felixhaeberle

felixhaeberle commented Jan 24, 2024

Alternative: VS Code extension Sherlock i18n does now also support next-intl 🎉

Guide: Setting up next-intl with Sherlock VS Code extension

@stijn-vk

stijn-vk commented Feb 7, 2024

> > Is it possible to make a temporary patch to the extension while this is not merged?
> > Edit: By following this wiki entry I was able to come up with the following .vscode/i18n-ally-custom-framework.yml
> >
> > languageIds:
> >   - javascript
> >   - typescript
> >   - javascriptreact
> >   - typescriptreact
> >
> > usageMatchRegex:
> >
> >   - "[^\\w\\d]t\\(['\"`]({key})['\"`]"
> >
> > scopeRangeRegex: "getTranslations\\(\\s*\\[?\\s*['\"`](.*?)['\"`]"
> > monopoly: true
>
> This one doesn't work for me.
>
> I wrote this one based on the changes in the PR.
>
> languageIds:
>   - javascript
>   - typescript
>   - javascriptreact
>   - typescriptreact
>
> usageMatchRegex:
>   - "[^\\w\\d]t\\s*\\(\\s*['\"`]({key})['\"`]"
>   - "[^\\w\\d]t\\s*\\.rich\\s*\\(\\s*['\"`]({key})['\"`]"
>   - "[^\\w\\d]t\\s*\\.markup\\s*\\(\\s*['\"`]({key})['\"`]"
>   - "[^\\w\\d]t\\s*\\.raw\\s*\\(\\s*['\"`]({key})['\"`]"
>
> scopeRangeRegex: "(?:useTranslations|getTranslations)\\(\\s*\\[?\\s*['\"`](.*?)['\"`]"
> monopoly: true
>
> Key thing here is to group useTranslations and getTranslations without capturing it.

I was having issues when I used getTranslations({ namespace: 'page' }) so I replaced the scopeRangeRegex

scopeRangeRegex: "(?:getTranslations|useTranslations)\\((?:\\s*['\"`]|{\\s*namespace:\\s*['\"`])(.*?)['\"`]"

Now it matches this as long as you pass in namespace as the first key of the object.

It still does not match something like getTranslations({ locale: 'en', namespace: 'page' }), maybe some regex genius can figure that one out!
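The three `scopeRangeRegex` values posted so far, run against the call forms this thread mentions, as an added example (not part of the PR, the extension, or any commenter's config). The `naiveFirstString` and `anyPosition` patterns, the sample lines and the helper names are constructed for this illustration.

```javascript
// Added example. ajnart, qinjianZheng and stijnVk are the scopeRangeRegex values posted
// above with the YAML string escaping removed; the other two patterns are constructed.
const PATTERNS = {
  ajnart: /getTranslations\(\s*\[?\s*['"`](.*?)['"`]/,
  qinjianZheng: /(?:useTranslations|getTranslations)\(\s*\[?\s*['"`](.*?)['"`]/,
  stijnVk: /(?:getTranslations|useTranslations)\((?:\s*['"`]|{\s*namespace:\s*['"`])(.*?)['"`]/,
  // Constructed: "first quoted string after the paren". Over-matches on purpose.
  naiveFirstString: /(?:useTranslations|getTranslations)\([^)]*?['"`](.*?)['"`]/,
  // Constructed: optional `{ ... namespace:` prefix that cannot run past the closing brace,
  // so an object without a namespace key yields no match instead of a wrong scope.
  anyPosition: /(?:useTranslations|getTranslations)\(\s*(?:\{[^}]*?\bnamespace\s*:\s*)?['"`]([^'"`]*)['"`]/,
};

// Constructed sample lines covering the call forms mentioned in the thread.
const CALLS = [
  "const t = useTranslations('page');",
  "const t = await getTranslations('page');",
  "const t = await getTranslations({ namespace: 'page' });",
  "const t = await getTranslations({ locale: 'en', namespace: 'page' });",
  "const t = await getTranslations({ locale: 'en' });", // no namespace at all
];

// Namespace a pattern would report for one source line, or null when it does not match.
function namespaceOf(pattern, line) {
  const m = pattern.exec(line);
  return m ? m[1] : null;
}

// One row per pattern, one column per sample line.
function evaluate() {
  const table = {};
  for (const [name, pattern] of Object.entries(PATTERNS)) {
    table[name] = CALLS.map((line) => namespaceOf(pattern, line));
  }
  return table;
}

// Re-escape a pattern for a double-quoted YAML string, the form the config file uses.
function toYamlString(pattern) {
  return `"${pattern.source.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
}

console.table(evaluate());
console.log('scopeRangeRegex:', toYamlString(PATTERNS.anyPosition));
```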

@LarsFlieger

@kibertoad we need this :)

@mvdbastos

UP! Looking forward to using this feature!

@tecoad

tecoad commented Apr 18, 2024

@kibertoad Can you look into this? Support for getTranslations is very much needed.

Thanks!

@thomaslenaour

Hey, I'm waiting for this support too!

Thanks

@tecoad

tecoad commented Apr 19, 2024

Seems that this extension is no longer maintained. Anyways, I forked the PR repo and built / installed the custom version myself!

@ScreamZ

ScreamZ commented May 3, 2024

@antfu No longer works at lokalise, now part of Nuxt team it seems... Maybe you could add some people as maintainers, like @amannn Anthony, therefore some PRs could be merged.

For others, you might try https://next-intl-docs.vercel.app/docs/workflows/vscode-integration#sherlock ?

@felixhaeberle

@ScreamZ Hi, Felix from Sherlock team here, happy to help anyone onboard if there are any issues, just hmu 🤙

@ScreamZ

ScreamZ commented May 3, 2024

> @ScreamZ Hi, Felix from Sherlock team here, happy to help anyone onboard if there are any issues, just hmu 🤙

Just installed it, works like a charm. Thank you
Different display but this is okay, fine enough and working well. I'm pretty sure your tool will be better than i18n ally really soon, you just lack the interface in vscode, the fink monorepo cloning is a bit too obtrusive for my requirements atm. :)

Also could've been better if options were in .vscode folder, but this is not really important.

@felixhaeberle

felixhaeberle commented May 3, 2024

@ScreamZ Feel free to open issues & PRs if anything is missing that you loved in i18n-ally.

A lot of decisions in Sherlock are based on "convention over configuration" so we handle a lot of things ootb with minimal upfront configuration.

At the same time, we want to offer great flexibility where it makes sense. We are still testing the amount of flexibility and are keen to invest resources into making Sherlock the best i18n extension in VS Code.

@ScreamZ What do you refer to with "fink monorepo cloning"? 😅

@ixartz

ixartz commented May 9, 2024

In case you want to keep using this extension (i18n-ally), I just found a solution to make it work with next-intl using the "Custom Framework" feature. And, no need to install another extension with a different display or fork the extension.

The solution works with useTranslations and getTranslations (including getTranslations('page') and getTranslations({ locale: 'en', namespace: 'page' })).

You can find the solution at Next.js Boilerplate and you just need to copy the file i18n-ally-custom-framework.yml

PS: @stijn-vk, I found a solution to make it work with getTranslations({ locale: 'en', namespace: 'page' })

@ScreamZ

ScreamZ commented May 14, 2024

> In case you want to keep using this extension (i18n-ally), I just found a solution to make it work with next-intl using the "Custom Framework" feature. And, no need to install another extension with a different display or fork the extension.
>
> The solution works with useTranslations and getTranslations (including getTranslations('page') and getTranslations({ locale: 'en', namespace: 'page' })).
>
> You can find the solution at Next.js Boilerplate and you just need to copy the file i18n-ally-custom-framework.yml
>
> PS: @stijn-vk, I found a solution to make it work with getTranslations({ locale: 'en', namespace: 'page' })

@amannn you could add this to the doc, it works :)

@amannn
Contributor Author

amannn commented May 14, 2024

@ScreamZ The plugin support from i18n-ally does a bit more than the custom config, e.g. providing more options for replacement upon extraction, so generally a merged PR would be preferable :).

Thanks to @ixartz for the idea with matching namespace: too in the regex! I've updated the PR accordingly.

@felixhaeberle

felixhaeberle commented May 31, 2024

Out of curiosity, I did a security check for i18n-ally, and it seems at this point you have to be VERY careful using it.

Caution

There are several critical vulnerabilities (at this point 4) and lots of high ones (over 40), that said – please go for an alternative.

106 vulnerabilities (60 moderate, 42 high, 4 critical)

npm audit report

@antfu/utils <0.7.3
Severity: moderate
antfu/utils vulnerable to prototype pollution - GHSA-p2fh-2h23-6grg
fix available via npm audit fix --force
Will install @antfu/[email protected], which is a breaking change
node_modules/@antfu/utils

@babel/traverse <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - GHSA-67hx-6x53-jw92
fix available via npm audit fix
node_modules/@babel/traverse

ansi-regex 3.0.0 || 4.0.0 - 4.1.0 || 5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - GHSA-93q8-gq69-wqmw
fix available via npm audit fix
node_modules/ansi-align/node_modules/ansi-regex
node_modules/ansi-regex
node_modules/strip-ansi/node_modules/ansi-regex
node_modules/webpack-cli/node_modules/ansi-regex

axios <=0.27.2
Severity: high
axios Inefficient Regular Expression Complexity vulnerability - GHSA-cph5-m8f7-6c5x
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix
node_modules/axios

browserify-sign 2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in dsaVerify leads to a signature forgery attack - GHSA-x9w5-v3q2-3rhw
fix available via npm audit fix
node_modules/browserify-sign

decode-uri-component <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - GHSA-w573-4hg7-7wgq
fix available via npm audit fix
node_modules/decode-uri-component

dot-prop <4.2.1
Severity: high
dot-prop Prototype Pollution vulnerability - GHSA-ff7x-qrg7-qggm
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/dot-prop
compare-func <=1.3.4
Depends on vulnerable versions of dot-prop
node_modules/compare-func
conventional-changelog-angular 0.0.1 - 5.0.10
Depends on vulnerable versions of compare-func
node_modules/conventional-changelog-angular
conventional-changelog 1.0.0 - 2.0.3
Depends on vulnerable versions of conventional-changelog-angular
node_modules/conventional-changelog
conventional-github-releaser >=1.1.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of gh-got
Depends on vulnerable versions of git-semver-tags
Depends on vulnerable versions of semver-regex
node_modules/conventional-github-releaser

follow-redirects <=1.15.5
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - GHSA-74fj-2j2h-c42q
Follow Redirects improperly handles URLs in the url.parse() function - GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - GHSA-cxjh-pqwp-8mfp
fix available via npm audit fix
node_modules/follow-redirects

get-func-name <2.0.1
Severity: high
Chaijs/get-func-name vulnerable to ReDoS - GHSA-4q6p-r6v2-jvc5
fix available via npm audit fix
node_modules/get-func-name

glob-parent <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/@parcel/watcher/node_modules/glob-parent
node_modules/parcel-bundler/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/@parcel/watcher/node_modules/chokidar
node_modules/watchpack-chokidar2/node_modules/chokidar
@parcel/watcher <=1.12.1
Depends on vulnerable versions of chokidar
node_modules/@parcel/watcher
parcel-bundler *
Depends on vulnerable versions of @parcel/watcher
Depends on vulnerable versions of css-modules-loader-core
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of fast-glob
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of postcss
Depends on vulnerable versions of terser
node_modules/parcel-bundler
parcel-plugin-inliner *
Depends on vulnerable versions of parcel-bundler
node_modules/parcel-plugin-inliner
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.47.0
Depends on vulnerable versions of watchpack
node_modules/webpack
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/parcel-bundler/node_modules/fast-glob

got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/got
node_modules/package-json/node_modules/got
gh-got <=9.0.0
Depends on vulnerable versions of got
node_modules/gh-got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of update-notifier
node_modules/nodemon

http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - GHSA-rc47-6667-2j5j
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/http-cache-semantics
node_modules/package-json/node_modules/http-cache-semantics
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
node_modules/cacheable-request

jsdom <=16.5.3
Severity: moderate
Insufficient Granularity of Access Control in JSDom - GHSA-f4c9-cqv8-9v98
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-native
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix
node_modules/jsdom
uncss >=0.7.0
Depends on vulnerable versions of jsdom
Depends on vulnerable versions of postcss
Depends on vulnerable versions of request
node_modules/uncss
htmlnano >=0.1.1
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of purgecss
Depends on vulnerable versions of svgo
Depends on vulnerable versions of uncss
node_modules/htmlnano

json-schema <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - GHSA-896r-f27r-55mw
fix available via npm audit fix
node_modules/json-schema
jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
Depends on vulnerable versions of json-schema
node_modules/jsprim

json5 <1.0.2 || >=2.0.0 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h
fix available via npm audit fix
node_modules/json5
node_modules/loader-utils/node_modules/json5
node_modules/parcel-bundler/node_modules/json5

loader-utils <=1.4.1 || 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils - GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-hhq3-ff78-jv3g
fix available via npm audit fix
node_modules/loader-utils
node_modules/ts-loader/node_modules/loader-utils

lodash.template *
Severity: high
Command Injection in lodash - GHSA-35jh-r3h4-6jhm
fix available via npm audit fix
node_modules/lodash.template
git-raw-commits 0.0.6 - 2.0.9
Depends on vulnerable versions of lodash.template
Depends on vulnerable versions of meow
node_modules/git-raw-commits
conventional-changelog-core <=4.2.1
Depends on vulnerable versions of git-raw-commits
Depends on vulnerable versions of git-semver-tags
node_modules/conventional-changelog-core

markdown-it <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - GHSA-6vfc-qv3f-vr6c
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/markdown-it
vsce 1.26.0 - 2.6.3
Depends on vulnerable versions of markdown-it
node_modules/vsce

minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - GHSA-f8q6-p94x-37v3
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/minimatch
mocha 5.1.0 - 9.2.1
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of nanoid
node_modules/mocha

nanoid 3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - GHSA-qrpm-p2h7-hrv2
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mocha/node_modules/nanoid
node_modules/nanoid

node-fetch <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - GHSA-r683-j2x4-v87g
fix available via npm audit fix
node_modules/node-fetch

node-forge <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in node-forge - GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g
No fix available
node_modules/node-forge

nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix
node_modules/cheerio-select/node_modules/nth-check
node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo <=5.0.0-rc.2
Depends on vulnerable versions of postcss
Depends on vulnerable versions of svgo
node_modules/postcss-svgo

postcss <=8.4.30
Severity: moderate
Regular Expression Denial of Service in postcss - GHSA-hwj9-h5mp-3pm3
Regular Expression Denial of Service in postcss - GHSA-566m-qj78-rww5
PostCSS line return parsing error - GHSA-7fh5-64p2-3v2j
No fix available
node_modules/@vue/component-compiler-utils/node_modules/postcss
node_modules/css-declaration-sorter/node_modules/postcss
node_modules/css-modules-loader-core/node_modules/postcss
node_modules/cssnano-preset-default/node_modules/postcss
node_modules/cssnano-util-raw-cache/node_modules/postcss
node_modules/cssnano/node_modules/postcss
node_modules/parcel-bundler/node_modules/postcss
node_modules/postcss
node_modules/postcss-calc/node_modules/postcss
node_modules/postcss-colormin/node_modules/postcss
node_modules/postcss-convert-values/node_modules/postcss
node_modules/postcss-discard-comments/node_modules/postcss
node_modules/postcss-discard-duplicates/node_modules/postcss
node_modules/postcss-discard-empty/node_modules/postcss
node_modules/postcss-discard-overridden/node_modules/postcss
node_modules/postcss-merge-longhand/node_modules/postcss
node_modules/postcss-merge-rules/node_modules/postcss
node_modules/postcss-minify-font-values/node_modules/postcss
node_modules/postcss-minify-gradients/node_modules/postcss
node_modules/postcss-minify-params/node_modules/postcss
node_modules/postcss-minify-selectors/node_modules/postcss
node_modules/postcss-modules-extract-imports/node_modules/postcss
node_modules/postcss-modules-local-by-default/node_modules/postcss
node_modules/postcss-modules-scope/node_modules/postcss
node_modules/postcss-modules-values/node_modules/postcss
node_modules/postcss-normalize-charset/node_modules/postcss
node_modules/postcss-normalize-display-values/node_modules/postcss
node_modules/postcss-normalize-positions/node_modules/postcss
node_modules/postcss-normalize-repeat-style/node_modules/postcss
node_modules/postcss-normalize-string/node_modules/postcss
node_modules/postcss-normalize-timing-functions/node_modules/postcss
node_modules/postcss-normalize-unicode/node_modules/postcss
node_modules/postcss-normalize-url/node_modules/postcss
node_modules/postcss-normalize-whitespace/node_modules/postcss
node_modules/postcss-ordered-values/node_modules/postcss
node_modules/postcss-reduce-initial/node_modules/postcss
node_modules/postcss-reduce-transforms/node_modules/postcss
node_modules/postcss-svgo/node_modules/postcss
node_modules/postcss-unique-selectors/node_modules/postcss
node_modules/purgecss/node_modules/postcss
node_modules/stylehacks/node_modules/postcss
node_modules/uncss/node_modules/postcss
@vue/component-compiler-utils *
Depends on vulnerable versions of postcss
node_modules/@vue/component-compiler-utils
vue-i18n-locale-message <=1.16.0
Depends on vulnerable versions of @vue/component-compiler-utils
node_modules/vue-i18n-locale-message
css-declaration-sorter <=5.1.2
Depends on vulnerable versions of postcss
node_modules/css-declaration-sorter
css-modules-loader-core *
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-modules-extract-imports
Depends on vulnerable versions of postcss-modules-local-by-default
Depends on vulnerable versions of postcss-modules-scope
Depends on vulnerable versions of postcss-modules-values
node_modules/css-modules-loader-core
cssnano <=4.1.11
Depends on vulnerable versions of cssnano-preset-default
Depends on vulnerable versions of postcss
node_modules/cssnano
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of css-declaration-sorter
Depends on vulnerable versions of cssnano-util-raw-cache
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-calc
Depends on vulnerable versions of postcss-colormin
Depends on vulnerable versions of postcss-convert-values
Depends on vulnerable versions of postcss-discard-comments
Depends on vulnerable versions of postcss-discard-duplicates
Depends on vulnerable versions of postcss-discard-empty
Depends on vulnerable versions of postcss-discard-overridden
Depends on vulnerable versions of postcss-merge-longhand
Depends on vulnerable versions of postcss-merge-rules
Depends on vulnerable versions of postcss-minify-font-values
Depends on vulnerable versions of postcss-minify-gradients
Depends on vulnerable versions of postcss-minify-params
Depends on vulnerable versions of postcss-minify-selectors
Depends on vulnerable versions of postcss-normalize-charset
Depends on vulnerable versions of postcss-normalize-display-values
Depends on vulnerable versions of postcss-normalize-positions
Depends on vulnerable versions of postcss-normalize-repeat-style
Depends on vulnerable versions of postcss-normalize-string
Depends on vulnerable versions of postcss-normalize-timing-functions
Depends on vulnerable versions of postcss-normalize-unicode
Depends on vulnerable versions of postcss-normalize-url
Depends on vulnerable versions of postcss-normalize-whitespace
Depends on vulnerable versions of postcss-ordered-values
Depends on vulnerable versions of postcss-reduce-initial
Depends on vulnerable versions of postcss-reduce-transforms
Depends on vulnerable versions of postcss-svgo
Depends on vulnerable versions of postcss-unique-selectors
node_modules/cssnano-preset-default
cssnano-util-raw-cache *
Depends on vulnerable versions of postcss
node_modules/cssnano-util-raw-cache
postcss-calc 4.1.0 - 7.0.5
Depends on vulnerable versions of postcss
node_modules/postcss-calc
postcss-colormin <=4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-colormin
postcss-convert-values <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-convert-values
postcss-discard-comments <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-comments
postcss-discard-duplicates 1.1.0 - 4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-discard-duplicates
postcss-discard-empty 1.1.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-empty
postcss-discard-overridden <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-discard-overridden
postcss-merge-longhand <=4.0.11
Depends on vulnerable versions of postcss
Depends on vulnerable versions of stylehacks
node_modules/postcss-merge-longhand
postcss-merge-rules <=4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-merge-rules
postcss-minify-font-values <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-font-values
postcss-minify-gradients <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-gradients
postcss-minify-params <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-params
postcss-minify-selectors <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-minify-selectors
postcss-modules-extract-imports <=1.2.1
Depends on vulnerable versions of postcss
node_modules/postcss-modules-extract-imports
postcss-modules-local-by-default <=1.2.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-local-by-default
postcss-modules-scope <=1.1.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-scope
postcss-modules-values <=1.3.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-values
postcss-normalize-charset <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-charset
postcss-normalize-display-values <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-display-values
postcss-normalize-positions <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-positions
postcss-normalize-repeat-style <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-repeat-style
postcss-normalize-string <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-string
postcss-normalize-timing-functions <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-timing-functions
postcss-normalize-unicode <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-unicode
postcss-normalize-url 1.1.0 - 4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-url
postcss-normalize-whitespace <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-normalize-whitespace
postcss-ordered-values <=4.1.2
Depends on vulnerable versions of postcss
node_modules/postcss-ordered-values
postcss-reduce-initial <=4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-initial
postcss-reduce-transforms <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-transforms
postcss-unique-selectors <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-unique-selectors
purgecss <=1.0.1 || 2.0.1-beta.0 - 3.0.0
Depends on vulnerable versions of postcss
node_modules/purgecss
stylehacks <=4.0.3
Depends on vulnerable versions of postcss
node_modules/stylehacks

pug <=3.0.2
Severity: high
Pug allows JavaScript code execution if an application accepts untrusted input - GHSA-3965-hpx2-q597
fix available via npm audit fix
node_modules/pug

qs 6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - GHSA-hrpp-h998-j3pp
fix available via npm audit fix
node_modules/request/node_modules/qs

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix
node_modules/request
request-promise-core *
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native

semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix
node_modules/@babel/core/node_modules/semver
node_modules/@babel/eslint-parser/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@babel/helper-define-polyfill-provider/node_modules/semver
node_modules/@babel/preset-env/node_modules/semver
node_modules/babel-plugin-polyfill-corejs2/node_modules/semver
node_modules/conventional-changelog-writer/node_modules/read-pkg/node_modules/semver
node_modules/conventional-changelog-writer/node_modules/semver
node_modules/conventional-commits-parser/node_modules/read-pkg/node_modules/semver
node_modules/conventional-github-releaser/node_modules/semver
node_modules/conventional-recommended-bump/node_modules/read-pkg/node_modules/semver
node_modules/conventional-recommended-bump/node_modules/semver
node_modules/core-js-compat/node_modules/semver
node_modules/eslint-plugin-node/node_modules/semver
node_modules/find-cache-dir/node_modules/semver
node_modules/git-semver-tags/node_modules/semver
node_modules/jsonc-eslint-parser/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/nodemon/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/npm-run-all/node_modules/semver
node_modules/package-json/node_modules/semver
node_modules/parcel-bundler/node_modules/semver
node_modules/parse-semver/node_modules/semver
node_modules/semver-diff/node_modules/semver
node_modules/standard-version/node_modules/conventional-changelog-writer/node_modules/read-pkg/node_modules/semver
node_modules/standard-version/node_modules/conventional-changelog-writer/node_modules/semver
node_modules/standard-version/node_modules/git-raw-commits/node_modules/semver
node_modules/standard-version/node_modules/git-semver-tags/node_modules/read-pkg/node_modules/semver
node_modules/standard-version/node_modules/git-semver-tags/node_modules/semver
node_modules/stylus/node_modules/semver
node_modules/vsce/node_modules/semver
node_modules/vue-eslint-parser/node_modules/semver
node_modules/webpack-cli/node_modules/semver
core-js-compat 3.6.0 - 3.25.0
Depends on vulnerable versions of semver
node_modules/core-js-compat

semver-regex <=3.1.3
Severity: high
semver-regex Regular Expression Denial of Service (ReDOS) - GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - GHSA-4x5v-gmq8-25ch
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/semver-regex

tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - GHSA-f5x3-32g6-xq36
fix available via npm audit fix
node_modules/tar

terser >=5.0.0 <5.14.2 || <4.8.1
Severity: high
Terser insecure use of regular expressions leads to ReDoS - GHSA-4wf5-vphf-c2xc
Terser insecure use of regular expressions leads to ReDoS - GHSA-4wf5-vphf-c2xc
No fix available
node_modules/htmlnano/node_modules/terser
node_modules/terser
node_modules/terser-webpack-plugin/node_modules/terser

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3
fix available via npm audit fix
node_modules/tough-cookie

trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - GHSA-7p7h-4mm5-852v
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/get-pkg-repo/node_modules/trim-newlines
node_modules/git-raw-commits/node_modules/trim-newlines
node_modules/git-semver-tags/node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/get-pkg-repo/node_modules/meow
node_modules/git-raw-commits/node_modules/meow
node_modules/git-semver-tags/node_modules/meow
git-semver-tags 1.3.4 - 3.0.1
Depends on vulnerable versions of meow
node_modules/git-semver-tags

trim-off-newlines <1.0.3
Severity: moderate
Uncontrolled Resource Consumption in trim-off-newlines - GHSA-38fc-wpqx-33j7
fix available via npm audit fix
node_modules/trim-off-newlines

106 vulnerabilities (60 moderate, 42 high, 4 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
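One way to triage a report like the one above from its machine-readable form (`npm audit --json`, report version 2): separate packages that carry their own advisories from those listed only because they depend on one, and bucket the former by the three remediation lines the text report prints. This is an added example, not part of the PR or the comment; `SAMPLE_REPORT` is constructed from names, ranges and GHSA ids in the report above, and the `--force` install target is a placeholder because the page elides it.

```javascript
// Added example: triage for `npm audit --json` (auditReportVersion 2).
// SAMPLE_REPORT is constructed. Names, ranges, paths and GHSA ids come from the text
// report above; the --force install target is a placeholder (elided on the page).
const ghsa = (id) => ({ url: `https://github.com/advisories/${id}` });
const FORCE_TARGET = { name: 'placeholder-parent', version: '0.0.0', isSemVerMajor: true };

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    '@babel/traverse': {
      name: '@babel/traverse', severity: 'critical', range: '<7.23.2',
      via: [ghsa('GHSA-67hx-6x53-jw92')],
      effects: [], nodes: ['node_modules/@babel/traverse'], fixAvailable: true,
    },
    'dot-prop': {
      name: 'dot-prop', severity: 'high', range: '<4.2.1',
      via: [ghsa('GHSA-ff7x-qrg7-qggm')],
      effects: ['compare-func'], nodes: ['node_modules/dot-prop'],
      fixAvailable: FORCE_TARGET, // object form = "npm audit fix --force"
    },
    'compare-func': {
      name: 'compare-func', severity: 'high', range: '<=1.3.4',
      via: ['dot-prop'], // string entry = "Depends on vulnerable versions of dot-prop"
      effects: ['conventional-changelog-angular'], nodes: ['node_modules/compare-func'],
      fixAvailable: FORCE_TARGET,
    },
    postcss: {
      name: 'postcss', severity: 'moderate', range: '<=8.4.30',
      via: [ghsa('GHSA-hwj9-h5mp-3pm3'), ghsa('GHSA-566m-qj78-rww5'), ghsa('GHSA-7fh5-64p2-3v2j')],
      effects: ['cssnano', 'parcel-bundler'],
      nodes: ['node_modules/postcss', 'node_modules/cssnano/node_modules/postcss'],
      fixAvailable: false,
    },
    cssnano: {
      name: 'cssnano', severity: 'moderate', range: '<=4.1.11',
      via: ['cssnano-preset-default', 'postcss'],
      effects: ['parcel-bundler'], nodes: ['node_modules/cssnano'], fixAvailable: false,
    },
  },
};

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Mirrors the three remediation lines of the text report.
function remediation(fixAvailable) {
  if (fixAvailable === false) return 'no-fix'; // "No fix available"
  if (fixAvailable === true) return 'fix'; // "fix available via npm audit fix"
  return 'fix-force'; // "fix available via npm audit fix --force"
}

function triage(report) {
  if (!report || report.auditReportVersion !== 2) {
    throw new Error('expected an npm audit report with auditReportVersion 2');
  }
  const roots = []; // packages with at least one advisory of their own
  const dependents = []; // packages listed only because of what they depend on
  for (const v of Object.values(report.vulnerabilities)) {
    const advisories = v.via.filter((x) => x !== null && typeof x === 'object');
    if (advisories.length === 0) {
      dependents.push(v.name);
      continue;
    }
    roots.push({
      name: v.name,
      severity: v.severity,
      range: v.range,
      action: remediation(v.fixAvailable),
      advisories: advisories.map((a) => a.url.split('/').pop()),
      installedCopies: v.nodes.length,
      pulledInBy: v.effects,
    });
  }
  // Highest severity first, then by name for a stable order.
  roots.sort((a, b) => RANK[b.severity] - RANK[a.severity] || a.name.localeCompare(b.name));
  const byAction = { fix: [], 'fix-force': [], 'no-fix': [] };
  for (const r of roots) byAction[r.action].push(r.name);
  return { entries: roots.length + dependents.length, roots, dependents, byAction };
}

const result = triage(SAMPLE_REPORT);
console.table(result.roots.map(({ name, severity, action, installedCopies }) =>
  ({ name, severity, action, installedCopies })));
console.log('listed only via a dependency:', result.dependents.join(', '));
```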

@kibertoad kibertoad merged commit b5b16b2 into lokalise:main May 31, 2024
1 of 3 checks passed
@kibertoad
Collaborator

thanks a lot!
