Integrate retire.js into GitHub Actions CI

.github/workflows/test.yaml

@@ -85,6 +85,12 @@ jobs:
       - name: Node tests
         run: npm test
 
+      - name: Install retire.js
+        run: npm install -g retire
+
+      - name: Run retire.js
+        run: retire --severity high
+
       - name: Extract coverage info
         run: npm run coverage
 

.gitignore

@@ -78,3 +78,6 @@ test.sh
 dump.rdb
 .archiver_shadow/
 .snapshots/
+
+# stryker temp files
+.stryker-tmp

install/package.json

@@ -170,7 +170,6 @@
         "eslint-config-nodebb": "1.1.11",
         "eslint-plugin-import": "2.32.0",
         "grunt": "1.6.1",
-        "grunt-contrib-watch": "1.1.0",
         "husky": "8.0.3",
         "jsdom": "27.4.0",
         "lint-staged": "16.2.7",

retire-report.json

@@ -0,0 +1 @@
+{"version":"5.4.2","start":"2026-03-11T21:20:43.864Z","data":[{"file":"/workspaces/nodebb-spring-26-team-bing/node_modules/faker/locale/.publish/scripts/docstrap.lib.js","results":[{"version":"2.1.4","component":"jquery","npmname":"jquery","detection":"filecontent","vulnerabilities":[{"info":["http://research.insecurelabs.org/jquery/test/","https://bugs.jquery.com/ticket/11974"],"below":"2.2.0","atOrAbove":"1.8.0","severity":"medium","identifiers":{"summary":"parseHTML() executes scripts in event handlers","issue":"11974"},"cwe":["CWE-79"]},{"info":["https://github.com/jquery/jquery.com/issues/162"],"below":"2.999.999","severity":"low","identifiers":{"summary":"jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates","retid":"73","issue":"162"},"cwe":["CWE-1104"]},{"info":["http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","http://research.insecurelabs.org/jquery/test/","https://github.com/advisories/GHSA-rmxg-73gg-4p98","https://github.com/jquery/jquery/issues/2432","https://nvd.nist.gov/vuln/detail/CVE-2015-9251"],"below":"3.0.0-beta1","atOrAbove":"1.12.3","severity":"medium","identifiers":{"summary":"3rd party CORS request may execute","issue":"2432","CVE":["CVE-2015-9251"],"githubID":"GHSA-rmxg-73gg-4p98"},"cwe":["CWE-79"]},{"info":["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/","https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b","https://nvd.nist.gov/vuln/detail/CVE-2019-11358"],"below":"3.4.0","atOrAbove":"1.1.4","severity":"medium","identifiers":{"summary":"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution","CVE":["CVE-2019-11358"],"PR":"4333","githubID":"GHSA-6c3j-c64m-qhgq"},"cwe":["CWE-1321","CWE-79"]},{"info":["https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"],"below":"3.5.0","atOrAbove":"1.0.3","severity":"medium","identifiers":{"summary":"passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.","CVE":["CVE-2020-11023"],"issue":"4647","githubID":"GHSA-jpcq-cgw6-v4j6"},"cwe":["CWE-79"]},{"info":["https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"],"below":"3.5.0","atOrAbove":"1.2.0","severity":"medium","identifiers":{"summary":"Regex in its jQuery.htmlPrefilter sometimes may introduce XSS","CVE":["CVE-2020-11022"],"issue":"4642","githubID":"GHSA-gxr4-xjj5-5px2"},"cwe":["CWE-79"]}],"licenses":["MIT"]},{"version":"3.3.6","component":"bootstrap","detection":"filecontent","vulnerabilities":[{"info":["https://nvd.nist.gov/vuln/detail/CVE-2018-20676"],"below":"3.4.0","severity":"medium","identifiers":{"summary":"In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.","issue":"27044","CVE":["CVE-2018-20676"],"githubID":"GHSA-3mgp-fx93-9xv5"},"cwe":["CWE-79"]},{"info":["https://github.com/twbs/bootstrap/issues/20184"],"below":"3.4.0","severity":"medium","identifiers":{"summary":"XSS in data-container property of tooltip","issue":"20184","CVE":["CVE-2018-14042"],"githubID":"GHSA-7mvr-5x2g-wfc8"},"cwe":["CWE-79"]},{"info":["https://github.com/advisories/GHSA-ph58-4vrj-w6hr"],"below":"3.4.0","severity":"medium","identifiers":{"summary":"In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.","CVE":["CVE-2018-20677"],"githubID":"GHSA-ph58-4vrj-w6hr"},"cwe":["CWE-79"]},{"info":["https://github.com/advisories/GHSA-4p24-vmcr-4gqj"],"below":"3.4.0","atOrAbove":"3.0.0","severity":"medium","identifiers":{"summary":"XSS is possible in the data-target attribute.","CVE":["CVE-2016-10735"],"githubID":"GHSA-4p24-vmcr-4gqj"},"cwe":["CWE-79"]},{"info":["https://github.com/advisories/GHSA-vxmc-5x29-h64v","https://nvd.nist.gov/vuln/detail/CVE-2024-6485","https://github.com/twbs/bootstrap","https://www.herodevs.com/vulnerability-directory/cve-2024-6485"],"below":"3.4.1","atOrAbove":"1.4.0","severity":"medium","identifiers":{"summary":"Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes","CVE":["CVE-2024-6485"],"githubID":"GHSA-vxmc-5x29-h64v"},"cwe":["CWE-79"]},{"info":["https://github.com/advisories/GHSA-9v3m-8fp8-mj99","https://github.com/twbs/bootstrap/issues/28236"],"below":"3.4.1","atOrAbove":"3.0.0","severity":"medium","identifiers":{"summary":"XSS in data-template, data-content and data-title properties of tooltip/popover","issue":"28236","CVE":["CVE-2019-8331"],"githubID":"GHSA-9v3m-8fp8-mj99"},"cwe":["CWE-79"]},{"info":["https://github.com/twbs/bootstrap/issues/20631"],"below":"3.999.999","severity":"low","identifiers":{"summary":"Bootstrap before 4.0.0 is end-of-life and no longer maintained.","retid":"72"},"cwe":["CWE-1104"]}],"licenses":["MIT"]}]},{"file":"/workspaces/nodebb-spring-26-team-bing/node_modules/faker/locale/.publish/scripts/prettify/jquery.min.js","results":[{"version":"2.0.0","component":"jquery","npmname":"jquery","detection":"filecontent","vulnerabilities":[{"info":["http://research.insecurelabs.org/jquery/test/","https://bugs.jquery.com/ticket/11974"],"below":"2.2.0","atOrAbove":"1.8.0","severity":"medium","identifiers":{"summary":"parseHTML() executes scripts in event handlers","issue":"11974"},"cwe":["CWE-79"]},{"info":["https://github.com/jquery/jquery.com/issues/162"],"below":"2.999.999","severity":"low","identifiers":{"summary":"jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates","retid":"73","issue":"162"},"cwe":["CWE-1104"]},{"info":["http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","http://research.insecurelabs.org/jquery/test/","https://github.com/advisories/GHSA-rmxg-73gg-4p98","https://github.com/jquery/jquery/issues/2432","https://nvd.nist.gov/vuln/detail/CVE-2015-9251"],"below":"3.0.0-beta1","atOrAbove":"1.12.3","severity":"medium","identifiers":{"summary":"3rd party CORS request may execute","issue":"2432","CVE":["CVE-2015-9251"],"githubID":"GHSA-rmxg-73gg-4p98"},"cwe":["CWE-79"]},{"info":["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/","https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b","https://nvd.nist.gov/vuln/detail/CVE-2019-11358"],"below":"3.4.0","atOrAbove":"1.1.4","severity":"medium","identifiers":{"summary":"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution","CVE":["CVE-2019-11358"],"PR":"4333","githubID":"GHSA-6c3j-c64m-qhgq"},"cwe":["CWE-1321","CWE-79"]},{"info":["https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"],"below":"3.5.0","atOrAbove":"1.0.3","severity":"medium","identifiers":{"summary":"passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.","CVE":["CVE-2020-11023"],"issue":"4647","githubID":"GHSA-jpcq-cgw6-v4j6"},"cwe":["CWE-79"]},{"info":["https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"],"below":"3.5.0","atOrAbove":"1.2.0","severity":"medium","identifiers":{"summary":"Regex in its jQuery.htmlPrefilter sometimes may introduce XSS","CVE":["CVE-2020-11022"],"issue":"4642","githubID":"GHSA-gxr4-xjj5-5px2"},"cwe":["CWE-79"]}],"licenses":["MIT"]}]}],"messages":[],"errors":["Could not follow symlink: /workspaces/nodebb-spring-26-team-bing/.docker/build/public/plugins/core/inter","Could not follow symlink: /workspaces/nodebb-spring-26-team-bing/.docker/build/public/plugins/core/poppins","Could not follow symlink: /workspaces/nodebb-spring-26-team-bing/.docker/build/public/plugins/nodebb-plugin-emoji/emoji","Could not follow symlink: /workspaces/nodebb-spring-26-team-bing/.docker/build/public/plugins/nodebb-plugin-markdown/styles","Could not follow symlink: /workspaces/nodebb-spring-26-team-bing/.docker/build/public/plugins/nodebb-plugin-web-push/static","Could not follow symlink: /workspaces/nodebb-spring-26-team-bing/.docker/build/public/plugins/nodebb-theme-harmony/inter","Could not follow symlink: /workspaces/nodebb-spring-26-team-bing/.docker/build/public/plugins/nodebb-theme-harmony/poppins"],"time":32.036}

stryker.config.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "./node_modules/@stryker-mutator/core/schema/stryker-schema.json",
+  "_comment": "This config was generated using 'stryker init'. Please take a look at: https://stryker-mutator.io/docs/stryker-js/configuration/ for more information.",
+  "packageManager": "npm",
+  "reporters": [
+    "html",
+    "clear-text"
+  ],
+  "testRunner": "mocha",
+  "testRunner_comment": "Take a look at https://stryker-mutator.io/docs/stryker-js/mocha-runner for information about the mocha plugin.",
+  "coverageAnalysis": "perTest",
+  "ignorePatterns": [
+    ".docker/**",
+    "src/cli/**"
+  ]
+}