You can run npm audit fix after the npm ci command. However, this version (10.3.0) does not build if this command is ran.
Search Criteria
Package Details: web-ext 10.5.0-1
Package Actions
| Git Clone URL: | https://aur.archlinux.org/web-ext.git (read-only, click to copy) |
|---|---|
| Package Base: | web-ext |
| Description: | A command line tool to help build, run, and test web extensions |
| Upstream URL: | https://developer.mozilla.org/en-US/Add-ons/WebExtensions |
| Keywords: | nodejs, web-ext |
| Licenses: | MPL-2.0 |
| Conflicts: | nodejs-web-ext |
| Provides: | nodejs-web-ext |
| Replaces: | nodejs-web-ext |
| Submitter: | arojas |
| Maintainer: | Everything2067 |
| Last Packager: | Everything2067 |
| Votes: | 4 |
| Popularity: | 0.002613 |
| First Submitted: | 2025-03-31 20:36 (UTC) |
| Last Updated: | 2026-07-12 14:35 (UTC) |
Dependencies (4)
- nodejs (nodejs-gitAUR, nodejs-lts-hydrogenAUR, python-nodejs-wheelAUR, nodejs-lts-iron, nodejs-lts-jod, nodejs-lts-krypton)
- python
- node-gyp (make)
- npm (npm-corepackAUR, python-nodejs-wheelAUR) (make)
Required by (9)
- chromium-extension-privacy-redirect-av (make)
- firedragon-extension-plasma-integration (make)
- firefox-developer-edition-i18n-zh-cm (make)
- firefox-esr-extension-plasma-integration (make)
- firefox-extension-canvasblocker (make)
- firefox-extension-plasma-integration (make)
- firefox-video-speed-setter-git (make)
- librewolf-extension-plasma-integration (make)
- privacy-redirect-git (requires nodejs-web-ext) (make)
Sources (1)
Everything2067 commented on 2026-06-13 16:47 (UTC)
Markus.N commented on 2026-06-13 02:07 (UTC)
It's not only the current AUR attack ... independently of this, npm is being attacked more or less constantly since quite a while ... speaking of "Shai Hulud" etc ...
web-ext needs to have access to my amo-upload-uuid in order to work at all, so if this package (or its dependencies) has vulnerabilities, it may steal it. Making this a sensitive package.
How do I do a "audit fix" during package build?
Everything2067 commented on 2026-06-12 07:13 (UTC)
Hi, The affected npm package is atomic-lockfile, which, according to npm, was created 2 days ago. So web-ext should certainly not be affected by this attack. It is affecting AUR packages that were created/adopted by the attacker themselves.
The audit is not performed, because it may break package dependencies. You can either run npm audit fix yourself, or you can wait for Mozilla for a new release, so that these vulnerabilities are fixed.
Markus.N commented on 2026-06-12 03:57 (UTC) (edited on 2026-06-12 03:58 (UTC) by Markus.N)
During build, I get these messages:
8 vulnerabilities (1 low, 4 moderate, 1 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
but I could not find out if the audit is actually performed. I also could not find out what these vulnerabilities exactly are.
Because of the current npm supply chain attack situation, I'd like to be better safe than sorry. Can someone shed some light on it?
Everything2067 commented on 2026-04-04 12:44 (UTC) (edited on 2026-04-05 11:45 (UTC) by Everything2067)
@binarynoise, I am able to reproduce this with LANG=de_DE.UTF-8. Looks like it fails the testing process. I will update this comment with the issue I will be creating upstream. Thanks.
Edit: https://github.com/mozilla/web-ext/issues/3676
Edit 2: I have added a workaround to the PKGBUILD, by running npm test with LANG=C, until the issue is resolved upstream.
binarynoise commented on 2026-04-04 12:23 (UTC)
I currently have nodejs-lts-krypton installed. I have set my locale to German.
Everything2067 commented on 2026-04-04 12:19 (UTC)
@binarynoise, try using the LTS version (nodejs-lts). Also, which locale are you using?
binarynoise commented on 2026-04-04 11:42 (UTC)
I can't build the package:
AssertionError: expected 'Unbekanntes Argument: nope' to match /Unknown argument: nope/
Is this fixable here or does this need to be fixed upstream?
export LANG=C before building works around that problem but is quite annoying
Everything2067 commented on 2026-03-28 15:14 (UTC)
@sun_lmao I have updated the PKGBUILD to allow all versions of nodejs. However, Mozilla recommends using the LTS version, so if there are any problems in building in the future, also try using the LTS version.
sun_lmao commented on 2026-03-28 14:51 (UTC)
Please change dependency nodejs-lts to nodejs. This is a real annoyance and I don't see why it would need to be the LTS version.
Pinned Comments
Everything2067 commented on 2026-03-28 15:14 (UTC)
@sun_lmao I have updated the PKGBUILD to allow all versions of nodejs. However, Mozilla recommends using the LTS version, so if there are any problems in building in the future, also try using the LTS version.