From c01fbd3ece80badcf76a3779c7f157199d1fd64f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erik=20Jaegervall=20=28J=C3=A4gervall=29?= <30996601+erikbosch@users.noreply.github.com>
Date: Wed, 20 Nov 2024 18:42:32 +0100
Subject: [PATCH] Fixing vulnerability (#15)

Co-authored-by: BjoernAtBosch
---
 NOTICE-3RD-PARTY-CONTENT.md | 2 +-
 README.md | 28 +++++++++++++++++++++++++++-
 package-lock.json | 7 ++++---
 3 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/NOTICE-3RD-PARTY-CONTENT.md b/NOTICE-3RD-PARTY-CONTENT.md
index eb28d72..f96cc7a 100644
--- a/NOTICE-3RD-PARTY-CONTENT.md
+++ b/NOTICE-3RD-PARTY-CONTENT.md
@@ -107,7 +107,7 @@
 |commander|9.1.0|MIT|
 |concat-map|0.0.1|MIT|
 |create-require|1.1.1|MIT|
-|cross-spawn|7.0.3|MIT|
+|cross-spawn|7.0.5|MIT|
 |cucumber-console-formatter|1.0.0|ISC|
 |cucumber-tsflow|4.4.1|MIT|
 |date-format|4.0.14|MIT|
diff --git a/README.md b/README.md
index 688cd38..3724870 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,32 @@ Use the `actions/checkout@v4` action to clone the `release-documentation-action`
 |sourcePath|true|folder where the action retrieves the raw result files|
 |packagePath|true|target path where the results are copied to |
 
-## Contributing
+# Contributing
 
 For guidance on setting up a development environment and how to make a contribution to the Velocitas Release Documentation Action, see the [contributing guidelines](./CONTRIBUTING.md).
+
+## Updating dependencies
+
+Sometimes dependencies needs to be updated to address vulnerabilities.
+If the vulnerability is known by npm (and a fix is published) you can typically request npm to update all existing vulnerabilities:
+
+```bash
+sudo npm audit fix
+```
+
+If the vulnerability is not (yet) considered as a vulnerability by npm you can update it manually:
+
+```bash
+sudo npm update cross-spawn
+```
+
+After updating you should do some basic checks that the tool is still working:
+
+```bash
+npm run build
+npm run package
+```
+
+After updating dependencies the file `NOTICE-3RD-PARTY-CONTENT.md` needs to be updated.
+The easiest way to do this is to create a Pull Request (preferably as draft),
+then the "Check Licenses" workflow will fail but as output produce content that you can add to the Pull Request.
diff --git a/package-lock.json b/package-lock.json
index ab2d544..5684884 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1437,10 +1437,11 @@
 "dev": true
 },
 "node_modules/cross-spawn": {
- "version": "7.0.3",
- "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz",
- "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
+ "version": "7.0.5",
+ "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.5.tgz",
+ "integrity": "sha512-ZVJrKKYunU38/76t0RMOulHOnUcbU9GbpWKAOZ0mhjr7CX6FVrH+4FrAapSOekrgFQ3f/8gwMEuIft0aKq6Hug==",
 "dev": true,
+ "license": "MIT",
 "dependencies": {
 "path-key": "^3.1.0",
 "shebang-command": "^2.0.0",