Skip to content

Update github actions package.json for reported vulnerabilities#13356

Merged
bobbrow merged 1 commit intomainfrom
bobbrow/audit
Mar 10, 2025
Merged

Update github actions package.json for reported vulnerabilities#13356
bobbrow merged 1 commit intomainfrom
bobbrow/audit

Conversation

@bobbrow
Copy link
Member

@bobbrow bobbrow commented Mar 10, 2025

update axios and cross-spawn

@bobbrow bobbrow requested a review from a team as a code owner March 10, 2025 17:07
@github-project-automation github-project-automation bot moved this to Pull Request in cpptools Mar 10, 2025
@bobbrow bobbrow enabled auto-merge (squash) March 10, 2025 17:09
sean-mcmanus
sean-mcmanus reviewed Mar 10, 2025
View reviewed changes
Copy link
Contributor

@sean-mcmanus sean-mcmanus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't you update the

"resolutions": {
    "minimatch": "^3.0.5"
  }

?

I'm not sure if there are any issues with these updates without updating the resolutions.

@bobbrow
Copy link
Member Author

bobbrow commented Mar 10, 2025
edited
Loading

Shouldn't you update the

"resolutions": {
    "minimatch": "^3.0.5"
  }

?

I'm not sure if there are any issues with these updates without updating the resolutions.

I fixed axios manually and cross-spawn was done with npm audit fix. If you think I should update something else, I can do that too.

@sean-mcmanus
Copy link
Contributor

sean-mcmanus commented Mar 10, 2025

I fixed axios manually and cross-spawn was done with npm audit fix. If you think I should update something else, I can do that too.

I'm not sure, because I can't seem to run npm audit.

Unable to authenticate, need: Basic realm="https://pkgsprodwus21.pkgs.visualstudio.com/"

When I get rid of the .npmrc I get different npm audit warnings unrelated to cross-spawn/axios.

@bobbrow bobbrow merged commit 3a837ec into main Mar 10, 2025
6 checks passed
@bobbrow bobbrow deleted the bobbrow/audit branch March 10, 2025 17:42
@github-project-automation github-project-automation bot moved this from Pull Request to Done in cpptools Mar 10, 2025
@lukka
Copy link
Member

lukka commented Mar 10, 2025

@bobbrow was DependaBot ever considered? It would create PR automatically to fix vulnerabilities in package.json.

@bobbrow
Copy link
Member Author

bobbrow commented Mar 10, 2025

@bobbrow was DependaBot ever considered? It would create PR automatically to fix vulnerabilities in package.json.

dependabot is supposed to be running already. We get PR's from it sometimes. I don't know what its schedule is relative to the scans that run and open bugs in Azure Dev Ops though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sean-mcmanus sean-mcmanus sean-mcmanus approved these changes

Assignees

No one assigned

Labels

None yet

Projects

cpptools
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bobbrow @sean-mcmanus @lukka