From ce8f83c7e7d702988540a9408189f81c53d6961b Mon Sep 17 00:00:00 2001
From: Lukas Taegert-Atkinson
Date: Fri, 12 Jul 2024 18:00:49 +0200
Subject: [PATCH] Switch to audit resolver to ignore requirejs vulnerability (#5573)
---
 .github/workflows/build-and-tests.yml | 2 +-
 audit-resolve.json | 10 ++
 package-lock.json | 225 ++++++++++++++++++++++++++
 package.json | 3 +
 scripts/prepare-release.js | 2 +-
 5 files changed, 240 insertions(+), 2 deletions(-)
 create mode 100644 audit-resolve.json
diff --git a/.github/workflows/build-and-tests.yml b/.github/workflows/build-and-tests.yml
index 313f77ef7..d4d78c736 100644
--- a/.github/workflows/build-and-tests.yml
+++ b/.github/workflows/build-and-tests.yml
@@ -48,7 +48,7 @@ jobs:
 - name: Lint
 run: npm run ci:lint
 - name: Vulnerabilities
- run: npm audit
+ run: npm run check-audit
 - name: Optional Dependencies
 run: npm run test:package
 - name: CLI Docs
diff --git a/audit-resolve.json b/audit-resolve.json
new file mode 100644
index 000000000..ecdf983b5
--- /dev/null
+++ b/audit-resolve.json
@@ -0,0 +1,10 @@
+{
+ "decisions": {
+ "1098122|requirejs": {
+ "decision": "ignore",
+ "madeAt": 1720680883374
+ }
+ },
+ "rules": {},
+ "version": 1
+}
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
index e2db79db0..52a9e8c1e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -74,6 +74,7 @@
 "magic-string": "^0.30.10",
 "mocha": "^10.5.2",
 "nodemon": "^3.1.4",
+ "npm-audit-resolver": "^3.0.0-RC.0",
 "nyc": "^17.0.0",
 "pinia": "^2.1.7",
 "prettier": "^3.3.2",
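Review bot: The `ignore` decision for `1098122|requirejs` in the new audit-resolve.json is permanent and carries no rationale, so the CI step and the release script that now run `npm run check-audit` (the build-and-tests.yml hunk above and the prepare-release.js hunk later in this patch) will suppress that advisory indefinitely with nothing prompting a re-evaluation. The file is JSON and cannot hold a comment, so the reason the advisory is considered non-exploitable here (presumably requirejs is only reachable through a dev or test dependency — not visible in this patch) should be recorded in the commit message or in a short note in the contributor docs next to the `check-audit`/`resolve-audit` scripts. If npm-audit-resolver's time-limited postpone decision fits this case, it would force a re-check at a fixed date instead of a permanent ignore; otherwise the decisions file deserves a scheduled review, since `madeAt` is only the raw epoch timestamp of when the ignore was recorded.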
@@ -1759,6 +1760,13 @@ "@jridgewell/sourcemap-codec": "^1.4.14" } }, + "node_modules/@korzio/djv-draft-04": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@korzio/djv-draft-04/-/djv-draft-04-2.0.1.tgz", + "integrity": "sha512-MeTVcNsfCIYxK6T7jW1sroC7dBAb4IfLmQe6RoCqlxHN5NFkzNpgdnBPR+/0D2wJDUJHM9s9NQv+ouhxKjvUjg==", + "dev": true, + "optional": true + }, "node_modules/@lezer/common": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/@lezer/common/-/common-1.2.1.tgz", @@ -1872,6 +1880,16 @@ "node": ">= 8" } }, + "node_modules/@npmcli/ci-detect": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@npmcli/ci-detect/-/ci-detect-3.0.2.tgz", + "integrity": "sha512-P7nZG0skRVa9lH0OQmFG62CrzOySUiuPbKopjVAj3sXP0m1om9XfIvTp46h+NvlpTyd121JekiXFZj+1pnbm9g==", + "deprecated": "this package has been deprecated, use `ci-info` instead", + "dev": true, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, "node_modules/@pkgjs/parseargs": { "version": "0.11.0", "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", @@ -3723,6 +3741,17 @@ "dev": true, "license": "MIT" }, + "node_modules/audit-resolve-core": { + "version": "3.0.0-3", + "resolved": "https://registry.npmjs.org/audit-resolve-core/-/audit-resolve-core-3.0.0-3.tgz", + "integrity": "sha512-37Qkk1EerVIzSF824BytESWeEtUcbAmdWyTGA/MqnHgVzO+PnU9oNqOpZTMst54xLpJci70Jszq/sLogqfvHmQ==", + "dev": true, + "dependencies": { + "debug": "^4.3.1", + "djv": "^2.1.4", + "yargs-parser": "^21.0.0" + } + }, "node_modules/available-typed-arrays": { "version": "1.0.7", "resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.7.tgz", 
@@ -4545,6 +4574,21 @@ "dev": true, "license": "MIT" }, + "node_modules/concat-stream": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-2.0.0.tgz", + "integrity": "sha512-MWufYdFw53ccGjCA+Ol7XJYpAlW6/prSMzuPOTRnJGcGzuhLn4Scrz7qf6o8bROZ514ltazcIFJZevcfbo0x7A==", + "dev": true, + "engines": [ + "node >= 6.0" + ], + "dependencies": { + "buffer-from": "^1.0.0", + "inherits": "^2.0.3", + "readable-stream": "^3.0.2", + "typedarray": "^0.0.6" + } + }, "node_modules/concurrently": { "version": "8.2.2", "resolved": "https://registry.npmjs.org/concurrently/-/concurrently-8.2.2.tgz", @@ -5498,6 +5542,15 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/default-shell": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/default-shell/-/default-shell-1.0.1.tgz", + "integrity": "sha512-/Os8tTMPSriNHCsVj3VLjMZblIl1sIg8EXz3qg7C5K+y9calfTA/qzlfPvCQ+LEgLWmtZ9wCnzE1w+S6TPPFyQ==", + "dev": true, + "engines": { + "node": ">=4" + } + }, "node_modules/defaults": { "version": "1.0.4", "resolved": "https://registry.npmjs.org/defaults/-/defaults-1.0.4.tgz", @@ -5621,6 +5674,15 @@ "node": ">=8" } }, + "node_modules/djv": { + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/djv/-/djv-2.1.4.tgz", + "integrity": "sha512-giDn+BVbtLlwtkvtcsZjbjzpALHB77skiv3FIu6Wp8b5j8BunDcVJYH0cGUaexp6s0Sb7IkquXXjsLBJhXwQpA==", + "dev": true, + "optionalDependencies": { + "@korzio/djv-draft-04": "^2.0.1" + } + }, "node_modules/doctrine": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-3.0.0.tgz", 
@@ -8368,6 +8430,12 @@ "graceful-fs": "^4.1.6" } }, + "node_modules/jsonlines": { + "version": "0.1.1", + "resolved": "https://registry.npmjs.org/jsonlines/-/jsonlines-0.1.1.tgz", + "integrity": "sha512-ekDrAGso79Cvf+dtm+mL8OBI2bmAOt3gssYs833De/C9NmIpWDWyUO4zPgB5x2/OhY366dkhgfPMYfwZF7yOZA==", + "dev": true + }, "node_modules/katex": { "version": "0.16.11", "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.11.tgz", @@ -9199,6 +9267,27 @@ "url": "https://opencollective.com/unified" } }, + "node_modules/merge-options": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/merge-options/-/merge-options-1.0.1.tgz", + "integrity": "sha512-iuPV41VWKWBIOpBsjoxjDZw8/GbSfZ2mk7N1453bwMrfzdrIk7EzBd+8UVR6rkw67th7xnk9Dytl3J+lHPdxvg==", + "dev": true, + "dependencies": { + "is-plain-obj": "^1.1" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/merge-options/node_modules/is-plain-obj": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-1.1.0.tgz", + "integrity": "sha512-yvkRyxmFKEOQ4pNXCmJG5AEQNlXJS5LaONXo5/cLdTZdWvsZ1ioJEonLGAosKlMWE8lwUy/bJzMjcw8az73+Fg==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/merge-stream": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/merge-stream/-/merge-stream-2.0.0.tgz", 
@@ -10794,6 +10883,89 @@ "node": ">=0.10.0" } }, + "node_modules/npm-audit-resolver": { + "version": "3.0.0-RC.0", + "resolved": "https://registry.npmjs.org/npm-audit-resolver/-/npm-audit-resolver-3.0.0-RC.0.tgz", + "integrity": "sha512-UuVC7HIxGMhkGfj6IcilBO0cbAz/Y1OhRHA49g3ccpyHDy6Bpd4nkPnLe+xuyZmTgUjiac509IIN3YPVdJZ0Hw==", + "dev": true, + "dependencies": { + "@npmcli/ci-detect": "^3.0.2", + "audit-resolve-core": "^3.0.0-3", + "chalk": "^4.1.2", + "concat-stream": "^2.0.0", + "djv": "^2.1.4", + "jsonlines": "^0.1.1", + "read": "^2.0.0", + "spawn-shell": "^2.1.0", + "yargs-parser": "^21.1.1", + "yargs-unparser": "^2.0.0" + }, + "bin": { + "check-audit": "check.js", + "resolve-audit": "resolve.js" + } + }, + "node_modules/npm-audit-resolver/node_modules/ansi-styles": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", + "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", + "dev": true, + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/npm-audit-resolver/node_modules/chalk": { + "version": "4.1.2", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz", + "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==", + "dev": true, + "dependencies": { + "ansi-styles": "^4.1.0", + "supports-color": "^7.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/chalk?sponsor=1" + } + }, + "node_modules/npm-audit-resolver/node_modules/color-convert": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", + "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", + "dev": true, + "dependencies": { + "color-name": "~1.1.4" 
+ }, + "engines": { + "node": ">=7.0.0" + } + }, + "node_modules/npm-audit-resolver/node_modules/color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "dev": true + }, + "node_modules/npm-audit-resolver/node_modules/supports-color": { + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz", + "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==", + "dev": true, + "dependencies": { + "has-flag": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/npm-run-path": { "version": "5.3.0", "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-5.3.0.tgz", @@ -12049,6 +12221,18 @@ "safe-buffer": "^5.1.0" } }, + "node_modules/read": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/read/-/read-2.1.0.tgz", + "integrity": "sha512-bvxi1QLJHcaywCAEsAk4DG3nVoqiY2Csps3qzWalhj5hFqRn1d/OixkFXtLO1PrgHUcAP0FNaSY/5GYNfENFFQ==", + "dev": true, + "dependencies": { + "mute-stream": "~1.0.0" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, "node_modules/read-pkg": { "version": "5.2.0", "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-5.2.0.tgz", 
@@ -13112,6 +13296,41 @@ "integrity": "sha512-zC8zGoGkmc8J9ndvml8Xksr1Amk9qBujgbF0JAIWO7kXr43w0h/0GJNM/Vustixu+YE8N/MTrQ7N31FvHUACxQ==", "dev": true }, + "node_modules/spawn-shell": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/spawn-shell/-/spawn-shell-2.1.0.tgz", + "integrity": "sha512-mjlYAQbZPHd4YsoHEe+i0Xbp9sJefMKN09JPp80TqrjC5NSuo+y1RG3NBireJlzl1dDV2NIkIfgS6coXtyqN/A==", + "dev": true, + "dependencies": { + "default-shell": "^1.0.1", + "merge-options": "~1.0.1", + "npm-run-path": "^2.0.2" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/spawn-shell/node_modules/npm-run-path": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-2.0.2.tgz", + "integrity": "sha512-lJxZYlT4DW/bRUtFh1MQIWqmLwQfAxnqWG4HhEdjMlkrJYnJn0Jrr2u3mgxqaWsdiBc76TYkTG/mhrnYTuzfHw==", + "dev": true, + "dependencies": { + "path-key": "^2.0.0" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/spawn-shell/node_modules/path-key": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/path-key/-/path-key-2.0.1.tgz", + "integrity": "sha512-fEHGKCSmUSDPv4uoj8AlD+joPlq3peND+HRYyxFz4KPw4z926S/b8rIuFs2FYJg3BwsxJf6A9/3eIdLaYC+9Dw==", + "dev": true, + "engines": { + "node": ">=4" + } + }, "node_modules/spawn-wrap": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/spawn-wrap/-/spawn-wrap-2.0.0.tgz", @@ -14002,6 +14221,12 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/typedarray": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", + "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==", + "dev": true + }, "node_modules/typedarray-to-buffer": { "version": "3.1.5", "resolved": "https://registry.npmjs.org/typedarray-to-buffer/-/typedarray-to-buffer-3.1.5.tgz", diff --git a/package.json b/package.json index 6c3b2fb39..8d2b3074a 100644 --- a/package.json +++ b/package.json 
@@ -74,6 +74,8 @@
 "prepublish:napi": "napi prepublish --skip-gh-release",
 "release": "node scripts/prepare-release.js",
 "release:docs": "git fetch --update-head-ok origin master:master && git branch --force documentation-published master && git push origin documentation-published",
+ "check-audit": "check-audit",
+ "resolve-audit": "resolve-audit",
 "test": "npm run build && npm run test:all",
 "test:update-snapshots": "node scripts/update-snapshots.js",
 "test:cjs": "npm run build:cjs && npm run test:only",
@@ -173,6 +175,7 @@
 "magic-string": "^0.30.10",
 "mocha": "^10.5.2",
 "nodemon": "^3.1.4",
+ "npm-audit-resolver": "^3.0.0-RC.0",
 "nyc": "^17.0.0",
 "pinia": "^2.1.7",
 "prettier": "^3.3.2",
diff --git a/scripts/prepare-release.js b/scripts/prepare-release.js
index 999489020..8ea89c0ef 100755
--- a/scripts/prepare-release.js
+++ b/scripts/prepare-release.js
@@ -199,7 +199,7 @@ function getDummyLogSection(headline, pr) {
 async function installDependenciesAndLint() {
 await Promise.all([
 runWithEcho('npm', ['ci', '--ignore-scripts']),
- runWithEcho('npm', ['audit'])
+ runWithEcho('npm', ['run', 'check-audit'])
 ]);
 await runWithEcho('npm', ['run', 'ci:lint']);
 }
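Review bot: The vulnerability gate now depends on a release-candidate package, `"npm-audit-resolver": "^3.0.0-RC.0"` in the devDependencies hunk, and the lock entries added earlier in this patch show it pulls in `@npmcli/ci-detect`, which the registry metadata there marks as deprecated. A pre-release tool deciding whether the audit step passes is worth tracking explicitly: record in the PR description or a tracking issue that the range should move to a stable 3.x release once one is published, and that the deprecated transitive dependency should disappear with it.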
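Review bot: `runWithEcho('npm', ['run', 'check-audit'])` is started concurrently with `npm ci --ignore-scripts` inside the `Promise.all`, but unlike the built-in `npm audit` it replaced, `check-audit` is a binary that `npm ci` installs into node_modules/.bin, and `npm ci` removes an existing node_modules before installing, so the audit can race the install and fail or run against a half-installed tree. Make the two steps sequential: `await runWithEcho('npm', ['ci', '--ignore-scripts']);` followed by `await runWithEcho('npm', ['run', 'check-audit']);`, ahead of the existing `ci:lint` call, and drop the `Promise.all` wrapper. installDependenciesAndLint is fully contained in the hunk.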