Azure / static-web-apps-cli

Azure Static Web Apps CLI ✨
https://aka.ms/swa/cli-local-development
MIT License

Outdated dependencies with moderate severity security issues (CVE-2023-45857) #794

Closed JamesBurnside closed 2 months ago

JamesBurnside commented 9 months ago

tl;dr - the wait-on dependency needs to be updated in order to update the axios sub-dependency version.

Describe the bug

The nested dependency axios needs to be updated for CVE-2023-45857 (https://github.com/axios/axios/issues/6006); this is fixed in axios. This dependency appears to stem from the wait-on package, which has since been updated to fix this: https://github.com/jeffbski/wait-on/pull/147

Expected outcome

Update the wait-on dependency to v7.2.0+.

Roger-Sa commented 7 months ago

update-notifier also needs an update: https://github.com/yeoman/update-notifier/issues/218

Fixed in 6.0.0 (Jun 23, 2022), latest version 7.0.0 (Oct 27, 2023).

Complete audit report:

```
axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @azure/static-web-apps-cli@0.2.1, which is a breaking change
node_modules/axios
  wait-on  5.0.0-rc.0 - 7.1.0
  Depends on vulnerable versions of axios
  node_modules/wait-on
    @azure/static-web-apps-cli  >=0.3.0
    Depends on vulnerable versions of update-notifier
    Depends on vulnerable versions of wait-on
    node_modules/@azure/static-web-apps-cli

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @azure/static-web-apps-cli@0.2.1, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
```
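The audit chain above (swa-cli -> wait-on -> axios, swa-cli -> update-notifier) can be checked directly against a project's lockfile rather than waiting for `npm audit` to flag it. The script below is an added example, not code from the static-web-apps-cli project or any commenter: it walks the "packages" map of a package-lock.json, prints every path that reaches a given package, and reports whether the installed versions meet the minimum fixed versions named in this thread (wait-on 7.2.0, update-notifier 6.0.0). The LOCK object and its version numbers are constructed for the demonstration, and only hoisted top-level node_modules entries are resolved.

```javascript
// Added example, not code from the static-web-apps-cli project: read a lockfile's
// "packages" map, trace how a vulnerable transitive dependency is reached, and check
// installed versions against the fixed versions named in this issue. LOCK is
// constructed (hypothetical versions) to mirror the audit chain swa-cli -> wait-on -> axios.
const LOCK = {
  packages: {
    "": { dependencies: { "@azure/static-web-apps-cli": "^1.0.0" } },
    "node_modules/@azure/static-web-apps-cli": {
      version: "1.0.0",
      dependencies: { "wait-on": "^7.0.0", "update-notifier": "^5.1.0" },
    },
    "node_modules/wait-on": { version: "7.1.0", dependencies: { axios: "^0.25.0" } },
    "node_modules/axios": { version: "0.25.0" },
    "node_modules/update-notifier": { version: "5.1.0" },
  },
};
// Minimum versions carrying the fixes referenced in the thread.
const MINIMUMS = { "wait-on": "7.2.0", "update-notifier": "6.0.0" };
// Compare major.minor.patch only; pre-release suffixes are ignored (assumption).
function atLeast(installed, required) {
  const a = installed.split("-")[0].split(".").map(Number);
  const b = required.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}
// Depth-first walk from the root entry returning every dependency path ending at
// `target`. Only hoisted top-level node_modules entries are resolved (assumption).
function pathsTo(lock, target, key = "", path = []) {
  const entry = lock.packages[key];
  if (!entry) return [];
  const found = [];
  for (const dep of Object.keys(entry.dependencies || {})) {
    const next = [...path, dep];
    if (dep === target) found.push(next);
    if (!path.includes(dep)) found.push(...pathsTo(lock, target, `node_modules/${dep}`, next));
  }
  return found;
}
// Report which of the named packages are still below their fixed version.
function outdated(lock, minimums) {
  const result = {};
  for (const [name, min] of Object.entries(minimums)) {
    const installed = (lock.packages[`node_modules/${name}`] || {}).version || null;
    result[name] = { installed, required: min, ok: installed !== null && atLeast(installed, min) };
  }
  return result;
}
```

Running `pathsTo(LOCK, "axios")` on the constructed lockfile yields the single chain `@azure/static-web-apps-cli -> wait-on -> axios`, and `outdated(LOCK, MINIMUMS)` flags both wait-on and update-notifier as below their fixed versions; point it at a real `package-lock.json` (via `JSON.parse(fs.readFileSync(...))`) to verify the fix landed.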

adrianhall commented 3 months ago

Let's generalize this and ensure all "npm audit" packages are upgraded.