electron / website

The Electron website
https://electronjs.org
Apache License 2.0

[UNSAFE] build: update yarn.lock to fix audit output #481

Closed up-up-and-away[bot] closed 5 months ago

up-up-and-away[bot] commented 11 months ago

We ran uuaw --audit and it resulted in a clean yarn audit.

Attempting to fix advisory: GHSA-wf5p-g6vw-rhxx - Axios Cross-Site Request Forgery Vulnerability
Scanning dependency chain:
     @docusaurus/preset-classic --> @docusaurus/theme-classic --> @docusaurus/theme-common --> @docusaurus/plugin-content-blog --> @docusaurus/core --> wait-on --> axios
[1/8] Trying from: axios@^0.25.0
    Resolving: axios@^0.25.0 --> 0.25.0
[1/8] Chain results in vulnerable version: axios@0.25.0
[2/8] Trying from: wait-on@^6.0.1
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[2/8] Chain results in vulnerable version: axios@0.25.0
[3/8] Trying from: @docusaurus/core@2.4.3
    Resolving: @docusaurus/core@2.4.3 --> 2.4.3
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[3/8] Chain results in vulnerable version: axios@0.25.0
[4/8] Trying from: @docusaurus/plugin-content-blog@2.4.3
    Resolving: @docusaurus/plugin-content-blog@2.4.3 --> 2.4.3
    Resolving: @docusaurus/core@2.4.3 --> 2.4.3
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[4/8] Chain results in vulnerable version: axios@0.25.0
[5/8] Trying from: @docusaurus/theme-common@2.4.3
    Resolving: @docusaurus/theme-common@2.4.3 --> 2.4.3
    Resolving: @docusaurus/plugin-content-blog@2.4.3 --> 2.4.3
    Resolving: @docusaurus/core@2.4.3 --> 2.4.3
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[5/8] Chain results in vulnerable version: axios@0.25.0
[6/8] Trying from: @docusaurus/theme-classic@2.4.3
    Resolving: @docusaurus/theme-classic@2.4.3 --> 2.4.3
    Resolving: @docusaurus/theme-common@2.4.3 --> 2.4.3
    Resolving: @docusaurus/plugin-content-blog@2.4.3 --> 2.4.3
    Resolving: @docusaurus/core@2.4.3 --> 2.4.3
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[6/8] Chain results in vulnerable version: axios@0.25.0
[7/8] Trying from: @docusaurus/preset-classic@^2.4.3
    Resolving: @docusaurus/preset-classic@^2.4.3 --> 2.4.3
    Resolving: @docusaurus/theme-classic@2.4.3 --> 2.4.3
    Resolving: @docusaurus/theme-common@2.4.3 --> 2.4.3
    Resolving: @docusaurus/plugin-content-blog@2.4.3 --> 2.4.3
    Resolving: @docusaurus/core@2.4.3 --> 2.4.3
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[7/8] Chain results in vulnerable version: axios@0.25.0
[8/8] [UNSAFE] Trying from: @docusaurus/preset-classic@^3.0.0
    Resolving: @docusaurus/preset-classic@^3.0.0 --> 3.1.0
    Resolving: @docusaurus/theme-classic@3.1.0 --> 3.1.0
    Resolving: @docusaurus/theme-common@3.1.0 --> 3.1.0
    Resolving: @docusaurus/plugin-content-blog@3.1.0 --> 3.1.0
    Resolving: @docusaurus/core@3.1.0 --> 3.1.0
[8/8] [UNSAFE] Updating chain to latest starting at: @docusaurus/preset-classic@^3.0.0 results in cutting the known chain
[8/8] [UNSAFE] Running yarn install now

Attempting to fix advisory: GHSA-wf5p-g6vw-rhxx - Axios Cross-Site Request Forgery Vulnerability
Scanning dependency chain:
     @docusaurus/plugin-google-analytics --> @docusaurus/core --> wait-on --> axios
[1/5] Trying from: axios@^0.25.0
    Resolving: axios@^0.25.0 --> 0.25.0
[1/5] Chain results in vulnerable version: axios@0.25.0
[2/5] Trying from: wait-on@^6.0.1
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[2/5] Chain results in vulnerable version: axios@0.25.0
[3/5] Trying from: @docusaurus/core@2.4.3
    Resolving: @docusaurus/core@2.4.3 --> 2.4.3
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[3/5] Chain results in vulnerable version: axios@0.25.0
[4/5] Trying from: @docusaurus/plugin-google-analytics@^2.4.3
    Resolving: @docusaurus/plugin-google-analytics@^2.4.3 --> 2.4.3
    Resolving: @docusaurus/core@2.4.3 --> 2.4.3
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[4/5] Chain results in vulnerable version: axios@0.25.0
[5/5] [UNSAFE] Trying from: @docusaurus/plugin-google-analytics@^3.0.0
    Resolving: @docusaurus/plugin-google-analytics@^3.0.0 --> 3.1.0
    Resolving: @docusaurus/core@3.1.0 --> 3.1.0
[5/5] [UNSAFE] Updating chain to latest starting at: @docusaurus/plugin-google-analytics@^3.0.0 results in cutting the known chain
[5/5] [UNSAFE] Running yarn install now

Attempting to fix advisory: GHSA-wf5p-g6vw-rhxx - Axios Cross-Site Request Forgery Vulnerability
Scanning dependency chain:
     @docusaurus/core --> wait-on --> axios
[1/4] Trying from: axios@^0.25.0
    Resolving: axios@^0.25.0 --> 0.25.0
[1/4] Chain results in vulnerable version: axios@0.25.0
[2/4] Trying from: wait-on@^6.0.1
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[2/4] Chain results in vulnerable version: axios@0.25.0
[3/4] Trying from: @docusaurus/core@^2.4.3
    Resolving: @docusaurus/core@^2.4.3 --> 2.4.3
    Resolving: wait-on@^6.0.1 --> 6.0.1
    Resolving: axios@^0.25.0 --> 0.25.0
[3/4] Chain results in vulnerable version: axios@0.25.0
[4/4] [UNSAFE] Trying from: @docusaurus/core@^3.0.0
    Resolving: @docusaurus/core@^3.0.0 --> 3.1.0
[4/4] [UNSAFE] Updating chain to latest starting at: @docusaurus/core@^3.0.0 results in cutting the known chain
[4/4] [UNSAFE] Running yarn install now

Audit is clean, looking good cap'n