mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

Update elliptic, @eslint/plugin-kit and cross-spawn to non-vulnerable versions #7191

Closed: raksooo closed 1 week ago

raksooo commented 1 week ago

This PR updates these dependencies due to them having known vulnerabilities. All changes to package-lock.json were generated by npm audit fix. The osv-scanner ignore for elliptic has also been removed. None of these vulnerabilities affected the app or users.



socket-security[bot] commented 1 week ago

New and removed dependencies detected.

| Package | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- |
| npm/@eslint/js@9.15.0 | None | 0 | 14.9 kB | eslintbot, openjsfoundation |
| npm/eslint@9.15.0 | environment; Transitive: eval, filesystem, shell, unsafe | +70 | 11.1 MB | eslintbot |

🚮 Removed packages: npm/@eslint/js@9.10.0, npm/eslint@9.10.0


raksooo commented 1 week ago

Turns out the update of @eslint/plugin-kit is incompatible with the current version of typescript-eslint: https://github.com/typescript-eslint/typescript-eslint/issues/10338

According to the comments, a fix will be out in a few days.