Fixing vulnerability

eclipse-velocitas · Nov 25, 2024 · ee673a1 · ee673a1
1 parent 1242bc9
commit ee673a1
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 4 deletions.
diff --git a/NOTICE-3RD-PARTY-CONTENT.md b/NOTICE-3RD-PARTY-CONTENT.md
@@ -151,7 +151,7 @@
 |convert-source-map|2.0.0|MIT|
 |core-util-is|1.0.3|MIT|
 |create-require|1.1.1|MIT|
-|cross-spawn|7.0.3|MIT|
+|cross-spawn|7.0.6|MIT|
 |debug|4.3.7|MIT|
 |decamelize|1.2.0|MIT|
 |decamelize|4.0.0|MIT|

diff --git a/README.md b/README.md
@@ -449,3 +449,28 @@ chmod -x /usr/bin/velocitas
 - [GitHub Issues](https://github.com/eclipse-velocitas/cli/issues)
 - [Mailing List](https://accounts.eclipse.org/mailing-list/velocitas-dev)
 - [Contribution](CONTRIBUTING.md)
+
+## Updating dependencies
+
+Sometimes dependencies needs to be updated to address vulnerabilities.
+If the vulnerability is known by npm (and a fix is published) you can typically request npm to update all existing vulnerabilities:
+
+```bash
+sudo npm audit fix
+```
+
+If the vulnerability is not (yet) considered as a vulnerability by npm you can update it manually:
+
+```bash
+sudo npm update cross-spawn
+```
+
+After updating you should do some basic checks that the tool is still working:
+
+```bash
+npm run build
+```
+
+After updating dependencies the file `NOTICE-3RD-PARTY-CONTENT.md` needs to be updated.
+The easiest way to do this is to create a Pull Request (preferably as draft),
+then the "Check Licenses" workflow will fail but as output produce content that you can add to the Pull Request.
diff --git a/package-lock.json b/package-lock.json