From ee673a1020f8052b6098c2e55a3ce25ec9ac9b49 Mon Sep 17 00:00:00 2001
From: Erik Jaegervall
Date: Mon, 25 Nov 2024 08:56:25 +0100
Subject: [PATCH] Fixing vulnerability

---
 NOTICE-3RD-PARTY-CONTENT.md | 2 +-
 README.md | 25 +++++++++++++++++++++++++
 package-lock.json | 6 +++---
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/NOTICE-3RD-PARTY-CONTENT.md b/NOTICE-3RD-PARTY-CONTENT.md
index 3a415b2..6ebf424 100644
--- a/NOTICE-3RD-PARTY-CONTENT.md
+++ b/NOTICE-3RD-PARTY-CONTENT.md
@@ -151,7 +151,7 @@
 |convert-source-map|2.0.0|MIT|
 |core-util-is|1.0.3|MIT|
 |create-require|1.1.1|MIT|
-|cross-spawn|7.0.3|MIT|
+|cross-spawn|7.0.6|MIT|
 |debug|4.3.7|MIT|
 |decamelize|1.2.0|MIT|
 |decamelize|4.0.0|MIT|
diff --git a/README.md b/README.md
index aa53754..5db2089 100644
--- a/README.md
+++ b/README.md
@@ -449,3 +449,28 @@ chmod -x /usr/bin/velocitas
 - [GitHub Issues](https://github.com/eclipse-velocitas/cli/issues)
 - [Mailing List](https://accounts.eclipse.org/mailing-list/velocitas-dev)
 - [Contribution](CONTRIBUTING.md)
+
+## Updating dependencies
+
+Sometimes dependencies needs to be updated to address vulnerabilities.
+If the vulnerability is known by npm (and a fix is published) you can typically request npm to update all existing vulnerabilities:
+
+```bash
+sudo npm audit fix
+```
+
+If the vulnerability is not (yet) considered as a vulnerability by npm you can update it manually:
+
+```bash
+sudo npm update cross-spawn
+```
+
+After updating you should do some basic checks that the tool is still working:
+
+```bash
+npm run build
+```
+
+After updating dependencies the file `NOTICE-3RD-PARTY-CONTENT.md` needs to be updated.
+The easiest way to do this is to create a Pull Request (preferably as draft),
+then the "Check Licenses" workflow will fail but as output produce content that you can add to the Pull Request.
diff --git a/package-lock.json b/package-lock.json
index 31d487f..ec1cfab 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2276,9 +2276,9 @@
 "license": "MIT"
 },
 "node_modules/cross-spawn": {
- "version": "7.0.3",
- "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz",
- "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
+ "version": "7.0.6",
+ "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+ "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
 "license": "MIT",
 "dependencies": {
 "path-key": "^3.1.0",