chore: fix vuln: override autolinker ^4.0.0 (#785)

fixes https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11 markdown-toc's latest v1.2.0 is still vulnerable via a transitive dependency, but hasn't received updates in a long time. This PR overrides one of the other transitive dependencies to a non-vulnerable version. more info here jonschlinkert/markdown-toc#156 (comment) # Testing process - Manually invoked `make markdown-toc` and it did succeed, while also adding a missing header in the README. - Made a few typos in the headers and markdown-toc did fix them. - Cloned markdown-toc, added the override, and its unit tests passed --------- Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
slsa-framework · Aug 13, 2024 · 3f37511 · 3f37511
1 parent e827585
commit 3f37511
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 50 deletions.
diff --git a/README.md b/README.md
@@ -29,6 +29,7 @@
 - [Verification for GitHub builders](#verification-for-github-builders)
   - [Artifacts](#artifacts)
   - [Containers](#containers)
+    - [The verify-image command](#the-verify-image-command)
   - [npm packages](#npm-packages)
     - [The verify-npm-package command](#the-verify-npm-package-command)
     - [npm packages built using the SLSA3 Node.js builder](#npm-packages-built-using-the-slsa3-nodejs-builder)

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -6,5 +6,8 @@
   "devDependencies": {
     "markdown-toc": "1.2.0",
     "renovate": "37.374.1"
+  },
+  "overrides": {
+    "autolinker": "^4.0.0"
   }
 }