
chore: fix vuln: override autolinker ^4.0.0

Open ramonpetgrave64 opened this issue 7 months ago • 1 comment

fixes https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11

markdown-toc's latest v1.2.0 is still vulnerable via a transitive dependency, but hasn't received updates in a long time.

This PR overrides one of the other transitive dependencies to a non-vulnerable version.

more info here https://github.com/jonschlinkert/markdown-toc/issues/156#issuecomment-2197630000

Testing process

  • Manually invoked make markdown-toc and it did succeed, while also adding a missing header in the README.
  • Made a few typos in the headers and markdown-toc did fix them.
  • Cloned markdown-toc, added the override, and its unit tests passed.

ramonpetgrave64 Jun 28 '24 21:06
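A quick way to confirm that an npm `overrides` entry such as the one this PR adds (`"autolinker": "^4.0.0"` in package.json) actually took effect is to inspect the generated lockfile rather than trust `npm install`'s silence. The script below is an added example, not code from the slsa-verifier repository: it walks a package-lock.json (lockfileVersion 2 or 3) and reports every resolved copy of a package, top-level or nested, whose version falls outside the override range. The embedded lockfile is constructed for illustration and its dependency edges are assumptions.

```javascript
// Added example: check that an npm "overrides" entry applied to every copy of a
// package in package-lock.json (lockfileVersion 2 or 3 "packages" map).
// SAMPLE_LOCK is constructed for illustration; the dependency edges are assumptions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "markdown-toc": "^1.2.0" } },
    "node_modules/markdown-toc": { version: "1.2.0", dependencies: { remarkable: "^1.7.1" } },
    "node_modules/remarkable": { version: "1.7.4", dependencies: { autolinker: "~0.28.0" } },
    "node_modules/autolinker": { version: "4.0.0" },
  },
};

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; null for prereleases or junk.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v || "");
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal caret-range check, the only range form this example needs:
// ^X.Y.Z allows >= X.Y.Z and < the next bump of the leftmost non-zero component.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are handled here");
  const have = parseVersion(version), want = parseVersion(range.slice(1));
  if (!have || !want || compareVersions(have, want) < 0) return false;
  if (want[0] !== 0) return have[0] === want[0];
  if (want[1] !== 0) return have[0] === 0 && have[1] === want[1];
  return have[0] === 0 && have[1] === 0 && have[2] === want[2];
}

// Every lockfile path where `name` resolves to a version outside `range`.
// A nested copy such as node_modules/remarkable/node_modules/autolinker at 0.28.x
// would mean the override did not reach that branch of the tree.
function findUnsatisfied(lock, name, range) {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The last "node_modules/" segment is the package name (scoped names included).
    if (path === "" || path.split("node_modules/").pop() !== name) continue;
    if (!satisfiesCaret(entry.version, range)) bad.push({ path, version: entry.version });
  }
  return bad;
}

console.log(findUnsatisfied(SAMPLE_LOCK, "autolinker", "^4.0.0")); // []
```

Against a real checkout, replace SAMPLE_LOCK with `require("./package-lock.json")` and fail the build if the returned list is non-empty.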