
Address audited vulnerabilities #70

@den-sq

NPM Audit turns up vulnerabilities that require breaking changes; electron update should address them:

electron <35.7.5
Severity: moderate
Electron has ASAR Integrity Bypass via resource modification - GHSA-vmqv-hx8q-j7mg
fix available via npm audit fix --force
Will install electron@40.1.0, which is a breaking change
node_modules/electron

esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - GHSA-67mh-4wv8-2f99
fix available via npm audit fix --force
Will install electron-vite@5.0.0, which is a breaking change
node_modules/esbuild
electron-vite <=3.0.0
Depends on vulnerable versions of esbuild
Depends on vulnerable versions of vite
node_modules/electron-vite
vite 0.11.0 - 6.1.6
Depends on vulnerable versions of esbuild
node_modules/vite

eslint <9.26.0
Severity: moderate
eslint has a Stack Overflow when serializing objects with circular references - GHSA-p5wg-g6qr-c7cg
fix available via npm audit fix --force
Will install eslint@9.39.2, which is a breaking change
node_modules/eslint
@typescript-eslint/eslint-plugin <=8.0.0-alpha.62
Depends on vulnerable versions of @typescript-eslint/parser
Depends on vulnerable versions of @typescript-eslint/type-utils
Depends on vulnerable versions of @typescript-eslint/utils
Depends on vulnerable versions of eslint
node_modules/@typescript-eslint/eslint-plugin
@typescript-eslint/parser 1.1.1-alpha.0 - 8.0.0-alpha.62
Depends on vulnerable versions of eslint
node_modules/@typescript-eslint/parser
@electron-toolkit/eslint-config-ts <=2.0.0
Depends on vulnerable versions of @typescript-eslint/eslint-plugin
Depends on vulnerable versions of @typescript-eslint/parser
node_modules/@electron-toolkit/eslint-config-ts
@typescript-eslint/type-utils 5.9.2-alpha.0 - 8.0.0-alpha.62
Depends on vulnerable versions of @typescript-eslint/utils
Depends on vulnerable versions of eslint
node_modules/@typescript-eslint/type-utils
@typescript-eslint/utils <=8.0.0-alpha.62
Depends on vulnerable versions of eslint
node_modules/@typescript-eslint/utils

tar <=7.5.6
Severity: high
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - GHSA-8qq5-rm4j-mr97
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - GHSA-r6q2-hw4h-h46w
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal - GHSA-34x7-hfp2-rc4v
fix available via npm audit fix --force
Will install electron-builder@26.6.0, which is a breaking change
node_modules/tar
app-builder-lib 23.0.7 - 26.4.1
Depends on vulnerable versions of dmg-builder
Depends on vulnerable versions of electron-builder-squirrel-windows
Depends on vulnerable versions of tar
node_modules/app-builder-lib
dmg-builder 23.0.7 - 26.4.1
Depends on vulnerable versions of app-builder-lib
node_modules/dmg-builder
electron-builder 19.25.0 || 23.0.7 - 26.4.1
Depends on vulnerable versions of app-builder-lib
Depends on vulnerable versions of dmg-builder
node_modules/electron-builder
electron-builder-squirrel-windows 23.0.7 - 26.4.1
Depends on vulnerable versions of app-builder-lib
node_modules/electron-builder-squirrel-windows

valibot 0.31.0 - 1.1.0
Severity: high
Valibot has a ReDoS vulnerability in EMOJI_REGEX - GHSA-vqpr-j7v3-hqw9
fix available via npm audit fix --force
Will install valibot@1.2.0, which is a breaking change
node_modules/valibot

16 vulnerabilities (10 moderate, 6 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force
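The text report above is the human-readable form of the same data `npm audit --json` emits. The following is an added example, not code from this issue or from the project, that triages that JSON form: it attaches each root advisory (the GHSA entries) to the single upgrade npm says would clear it, skips the "Depends on vulnerable versions of" rows (which carry no advisory of their own), and fails a CI gate at a chosen severity. The field names (`vulnerabilities`, `via`, `fixAvailable`, `isSemVerMajor`) are those of npm's audit report format version 2; the embedded sample is constructed here to mirror four entries of the report above and is not a real capture.

```javascript
// Added example: triage `npm audit --json` (auditReportVersion 2) so each
// advisory is attributed to the one upgrade that would clear it.
// Usage: npm audit --json > audit.json && node triage.js audit.json
// With no argument the constructed sample below is used.

// Constructed sample mirroring four entries of the issue's report (GHSA ids
// are the ones quoted there; the JSON shape is npm's, the values are ours).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    tar: {
      name: "tar", severity: "high", isDirect: false, range: "<=7.5.6",
      via: [
        { name: "tar", severity: "high", range: "<=7.5.6",
          title: "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization",
          url: "https://github.com/advisories/GHSA-8qq5-rm4j-mr97" },
        { name: "tar", severity: "high", range: "<=7.5.6",
          title: "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
          url: "https://github.com/advisories/GHSA-34x7-hfp2-rc4v" },
      ],
      effects: ["app-builder-lib"], nodes: ["node_modules/tar"],
      fixAvailable: { name: "electron-builder", version: "26.6.0", isSemVerMajor: true },
    },
    "app-builder-lib": {
      name: "app-builder-lib", severity: "high", isDirect: false, range: "23.0.7 - 26.4.1",
      via: ["tar"], // string entry: transitive, no advisory of its own
      effects: ["electron-builder"], nodes: ["node_modules/app-builder-lib"],
      fixAvailable: { name: "electron-builder", version: "26.6.0", isSemVerMajor: true },
    },
    valibot: {
      name: "valibot", severity: "high", isDirect: true, range: "0.31.0 - 1.1.0",
      via: [{ name: "valibot", severity: "high", range: "0.31.0 - 1.1.0",
        title: "Valibot has a ReDoS vulnerability in EMOJI_REGEX",
        url: "https://github.com/advisories/GHSA-vqpr-j7v3-hqw9" }],
      effects: [], nodes: ["node_modules/valibot"],
      fixAvailable: { name: "valibot", version: "1.2.0", isSemVerMajor: true },
    },
    electron: {
      name: "electron", severity: "moderate", isDirect: true, range: "<35.7.5",
      via: [{ name: "electron", severity: "moderate", range: "<35.7.5",
        title: "Electron has ASAR Integrity Bypass via resource modification",
        url: "https://github.com/advisories/GHSA-vmqv-hx8q-j7mg" }],
      effects: [], nodes: ["node_modules/electron"],
      fixAvailable: { name: "electron", version: "40.1.0", isSemVerMajor: true },
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Root advisories are the object entries of `via`; string entries only name
// another vulnerable package this one depends on, so they are dropped here.
function advisoriesOf(vuln) {
  return vuln.via
    .filter((v) => typeof v === "object" && v !== null)
    .map((v) => ({ id: v.url.split("/").pop(), title: v.title, severity: v.severity,
                   package: vuln.name, range: v.range }));
}

// Group root advisories by the upgrade npm reports as the fix, and decide
// whether the report should fail a gate set at `failAt`.
function triage(report, failAt = "high") {
  const byFix = new Map();
  const unfixable = [];
  let worst = "info";
  for (const vuln of Object.values(report.vulnerabilities)) {
    const advisories = advisoriesOf(vuln);
    if (advisories.length === 0) continue;
    for (const a of advisories) {
      if (SEVERITY_RANK[a.severity] > SEVERITY_RANK[worst]) worst = a.severity;
    }
    const fix = vuln.fixAvailable;
    if (!fix) { unfixable.push(...advisories); continue; }
    // `true` means `npm audit fix` suffices; an object names the package bump,
    // and isSemVerMajor is what npm prints as "a breaking change".
    const key = fix === true
      ? `${vuln.name} (non-breaking)`
      : `${fix.name}@${fix.version}${fix.isSemVerMajor ? " (breaking)" : ""}`;
    if (!byFix.has(key)) byFix.set(key, []);
    byFix.get(key).push(...advisories);
  }
  return { byFix, unfixable, worst, shouldFail: SEVERITY_RANK[worst] >= SEVERITY_RANK[failAt] };
}

function render(result) {
  const lines = [];
  for (const [fix, advisories] of result.byFix) {
    lines.push(`${fix}: ${advisories.length} advisor${advisories.length === 1 ? "y" : "ies"}`);
    for (const a of advisories) lines.push(`  [${a.severity}] ${a.package} ${a.range}  ${a.id}`);
  }
  for (const a of result.unfixable) lines.push(`NO FIX  [${a.severity}] ${a.package} ${a.range}  ${a.id}`);
  lines.push(`worst severity: ${result.worst}; gate ${result.shouldFail ? "FAILS" : "passes"}`);
  return lines.join("\n");
}

const reportPath = process.argv[2];
if (reportPath) {
  const fs = require("node:fs");
  const result = triage(JSON.parse(fs.readFileSync(reportPath, "utf8")));
  console.log(render(result));
  if (result.shouldFail) process.exitCode = 1; // gate only a real report
} else {
  console.log(render(triage(SAMPLE_REPORT)));
}
```

On the sample this prints one group per breaking upgrade (electron-builder@26.6.0 clearing both tar advisories, valibot@1.2.0 and electron@40.1.0 clearing one each) and fails the gate because the worst finding is high. The grouping is the decision a maintainer actually needs from this report: which of the listed major bumps covers which advisories, so the upgrades can be taken one at a time instead of a single `npm audit fix --force`.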
