aws-samples/powertools-for-aws-lambda-workshop

chore: bump dependencies & enable Dependabot

dreamorosi opened this issue · 1 comment

npm ci shows a number of moderate severity vulnerabilities

Working on this. I have fixed all the high-severity ones via npm audit fix, but there is still one moderate one:

Severity: moderate
phin may include sensitive headers in subsequent requests after redirect - https://github.com/advisories/GHSA-x565-32qp-m3vf
fix available via `npm audit fix --force`
Will install jimp@0.3.11, which is a breaking change
node_modules/phin
  load-bmfont  >=1.4.0
  Depends on vulnerable versions of phin
  node_modules/load-bmfont
    @jimp/plugin-print  >=0.4.0
    Depends on vulnerable versions of load-bmfont
    node_modules/@jimp/plugin-print
      @jimp/plugins  >=0.4.0
      Depends on vulnerable versions of @jimp/plugin-print
      node_modules/@jimp/plugins
        jimp  >=0.4.0
        Depends on vulnerable versions of @jimp/plugins
        node_modules/jimp

This is due to a transitive dependency of jimp, which we use for image generation in Node.js.

For now, I'll push this change and address the remaining one later, as well as enable Dependabot.
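The advisory quoted above describes a client that keeps replaying the original request headers after a redirect. The following is an added example, not code from the workshop repository or from phin itself: it models that class of bug with a constructed in-memory redirect chain (no network) and contrasts a naive follower with one that drops credential-bearing headers when the Location points to a different origin, the rule the Fetch standard applies to Authorization on cross-origin redirects. The hostnames, header values and function names are invented for the illustration.

```javascript
'use strict';

// Constructed fixture (not real traffic): the response each URL would return.
// A same-origin redirect and a cross-origin redirect are both present.
const RESPONSES = {
  'https://api.example.com/report':       { status: 302, location: 'https://cdn.attacker.example/capture' },
  'https://cdn.attacker.example/capture': { status: 200 },
  'https://api.example.com/old':          { status: 302, location: '/v2/report' },
  'https://api.example.com/v2/report':    { status: 200 },
};

// Headers that carry credentials and must not leave the origin they were meant for.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Generic redirect follower. `onRedirect(from, to, headers)` decides which headers
// travel to the next hop. Returns every request that was "sent", so a leak is observable.
function follow(startUrl, headers, onRedirect, maxRedirects = 5) {
  const sent = [];
  let url = startUrl;
  let hdrs = { ...headers };
  for (let hop = 0; ; hop++) {
    sent.push({ url, headers: { ...hdrs } });
    const res = RESPONSES[url];
    if (!res) throw new Error(`no fixture for ${url}`);
    if (res.status < 300 || res.status >= 400 || !res.location) return sent;
    if (hop >= maxRedirects) throw new Error('too many redirects');
    // A relative Location is resolved against the URL that issued the redirect.
    const next = new URL(res.location, url).href;
    hdrs = onRedirect(url, next, hdrs);
    url = next;
  }
}

// Vulnerable pattern: every header from the original request is replayed to
// wherever Location points, including a third-party host.
function followNaive(url, headers) {
  return follow(url, headers, (_from, _to, h) => h);
}

// Hardened pattern: credential headers are dropped as soon as the redirect
// leaves the original origin; same-origin redirects keep them.
function followHardened(url, headers) {
  return follow(url, headers, (from, to, h) => {
    if (sameOrigin(from, to)) return h;
    const out = {};
    for (const [k, v] of Object.entries(h)) {
      if (!CREDENTIAL_HEADERS.has(k.toLowerCase())) out[k] = v;
    }
    return out;
  });
}

// Constructed request headers; the bearer token is the value we must not leak.
const REQUEST_HEADERS = { authorization: 'Bearer s3cr3t', accept: 'application/json' };

console.log('naive:', JSON.stringify(followNaive('https://api.example.com/report', REQUEST_HEADERS)));
console.log('hardened:', JSON.stringify(followHardened('https://api.example.com/report', REQUEST_HEADERS)));
```

Running it shows the naive follower delivering `Bearer s3cr3t` to `cdn.attacker.example` on the second hop, while the hardened follower sends only `accept` there and still keeps the token on the same-origin redirect from `/old` to `/v2/report`. The same check is what to look for when reviewing any HTTP client that follows redirects on the caller's behalf.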
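One way to clear the remaining finding without the jimp downgrade that npm audit fix --force proposes, added here as an example and not something the repository contains: npm's package.json overrides field (npm 8.3 or newer) forces every copy of phin in the tree to a patched release while jimp, @jimp/plugins and load-bmfont stay at their current versions. The range below assumes 3.7.1 is the first patched phin release listed in GHSA-x565-32qp-m3vf; confirm that against the advisory before copying it.

```json
{
  "overrides": {
    "phin": "^3.7.1"
  }
}
```

After npm install, npm ls phin should show a single copy at the overridden version and npm audit should no longer report the advisory. The trade-off is that load-bmfont was not released against that phin version, so exercise the image-generation path that uses @jimp/plugin-print before shipping, and remove the override once jimp publishes a release whose dependency tree no longer pulls in the vulnerable range.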
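For the Dependabot part of this issue, an added example of a .github/dependabot.yml (not a file from the repository): weekly version-update pull requests for the npm dependencies declared at the repository root. The directory value is an assumption; a workshop with several package.json files needs one updates entry per directory. Dependabot security updates, which open pull requests for advisories like the one above, are switched on separately in the repository's code-security settings rather than by this file.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    # Assumed: the package.json that pulls in jimp lives at the repository root.
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
```

Once the file is on the default branch, the Dependabot tab under Insights shows the last run for each entry, which is the quickest way to confirm the directory value was right.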