
Fix 3 high severity vulnerabilities by upgrading all packages to their latest version. #113

Open. Wants to merge 1 commit into base: master.

Conversation

emilioplatzer

Running `npm install` I got:

```
added 373 packages, and audited 374 packages in 18s

74 packages are looking for funding
  run `npm fund` for details

3 high severity vulnerabilities
```

I updated the packages to their latest version and ran the tests again.

There was one test failing locally on my Windows 11 machine. It still fails the same way after the update.


@UlisesGascon
Member

@wesleytodd do you know why the report (View full report) from socket.dev is private?

[Screenshot from 2024-12-21 15-17-12]

@UlisesGascon
Member

Hola @emilioplatzer, thanks for the PR! Currently, serve-index supports very old versions of Node.js, like 0.8, so upgrading dependencies can be challenging. I believe the devDependencies are the ones breaking the CI. Could you remove them from this PR and move them to a separate one?

@wesleytodd
Member

wesleytodd commented Dec 23, 2024

Hm, I do not know why it is private. I can look into that today.

From the audit report, you can see this is in a dev dep. Additionally, it is a ReDoS in a path that is only used to process local markdown files (not in the main exported package). While we would love to get these updated (see @UlisesGascon's comments above), it is not considered critical.

```
trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    eslint-plugin-markdown  <=2.1.0
    Depends on vulnerable versions of remark-parse
    node_modules/eslint-plugin-markdown
```
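The dependency chain in the audit output above is what decides whether an advisory touches shipped code or only local tooling: the most deeply indented `node_modules/...` entry is the top-level package that pulled the vulnerable one in, and its section in package.json tells you the exposure. The script below is an added example, not serve-index's code and not part of this PR. It parses `npm audit` text in the format quoted above, walks each chain to its top-level package, and checks that package against `dependencies` and `devDependencies`. The package.json, the second advisory block, and the names `placeholder-vuln-pkg`, `some-runtime-lib` and `GHSA-xxxx-xxxx-xxxx` are constructed for the example; only the `trim` advisory comes from the comment above.

```javascript
// Added example: triage human-readable `npm audit` output by dependency scope.
// Not the serve-index project's code. package.json below is CONSTRUCTED.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: { "some-runtime-lib": "^1.0.0" },
  devDependencies: { "eslint-plugin-markdown": "^1.0.0", mocha: "^10.0.0" },
};

// First block: the trim advisory quoted in the comment above (the "Will install"
// version is replaced by a placeholder). Second block: a CONSTRUCTED advisory for
// a placeholder package reached through a production dependency, for contrast.
const SAMPLE_AUDIT_TEXT = `
trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via \`npm audit fix --force\`
Will install trim@<version>, which is outside the stated dependency range
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    eslint-plugin-markdown  <=2.1.0
    Depends on vulnerable versions of remark-parse
    node_modules/eslint-plugin-markdown

placeholder-vuln-pkg  <1.0.0
Severity: moderate
Constructed placeholder advisory (not a real package) - https://github.com/advisories/GHSA-xxxx-xxxx-xxxx
node_modules/placeholder-vuln-pkg
  some-runtime-lib  <=2.0.0
  Depends on vulnerable versions of placeholder-vuln-pkg
  node_modules/some-runtime-lib
`;

// Parse one advisory per blank-line-separated block. Each block starts with
// "<package>  <vulnerable range>"; indented "node_modules/..." lines give the
// dependency chain, deepest indentation being the top-level dependency.
function parseAuditText(text) {
  const advisories = [];
  for (const block of text.trim().split(/\n\s*\n/)) {
    const lines = block.split("\n");
    const first = lines.find((l) => l.trim());
    const head = first && first.trim().match(/^(\S+)\s+(.+)$/);
    if (!head) continue;
    const adv = { pkg: head[1], range: head[2].trim(), severity: "unknown", url: null, chain: [] };
    for (const line of lines) {
      const sev = line.match(/^\s*Severity:\s*(\S+)/);
      if (sev) adv.severity = sev[1];
      const url = line.match(/https:\/\/github\.com\/advisories\/\S+/);
      if (url) adv.url = url[0];
      const node = line.match(/^(\s*)node_modules\/(.+?)\s*$/);
      if (node) adv.chain.push({ depth: node[1].length, path: node[2] });
    }
    advisories.push(adv);
  }
  return advisories;
}

// The top-level package is the deepest chain entry; for nested paths such as
// "a/node_modules/b" the first segment is the direct dependency.
function topLevelPackage(adv) {
  if (adv.chain.length === 0) return adv.pkg;
  const deepest = adv.chain.reduce((a, b) => (b.depth > a.depth ? b : a));
  return deepest.path.split("/node_modules/")[0];
}

// Label each advisory "production", "dev" or "unknown" by where its top-level
// package is declared in package.json.
function classify(advisories, pkgJson) {
  const prod = new Set(Object.keys(pkgJson.dependencies || {}));
  const dev = new Set(Object.keys(pkgJson.devDependencies || {}));
  return advisories.map((adv) => {
    const top = topLevelPackage(adv);
    const scope = prod.has(top) ? "production" : dev.has(top) ? "dev" : "unknown";
    return { pkg: adv.pkg, severity: adv.severity, topLevel: top, scope, url: adv.url };
  });
}

// Run the triage over the embedded sample so the result can be inspected.
function triageSample() {
  return classify(parseAuditText(SAMPLE_AUDIT_TEXT), SAMPLE_PACKAGE_JSON);
}

for (const r of triageSample()) {
  console.log(`${r.pkg} (${r.severity}) via ${r.topLevel}: ${r.scope}`);
}
```

For the page's own advisory this yields `trim (high) via eslint-plugin-markdown: dev`, which is the reasoning in the comment above: a ReDoS reachable only through a devDependency does not ship to consumers of the package. On a real project, feed it the output of `npm audit` and the project's package.json instead of the embedded samples; `npm audit --json` would be the more robust input, but the text format is what the thread shows.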

@wesleytodd
Member

@UlisesGascon I checked the settings on the socket side and I think you maybe need to be logged in with your GH account on socket to view it. Maybe there is an option to make it public but I did not see it.


3 participants