Fixing vulnerability (eclipse-velocitas#15)

erikbosch · BjoernAtBosch · web-flow · commit c01fbd3ece80 · 2024-11-20T18:42:32.000+01:00
Co-authored-by: BjoernAtBosch &lt;Bjoern.Hornburg@de.bosch.com&gt;
diff --git a/NOTICE-3RD-PARTY-CONTENT.md b/NOTICE-3RD-PARTY-CONTENT.md
@@ -107,7 +107,7 @@
 |commander|9.1.0|MIT|
 |concat-map|0.0.1|MIT|
 |create-require|1.1.1|MIT|
-|cross-spawn|7.0.3|MIT|
+|cross-spawn|7.0.5|MIT|
 |cucumber-console-formatter|1.0.0|ISC|
 |cucumber-tsflow|4.4.1|MIT|
 |date-format|4.0.14|MIT|
diff --git a/README.md b/README.md
@@ -63,6 +63,32 @@ Use the `actions/checkout@v4` action to clone the `release-documentation-action`
 |sourcePath|true|folder where the action retrieves the raw result files|
 |packagePath|true|target path where the results are copied to |
 
-## Contributing
+# Contributing
 
 For guidance on setting up a development environment and how to make a contribution to the Velocitas Release Documentation Action, see the [contributing guidelines](./CONTRIBUTING.md).
+
+## Updating dependencies
+
+Sometimes dependencies needs to be updated to address vulnerabilities.
+If the vulnerability is known by npm (and a fix is published) you can typically request npm to update all existing vulnerabilities:
+
+```bash
+sudo npm audit fix
+```
+
+If the vulnerability is not (yet) considered as a vulnerability by npm you can update it manually:
+
+```bash
+sudo npm update cross-spawn
+```
+
+After updating you should do some basic checks that the tool is still working:
+
+```bash
+npm run build
+npm run package
+```
+
+After updating dependencies the file `NOTICE-3RD-PARTY-CONTENT.md` needs to be updated.
+The easiest way to do this is to create a Pull Request (preferably as draft),
+then the "Check Licenses" workflow will fail but as output produce content that you can add to the Pull Request.
diff --git a/package-lock.json b/package-lock.json
