Dependency update

[Saibamen]

Tick the checkbox if you understand [x]:

• I have read and understand the pull request rules.

Description

Fix vulnerabilities + update already installed versions in package.json (ncu --target patch -u - see commit 1c0280f and ncu --target semver -u 7c07f97)

Type of change

• Bug fix (non-breaking change which fixes an issue)

Checklist

• My code follows the style guidelines of this project
• I ran ESLint and other linters for modified files
• I have performed a self-review of my own code and tested it
• I have commented my code, particularly in hard-to-understand areas (including JSDoc for methods)
• My changes generates no new warnings
• My code needed automated testing. I have added them (this is optional task)

Screenshots (if any)

Before

After

[Saibamen]

npm audit report:

express  <4.19.2
Severity: moderate

*Currently used version in this PR*: 4.17.3

hoek  *
Severity: high

nodemailer  <=6.9.8
Severity: moderate

*Currently used version in this PR*: 6.6.5

vite  4.0.0 - 4.5.2
Severity: high

*Currently used version in this PR*: 4.4.12

[CommanderStorm]

Let me reiterate my point from #4590 (comment):
Have you read through the changelogs of each update you are proposing carefully?
If not, this is basically just as careless as #4590

Just executing some command is not really a PR, that is just dumping work which needs fixing.
If you have a look at axios-ntlm, they ship their breaking changes in patch releases.

Note

This took me 3.5 hours to review.
Please submit smaller PRs in smaller, thematically linked PRs in the future.
Like this, it is really not managable

[CommanderStorm]

Regarding 0.28.0
Have you looked at if
axios/axios#4624 + axios/axios#4718 make the output different and if this is better/worse

[Saibamen]

Not looked, but better stack trace is always good

[CommanderStorm]

It might not look good or require additional work to look decent.
Please have a look if they are displayed properly

[CommanderStorm]

Includes Catbuttes/axios-ntlm#15 which bumps axios to 1.X.

This likely breaks something
=> change needs to be done in step with bumping axios once migration is possible.

Suggested change

	"axios-ntlm": "1.3.1",
	"axios-ntlm": "1.3.0",

[Saibamen]

axios-ntlm will use its own axios, and we will still use axios 0.X

[CommanderStorm]

This would be still to risky given what this libary does. There might be breaking changes which happened and might make this incompatible:

This is a helper library for NTLM Authentication using the Axios HTTP library on Node. It attaches interceptors to an axios instance to authenticate using NTLM for any resources that offer it.

[CommanderStorm]

4.3.8 is neither documented in the changelog nor has an associated commit tag.
=> what are we migrating to here?

[Saibamen]

4.3.8 was already installed in package-lock before my PR:

[CommanderStorm]

That was not the point. I was asking what 4.3.8 is.

[CommanderStorm]

For these dependencies is somewhat hard to audit what has changed in this bump.
How did you audit this?

[Saibamen]

These dependencies had MINOR update ranges, so it is automatically downloaded. See: https://docs.npmjs.com/about-semantic-versioning#using-semantic-versioning-to-specify-update-types-your-package-can-accept

And we already had installed 7.23.7 in package-lock.json 4 months ago by @louislam in 8d847ab:

[CommanderStorm]

So you are suggesting to just not search for breaking changes here?
Have you audited the changes?

[CommanderStorm]

5.7 adds the emitFile (default: false) option.

We use this plugin to generate a file.
Have you checked that the file is still being generated?

[Saibamen]

We already have rollup-plugin-visualizer installed with version 5.12.0 - no changes for this package in package-lock:

[CommanderStorm]

Have you checked that the file is still being generated?
Automatically bumping this in the package-lock might have been a mistake.

[Saibamen]

Have you read through the changelogs of each update you are proposing carefully?

Yes. Only 2 packages were updated in my PR: axios and axios-ntlm. See commits: https://github.com/louislam/uptime-kuma/pull/4647/commits

[CommanderStorm]

Only 2 packages were updated in my PR

Why is this PR then

Looking through the changelog is still an important part of updating.
There might have been breaking changes that have been missed, despite this package being in the package-lock.
I really don't like these responses ("I don't need to look into this, because package-lock") to potentially breaking changes that you are giving.
=> Please actually check the cases I raised instead of handwaving them away.