chore: fix vuln: override autolinker ^4.0.0 (#785)

fixes
https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11

markdown-toc's latest v1.2.0 is still vulnerable via a transitive
dependency, but hasn't received updates in a long time.

This PR overrides one of the other transitive dependencies to a
non-vulnerable version.

more info here
https://github.com/jonschlinkert/markdown-toc/issues/156#issuecomment-2197630000

# Testing process

- Manually invoked `make markdown-toc` and it did succeed, while also
adding a missing header in the README.
 - Made a few typos in the headers and markdown-toc did fix them.
 - Cloned markdown-toc, added the override, and its unit tests passed

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

README.md

@@ -29,6 +29,7 @@
 - [Verification for GitHub builders](#verification-for-github-builders)
   - [Artifacts](#artifacts)
   - [Containers](#containers)
+    - [The verify-image command](#the-verify-image-command)
   - [npm packages](#npm-packages)
     - [The verify-npm-package command](#the-verify-npm-package-command)
     - [npm packages built using the SLSA3 Node.js builder](#npm-packages-built-using-the-slsa3-nodejs-builder)

package-lock.json

@@ -6019,12 +6019,12 @@
       "dev": true
     },
     "node_modules/autolinker": {
-      "version": "0.28.1",
+      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz",
+      "resolved": "https://registry.npmjs.org/autolinker/-/autolinker-4.0.0.tgz",
-      "integrity": "sha512-zQAFO1Dlsn69eXaO6+7YZc+v84aquQKbwpzCE3L0stj56ERn9hutFxPopViLjo9G+rWwjozRhgS5KJ25Xy19cQ==",
+      "integrity": "sha512-fl5Kh6BmEEZx+IWBfEirnRUU5+cOiV0OK7PEt0RBKvJMJ8GaRseIOeDU3FKf4j3CE5HVefcjHmhYPOcaVt0bZw==",
       "dev": true,
       "dependencies": {
-        "gulp-header": "^1.7.1"
+        "tslib": "^2.3.0"
       }
     },
     "node_modules/available-typed-arrays": {
@@ -6595,15 +6595,6 @@
         "typedarray": "^0.0.6"
       }
     },
-    "node_modules/concat-with-sourcemaps": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/concat-with-sourcemaps/-/concat-with-sourcemaps-1.1.0.tgz",
-      "integrity": "sha512-4gEjHJFT9e+2W/77h/DS5SGUgwDaOwprX8L/gl5+3ixnzkVJJsZWDSelmN3Oilw3LNDZjZV0yqH1hLG3k6nghg==",
-      "dev": true,
-      "dependencies": {
-        "source-map": "^0.6.1"
-      }
-    },
     "node_modules/conventional-commits-detector": {
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/conventional-commits-detector/-/conventional-commits-detector-1.0.3.tgz",
@@ -8145,18 +8136,6 @@
         "node": ">=14.0.0"
       }
     },
-    "node_modules/gulp-header": {
-      "version": "1.8.12",
-      "resolved": "https://registry.npmjs.org/gulp-header/-/gulp-header-1.8.12.tgz",
-      "integrity": "sha512-lh9HLdb53sC7XIZOYzTXM4lFuXElv3EVkSDhsd7DoJBj7hm+Ni7D3qYbb+Rr8DuM8nRanBvkVO9d7askreXGnQ==",
-      "deprecated": "Removed event-stream from gulp-header",
-      "dev": true,
-      "dependencies": {
-        "concat-with-sourcemaps": "*",
-        "lodash.template": "^4.4.0",
-        "through2": "^2.0.0"
-      }
-    },
     "node_modules/handlebars": {
       "version": "4.7.8",
       "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz",
@@ -9300,37 +9279,12 @@
       "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
       "dev": true
     },
-    "node_modules/lodash._reinterpolate": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/lodash._reinterpolate/-/lodash._reinterpolate-3.0.0.tgz",
-      "integrity": "sha512-xYHt68QRoYGjeeM/XOE1uJtvXQAgvszfBhjV4yvsQH0u2i9I6cI6c6/eG4Hh3UAOVn0y/xAXwmTzEay49Q//HA==",
-      "dev": true
-    },
     "node_modules/lodash.merge": {
       "version": "4.6.2",
       "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
       "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
       "dev": true
     },
-    "node_modules/lodash.template": {
-      "version": "4.5.0",
-      "resolved": "https://registry.npmjs.org/lodash.template/-/lodash.template-4.5.0.tgz",
-      "integrity": "sha512-84vYFxIkmidUiFxidA/KjjH9pAycqW+h980j7Fuz5qxRtO9pgB7MDFTdys1N7A5mcucRiDyEq4fusljItR1T/A==",
-      "dev": true,
-      "dependencies": {
-        "lodash._reinterpolate": "^3.0.0",
-        "lodash.templatesettings": "^4.0.0"
-      }
-    },
-    "node_modules/lodash.templatesettings": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/lodash.templatesettings/-/lodash.templatesettings-4.2.0.tgz",
-      "integrity": "sha512-stgLz+i3Aa9mZgnjr/O+v9ruKZsPsndy7qPZOchbqk2cnTU1ZaldKK+v7m54WoKIyxiuMZTKT2H81F8BeAc3ZQ==",
-      "dev": true,
-      "dependencies": {
-        "lodash._reinterpolate": "^3.0.0"
-      }
-    },
     "node_modules/longest-streak": {
       "version": "2.0.4",
       "resolved": "https://registry.npmjs.org/longest-streak/-/longest-streak-2.0.4.tgz",

package.json

@@ -6,5 +6,8 @@
   "devDependencies": {
     "markdown-toc": "1.2.0",
     "renovate": "37.374.1"
+  },
+  "overrides": {
+    "autolinker": "^4.0.0"
   }
 }