[blocked until electron-forge v8.0.0 is released] chore: npm audit #50

Draft
AndreiRegiani wants to merge 1 commit into main from npm-audit-update

Conversation

@AndreiRegiani AndreiRegiani commented Apr 7, 2026

Member
  • Blocker: waiting for the stable release of electron-forge v8, currently at "8.0.0-alpha.6", v7 patches didn't cover npm audit issues.

Before (main branch)

35 vulnerabilities (6 low, 2 moderate, 27 high)

After (PR)

11 vulnerabilities (2 low, 9 high)

The ones remaining:

$ npm audit

# npm audit report

@tootallnate/once  <3.0.1
@tootallnate/once vulnerable to Incorrect Control Flow Scoping - https://github.com/advisories/GHSA-vpq2-c234-7xj6
fix available via `npm audit fix`
node_modules/@tootallnate/once
  http-proxy-agent  4.0.1 - 5.0.0
  Depends on vulnerable versions of @tootallnate/once
  node_modules/make-fetch-happen/node_modules/http-proxy-agent
    make-fetch-happen  7.1.1 - 14.0.0
    Depends on vulnerable versions of cacache
    Depends on vulnerable versions of http-proxy-agent
    node_modules/make-fetch-happen

tar  <=7.5.10
Severity: high
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal - https://github.com/advisories/GHSA-34x7-hfp2-rc4v
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction - https://github.com/advisories/GHSA-83g3-92jg-28cx
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
node-tar Symlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-9ppj-qmqm-q256
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - https://github.com/advisories/GHSA-r6q2-hw4h-h46w
No fix available
node_modules/@electron-forge/shared-types/node_modules/tar
node_modules/@electron/node-gyp/node_modules/tar
node_modules/cacache/node_modules/tar
  @electron/node-gyp  *
  Depends on vulnerable versions of make-fetch-happen
  Depends on vulnerable versions of tar
  node_modules/@electron/node-gyp
    @electron/rebuild  3.2.10 - 4.0.2
    Depends on vulnerable versions of @electron/node-gyp
    Depends on vulnerable versions of tar
    node_modules/@electron-forge/shared-types/node_modules/@electron/rebuild
      @electron-forge/shared-types  <=8.0.0-alpha.4
      Depends on vulnerable versions of @electron/rebuild
      node_modules/@electron-forge/shared-types
        @electron-forge/plugin-base  <=8.0.0-alpha.4
        Depends on vulnerable versions of @electron-forge/shared-types
        node_modules/@electron-forge/plugin-base
          electron-forge-plugin-prune-prebuilds  *
          Depends on vulnerable versions of @electron-forge/plugin-base
          node_modules/electron-forge-plugin-prune-prebuilds
          electron-forge-plugin-universal-prebuilds  *
          Depends on vulnerable versions of @electron-forge/plugin-base
          node_modules/electron-forge-plugin-universal-prebuilds
  cacache  14.0.0 - 18.0.4
  Depends on vulnerable versions of tar
  node_modules/cacache

11 vulnerabilities (2 low, 9 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

AndreiRegiani changed the title from "npm audit chore: electron 4.8.5, electron-forge 8.0.0" to "chore: npm audit: electron 4.8.5, electron-forge 8.0.0" on Apr 7, 2026
AndreiRegiani changed the title from "chore: npm audit: electron 4.8.5, electron-forge 8.0.0" to "chore: npm audit: update electron & electron-forge" on Apr 7, 2026
AndreiRegiani changed the title from "chore: npm audit: update electron & electron-forge" to "(blocked until electron-forge v8 release) chore: npm audit" on Apr 21, 2026
AndreiRegiani changed the title from "(blocked until electron-forge v8 release) chore: npm audit" to "[blocked until electron-forge v8.0.0 is released] chore: npm audit" on Jun 3, 2026