build(deps): bump the npm_and_yarn group across 3 directories with 12 updates

[dependabot[bot]]

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
aws-cdk-lib	2.79.1	2.80.0
electron	23.3.13	24.8.5
next	13.4.19	13.5.0
postcss	8.4.31	8.4.32
express	4.18.2	4.19.2
fast-jwt	3.3.1	3.3.3
follow-redirects	1.15.3	1.15.6
ip	1.1.8	1.1.9
jose	4.15.4	4.15.5
tar	6.2.0	6.2.1
undici	5.26.4	5.28.4
webpack-dev-middleware	5.3.3	5.3.4

Bumps the npm_and_yarn group with 2 updates in the /apps/desktop directory: aws-cdk-lib and electron. Bumps the npm_and_yarn group with 1 update in the /apps/home directory: next.

Updates aws-cdk-lib from 2.79.1 to 2.80.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.80.0

⚠ BREAKING CHANGES

• eks: A masters role is no longer provisioned by default. Use the mastersRole property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate sts:AssumeRole permissions) to assume it.

Features

• apigateway: add grantExecute to API Methods (#25630) (ecb59fd)
• appmesh: access log format support for app mesh (#25229) (c4b00be)
• appsync: Add Private API support when creating a GraphqlApi (#25569) (d7e263d)
• cfnspec: cloudformation spec v122.0.0 (#25555) (5ccc569)
• cli: assets can now depend on stacks (#25536) (25d5d60)
• cli: logging can be corked (#25644) (0643020), closes #25536
• codepipeline-actions: add KMSEncryptionKeyARN for S3DeployAction (#24536) (b60876f), closes #24535
• eks: alb controller include versions 2.4.2 - 2.5.1 (#25330) (83c4c36), closes #25307
• msk: Kafka version 3.4.0 (#25557) (6317518), closes #25522
• scheduler: schedule expression construct (#25422) (97a698e)

Bug Fixes

• bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#25540) (8854739), closes aws/aws-cdk#19380 #25272 #25273 #25507
• eks: overly permissive trust policies (#25473) (51f0193). We would like to thank @​twelvemo and @​stefreak for reporting this issue.

---

Alpha modules (2.80.0-alpha.0)

Changelog

Sourced from aws-cdk-lib's changelog.

2.80.0 (2023-05-19)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• eks: A masters role is no longer provisioned by default. Use the mastersRole property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate sts:AssumeRole permissions) to assume it.

Features

• apigateway: add grantExecute to API Methods (#25630) (ecb59fd)
• appmesh: access log format support for app mesh (#25229) (c4b00be)
• appsync: Add Private API support when creating a GraphqlApi (#25569) (d7e263d)
• cfnspec: cloudformation spec v122.0.0 (#25555) (5ccc569)
• cli: assets can now depend on stacks (#25536) (25d5d60)
• cli: logging can be corked (#25644) (0643020), closes #25536
• codepipeline-actions: add KMSEncryptionKeyARN for S3DeployAction (#24536) (b60876f), closes #24535
• eks: alb controller include versions 2.4.2 - 2.5.1 (#25330) (83c4c36), closes #25307
• msk: Kafka version 3.4.0 (#25557) (6317518), closes #25522
• scheduler: schedule expression construct (#25422) (97a698e)

Bug Fixes

• bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#25540) (8854739), closes aws/aws-cdk#19380 #25272 #25273 #25507
• eks: overly permissive trust policies (#25473) (51f0193). We would like to thank @​twelvemo and @​stefreak for reporting this issue.

Commits

• ecb59fd feat(apigateway): add grantExecute to API Methods (#25630)
• b60876f feat(codepipeline-actions): add KMSEncryptionKeyARN for S3DeployAction (#24536)
• f48515f docs(ssm): explain that SecretValue.ssmSecure() lives in core now (#25581)
• 60a7e1e chore: npm-check-updates && yarn upgrade (#25631)
• 28914bd docs(assertions): add more detail about migrating from the old assert library...
• d7e263d feat(appsync): Add Private API support when creating a GraphqlApi (#25569)
• a2e6324 chore: npm-check-updates && yarn upgrade (#25613)
• 25d5d60 feat(cli): assets can now depend on stacks (#25536)
• b885ece docs(assertions): update link to migration guide (#25602)
• 83c4c36 feat(eks): alb controller include versions 2.4.2 - 2.5.1 (#25330)
• Additional commits viewable in compare view

Updates electron from 23.3.13 to 24.8.5

Commits

• 543f7c3 chore: cherry-pick 3fbd1dca6a4d from libvpx (#40025)
• e51dee4 fix: use generic capturer to list both screens and windows when possible (#39...
• 384f44d ci: fix linux builds of forks (#39942)
• edb117a build: use afs on aks instead of circle cache (#39913)
• 3f864b2 build: fixup autoninja (#39901)
• 97bf8c8 build: run on circle hosts for forks (#39864)
• 4a9b367 build: use aks backed runners for linux builds (#39837)
• 0508e25 chore: cherry-pick b2eab7500a18 from chromium (#39826)
• 0641412 fix: ensure app load is limited to real asar files when appropriate (#39810)
• c574fed chore: cherry-pick 3 changes from Release-3-M116 (#39757)
• Additional commits viewable in compare view

Updates next from 13.4.19 to 13.5.0

Commits

• ffafad2 v13.5.0
• 4a589ed v13.4.20-canary.41
• deb81cf fix styled-jsx alias (#55581)
• 1a9b0f6 improve internal error logging (#55582)
• 0631549 Fix react packages are not bundled for metadata routes (#55579)
• bad5365 Update supported config options for Turbopack (#55556)
• 8881c41 Fix useState function initialiser case for optimize_server_react transform ...
• 1025011 Add react-icons to optimizePackageImports (#55572)
• d5c35a1 chore: replace issue triaing actions with nissuer (#55525)
• 33c561b Consolidate experimental React opt-in & add ppr flag (#55560)
• Additional commits viewable in compare view

Updates postcss from 8.4.31 to 8.4.32

Release notes

Sourced from postcss's releases.

8.4.32

• Fixed postcss().process() types (by @​ferreira-tb).

Changelog

Sourced from postcss's changelog.

8.4.32

• Fixed postcss().process() types (by Andrew Ferreira).

Commits

• a0d9f10 Release 8.4.32 version
• 0146b3e Add Node.js 21 to CI
• 2398534 Update dependencies
• 1918533 Merge pull request #1902 from ferreira-tb/main
• 395e6dc Fix ProcessOptions interface
• fa8cd15 Update dependencies
• 199a7c4 Typo
• 2528047 Update EM link
• See full diff in compare view

Updates express from 4.18.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2

4.19.1

What's Changed

• Fix ci after location patch by @​wesleytodd in expressjs/express#5552
• fixed un-edited version in history.md for 4.19.0 by @​wesleytodd in expressjs/express#5556

Full Changelog: https://github.com/expressjs/express/compare/4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @​UlisesGascon in expressjs/express#5527
• docs: nominating @​wesleytodd to be project captian by @​wesleytodd in expressjs/express#5511
• docs: loosen TC activity rules by @​wesleytodd in expressjs/express#5510
• Add note on how to update docs for new release by @​crandmck in expressjs/express#5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @​wesleytodd in expressjs/express#5551

New Contributors

• @​crandmck made their first contribution in expressjs/express#5541

Full Changelog: https://github.com/expressjs/express/compare/4.18.3...4.19.0

4.18.3

Main Changes

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]

Other Changes

• Use https: protocol instead of deprecated git: protocol by @​vcsjones in expressjs/express#5032
• build: [email protected] and [email protected] by @​abenhamdine in expressjs/express#5034
• ci: update actions/checkout to v3 by @​armujahid in expressjs/express#5027
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5124
• Remove unused originalIndex from acceptParams by @​raksbisht in expressjs/express#5119
• Fixed typos by @​raksbisht in expressjs/express#5117
• examples: remove unused params by @​raksbisht in expressjs/express#5113
• fix: parameter str is not described in JSDoc by @​raksbisht in expressjs/express#5130
• fix: typos in History.md by @​raksbisht in expressjs/express#5131
• build : add [email protected] by @​abenhamdine in expressjs/express#5028
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5137

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: [email protected]

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]
• deps: [email protected]
  • Add partitioned option

Commits

• 04bc627 4.19.2
• da4d763 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: [email protected]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates fast-jwt from 3.3.1 to 3.3.3

Release notes

Sourced from fast-jwt's releases.

v3.3.3

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v3.3.2 by @​optic-release-automation in nearform/fast-jwt#410
• fix: check for RSA header before decoding public key by @​karl-power in nearform/fast-jwt#415

New Contributors

• @​karl-power made their first contribution in nearform/fast-jwt#415

Full Changelog: https://github.com/nearform/fast-jwt/compare/v3.3.2...v3.3.3

v3.3.2

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v3.3.1 by @​optic-release-automation in nearform/fast-jwt#390
• fix: add missingRequiredClaim to TokenValidationErrorCode by @​TimLehner in nearform/fast-jwt#403
• fix(typescript): fix typescript type DecodedJwt by @​qoomon in nearform/fast-jwt#407

New Contributors

• @​TimLehner made their first contribution in nearform/fast-jwt#403
• @​qoomon made their first contribution in nearform/fast-jwt#407

Full Changelog: https://github.com/nearform/fast-jwt/compare/v3.3.1...v3.3.2

Commits

• 6e5bf00 Release v3.3.3
• 89efaab fix: check for RSA header before decoding public key (#415)
• 4add987 Release v3.3.2 (#410)
• 15a6e92 Merge pull request from GHSA-c2ff-88x2-x9pg
• a5ef39b fix(typescript): fix typescript type DecodedJwt (#407)
• 4d8c66f fix: add missingRequiredClaim to TokenValidationErrorCode (#403)
• 52e94dd Release v3.3.1 (#390)
• See full diff in compare view

Updates follow-redirects from 1.15.3 to 1.15.6

Commits

• 35a517c Release version 1.15.6 of the npm package.
• c4f847f Drop Proxy-Authorization across hosts.
• 8526b4a Use GitHub for disclosure.
• b1677ce Release version 1.15.5 of the npm package.
• d8914f7 Preserve fragment in responseUrl.
• 6585820 Release version 1.15.4 of the npm package.
• 7a6567e Disallow bracketed hostnames.
• 05629af Prefer native URL instead of deprecated url.parse.
• 1cba8e8 Prefer native URL instead of legacy url.resolve.
• 72bc2a4 Simplify _processResponse error handling.
• Additional commits viewable in compare view

Updates ip from 1.1.8 to 1.1.9

Commits

• 1ecbf2f 1.1.9
• 6a3ada9 lib: fixed CVE-2023-42282 and added unit test
• See full diff in compare view

Updates jose from 4.15.4 to 4.15.5

Release notes

Sourced from jose's releases.

v4.15.5

Fixes

• add a maxOutputLength option to zlib inflate (1b91d88), fixes CVE-2024-28176

Changelog

Sourced from jose's changelog.

4.15.5 (2024-03-07)

Fixes

• add a maxOutputLength option to zlib inflate (1b91d88)

Commits

• 765aafd chore(release): 4.15.5
• b36e45e test: add export check to x509 pem import tests
• e839ecb test: stop testing JWE RSA1_5 Algorithm
• 1b91d88 fix: add a maxOutputLength option to zlib inflate
• 9ca2b24 build: remove release action
• f3035d8 chore: cleanup after release
• See full diff in compare view

Updates tar from 6.2.0 to 6.2.1

Commits

• bef7b1e 6.2.1
• fe8cd57 prevent extraction in excessively deep subfolders
• fe7ebfd remove security.md
• See full diff in compare view

Updates undici from 5.26.4 to 5.28.4

Release notes

Sourced from undici's releases.

v5.28.4

:warning: Security Release :warning:

• Fixes https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
• Fixes https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

• CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.2...v5.28.3

v5.28.2

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in nodejs/undici#2470
• fix: remove node: prefix by @​tsctx in nodejs/undici#2471
• perf: avoid Headers initialization by @​tsctx in nodejs/undici#2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in nodejs/undici#2466
• fix: Add null type to signal in RequestInit by @​gebsh in nodejs/undici#2455
• fix: correctly handle data URL with hashes. by @​tsctx in nodejs/undici#2475
• fix: check response for timinginfo allow flag by @​ToshB in nodejs/undici#2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in nodejs/undici#2478
• refactor: better integrity check by @​tsctx in nodejs/undici#2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in nodejs/undici#2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in nodejs/undici#2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in nodejs/undici#2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in nodejs/undici#2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in nodejs/undici#2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in nodejs/undici#2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in nodejs/undici#2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in nodejs/undici#2302

New Contributors

• @​bugb made their first contribution in nodejs/undici#2470
• @​gebsh made their first contribution in nodejs/undici#2455
• @​ToshB made their first contribution in nodejs/undici#2477
• @​MzUgM made their first contribution in nodejs/undici#2478
• @​matt-way made their first contribution in nodejs/undici#2473

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.1...v5.28.2

v5.28.1

What's Changed

• perf: Improve normalizeMethod by @​tsctx in nodejs/undici#2456
• fix: dispatch error handling by @​ronag in nodejs/undici#2459

... (truncated)

Commits

• fb98306 Bumped v5.28.4
• 2b39440 Merge pull request from GHSA-9qxr-qj54-h672
• 64e3402 Merge pull request from GHSA-m4v8-wqvr-p9f7
• 723c4e7 Revert "build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)"
• 0e9d54b skip failing test due to Node.js changes
• e71cb4c Bumped v5.28.3
• 20c65b8 Fix tests for Node.js v20.11.0 (#2618)
• 8ec52cd Fix tests for Node.js v21 (#2609)
• d3aa574 Merge pull request from GHSA-3787-6prv-h9w3
• 9a14e5f Bumped v5.28.2
• Additional commits viewable in compare view

Updates webpack-dev-middleware from 5.3.3 to 5.3.4

Release notes

Sourced from webpack-dev-middleware's releases.

v5.3.4

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

Changelog

Sourced from webpack-dev-middleware's changelog.

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

Commits

• 86071ea chore(release): 5.3.4
• 189c4ac fix(security): do not allow to read files above (#1779)
• See full diff in compare view

Updates aws-cdk-lib from 2.79.1 to 2.80.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.80.0

⚠ BREAKING CHANGES

• eks: A masters role is no longer provisioned by default. Use the mastersRole property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate sts:AssumeRole permissions) to assume it.

Features

• apigateway: add grantExecute to API Methods (#25630) (ecb59fd)
• appmesh: access log format support for app mesh (#25229) (c4b00be)
• appsync: Add Private API support when creating a GraphqlApi (#25569) (d7e263d)
• cfnspec: cloudformation spec v122.0.0 (#25555) (5ccc569)
• cli: assets can now depend on stacks (#25536) (25d5d60)
• cli: logging can be corked (#25644) (0643020), closes #25536
• codepipeline-actions: add KMSEncryptionKeyARN for S3DeployAction (#24536) (b60876f), closes #24535
• eks: alb controller include versions 2.4.2 - 2.5.1 (#25330) (83c4c36), closes #25307
• msk: Kafka version 3.4.0 (#25557) (6317518), closes #25522
• scheduler: schedule expression construct (#25422) (97a698e)

Bug Fixes

• bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#25540) (8854739), closes aws/aws-cdk#19380 #25272 #25273 #25507
• eks: overly permissive trust policies (#25473) (51f0193). We would like to thank @​twelvemo and @​stefreak for reporting this issue.

---

Alpha modules (2.80.0-alpha.0)

Changelog

Sourced from aws-cdk-lib's changelog.

2.80.0 (2023-05-19)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• eks: A masters role is no longer provisioned by default. Use the mastersRole property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate sts:AssumeRole permissions) to assume it.

Features

• apigateway: add grantExecute to API Methods (#25630) (ecb59fd)
• appmesh: access log format support for app mesh (#25229) (c4b00be)
• appsync: Add Private API support when creating a GraphqlApi (#25569) (d7e263d)
• cfnspec: cloudformation spec v122.0.0 (#25555) (5ccc569)
• cli: assets can now depend on stacks (#25536) (25d5d60)
• cli: logging can be corked (#25644) (0643020), closes #25536
• codepipeline-actions: add KMSEncryptionKeyARN for S3DeployAction (#24536) (b60876f), closes #24535
• eks: alb controller include versions 2.4.2 - 2.5.1 (#25330) (83c4c36), closes #25307
• msk: Kafka version 3.4.0 (#25557) (6317518), closes #25522
• scheduler: schedule expression construct (#25422) (97a698e)

Bug Fixes

• bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#25540) (8854739), closes aws/aws-cdk#19380 #25272 #25273 #25507
• eks: overly permissive trust policies (#25473) (51f0193). We would like to thank @​twelvemo and @​stefreak for reporting this issue.

Commits

• ecb59fd feat(apigateway): add grantExecute to API Methods (#25630)
• b60876f feat(codepipeline-actions): add KMSEncryptionKeyARN for S3DeployAction (#24536)
• f48515f docs(ssm): explain that SecretValue.ssmSecure() lives in core now (#25581)
• 60a7e1e chore: npm-check-updates && yarn upgrade (#25631)
• 28914bd docs(assertions): add more detail about migrating from the old assert library...
• d7e263d feat(appsync): Add Private API support when creating a GraphqlApi (#25569)
• a2e6324 chore: npm-check-updates && yarn upgrade (#25613)
• 25d5d60 feat(cli): assets can now depend on stacks (#25536)
• b885ece docs(assertions): update link to migration guide (#25602)
• 83c4c36 feat(eks): alb controller include versions 2.4.2 - 2.5.1 (#25330)
• Additional commits viewable in compare view

Updates electron from 23.3.13 to 29.3.0

Commits

• 543f7c3 chore: cherry-pick 3fbd1dca6a4d from libvpx (#40025)
• e51dee4 fix: use generic capturer to list both screens and windows when possible (#39...
• 384f44d ci: fix linux builds of forks (#39942)
• edb117a build: use afs on aks instead of circle cache (#39913)
• 3f864b2 build: fixup autoninja (#39901)
• 97bf8c8 build: run on circle hosts for forks (#39864)
• 4a9b367 build: use aks backed runners for linux builds (#39837)
• 0508e25 chore: cherry-pick b2eab7500a18 from chromium (#39826)
• 0641412 fix: ensure app load is limited to real asar files when appropriate (#39810)
• c574fed chore: cherry-pick 3 changes from Release-3-M116 (#39757)
• Additional commits viewable in compare view

Updates next from 13.4.19 to 13.5.1

Commits

• ffafad2 v13.5.0
• 4a589edDescription has been truncated