chore(deps): bump the npm_and_yarn group across 1 directory with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package	From	To
@apollo/experimental-nextjs-app-support	0.5.2	0.7.0
axios	1.6.7	1.6.8
express	4.18.2	4.19.2
es5-ext	0.10.62	0.10.64
follow-redirects	1.15.5	1.15.6
ip	2.0.0	2.0.1
jose	4.15.4	4.15.5
tar	6.2.0	6.2.1
undici	5.28.2	5.28.4
vite	5.0.12	5.2.8
webpack-dev-middleware	5.3.3	5.3.4

Updates @apollo/experimental-nextjs-app-support from 0.5.2 to 0.7.0

Release notes

Sourced from @​apollo/experimental-nextjs-app-support's releases.

0.7.0: important security fix

This version fixes CVE-2024-23841.
You can see more details in the security advisory.

There are no known workarounds for this issue, please update immediately.

0.6.0: reduced bundle size and "nonce" support

This release reduces the bundle size by changing an import from graphql. (#161)

It also adds support for a "nonce" in the script tags created by this package, by introducing a new extraScriptProps option. (#160)

Usage example:

    <ApolloNextAppProvider
      makeClient={makeClient}
      extraScriptProps={{
        nonce: actualNonce,
      }}
    >{...}</ApolloNextAppProvider>

As you should not pass a sensitive value like a nonce or a token as props from a Server Component into a Client Component, you can use the ssr-only-secrets we published for that purpose.

Generate a jwk-formatted AES-CBC key (see details in the linked package) and set it as an environment variable, e.g. "SECRET_KEY_VAR"

In a Server Component:

import { cloakSSROnlySecret } from "ssr-only-secrets";
const MyServerComponent = () => {
const nonce = headers().get('x-nonce')
return <ApolloWrapper nonce={cloakSSROnlySecret(nonce, "SECRET_KEY_VAR")} />
}

In your ApolloWrapper:

export function ApolloWrapper({
  children,
  nonce,
}: React.PropsWithChildren<{ nonce?: string }>) {
// other code, e.g. makeClient
const actualNonce = useSSROnlySecret(nonce, "SECRET_KEY_VAR");
return (
<ApolloNextAppProvider
makeClient={makeClient}
extraScriptProps={{
nonce: actualNonce,
</tr></table>

... (truncated)

Commits

• b92bc42 Merge pull request from GHSA-rv8p-rr2h-fgpg
• 4271a8c feat: adds user survey workflow and link in README (#180)
• 99acf6a chore(deps): update dependency next to v14.1.0 (#177)
• 2adedfa chore(deps): update all devdependencies (#172)
• bf8af08 Merge pull request #173 from apollographql/renovate/major-all-dev
• 6b7d50a Merge branch 'main' into renovate/major-all-dev
• 3d8ff60 also add & configure eslint-plugin-react-hooks
• 2976a0c chore(deps): update secops orb to v2.0.7 (#176)
• 745bda7 chore(deps): update all devdependencies to v6
• 4930d28 feat: SECOPS-2525 - add semgrep job (#174)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by apollo-bot, a new releaser for @​apollo/experimental-nextjs-app-support since your current version.

Updates axios from 1.6.7 to 1.6.8

Release notes

Sourced from axios's releases.

Release v1.6.8

Release notes:

Bug Fixes

• AxiosHeaders: fix AxiosHeaders conversion to an object during config merging (#6243) (2656612)
• import: use named export for EventEmitter; (7320430)
• vulnerability: update follow-redirects to 1.15.6 (#6300) (8786e0f)

Contributors to this release

• Jay
• Dmitriy Mozgovoy
• Mitchell
• Emmanuel
• Lucas Keller
• Aditya Mogili
• Miroslav Petrov

Changelog

Sourced from axios's changelog.

1.6.8 (2024-03-15)

Bug Fixes

• AxiosHeaders: fix AxiosHeaders conversion to an object during config merging (#6243) (2656612)
• import: use named export for EventEmitter; (7320430)
• vulnerability: update follow-redirects to 1.15.6 (#6300) (8786e0f)

Contributors to this release

• Jay
• Dmitriy Mozgovoy
• Mitchell
• Emmanuel
• Lucas Keller
• Aditya Mogili
• Miroslav Petrov

Commits

• ab3f0f9 chore(release): v1.6.8 (#6303)
• 2656612 fix(AxiosHeaders): fix AxiosHeaders conversion to an object during config mer...
• 7320430 fix(import): use named export for EventEmitter;
• 8786e0f fix(vulnerability): update follow-redirects to 1.15.6 (#6300)
• d844227 chore: update and bump deps (#6238)
• caa0625 docs: update README responseEncoding types (#6194)
• 41c4584 docs: Update README.md to point to current axios version in CDN links (#6196)
• bf6974f chore(ci): add npm tag action; (#6231)
• See full diff in compare view

Updates express from 4.18.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

• Fix ci after location patch by @​wesleytodd in expressjs/express#5552
• fixed un-edited version in history.md for 4.19.0 by @​wesleytodd in expressjs/express#5556

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @​UlisesGascon in expressjs/express#5527
• docs: nominating @​wesleytodd to be project captian by @​wesleytodd in expressjs/express#5511
• docs: loosen TC activity rules by @​wesleytodd in expressjs/express#5510
• Add note on how to update docs for new release by @​crandmck in expressjs/express#5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @​wesleytodd in expressjs/express#5551

New Contributors

• @​crandmck made their first contribution in expressjs/express#5541

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

• Fix routing requests without method
• deps: body-parser@1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@2.5.2

Other Changes

• Use https: protocol instead of deprecated git: protocol by @​vcsjones in expressjs/express#5032
• build: Node.js@16.18 and Node.js@18.12 by @​abenhamdine in expressjs/express#5034
• ci: update actions/checkout to v3 by @​armujahid in expressjs/express#5027
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5124
• Remove unused originalIndex from acceptParams by @​raksbisht in expressjs/express#5119
• Fixed typos by @​raksbisht in expressjs/express#5117
• examples: remove unused params by @​raksbisht in expressjs/express#5113
• fix: parameter str is not described in JSDoc by @​raksbisht in expressjs/express#5130
• fix: typos in History.md by @​raksbisht in expressjs/express#5131
• build : add Node.js@19.7 by @​abenhamdine in expressjs/express#5028
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5137

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@0.6.0

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: body-parser@1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@2.5.2
• deps: cookie@0.6.0
  • Add partitioned option

Commits

• 04bc627 4.19.2
• da4d763 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: cookie@0.6.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates es5-ext from 0.10.62 to 0.10.64

Release notes

Sourced from es5-ext's releases.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

---

Comparison since last release

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

---

Comparison since last release

Changelog

Sourced from es5-ext's changelog.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

Commits

• f76b03d chore: Release v0.10.64
• 2881acd chore: Bump dependencies
• c2e2bb9 fix: Revert update meant to fix Powershell issue, as it's a regression
• 16f2b72 docs: Fix date in the changelog
• de4e03c chore: Release v0.10.63
• 3fd53b7 chore: Upgrade lint-staged to v13
• bf8ed79 chore: Ensure postinstall script does not crash on Windows
• 2cbbb07 chore: Bump dependencies
• 22d0416 chore: Bump LICENSE year
• a52e957 fix: Support ES2015+ function definitions in function#toStringTokens()
• Additional commits viewable in compare view

Updates follow-redirects from 1.15.5 to 1.15.6

Commits

• 35a517c Release version 1.15.6 of the npm package.
• c4f847f Drop Proxy-Authorization across hosts.
• 8526b4a Use GitHub for disclosure.
• See full diff in compare view

Updates ip from 2.0.0 to 2.0.1

Commits

• 3b0994a 2.0.1
• 32f468f lib: fixed CVE-2023-42282 and added unit test
• See full diff in compare view

Updates jose from 4.15.4 to 4.15.5

Release notes

Sourced from jose's releases.

v4.15.5

Fixes

• add a maxOutputLength option to zlib inflate (1b91d88), fixes CVE-2024-28176

Changelog

Sourced from jose's changelog.

4.15.5 (2024-03-07)

Fixes

• add a maxOutputLength option to zlib inflate (1b91d88)

Commits

• 765aafd chore(release): 4.15.5
• b36e45e test: add export check to x509 pem import tests
• e839ecb test: stop testing JWE RSA1_5 Algorithm
• 1b91d88 fix: add a maxOutputLength option to zlib inflate
• 9ca2b24 build: remove release action
• f3035d8 chore: cleanup after release
• See full diff in compare view

Updates tar from 6.2.0 to 6.2.1

Commits

• bef7b1e 6.2.1
• fe8cd57 prevent extraction in excessively deep subfolders
• fe7ebfd remove security.md
• See full diff in compare view

Updates undici from 5.28.2 to 5.28.4

Release notes

Sourced from undici's releases.

v5.28.4

⚠️ Security Release ⚠️

• Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
• Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

• CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

Commits

• fb98306 Bumped v5.28.4
• 2b39440 Merge pull request from GHSA-9qxr-qj54-h672
• 64e3402 Merge pull request from GHSA-m4v8-wqvr-p9f7
• 723c4e7 Revert "build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)"
• 0e9d54b skip failing test due to Node.js changes
• e71cb4c Bumped v5.28.3
• 20c65b8 Fix tests for Node.js v20.11.0 (#2618)
• 8ec52cd Fix tests for Node.js v21 (#2609)
• d3aa574 Merge pull request from GHSA-3787-6prv-h9w3
• See full diff in compare view

Updates vite from 5.0.12 to 5.2.8

Release notes

Sourced from vite's releases.

create-vite@5.2.3

Please refer to CHANGELOG.md for details.

create-vite@5.2.2

Please refer to CHANGELOG.md for details.

create-vite@5.2.1

Please refer to CHANGELOG.md for details.

create-vite@5.2.0

Please refer to CHANGELOG.md for details.

create-vite@5.1.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.2.8 (2024-04-03)

• fix: csp nonce injection when no closing tag (#16281) (#16282) (3c85c6b), closes #16281 #16282
• fix: do not access document in /@vite/client when not defined (#16318) (646319c), closes #16318
• fix: fix sourcemap when using object as define value (#15805) (445c4f2), closes #15805
• fix(css): unknown file error happened with lightningcss (#16306) (01af308), closes #16306
• fix(hmr): multiple updates happened when invalidate is called while multiple tabs open (#16307) (21cc10b), closes #16307
• fix(scanner): duplicate modules for same id if glob is used in html-like types (#16305) (eca68fa), closes #16305
• chore(deps): update all non-major dependencies (#16325) (a78e265), closes #16325
• refactor: use types from sass instead of @​types/sass (#16340) (4581e83), closes #16340

5.2.7 (2024-03-29)

• chore: deprecate splitVendorChunkPlugin (#16274) (45a06da), closes #16274
• fix: skip injecting __vite__mapDeps when it's not used (#16271) (890538a), closes #16271
• fix(deps): update all non-major dependencies (#16258) (7caef42), closes #16258
• fix(hmr): don't mutate module graph when collecting modules (#16302) (dfffea1), closes #16302
• fix(hmr): trigger hmr for missing file import errored module after file creation (#16303) (ffedc06), closes #16303
• fix(sourcemap): don't warn even if the sourcesContent is an empty string (#16273) (24e376a), closes #16273
• feat(hmr): reload when HTML file is created/deleted (#16288) (1f53796), closes #16288

5.2.6 (2024-03-24)

• fix: fs.deny with globs with directories (#16250) (ba5269c), closes #16250

5.2.5 (2024-03-24)

• fix: avoid SSR requests in waitForRequestIdle (#16246) (7093f77), closes #16246
• docs: clarify enforce vs hook.order (#16226) (3a73e48), closes #16226

5.2.4 (2024-03-23)

• fix: dont resolve imports with malformed URI (#16244) (fbf69d5), closes #16244

5.2.3 (2024-03-22)

• fix: handle warmup request error correctly (#16223) (d7c5256), closes #16223
• fix: skip encode if is data uri (#16233) (8617e76), closes #16233
• fix(optimizer): fix optimizeDeps.include glob syntax for ./* exports (#16230) (f184c80), closes #16230
• fix(runtime): fix sourcemap with prepareStackTrace (#16220) (dad7f4f), closes #16220

... (truncated)

Commits

• 8b8d402 release: v5.2.8
• 646319c fix: do not access document in /@vite/client when not defined (#16318)
• 445c4f2 fix: fix sourcemap when using object as define value (#15805)
• a78e265 chore(deps): update all non-major dependencies (#16325)
• 4581e83 refactor: use types from sass instead of @​types/sass (#16340)
• 3c85c6b fix: csp nonce injection when no closing tag (#16281) (#16282)
• 21cc10b fix(hmr): multiple updates happened when invalidate is called while multiple ...
• 01af308 fix(css): unknown file error happened with lightningcss (#16306)
• eca68fa fix(scanner): duplicate modules for same id if glob is used in html-like type...
• ad246da release: v5.2.7
• Additional commits viewable in compare view

Updates webpack-dev-middleware from 5.3.3 to 5.3.4

Release notes

Sourced from webpack-dev-middleware's releases.

v5.3.4

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

Changelog

Sourced from webpack-dev-middleware's changelog.

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

Commits

• 86071ea chore(release): 5.3.4
• 189c4ac fix(security): do not allow to read files above (#1779)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.