build(deps): bump the npm_and_yarn group across 2 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /packages/cli directory: axios, crypto-js and mysql2.
Bumps the npm_and_yarn group with 3 updates in the /packages/nodes-base directory: mysql2, formidable and mongodb.

Updates axios from 0.21.4 to 1.6.8

Release notes

Sourced from axios's releases.

Release v1.6.8

Release notes:

Bug Fixes

• AxiosHeaders: fix AxiosHeaders conversion to an object during config merging (#6243) (2656612)
• import: use named export for EventEmitter; (7320430)
• vulnerability: update follow-redirects to 1.15.6 (#6300) (8786e0f)

Contributors to this release

• Jay
• Dmitriy Mozgovoy
• Mitchell
• Emmanuel
• Lucas Keller
• Aditya Mogili
• Miroslav Petrov

Release v1.6.7

Release notes:

Bug Fixes

• capture async stack only for rejections with native error objects; (#6203) (1a08f90)

Contributors to this release

• Dmitriy Mozgovoy
• zhoulixiang

Release v1.6.6

Release notes:

Bug Fixes

• fixed missed dispatchBeforeRedirect argument (#5778) (a1938ff)
• wrap errors to improve async stack trace (#5987) (123f354)

Contributors to this release

• Ilya Priven
• Zao Soula

Release v1.6.5

Release notes:

Bug Fixes

• ci: refactor notify action as a job of publish action; (#6176) (0736f95)
• dns: fixed lookup error handling; (#6175) (f4f2b03)

Contributors to this release

... (truncated)

Changelog

Sourced from axios's changelog.

1.6.8 (2024-03-15)

Bug Fixes

• AxiosHeaders: fix AxiosHeaders conversion to an object during config merging (#6243) (2656612)
• import: use named export for EventEmitter; (7320430)
• vulnerability: update follow-redirects to 1.15.6 (#6300) (8786e0f)

Contributors to this release

• Jay
• Dmitriy Mozgovoy
• Mitchell
• Emmanuel
• Lucas Keller
• Aditya Mogili
• Miroslav Petrov

1.6.7 (2024-01-25)

Bug Fixes

• capture async stack only for rejections with native error objects; (#6203) (1a08f90)

Contributors to this release

• Dmitriy Mozgovoy
• zhoulixiang

1.6.6 (2024-01-24)

Bug Fixes

• fixed missed dispatchBeforeRedirect argument (#5778) (a1938ff)
• wrap errors to improve async stack trace (#5987) (123f354)

Contributors to this release

• Ilya Priven
• Zao Soula

1.6.5 (2024-01-05)

Bug Fixes

• ci: refactor notify action as a job of publish action; (#6176) (0736f95)

... (truncated)

Commits

• ab3f0f9 chore(release): v1.6.8 (#6303)
• 2656612 fix(AxiosHeaders): fix AxiosHeaders conversion to an object during config mer...
• 7320430 fix(import): use named export for EventEmitter;
• 8786e0f fix(vulnerability): update follow-redirects to 1.15.6 (#6300)
• d844227 chore: update and bump deps (#6238)
• caa0625 docs: update README responseEncoding types (#6194)
• 41c4584 docs: Update README.md to point to current axios version in CDN links (#6196)
• bf6974f chore(ci): add npm tag action; (#6231)
• a52e4d9 chore(release): v1.6.7 (#6204)
• 2b69888 chore: remove unnecessary check (#6186)
• Additional commits viewable in compare view

Updates crypto-js from 4.1.1 to 4.2.0

Commits

• 808f499 Merge branch 'release/4.2.0'
• d5af3ae Update release notes.
• 9496e07 Bump version.
• 421dd53 Change default hash algorithm and iteration's for PBKDF2 to prevent weak secu...
• d1f4f4d Update grunt.
• c755289 Discontinued
• 1da3dab Discontinued
• 4dcaa7a Merge pull request #380 from Alanscut/dev
• 762feb2 chore: rename BF to Blowfish
• fb81418 feat: blowfish support
• Additional commits viewable in compare view

Updates mysql2 from 2.3.3 to 3.9.7

Release notes

Sourced from mysql2's releases.

v3.9.7

3.9.7 (2024-04-21)

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection - report by zhaoyudi (Nebulalab) (#2608) (7d4b098)

v3.9.6

3.9.6 (2024-04-18)

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

v3.9.5

3.9.5 (2024-04-17)

Bug Fixes

• revert breaking change in results creation (#2591) (f7c60d0)

v3.9.4

3.9.4 (2024-04-09)

Bug Fixes

• SSL: separate each certificate into an individual item #2542 (63f1055)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)
  • Fixes a potential RCE attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• security: improve results object creation (#2574) (4a964a3)
  • Fixes a potential Prototype Pollution attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• docs: improve the contribution guidelines (#2552) (8a818ce)

v3.9.3

3.9.3 (2024-03-26)

Bug Fixes

• security: improve cache key formation (#2424) (0d54b0c)
  • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• update Amazon RDS SSL CA cert (#2131) (d9dccfd)

v3.9.2

3.9.2 (2024-02-26)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.9.7 (2024-04-21)

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection (#2608) (7d4b098)

3.9.6 (2024-04-18)

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

3.9.5 (2024-04-17)

Bug Fixes

• revert breaking change in results creation (#2591) (f7c60d0)

3.9.4 (2024-04-09)

Bug Fixes

• docs: improve the contribution guidelines (#2552) (8a818ce)
• security: improve results object creation (#2574) (4a964a3)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)

3.9.3 (2024-03-26)

Bug Fixes

• security: improve cache key formation (#2424) (0d54b0c)
  • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• update Amazon RDS SSL CA cert (#2131) (d9dccfd)

3.9.2 (2024-02-26)

Bug Fixes

• stream: premature close when it is paused (#2416) (7c6bc64)
• types: expose TypeCast types (#2425) (336a7f1)

3.9.1 (2024-01-29)

... (truncated)

Commits

• 2d3cad8 chore(master): release 3.9.7 (#2609)
• 7d4b098 fix(security): sanitize timezone parameter value to prevent code injection (#...
• 2efd6ab build(deps): bump lucide-react from 0.371.0 to 0.372.0 in /website (#2606)
• e3391ed build(deps): bump lucide-react from 0.368.0 to 0.371.0 in /website (#2604)
• 4f58caa chore(master): release 3.9.6 (#2603)
• 705835d fix: binary parser sometimes reads out of packet bounds when results contain ...
• 2129818 chore(master): release 3.9.5 (#2600)
• f7c60d0 fix: revert breaking change in results creation (#2591)
• 7f5b395 build(deps-dev): bump @​typescript-eslint/eslint-plugin in /website (#2596)
• a770052 build(deps-dev): bump @​typescript-eslint/parser in /website (#2595)
• Additional commits viewable in compare view

Updates mysql2 from 2.3.3 to 3.9.7

Release notes

Sourced from mysql2's releases.

v3.9.7

3.9.7 (2024-04-21)

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection - report by zhaoyudi (Nebulalab) (#2608) (7d4b098)

v3.9.6

3.9.6 (2024-04-18)

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

v3.9.5

3.9.5 (2024-04-17)

Bug Fixes

• revert breaking change in results creation (#2591) (f7c60d0)

v3.9.4

3.9.4 (2024-04-09)

Bug Fixes

• SSL: separate each certificate into an individual item #2542 (63f1055)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)
  • Fixes a potential RCE attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• security: improve results object creation (#2574) (4a964a3)
  • Fixes a potential Prototype Pollution attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• docs: improve the contribution guidelines (#2552) (8a818ce)

v3.9.3

3.9.3 (2024-03-26)

Bug Fixes

• security: improve cache key formation (#2424) (0d54b0c)
  • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• update Amazon RDS SSL CA cert (#2131) (d9dccfd)

v3.9.2

3.9.2 (2024-02-26)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.9.7 (2024-04-21)

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection (#2608) (7d4b098)

3.9.6 (2024-04-18)

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

3.9.5 (2024-04-17)

Bug Fixes

• revert breaking change in results creation (#2591) (f7c60d0)

3.9.4 (2024-04-09)

Bug Fixes

• docs: improve the contribution guidelines (#2552) (8a818ce)
• security: improve results object creation (#2574) (4a964a3)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)

3.9.3 (2024-03-26)

Bug Fixes

• security: improve cache key formation (#2424) (0d54b0c)
  • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• update Amazon RDS SSL CA cert (#2131) (d9dccfd)

3.9.2 (2024-02-26)

Bug Fixes

• stream: premature close when it is paused (#2416) (7c6bc64)
• types: expose TypeCast types (#2425) (336a7f1)

3.9.1 (2024-01-29)

... (truncated)

Commits

• 2d3cad8 chore(master): release 3.9.7 (#2609)
• 7d4b098 fix(security): sanitize timezone parameter value to prevent code injection (#...
• 2efd6ab build(deps): bump lucide-react from 0.371.0 to 0.372.0 in /website (#2606)
• e3391ed build(deps): bump lucide-react from 0.368.0 to 0.371.0 in /website (#2604)
• 4f58caa chore(master): release 3.9.6 (#2603)
• 705835d fix: binary parser sometimes reads out of packet bounds when results contain ...
• 2129818 chore(master): release 3.9.5 (#2600)
• f7c60d0 fix: revert breaking change in results creation (#2591)
• 7f5b395 build(deps-dev): bump @​typescript-eslint/eslint-plugin in /website (#2596)
• a770052 build(deps-dev): bump @​typescript-eslint/parser in /website (#2595)
• Additional commits viewable in compare view

Updates formidable from 1.2.6 to 3.5.1

Release notes

Sourced from formidable's releases.

v3.2.5

No release notes provided.

3.2.4

No release notes provided.

3.1.4

https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md

Changelog

Sourced from formidable's changelog.

3.5.1

• fix: (#945) multipart parser fix: flush or fail always (don't hang)

3.5.0

• feature: (#944) Dual package: Can be imported as ES module and required as commonjs module

3.4.0

• feature: (#940) form.parse returns a promise if no callback is provided
• it resolves with an array [fields, files]

3.3.2

• feature: (#855) add options.createDirsFromUploads, see README for usage
• form.parse is an async function (ignore the promise)
• benchmarks: add e2e becnhmark with as many request as possible per second
  • npm run to display all the commands
• mark as latest on npm

3.2.5

• fix: (#881) fail earlier when maxFiles is exceeded

3.2.4

• fix: (#857) improve keep extension
• The code from before 3.2.4 already removed some characters from the file extension. But not always. So it was inconsistent.
• The new code cuts the file extension at the first invalid character (invalid in a file extension).
• The characters that are considered invalid inside a file extension are all except the . numbers and a-Z.
• This change only has an effect if filename option is not used and keepextension option is used

3.2.3

• fix: (#852) end event is emitted once

3.2.2

• refactor: (#801)

3.2.1

• fix: do not let empty file on error (#796)
• it was probably due to the fact that .destroy on a file stream does not always complete on time

... (truncated)

Commits

• See full diff in compare view

Updates mongodb from 4.17.2 to 6.5.0

Release notes

Sourced from mongodb's releases.

v6.5.0

6.5.0 (2024-03-11)

The MongoDB Node.js team is pleased to announce version 6.5.0 of the mongodb package!

Release Notes

Bulk Write Operations Generate Ids using pkFactory

When performing inserts, the driver automatically generates _ids for each document if there is no _id present. By default, the driver generates ObjectIds. An option, pkFactory, can be used to configure the driver to generate _ids that are not object ids.

For a long time, only Collection.insert and Collection.insertMany actually used the pkFactory, if configured. Notably, Collection.bulkWrite(), Collection.initializeOrderedBulkOp() and Collection.initializeOrderedBulkOp() always generated ObjectIds, regardless of what was configured on collection.

The driver always generates _ids for inserted documents using the pkFactory.

[!CAUTION] If you are using a pkFactory and performing bulk writes, you may have inserted data into your database that does not have _ids generated by the pkFactory.

Fixed applying read preference to commands depending on topology

When connecting to a secondary in a replica set with a direct connection, if a read operation is performed, the driver attaches a read preference of primaryPreferred to the command.

Fixed memory leak in Connection layer

The Connection class has recently been refactored to operate on our socket operations using promises. An oversight how we made async network operations interruptible made new promises for every operation. We've simplified the approach and corrected the leak.

Query SRV and TXT records in parallel

When connecting using a convenient SRV connection string (mongodb+srv://) hostnames are obtained from an SRV dns lookup and some configuration options are obtained from a TXT dns query. Those DNS operations are now performed in parallel to reduce first-time connection latency.

Container and Kubernetes Awareness

The Node.js driver now keeps track of container metadata in the client.env.container field of the handshake document.

If space allows, the following metadata will be included in client.env.container:

env?: { 
  container?: {
    orchestrator?: 'kubernetes' // if process.env.KUBERNETES_SERVICE_HOST is set
    runtime?: 'docker' // if the '/.dockerenv' file exists
  } 
}

Note: If neither Kubernetes nor Docker is present, client.env will not have the container property.

Add property errorResponse to MongoServerError

The MongoServer error maps keys from the error document returned by the server on to itself. There are some use cases where the original error document is desirable to obtain in isolation. So now, the mongoServerError.errorResponse property stores a reference to the error document returned by the server.

... (truncated)

Changelog

Sourced from mongodb's changelog.

6.5.0 (2024-03-11)

Features

• NODE-5968: container and Kubernetes awareness in client metadata (#4005) (28b7040)
• NODE-5988: Provide access to raw results doc on MongoServerError (#4016) (c023242)
• NODE-6008: deprecate CloseOptions interface (#4030) (f6cd8d9)

Bug Fixes

• NODE-5636: generate _ids using pkFactory in bulk write operations (#4025) (fbb5059)
• NODE-5981: read preference not applied to commands properly (#4010) (937c9c8)
• NODE-5985: throw Nodejs' certificate expired error when TLS fails to connect instead of CERT_HAS_EXPIRED (#4014) (057c223)
• NODE-5993: memory leak in the Connection class (#4022) (69de253)

Performance Improvements

• NODE-5986: parallelize SRV/TXT resolution (#4012) (eab8f23)

6.4.0 (2024-02-29)

Features

• NODE-3449: Add serverConnectionId to Command Monitoring Spec (735f7aa)
• NODE-3470: retry selects another mongos (#3963) (84959ee)
• NODE-3689: require hello command for connection handshake to use OP_MSG disallowing OP_QUERY (#3938) (ce7df0f)
• NODE-4686: Add log messages to CLAM (#3955) (e3bfa30)
• NODE-4687: Add logging to server selection (#3946) (7f3ce0b)
• NODE-4719: add SDAM Logging Spec (#3940) (a3c0298)
• NODE-4847: Add config error handling to logging (#3970) (8f7bb59)
• NODE-5717: make ExceededTimeLimit retryable reads error (#3947) (106ab09)
• NODE-5885: upgrade BSON to ^6.3.0 (#3983) (9401d09)
• NODE-5939: Implement 6.x: cache the AWS credentials provider in the MONGODB-AWS auth logic (#3991) (e0a37e5)
• NODE-5978: upgrade BSON to ^6.4.0 (#4007) (90f2f70)

Bug Fixes

• NODE-5127: implement reject kmsRequest on server close (#3964) (568e05f)
• NODE-5609: node driver omits base64 padding in sasl-continue command (#3975) (b7d28d3)
• NODE-5765: change type for countDocuments (#3932) (22cae0f)
• NODE-5791: type error with $addToSet in bulkWrite (#3953) (b93d405)
• NODE-5818: Add feature flagging to server selection logging (#3974) (55203ef)
• NODE-5839: support for multibyte code-points in stringifyWithMaxLen (#3979) (aed1cf0)
• NODE-5840: heartbeat duration includes socket creation (#3973) (a42039b)
• NODE-5901: propagate errors to transformed stream in cursor (#3985) (ecfc615)

... (truncated)

Commits

• c9e32ad chore(main): release 6.5.0 [skip-ci] (#4013)
• f6cd8d9 feat(NODE-6008): deprecate CloseOptions interface (#4030)
• 36fa752 refactor(NODE-5915): topology close logic to be synchronous (#4021)
• 937c9c8 fix(NODE-5981): read preference not applied to commands properly (#4010)
• 31f1eed test(NODE-5969): convert CSFLE corpus test #6 to TS, async/await and add writ...
• fbb5059 fix(NODE-5636): generate _ids using pkFactory in bulk write operations (#4025)
• 2348548 test(DRIVERS-2812): sdam load balancer tests in serverless (#4026)
• c023242 feat(NODE-5988): Provide access to raw results doc on MongoServerError (#4016)
• 69de253 fix(NODE-5993): memory leak in the Connection class (#4022)
• 28b7040 feat(NODE-5968): container and Kubernetes awareness in client metadata (#4005)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[height]

Link Height tasks by mentioning a task ID in the pull request title or commit messages, or description and comments with the keyword link (e.g. "Link T-123").

💡Tip: You can also use "Close T-X" to automatically close a task when the pull request is merged.