build(deps): Bump jsonwebtoken, graphile-build-pg and postgraphile

[dependabot]

Bumps jsonwebtoken to 9.0.0 and updates ancestor dependencies jsonwebtoken, graphile-build-pg and postgraphile. These dependencies need to be updated together.

Updates jsonwebtoken from 8.5.1 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

Commits

• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
• 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
• 7e6a86b Upload OpsLevel YAML (#849)
• 74d5719 docs: update references vercel/ms references (#770)
• d71e383 docs: document "invalid token" error
• 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
• a46097e docs: make decode impossible to discover before verify
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.

Updates graphile-build-pg from 4.5.0 to 4.13.0

Changelog

Sourced from graphile-build-pg's changelog.

4.13.0 (2023-01-12)

Bug Fixes

• typo in error message (#821) (516e8f7)

4.12.3 (2022-05-25)

Bug Fixes

• pg-sql2: remove another spread (#796) (dadd261)
• pg-sql2: use loop not spread, fixes call stack size exceeded (#793) (b4d6c38)
• pubsub: listen for PG client error to prevent crashes (#791) (e0b107a)

4.12.2 (2021-10-21)

Features

• inflection: use builtin for NATURAL and PRIMARY_KEY_ASC/DESC (#759) (f2862a1)
• tags: allow smart tags to indicate a column has a default (#760) (8538ed0)

4.12.1 (2021-05-27)

Features

• utils: support for NULLS FIRST/LAST in orderByAscDesc (#737) (99b1a8e)

4.12.0 (2021-05-26)

Bug Fixes

• order: fix order by computed column SQL item bug (#741) (0635ecb)
• uniqueKey/pgViewUniqueKey applies to views (#739) (b715f6d)

Features

... (truncated)

Commits

• 0b2ca8b v4.13.0
• ec76d8f chore(deps): Bump qs from 6.5.2 to 6.5.3 (#819)
• c30a2fa chore: add graphql 16 as peer dependency for graphql-parse-resolve-info (#814)
• 180a084 chore(deps): Bump jsonwebtoken from 8.5.1 to 9.0.0 (#823)
• 4ba593c chore(deps): Bump json5 from 2.2.0 to 2.2.3 (#825)
• 7b21d26 sponsorship: update sponsors 🙏 (#822)
• 516e8f7 fix: typo in error message (#821)
• b679579 chore(deps): Bump decode-uri-component from 0.2.0 to 0.2.2 (#817)
• 3d49f1e chore(ci): remove Postgres <12 and Node <10 from CI (#820)
• 3daa9cd chore: fix typo in comment (#807)
• Additional commits viewable in compare view

Updates postgraphile from 4.5.0 to 4.13.0

Release notes

Sourced from postgraphile's releases.

v4.13.0

Upgrades to jsonwebtoken v9, fixing a number of vulnerabilities. Please see the jsonwebtoken v8-v9 notes: https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v8-to-v9

🚨 Note jsonwebtoken has dropped support for Node < 12 (Node v10 went end of life 2021-04-30, Node v11 EOL was 2019-06-01); in order to get these security fixes we had no choice but to also drop support for Node versions prior to v12.

v4.12.11

• Improve error message when enum creation fails (thanks @​tsnobip)
• Fix "max stack size exceeded" in pg-sql2 (thanks @​roytan883)
• Add error listener to subscription listener PG client to avoid crashes (thanks @​enisdenjo)
• Add error listener to other PG clients

v4.12.10

• Fixes potential memory leak in subscriptions (thanks @​enisdenjo)
• Fixes order of logic in subscriptions code (determine context last)
• Ensure operation is available before validating subscriptions (thanks @​enisdenjo)

v4.12.9

Upgraded graphql-ws and fixed a TypeScript generic (thanks @​enisdenjo)

v4.12.8 - CLI handling of SSL

Give the CLI the ability to leverage the rejectUnauthorized: false option to pg's ssl option when using ?ssl=no-verify on your PostgreSQL connection string. Thanks to @​maximsmol for tracking this down and fixing it 🙌

No changes

(Just to trigger a new Docker release; Docker tags are now updated: https://hub.docker.com/r/graphile/postgraphile/tags )

v4.12.6 - fix websocketOperations: all

Fixes a couple of bugs related to websocketOperations: 'all'

• --websocket-operations CLI flag was previously ignored
• When issuing queries/mutations over websockets, singleStatement: true was set incorrectly (this should be set only for subscriptions), resulting in performance costs and errors when issuing mutations that use savepoints (which should be all mutations).

Also upgrades GraphiQL

v4.12.5

• JWT can now operate with only jwtPublicKey set - no need for jwtSecret in this case (thanks @​phryneas)
• Shutdown actions now called in reverse order to make shutdown more reliable
• Fix TypeScript type on handleErrors function (thanks @​pinn3)
• --append-plugins and similar options now support Windows file paths (in theory... can someone who has access to Windows test this and get back to me?)
• introduces new smart tag @hasDefault so you can indicate that a column has a default - be that implemented via a trigger, or maybe as an instead of insert rule - so the field will be nullable in create* mutations
• inflection: now uses builtin inflector for NATURAL and PRIMARY_KEY_ASC/DESC enum values (thanks @​Eldow)

Work on V5 of PostGraphile is heavily under way, currently closed source due to immense churn but will be open sourced when it's ready. To help speed up this process, please become a sponsor: https://www.graphile.org/sponsor/

v4.12.4

Bumped some dependencies including graphql-ws adding support for ping/pong.

v4.12.3

Fixed a bug in parsing the PostgreSQL port number from the CLI.

v4.12.2

... (truncated)

Changelog

Sourced from postgraphile's changelog.

4.13.0 (2023-01-12)

Bug Fixes

• upgrade Graphile Engine (#1702) (df19851)
• deps: upgrade to jsonwebtoken@9

4.12.12 (2022-12-01)

Features

• ci: build arm64 (#1681) (6627fcb)

4.12.11 (2022-05-25)

Bug Fixes

• handle pgClient errors (#1633) (263ba74)
• deps: upgrade Graphile Engine (#1631) (1824352)

4.12.10 (2022-04-13)

Bug Fixes

• ws: getting context should be the very last thing (#1615) (1b10ce6)
• ws: release all socket's contexts on close (#1612) (8ef3e81)

4.12.9 (2022-02-28)

Bug Fixes

• ws: update graphql-ws and correct context generic (#1589) (0a27d22)

4.12.8 (2021-12-20)

Bug Fixes

• cli: handling of SSL options from the connection string (#1564) (d8401c6)

4.12.7 (2021-12-20)

4.12.6 (2021-11-30)

Bug Fixes

• ws: only use singleStatement for subscriptions (#1559) (bf11b75)

4.12.5 (2021-10-21)

Bug Fixes

... (truncated)

Commits

• eb16e9e 4.13.0
• df19851 fix: upgrade Graphile Engine (#1702)
• 4adbd42 chore: update to Node 16 LTS in CI & published docker images (#1678)
• 4f1db5a chore(deps): Bump decode-uri-component from 0.2.0 to 0.2.2 in /postgraphiql (...
• 85d0341 chore(deps): Bump express from 4.17.1 to 4.18.2 in /postgraphiql (#1693)
• b9ae04d chore(deps-dev): Bump express from 4.17.1 to 4.17.3 (#1692)
• 3997456 chore(deps): Bump jsonwebtoken from 8.5.1 to 9.0.0 (#1698)
• c85fc16 chore(deps): Bump qs from 6.5.2 to 6.5.3 (#1690)
• fa76fee chore(deps): Bump json5 from 2.1.3 to 2.2.2 (#1700)
• 7375afd chore(deps): Bump decode-uri-component from 0.2.0 to 0.2.2 (#1688)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.