Upgrade dependency versions to fix audit scanning

[BenjiTheC]

Description

This PR upgrades packages version to address security scanning issues from rush-pnpm audit. It fixes all the issues but one:

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Regular Expression Denial of Service (ReDoS) in lodash │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ lodash.trimend                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=4.5.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ../../packages/services/installer > [email protected]  │
│                     │ > [email protected] > [email protected]                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9      │
└─────────────────────┴────────────────────────────────────────────────────────┘
1 vulnerabilities found
Severity: 1 moderate

The package [email protected] is the latest version of package and has not been upgraded since. In my opinion, it's not a security threat because of the way (and the frequency) we use this package in our code base.

Packages with major version upgrade:

Version upgrades are done via running rush upgrade-interactive --make-consistent, when a major version is available, rush will present only major version upgrade option for the package, investigation has been done to make sure there is no breaking change introduced.

• nodemon: 2.0.20 -> 3.1.0
  • Breaking change (from 3.0.0): official support for node@8 dropped.
• luxon: 2.3.0 -> 3.4.4
  • Breaking change: https://moment.github.io/luxon/#/upgrading?id=_2x-to-30, this doesn't impact the usage of this package in CDF (see code search link)
• busboy: 0.3.1 -> 1.6.0
  • Breacking change: Changes in v1.0.0 mscdex/busboy#266. This package seems to be a legacy dependency that was somehow kept when moving from command package to command-and-control package. There is no usage of this package in command-and-control package code. (see code search link)
• @types/busboy: 0.2.3 -> 1.5.4
  • This is the complementary major version upgrade for busboy above

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (existing code being refactored)
• This change includes a documentation update

Submission Checklist

• CI dry-run passing
• Integration tests passing locally
• Change logs generated
  • N/A

Additional Notes:

[pcozzi]

Can you run integration tests on this change?

[ts-amz]

Can you add a note about why this change exists?

[BenjiTheC]

This is an attempt to make command package pass the build. The rest of the packages use npx tsc -p tsconfig.json for build, so I kept this change in the PR.

[ts-amz]

Am I reading this right that we're now getting this type from their library instead of defining it ourselves? Does the same not apply to the other exported types below? If so, can you open an issue to update them to use the library values instead of defining them in our code?

[BenjiTheC]

I believe the newer version of the dependent AWS SDK package updated their typing from a general string to more strict enum, which results in this incompatibility. And you are right, this can apply to other types defined in the code base. I have created #211 to track this

[BenjiTheC]

@pcozzi Can you run integration tests on this change?

Integration tests are passing