Bump the production-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the production-dependencies group with 5 updates in the /backend directory:

Package	From	To
cron	3.2.1	3.3.1
dotenv	16.4.5	16.4.7
eventsource	2.0.2	3.0.2
express-rate-limit	7.4.1	7.5.0
mysql2	3.11.4	3.12.0

Updates cron from 3.2.1 to 3.3.1

Release notes

Sourced from cron's releases.

v3.3.1

3.3.1 (2024-12-12)

🐛 Bug Fixes

• correct waitForCompletion behavior (#924) (f6270f8), closes #923 #923 #894

v3.3.0

3.3.0 (2024-12-10)

✨ Features

• support async handling and add CronJob status tracking (#894) (b58fb6b), closes #713 #556

⚙️ Continuous Integrations

• action: update github/codeql-action action to v3.27.2 (#912) (d11ba30)
• action: update github/codeql-action action to v3.27.5 (#917) (2a4035e)
• action: update step-security/harden-runner action to v2.10.2 (#920) (26a8f9f)
• add pre-commit hook to lint and prettify (#911) (e1140d1), closes #907

♻️ Chores

• deps: lock file maintenance (94465ae)
• deps: lock file maintenance (23d67a4)
• deps: lock file maintenance (135fdf7)
• deps: lock file maintenance (edcff3b)
• deps: pin dependency lint-staged to 15.2.10 (#916) (5cf24da)
• deps: update dependency @​commitlint/cli to v19.6.0 (9d9ab94)
• deps: update dependency @​types/node to v20.17.7 (9181b6a)
• deps: update dependency @​types/node to v20.17.8 (5899fc2)
• deps: update dependency @​types/node to v20.17.9 (ca5065a)
• deps: update dependency husky to v9.1.7 (a960a29)
• deps: update dependency typescript to v5.7.2 (3447ff5)

Changelog

Sourced from cron's changelog.

3.3.1 (2024-12-12)

🐛 Bug Fixes

• correct waitForCompletion behavior (#924) (f6270f8), closes #923 #923 #894

3.3.0 (2024-12-10)

✨ Features

• support async handling and add CronJob status tracking (#894) (b58fb6b), closes #713 #556

⚙️ Continuous Integrations

• action: update github/codeql-action action to v3.27.2 (#912) (d11ba30)
• action: update github/codeql-action action to v3.27.5 (#917) (2a4035e)
• action: update step-security/harden-runner action to v2.10.2 (#920) (26a8f9f)
• add pre-commit hook to lint and prettify (#911) (e1140d1), closes #907

♻️ Chores

• deps: lock file maintenance (94465ae)
• deps: lock file maintenance (23d67a4)
• deps: lock file maintenance (135fdf7)
• deps: lock file maintenance (edcff3b)
• deps: pin dependency lint-staged to 15.2.10 (#916) (5cf24da)
• deps: update dependency @​commitlint/cli to v19.6.0 (9d9ab94)
• deps: update dependency @​types/node to v20.17.7 (9181b6a)
• deps: update dependency @​types/node to v20.17.8 (5899fc2)
• deps: update dependency @​types/node to v20.17.9 (ca5065a)
• deps: update dependency husky to v9.1.7 (a960a29)
• deps: update dependency typescript to v5.7.2 (3447ff5)

Commits

• 789015b Release v3.3.1 [skip ci]
• f6270f8 fix: correct waitForCompletion behavior (#924)
• f4e9e02 Release v3.3.0 [skip ci]
• b58fb6b feat: support async handling and add CronJob status tracking (#894)
• 94465ae chore(deps): lock file maintenance
• 23d67a4 chore(deps): lock file maintenance
• ca5065a chore(deps): update dependency @​types/node to v20.17.9
• 5899fc2 chore(deps): update dependency @​types/node to v20.17.8
• 9181b6a chore(deps): update dependency @​types/node to v20.17.7
• 3447ff5 chore(deps): update dependency typescript to v5.7.2
• Additional commits viewable in compare view

Updates dotenv from 16.4.5 to 16.4.7

Changelog

Sourced from dotenv's changelog.

16.4.7 (2024-12-03)

Changed

• Ignore .tap folder when publishing. (oops, sorry about that everyone. - @​motdotla) #848

16.4.6 (2024-12-02)

Changed

• Clean up stale dev dependencies #847
• Various README updates clarifying usage and alternative solutions using dotenvx

Commits

• a338d68 16.4.7
• daf3e3d changelog 🪵
• fb74f68 Merge pull request #848 from Spice-King/patch-1
• fe87ba2 Add .tap to .npmignore
• 0c9f764 16.4.6
• fd5f26b changelog 🪵
• bb19b6b Merge pull request #847 from motdotla/deps-updates
• 2f4e36b further dev dependency cleanup
• c2fdd01 send to codecov
• 6707487 add test coverage
• Additional commits viewable in compare view

Updates eventsource from 2.0.2 to 3.0.2

Release notes

Sourced from eventsource's releases.

v3.0.2

3.0.2 (2024-12-13)

Bug Fixes

• reference possibly missing event typings (d3b6849)

---

This release is also available on:

• npm package (@​latest dist-tag)

v3.0.1

3.0.1 (2024-12-07)

Bug Fixes

• run build prior to publishing (f86df19)

---

This release is also available on:

• npm package (@​latest dist-tag)

v3.0.0

3.0.0 (2024-12-07)

⚠ BREAKING CHANGES

• Drop support for Node.js versions below v18
• The module now uses a named export instead of a default export.
• UMD bundle dropped. Use a bundler.
• headers in init dict dropped, pass a custom fetch function instead.
• HTTP/HTTPS proxy support dropped. Pass a custom fetch function instead.
• https.* options dropped. Pass a custom fetch function that provides an agent/dispatcher instead.
• New default reconnect delay: 3 seconds instead of 1 second.
• Reconnecting after a redirect will now always use the original URL, even if the status code was HTTP 307.

Features

• modernize - use fetch, WebStreams, TypeScript, ESM (#330) (40655f7)

Bug Fixes

• dispatchEvent now emits entire event object (eb430c0)
• empty options no longer disable certificate checks (372d387)

---

This release is also available on:

• npm package (@​latest dist-tag)

Changelog

Sourced from eventsource's changelog.

3.0.2 (2024-12-13)

Bug Fixes

• reference possibly missing event typings (d3b6849)

3.0.1 (2024-12-07)

Bug Fixes

• run build prior to publishing (f86df19)

3.0.0 (2024-12-07)

⚠ BREAKING CHANGES

• Drop support for Node.js versions below v18
• The module now uses a named export instead of a default export.
• UMD bundle dropped. Use a bundler.
• headers in init dict dropped, pass a custom fetch function instead.
• HTTP/HTTPS proxy support dropped. Pass a custom fetch function instead.
• https.* options dropped. Pass a custom fetch function that provides an agent/dispatcher instead.
• New default reconnect delay: 3 seconds instead of 1 second.
• Reconnecting after a redirect will now always use the original URL, even if the status code was HTTP 307.

Features

• modernize - use fetch, WebStreams, TypeScript, ESM (#330) (40655f7)

Bug Fixes

• dispatchEvent now emits entire event object (eb430c0)
• empty options no longer disable certificate checks (372d387)

Commits

• 5e08e28 chore(release): 3.0.2 [skip ci]
• d3b6849 fix: reference possibly missing event typings
• 101028d ci: introduce renovatebot
• 84c7c63 ci: remove dependabot (replace with renovate)
• bcf0945 test: ensure target is set to EventSource instance
• eddb83c ci: update bun lockfile
• 2979b39 ci: remove unnecessary build step
• f1b5ff7 chore(release): 3.0.1 [skip ci]
• f86df19 fix: run build prior to publishing
• f7483f4 chore(release): 3.0.0 [skip ci]
• Additional commits viewable in compare view

Updates express-rate-limit from 7.4.1 to 7.5.0

Release notes

Sourced from express-rate-limit's releases.

v7.5.0

Added

• Implemented the combined RateLimit header according to the eighth draft of the IETF RateLimit header specificiation. Enable by setting standardHeaders: 'draft-8'.
• Added a new identifier option, used as the name for the quota policy in the draft-8 headers.
• Added a new headersDraftVersion validation check to identifies cases where an unsupported version string is passed to the standardHeaders option.

---

You can view the full changelog here.

Commits

• fe46b43 7.5.0
• 919bb8a docs: add changelog for v7.5.0
• 69a1c20 feat(headers): implement ietf draft-8 (#486)
• 413995b build(deps): bump cookie, express and socket.io (#483)
• See full diff in compare view

Updates mysql2 from 3.11.4 to 3.12.0

Release notes

Sourced from mysql2's releases.

v3.12.0

3.12.0 (2024-12-23)

Features

• PoolCluster: restoreNodeTimeout implementation (#3218) (9a38601)

v3.11.5

3.11.5 (2024-11-28)

Bug Fixes

• fix datetime fields returned without time part when time is 00:00:00 (#3204) (bded498)
• resolve circular dependencies (#3081) (d5a76e6)
• Deno v2 requires commonjs type explicitly (#3209) (cdc9415)

Changelog

Sourced from mysql2's changelog.

3.12.0 (2024-12-23)

Features

• PoolCluster: restoreNodeTimeout implementation (#3218) (9a38601)

3.11.5 (2024-11-28)

Bug Fixes

• 1040 datetime fields returned without time part when time is 00:00:00 (#3204) (bded498)
• circular dependencies (#3081) (d5a76e6)
• Deno v2 requires commonjs type explicitly (#3209) (cdc9415)

Commits

• 646ac6d chore(master): release 3.12.0 (#3268)
• e455b6b build(deps): bump lucide-react from 0.468.0 to 0.469.0 in /website (#3289)
• e3f5145 build(deps): bump sass from 1.82.0 to 1.83.0 in /website (#3284)
• 04f8dab build(deps): bump prism-react-renderer from 2.4.0 to 2.4.1 in /website (#3282)
• d97f80a build(deps-dev): bump @​types/node from 22.10.1 to 22.10.2 in /website (#3281)
• 0a022ab build(deps-dev): bump c8 from 10.1.2 to 10.1.3 (#3278)
• 29c8c85 build(deps-dev): bump lint-staged from 15.2.10 to 15.2.11 (#3277)
• 6eaa468 build(deps-dev): bump @​types/node from 22.10.1 to 22.10.2 (#3276)
• 605fa04 build(deps): bump lucide-react from 0.467.0 to 0.468.0 in /website (#3272)
• e60a584 build(deps-dev): bump eslint-plugin-react-hooks in /website (#3271)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

backend/package.json

Package	Version	License	Issue Type
express-rate-limit	^7.5.0	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/cron	3.3.1	🟢 8.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 11 out of 11 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review ⚠️ 1 Found 4/24 approved changesets -- score normalized to 1 Contributors 🟢 10 project has 11 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Packaging 🟢 10 packaging workflow detected Pinned-Dependencies 🟢 10 all dependencies are pinned SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/dotenv	16.4.7	🟢 4.7	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 21 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 3 Found 5/15 approved changesets -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/eventsource	3.0.2	🟢 5.1	Details Check Score Reason Maintained 🟢 10 23 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 2/29 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/eventsource-parser	3.0.0	Unknown	Unknown
npm/express-rate-limit	7.5.0	Unknown	Unknown
npm/mysql2	3.12.0	🟢 6.4	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Code-Review 🟢 5 Found 1/2 approved changesets -- score normalized to 5 Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 9 1 existing vulnerabilities detected
npm/cron	^3.3.1	🟢 8.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 11 out of 11 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review ⚠️ 1 Found 4/24 approved changesets -- score normalized to 1 Contributors 🟢 10 project has 11 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Packaging 🟢 10 packaging workflow detected Pinned-Dependencies 🟢 10 all dependencies are pinned SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/dotenv	^16.4.7	🟢 4.7	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 21 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 3 Found 5/15 approved changesets -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/eventsource	^3.0.2	🟢 5.1	Details Check Score Reason Maintained 🟢 10 23 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 2/29 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/express-rate-limit	^7.5.0	Unknown	Unknown
npm/mysql2	^3.12.0	🟢 6.4	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Code-Review 🟢 5 Found 1/2 approved changesets -- score normalized to 5 Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 9 1 existing vulnerabilities detected

Scanned Files

• backend/package-lock.json
• backend/package.json

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.