Update All patch-minor dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@snyk/protect	1.1294.0 -> 1.1295.4					dependencies	minor
async (source)	3.2.2 -> 3.2.6					resolutions	patch
csurf	1.10.0 -> 1.11.0					dependencies	minor
decode-uri-component	^0.2.1 -> ^0.4.0					resolutions	minor
engine.io (source)	6.6.2 -> 6.6.4					resolutions	patch
express (source)	4.21.1 -> 4.21.2					dependencies	patch
govuk-elements-sass	~3.0.2 -> ~3.1.0					dependencies	minor
govuk_template_jinja	^0.23.0 -> ^0.26.0					dependencies	minor
govuk_template_mustache	^0.19.0 -> ^0.26.0					dependencies	minor
hashicorp/terraform	1.3.9 -> 1.11.0						minor
idam-pr	2.2.6 -> 2.3.0						minor
jackspeak	2.1.1 -> 2.3.6					resolutions	minor
nconf	0.11.4 -> 0.12.1					resolutions	minor
nock	13.5.5 -> 13.5.6					devDependencies	patch
node (source)	18.17.0 -> 18.20.7						minor
nodejs	3.1.0 -> 3.1.1						patch
qs	6.13.0 -> 6.14.0					resolutions	minor
sass	1.83.1 -> 1.85.1					dependencies	minor
semver	7.5.4 -> 7.7.1					resolutions	minor
ua-parser-js (source)	^0.7.33 -> ^0.8.0					resolutions	minor
ws	8.18.0 -> 8.18.1					resolutions	patch
yarn (source)	3.6.4 -> 3.8.7					packageManager	minor

---

Release Notes

snyk/snyk (@​snyk/protect)

v1.1295.4

Compare Source

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• security: Upgrades dependencies to address CVE-2023-37788

v1.1295.3

Compare Source

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• security: Upgrades dependencies to address CVE-2025-21614
• language-server: Improved memory usage when executing code scans on large projects
• language-server: Fix incorrect filtering of files when executing code scans which could fail the analysis
• language-server: Fix random unexpected logouts when using OAuth2 authentication

v1.1295.2

Compare Source

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• general: revert dependencies upgrade which introduced a regression on a number of Linux installations

v1.1295.1

Compare Source

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• security: Upgrades goproxy to 1.5 to address a high severity vulnerability
• security: Upgrades dependencies in IaC plugin to address CVE-2025-21614

v1.1295.0

Compare Source

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• iac: include evidence field in json output [IAC-3161] (9487a08)
• auth: auto detect API Url during OAuth authentication (6884511)

Bug Fixes

• test: support verbose gradle graphs for sbom generation (600ef50)
• general: prevent snyk-policy lib from interrupting stdout to ensure valid --json --sarif output (469edf5)
• general: improved error messages around network requests (f6fc5f7)
• general: only read SNYK_ prefixed env vars (5bfcbe8)
• instrumentation: add default oss product for monitor as well (83cabc3)
• container: optional dependencies are properly connected in the dep-graph (3205e66)
• container: package-lock v3 missing sub-dependencies 94c9b7f)
• container: support --exclude-app-vulns with oauth (73a75fa)
• monitor: use error catalog messages for monitor commands (4e58601)
• iac: extra error handling and debugging [IAC-3138] (7fbae0f)
• iac: snyk-iac-test security update [IAC-3171] (fac22bb)
• iac: update snyk-iac-parsers version [IAC-3138] (5326d9d)
• iac: use proxy aware snyk-iac-test [INC-1647] (d5d1e2e)
• test: do not treat warnings as errors on restore (d0113eb)
• test:fix mismatch/off-by-one on unmanagedDependencyCount in the analytics logs UNIFY-340 (75d8e6d)
• test: update snyk-nodejs-plugin to fix micromatch vuln (766bd1d)
• test: upgrade mvn-plugin to handle jar scanning sha-not-found error (060380a)
• test: fix runtime versions overwriting nuget versions (5e715cf)
• instrumentation: stop sending CLI args in analytics (6d183fb)
• policy update policy library to fix valid json output (0bc0aed)

v1.1294.3

Compare Source

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• security: update golang.org/x/crypto/ssh to fix a critical vulnerability

v1.1294.2

Compare Source

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• container: ignore npm/yarn default cache directories
• container: fix: avoid possible unhandled promise rejections

v1.1294.1

Compare Source

Bug Fixes

• container: unable to process RedHat images when the “content_sets” attribute was missing in the redhat-content-manifests file. (https://github.com/snyk/snyk-docker-plugin/pull/615)
• container: skip optional dependencies when testing Python projects to prevent "too many vulnerable paths for conversion to legacy test output" error (https://github.com/snyk/snyk-docker-plugin/pull/614)
• container, test, monitor prevents "Invalid JSON" being produced when debugging is enabled and policies are being applied. (https://github.com/snyk/cli/pull/5583)

caolan/async (async)

v3.2.6

Compare Source

v3.2.5

Compare Source

• Ensure Error objects such as AggregateError are propagated without modification (#​1920)

v3.2.4

Compare Source

• Fix a bug in priorityQueue where it didn't wait for the result. (#​1725)
• Fix a bug where unshiftAsync was included in priorityQueue. (#​1790)

v3.2.3

Compare Source

• Fix bugs in comment parsing in autoInject. (#​1767, #​1780)

expressjs/csurf (csurf)

v1.11.0

Compare Source

===================

• deps: [email protected]
  • Add SameSite=None support
• deps: http-errors@~1.7.3
  • deps: [email protected]

SamVerschueren/decode-uri-component (decode-uri-component)

v0.4.1

Compare Source

• Add TypeScript type definitions c345b4c

v0.4.0

Compare Source

• Require Node.js 14 and move to ESM (#​11) b09e39d

v0.3.0

Compare Source

• Do not decode + to a space - fixes #​3 3bbc879

socketio/socket.io (engine.io)

v6.6.4

Compare Source

The bump of the cookie dependency was reverted, as it drops support for older Node.js versions (< 14).

Dependencies

• ws@~8.17.1 (no change)

v6.6.3

Compare Source

This release contains a bump of the cookie dependency.

Release notes: https://github.com/jshttp/cookie/releases/tag/v1.0.0

Dependencies

• ws@~8.17.1 (no change)

expressjs/express (express)

v4.21.2

Compare Source

What's Changed

• Add funding field (v4) by @​bjohansebas in https://github.com/expressjs/express/pull/6065
• deps: [email protected] by @​blakeembrey in https://github.com/expressjs/express/pull/5956
• deps: bump [email protected] by @​jonchurch in https://github.com/expressjs/express/pull/6209
• Release: 4.21.2 by @​UlisesGascon in https://github.com/expressjs/express/pull/6094

Full Changelog: expressjs/express@4.21.1...4.21.2

alphagov/govuk_elements (govuk-elements-sass)

v3.1.3

Compare Source

Changes:

• Fix missing arrow on the <details> element in Firefox (PR #​534)
• Heading classes set to display: block; (PR #​552)
• Add class to adjust fieldset top margin when used after error summary (PR #​552)
• Change error layout for single-question form pages (PR #​552)

v3.1.2

Compare Source

Guidance Changes

• Use h2 for error summary headings in form examples (#​510)
• Use aria-disabled to make disabled buttons compatible with older screen readers (JAWS 15 and below) (#​532)
• Change error summary ARIA role to "alert" (#​511)
• Reflect form validation error in page title (#​509)
• Remove "Example service name" from the confirmation page example (#​549)
• Remove tabindex attribute from the main element (#​534)
• Use the details polyfill from frontend toolkit (#​562)

Build Changes

• Update documentation to reference correct asset paths (#​531)
• Replace postinstall script with Heroku's postbuild script (#​530)
• Switch to Heroku deploying on successful CI run rather than triggering it from Travis (#​559)
• Ensure documentation styles don't override examples (#​548)

Dependencies

• Update govuk_template_jinja to 0.23.0 (#​558)
• Update govuk_frontend_toolkit to v7.1.0 (#​526, #​562)
• Update run-sequence to version 2.1.0 (#​537)

v3.1.1

Compare Source

v3.1.0

Compare Source

3.1.0

• Split the list of partials imported by GOV.UK elements into two further files - elements and frontend-toolkit.
  This supports npm-sass, where the frontend toolkit dependencies are imported separately (PR #​489).
• Add a new class .body-text for use inside legends, for text to accompany radio buttons or checkboxes - either 'select one', or 'select all that apply'.
  Ensure legends or elements within legends have margins in webkit browsers (PR #​484).
• Move the breadcrumb so it sits outside the main element (PR #​478)
• Constrain error summary boxes to 2/3 of the page width (PR #​477)
• Remove the right padding from the last column of items in a table.
  Remove color set for table headers and cells, to allow users to change colour settings (PR #​482
• Align table captions to the left (PR #​476).
• Add guidance for use of table captions (PR #​488).
• Fix unnecessary float and width 100% for .form-section and .form-group (PR #​487).
• Fix incorrect margin above the last panel in a group (PR #​498).
• Add guidance for the mininum text size to be used with the highlight box on confimation boxes (PR #​481).
• Update govuk_template_jinja to 0.22.0 (PR #​493).

alphagov/govuk_template_jinja (govuk_template_jinja)

v0.26.0

Compare Source

v0.25.0

Compare Source

v0.24.1

Compare Source

v0.24.0

Compare Source

alphagov/govuk_template_mustache (govuk_template_mustache)

v0.26.0

Compare Source

v0.25.0

Compare Source

v0.24.1

Compare Source

v0.24.0

Compare Source

v0.23.3

Compare Source

v0.23.2

Compare Source

v0.23.1

Compare Source

v0.23.0

Compare Source

v0.22.3

Compare Source

v0.22.2

Compare Source

v0.22.1

Compare Source

v0.22.0

Compare Source

v0.21.0

Compare Source

v0.20.1

Compare Source

v0.20.0

Compare Source

hashicorp/terraform (hashicorp/terraform)

v1.11.0

Compare Source

1.11.0 (February 27, 2025)

NEW FEATURES:

• Add write-only attributes to resources. Providers can specify that certain attributes are write-only. They are not persisted in state. You can use ephemeral values in write-only attributes. (#​36031)

• terraform test: The -junit-xml option for the terraform test command is now generally available. This option allows the command to create a test report in JUnit XML format. Feedback during the experimental phase helped map terraform test concepts to the JUnit XML format, and new additons may happen in future releases. (#​36324)

• S3 native state locking is now generally available. The use_lockfile argument enables users to adopt the S3-native mechanism for state locking. As part of this change, we've deprecated the DynamoDB-related arguments in favor of this new locking mechanism. While you can still use DynamoDB alongside S3-native state locking for migration purposes, we encourage migrating to the new state locking mechanism. (#​36338)

ENHANCEMENTS:

• init: Provider installation will utilise credentials configured in a .netrc file for the download and shasum URLs returned by provider registries. (#​35843)

• terraform test: Test runs now support using mocked or overridden values during unit test runs (e.g., with command = "plan"). Set override_during = plan in the test configuration to use the overridden values during the plan phase. The default value is override_during = apply. (#​36227)

• terraform test: Add new state_key attribute for run blocks, allowing test authors control over which internal state file should be used for the current test run. (#​36185)

• Updates the azure backend authentication to match the terraform-provider-azurermprovider authentication, in several ways:

  • github.com/hashicorp/go-azure-helpers: v0.43.0 -> v0.71.0
  • github.com/hashicorp/go-azure-sdk/[resource-manager/sdk]: v0.20241212.1154051. This replaces the deprecated Azure SDK used before
  • github.com/jackofallops/giovanni: v0.15.1 -> v0.27.0. Meanwhile, updating the azure storage API version from 2018-11-09 to 2023-11-03
  • Following new properties are added for the azure backend configuration:
    • use_cli
    • use_aks_workload_identity
    • client_id_file_path
    • client_certificate
    • client_id_file_path
    • client_secret_file_path
      (#​36258)

• Include ca-certificates package in our official Docker image to help with certificate handling by downstream (#​36486)

BUG FIXES:

• ephemeral values: correct error message when ephemeral values are included in provisioner output (#​36427)

• Attempting to override a variable during apply via TF_VAR_ environment variable will now yield warning instead of misleading error. (#​36435)

• backends: Fix crash when interrupting during interactive prompt for values (#​36448)

• Fixes hanging behavior seen when applying a saved plan with -auto-approve using the cloud backend (#​36453)

Previous Releases

For information on prior major and minor releases, refer to their changelogs:

• v1.10
• v1.9
• v1.8
• v1.7
• v1.6
• v1.5
• v1.4
• v1.3
• v1.2
• v1.1
• v1.0
• v0.15
• v0.14
• v0.13
• v0.12
• v0.11 and earlier

v1.10.5

Compare Source

1.10.5 (January 22, 2025)

BUG FIXES:

• element(...): no longer crashes when asked for a negative index into a tuple. (#​36376)

• Updated dependency github.com/hashicorp/go-slug v0.16.0 => v0.16.3 to integrate latest changes (fix for CVE-2025-0377) (#​36273)

• jsondecode(...): improved error message when objects contain duplicate keys (#​36376)

v1.10.4

Compare Source

1.10.4 (January 8, 2025)

BUG FIXES:

• type conversion: Empty map conversions now return correct type information (#​36262)

• terraform console: Fix crash when printing ephemeral values (#​36267)

v1.10.3

Compare Source

1.10.3 (December 18, 2024)

BUG FIXES:

• Terraform could panic when encountering an error during plan encoding (#​36212)

v1.10.2

Compare Source

1.10.2 (December 11, 2024)

BUG FIXES:

• cli: variables in an auto-loaded tfvars file which were overridden during plan incorrectly show as changed during apply [GH-36180]

v1.10.1

Compare Source

1.10.1 (December 4, 2024)

BUG FIXES:

• cli: Complex variables values set via environment variables were parsed incorrectly during apply (#​36121)
• config: templatefile would panic if given and entirely unknown map of variables (#​36118)
• config: templatefile would panic if the variables map contains marked values (#​36127)
• config: Remove constraint that an expanded resource block must only be used in conjunction with imports using for_each (#​36119)
• backend/s3: Lock files could not be written to buckets with object locking enabled (#​36120)

v1.10.0

Compare Source

1.10.0 (November 27, 2024)

NEW FEATURES:

• Ephemeral resources: Ephemeral resources are read anew during each phase of Terraform evaluation, and cannot be persisted to state storage. Ephemeral resources always produce ephemeral values.
• Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
  • ephemeralasnull function: a function takes a value of any type and returns a similar value of the same type with any ephemeral values replaced with non-ephemeral null values and all non-ephemeral values preserved.

BUG FIXES:

• The secret_suffix in the kubernetes backend now includes validation to prevent errors when the secret_suffix ends with a number (#​35666).
• The error message for an invalid default value for an input variable now indicates when the problem is with a nested value in a complex data type. (#​35465)
• Sensitive marks could be incorrectly transferred to nested resource values, causing erroneous changes during a plan (#​35501)
• Allow unknown error_message values to pass the core validate step, so variable validation can be completed later during plan
  (#​35537)
• Unencoded slashes within GitHub module source refs were being truncated and incorrectly used as subdirectories in the request path (#​35552)
• Terraform refresh-only plans with output only changes are now applyable. (#​35812)
• Postconditions referencing self with many instances could encounter an error during evaluation (#​35895)
• The plantimestamp() function would return an invalid date during validation (#​35902)
• Updates to resources which were forced to use create_before_destroy could lose that flag in the state temporarily and cause cycles if immediately removed from the configuration (#​35966)
• backend/cloud: Prefer KV tags, even when tags are defined as set (#​35937)
• Simplify config generation (plan -generate-config-out) for string attributes that contain primitive types (e.g. numbers or booleans) (#​35984)
• config: issensitive could incorrectly assert that an unknown value was not sensitive during plan, but later became sensitive during apply, causing failures where changes did not match the planned result (#​36012)
• config: The evaluation of conditional expressions and for expression in HCL could lose marks with certain combinations of unknown values (#​36017)

ENHANCEMENTS:

• The element function now accepts negative indices (#​35501)
• Import block validation has been improved to provide more useful errors and catch more invalid cases during terraform validate (#​35543)
• Performance enhancements for resource evaluation, especially when large numbers of resource instances are involved (#​35558)
• The plan, apply, and refresh commands now produce a deprecated warning when using the -state flag. Instead use the path attribute within the local backend to modify the state file. (#​35660)
• backend/cos: Add new auth for Tencent Cloud backend (#​35888)

UPGRADE NOTES:

• backend/s3: Removes deprecated attributes for assuming IAM role. Must use the assume_role block (#​35721)
• backend/s3: The s3 backend now supports S3 native state locking. When used with DynamoDB-based locking, locks will be acquired from both sources. In a future minor release of Terraform the DynamoDB locking mechanism and associated arguments will be deprecated. (#​35661)
• moved: Moved blocks now respect reserved keywords when parsing resource addresses. Configurations that reference resources with type names that match top level blocks and keywords from moved blocks will need to prepend the resource. identifier to these references. (#​35850)
• config: In order to ensure consistency in results from HCL conditional expressions, marks must be combined from all values within the expression to avoid losing mark information. This typically improves accuracy when validating configuration, but users may see sensitive results where they were lost previously.

Previous Releases

For information on prior major and minor releases, refer to their changelogs:

• v1.9
• v1.8
• v1.7
• v1.6
• v1.5
• v1.4
• v1.3
• v1.2
• v1.1
• v1.0
• v0.15
• v0.14
• v0.13
• v0.12
• v0.11 and earlier

v1.9.8

Compare Source

1.9.8 (October 16, 2024)

BUG FIXES:

• init: Highlight missing subdirectories of registry modules in error message (#​35848)
• init: Prevent crash when loading provider_meta blocks with invalid names (#​35842)
• config generation: Escape all invalid syntax in generate map keys with quotes (#​35837)
• plan: also validate provider requirements from state (#​35864)

v1.9.7

Compare Source

1.9.7 (October 2, 2024)

BUG FIXES:

• config generation: escape map keys with whitespaces (#​35754)

v1.9.6

Compare Source

1.9.6 (September 18, 2024)

BUG FIXES:

• plan renderer: Render complete changes within unknown nested blocks. (#​35644)
• plan renderer: Fix crash when attempting to render unknown nested blocks that contain attributes forcing resource replacement. (#​35644)
• plan renderer: Fix crash when rendering a plan that contains null attributes being update to unknown values. (#​35709)

v1.9.5

Compare Source

1.9.5 (August 20, 2024)

ENHANCEMENTS:

• cloud: The cloud block can now interact with workspaces that have HCP resource IDs. (#​35495)

BUG FIXES:

• core: removed blocks with provisioners were not executed when the resource was in a nested module. (#​35611)

---

Configuration

📅 Schedule: Branch creation - "after 7am and before 11am every weekday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.