Update dependencies and security vulnerabilities

[mattpaz]

In addition to #91 flat dependencies are growing long in the tooth.

As of 2024-02-17, there are 32 vulnerabilities (15 moderate, 12 high, 5 critical).

Outdated Modules

Package                              Current    Wanted    Latest  Location                                    Depended by
@actions/core                          1.2.6    1.10.1    1.10.1  node_modules/@actions/core                  flat
@actions/exec                          1.0.4     1.1.1     1.1.1  node_modules/@actions/exec                  flat
@actions/github                        4.0.0     4.0.0     6.0.0  node_modules/@actions/github                flat
@tinyhttp/content-disposition          1.2.0     1.3.0     2.2.0  node_modules/@tinyhttp/content-disposition  flat
@types/jest                          26.0.20   26.0.24   29.5.12  node_modules/@types/jest                    flat
@types/node                         14.14.37  14.18.63  20.11.19  node_modules/@types/node                    flat
@vercel/ncc                           0.27.0    0.27.0    0.38.1  node_modules/@vercel/ncc                    flat
axios                                 0.21.1    0.21.4     1.6.7  node_modules/axios                          flat
connection-string                      4.3.2     4.4.0     4.4.0  node_modules/connection-string              flat
csv-stringify                          5.6.2     5.6.5     6.4.5  node_modules/csv-stringify                  flat
es-mime-types                         0.0.16    0.0.16     0.1.4  node_modules/es-mime-types                  flat
husky                                  6.0.0     6.0.0    9.0.11  node_modules/husky                          flat
jest                                  26.6.3    26.6.3    29.7.0  node_modules/jest                           flat
jest-circus                           26.6.3    26.6.3    29.7.0  node_modules/jest-circus                    flat
mssql                                  6.3.1     6.4.1    10.0.2  node_modules/mssql                          flat
pg                                     8.5.1    8.11.3    8.11.3  node_modules/pg                             flat
prettier                               2.2.1     2.8.8     3.2.5  node_modules/prettier                       flat
reflect-metadata                      0.1.13    0.1.14     0.2.1  node_modules/reflect-metadata               flat
sqlite3                                5.1.6     5.1.7     5.1.7  node_modules/sqlite3                        flat
ts-jest                               26.5.3    26.5.6    29.1.2  node_modules/ts-jest                        flat
typeorm                               0.2.31    0.2.45    0.3.20  node_modules/typeorm                        flat
typescript                             4.2.3     4.9.5     5.3.3  node_modules/typescript                     flat
zod                            3.0.0-alpha.4    3.22.4    3.22.4  node_modules/zod                            flat

Audit Summary

@actions/core  <=1.9.0
Severity: moderate
@actions/core has Delimiter Injection Vulnerability in exportVariable - https://github.com/advisories/GHSA-7r3h-m5j6-3q42
fix available via `npm audit fix`
node_modules/@actions/core

@azure/ms-rest-nodeauth  <=3.0.9
Severity: high
Depends on vulnerable versions of @azure/ms-rest-js
Improper Privilege Management in Azure ms-rest-nodeauth - https://github.com/advisories/GHSA-qpfw-4m9x-rxx8
Depends on vulnerable versions of adal-node
fix available via `npm audit fix`
node_modules/@azure/ms-rest-nodeauth
  tedious  6.3.0 - 6.7.0 || 7.0.0 - 9.2.1
  Depends on vulnerable versions of @azure/ms-rest-nodeauth
  node_modules/tedious

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

async  3.0.0 - 3.2.1
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/async

axios  <=1.5.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
fix available via `npm audit fix`
node_modules/axios

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix`
node_modules/browserslist

decode-uri-component  <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component

follow-redirects  <=1.15.3
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
fix available via `npm audit fix`
node_modules/follow-redirects

ip  *
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/ip
  socks  1.0.0 - 2.7.1
  Depends on vulnerable versions of ip
  node_modules/socks

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse

qs  6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/qs

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix`
node_modules/request
  adal-node  <=0.2.2 || >=2.0.0-pre
  Depends on vulnerable versions of request
  Depends on vulnerable versions of xmldom
  node_modules/adal-node
  jsdom  0.1.20 || 0.2.0 - 16.5.3
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-native
  node_modules/jsdom
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    Depends on vulnerable versions of tough-cookie
    node_modules/request-promise-native

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@mapbox/node-pre-gyp/node_modules/semver
node_modules/@npmcli/fs/node_modules/semver
node_modules/jest-snapshot/node_modules/semver
node_modules/node-gyp/node_modules/semver
node_modules/node-notifier/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/sane/node_modules/semver
node_modules/semver
node_modules/ts-jest/node_modules/semver

tmpl  <1.0.5
Severity: high
tmpl vulnerable to Inefficient Regular Expression Complexity which may lead to resource exhaustion - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix`
node_modules/@azure/ms-rest-js/node_modules/tough-cookie
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
node_modules/tough-cookie
  @azure/ms-rest-js  <=2.6.6
  Depends on vulnerable versions of tough-cookie
  Depends on vulnerable versions of xml2js
  node_modules/@azure/ms-rest-js

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws  7.0.0 - 7.4.5
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix`
node_modules/ws

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xml2js
  typeorm  0.1.0-alpha.1 - 0.3.14-dev.daf1b47 || >=0.3.21-dev.28a8383
  Depends on vulnerable versions of xml2js
  node_modules/typeorm

xmldom  *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
fix available via `npm audit fix`
node_modules/xmldom