bot: Update dependencies (bulk dependabot PRs) 2024-10-28

[github-actions]

✅ This PR was created by combining the following PRs:
#3187 bot: Bump vite from 5.4.9 to 5.4.10 in /playground
#3186 bot: Bump @types/react from 18.3.11 to 18.3.12 in /playground
#3185 bot: Bump eslint-plugin-react-refresh from 0.4.13 to 0.4.14 in /playground
#3182 bot: Bump github.com/ipfs/boxo from 0.24.0 to 0.24.2
#3181 bot: Bump github.com/zalando/go-keyring from 0.2.5 to 0.2.6
#3184 bot: Bump @typescript-eslint/parser from 8.10.0 to 8.11.0 in /playground
#3183 bot: Bump @typescript-eslint/eslint-plugin from 8.10.0 to 8.11.0 in /playground
#3180 bot: Bump github.com/lestrrat-go/jwx/v2 from 2.1.1 to 2.1.2

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.47%. Comparing base (fee0d7e) to head (3028cff).
Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #3188      +/-   ##
===========================================
+ Coverage    77.38%   77.47%   +0.10%     
===========================================
  Files          357      357              
  Lines        34809    34809              
===========================================
+ Hits         26934    26968      +34     
+ Misses        6256     6231      -25     
+ Partials      1619     1610       -9     

Flag	Coverage Δ
all-tests	77.47% <ø> (+0.10%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 11 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fee0d7e...3028cff. Read the comment docs.

[AndrewSisley]

LGTM, might be worth quickly checking that the playground still works given the line-loss count in package-lock.json

[AndrewSisley]

My bad, spoke to soon - the vuln checker is complaining - please sort that out first, or let us know if it is something we can ignore.

[fredcarle]

My bad, spoke to soon - the vuln checker is complaining - please sort that out first, or let us know if it is something we can ignore.

Vulnerabilities were with go std lib dependencies. using go 1.22.7 ensures these are covered.

There is two approches to this:

// Option 1
go 1.22.0
toolchain go1.22.7

or

// Option 2
go 1.22.7

Option 1 might be preferred here since it aligns with how we want to support go versions. It states that we are supporting language features and tools of 1.22.0 but that Defra should be compiled with the 1.22.7 toolchain.

[AndrewSisley]

Option 1 might be preferred here since it aligns with how we want to support go versions. It states that we are supporting language features and tools of 1.22.0 but that Defra should be compiled with the 1.22.7 toolchain.

Why would we not want the original, and not force users/compilers to pick a specific patch version?

go 1.22
toolchain go1.22.7

[fredcarle]

Why would we not want the original, and not force users/compilers to pick a specific patch version?

go 1.22
toolchain go1.22.7

go 1.22 no longer stays this way if you do go mod tidy. It did because our make tidy command specified go mod tidy -go=1.22

and not force users/compilers to pick a specific patch version

The toolchain is what forces compilers to use a specific patch. Using the toolchain directive for it will make it so go will fetch the required toolchain if it isn't available locally. Note that this is a minimum version. Users that have a newer go version locally will be using that newer version when compiling.

[AndrewSisley]

Ah okay, that is a little odd that Go works that way IMO, but I'm happy with the PR then :) Thanks for the explanation.