
Chore: Update packages #40

Merged
stevensJourney merged 10 commits into main from update-packages
May 27, 2026
Conversation


@stevensJourney stevensJourney commented May 4, 2026

This bumps external dependencies, in order to avoid some warnings provided by tools such as NPMX.

An example of a recent report:

[image: screenshot of the report]

The above seems to contain strange warnings. E.g. we didn't explicitly increase our dependency requirements between versions - perhaps this is related to internal dependencies. We also don't use that version of glob in our codebase.

After bumping these versions, a pnpm audit currently shows these items:

```text
❯ pnpm audit
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ uuid: Missing buffer bounds check in v3/v5/v6 when buf │
│                     │ is provided                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ uuid                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <14.0.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=14.0.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ cli>@journeyapps-labs/common-utils>uuid                │
│                     │                                                        │
│                     │ cli>@powersync/service-sync-rules>uuid                 │
│                     │                                                        │
│                     │ packages__editor>nitro-nightly>unstorage>@azure/       │
│                     │ identity>@azure/msal-node>uuid                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-w5hq-g745-h8pq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Arbitrary File Write in cli                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ cli                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.0.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ cli                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-6cpc-mj5c-m9rq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
4 vulnerabilities found
Severity: 1 low | 3 moderate
```

Here the `cli` entry seems to be a false match of our /cli folder to the `cli` package published to npm. The `uuid` entry requires changes to the mentioned packages.

TODOs:

  • Bump uuid package in sub dependencies

Additional Fix

As an additional fix, this fixes the release flow to build the installer artifacts in the same workflow as the release workflow (in a separate job). Currently, the onRelease workflow is not triggered, due to blocked recursive GitHub Actions invocations.
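The triage done by hand above (deciding that the `cli` row is a name collision with the local /cli folder, and working out which direct dependents pull in the vulnerable `uuid`) can be scripted. The following Node script is an added example, not code from this PR or the project. It assumes `pnpm audit --json` emits an object with an `advisories` map whose entries carry `module_name`, `severity`, `vulnerable_versions`, `github_advisory_id` and `findings: [{ version, paths }]`, with each path a `>`-separated chain that starts at a workspace project, and it treats a one-segment path as the workspace project itself, which is how the `cli` row reads in the table above. The sample report and the `WORKSPACE_ROOTS` set are constructed to mirror that table; the version numbers in the sample are made up.

```javascript
// Added example (not from the PR or the project): triage a `pnpm audit --json`
// report for a pnpm workspace. Advisories whose only path is a workspace
// project's own name are reported as name collisions; every other path is a
// real finding, and the direct dependent of the vulnerable module is the
// package that has to be bumped.

// Constructed sample standing in for real `pnpm audit --json` output. Package
// names and paths mirror the audit table in the PR; versions are made up.
const SAMPLE_AUDIT = {
  advisories: {
    1001: {
      module_name: 'uuid',
      severity: 'moderate',
      vulnerable_versions: '<14.0.0',
      github_advisory_id: 'GHSA-w5hq-g745-h8pq',
      findings: [{
        version: '9.0.0',
        paths: [
          'cli>@journeyapps-labs/common-utils>uuid',
          'cli>@powersync/service-sync-rules>uuid',
          'packages__editor>nitro-nightly>unstorage>@azure/identity>@azure/msal-node>uuid',
        ],
      }],
    },
    1002: {
      module_name: 'cli',
      severity: 'low',
      vulnerable_versions: '<1.0.0',
      github_advisory_id: 'GHSA-6cpc-mj5c-m9rq',
      findings: [{ version: '0.1.0', paths: ['cli'] }],
    },
  },
};

// Workspace projects as they appear at the head of audit paths (constructed;
// assumption: pnpm prints the project directory with '/' replaced by '__').
const WORKSPACE_ROOTS = new Set(['cli', 'packages__editor']);

// Classify every (advisory, path) pair into name collisions vs real findings.
function triageAudit(audit, workspaceRoots) {
  const falseMatches = [];
  const findings = [];
  const bumpSets = {};

  for (const adv of Object.values(audit.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const chain = path.split('>');
        const root = chain[0];
        const leaf = chain[chain.length - 1];

        // A one-segment path naming a workspace project means the audit matched
        // the local project's own name/version against the registry package of
        // the same name. Nothing was installed; this is a name collision.
        if (chain.length === 1 && workspaceRoots.has(root) && leaf === adv.module_name) {
          falseMatches.push({ ghsa: adv.github_advisory_id, module: adv.module_name, root });
          continue;
        }

        // Real finding: the package to bump is the direct dependent of the
        // vulnerable module, i.e. the second-to-last segment of the path.
        const dependent = chain.length >= 2 ? chain[chain.length - 2] : root;
        findings.push({
          ghsa: adv.github_advisory_id,
          module: adv.module_name,
          severity: adv.severity,
          root,
          dependent,
          depth: chain.length - 1, // hops from the workspace project to the module
          chain,
        });
        if (!bumpSets[adv.module_name]) bumpSets[adv.module_name] = new Set();
        bumpSets[adv.module_name].add(dependent);
      }
    }
  }

  const bumpTargets = Object.fromEntries(
    Object.entries(bumpSets).map(([mod, deps]) => [mod, [...deps].sort()]),
  );
  return { falseMatches, findings, bumpTargets };
}

// One count per path, which matches the summary line in the PR: two advisories
// but "4 vulnerabilities found", split 1 low | 3 moderate.
function countBySeverity(audit) {
  const counts = {};
  for (const adv of Object.values(audit.advisories)) {
    const paths = adv.findings.reduce((n, f) => n + f.paths.length, 0);
    counts[adv.severity] = (counts[adv.severity] || 0) + paths;
  }
  return counts;
}

// Stand-alone run: print what to bump and what is only a name collision.
const result = triageAudit(SAMPLE_AUDIT, WORKSPACE_ROOTS);
for (const fm of result.falseMatches) {
  console.log(`${fm.ghsa}: "${fm.module}" matches workspace project "${fm.root}" by name only`);
}
for (const [mod, deps] of Object.entries(result.bumpTargets)) {
  console.log(`${mod}: bump in ${deps.join(', ')}`);
}
console.log(countBySeverity(SAMPLE_AUDIT));
```

To use it on a real repo, run `pnpm audit --json > audit.json` and pass the parsed file in place of `SAMPLE_AUDIT`. For a name collision the durable fix is to give the workspace project a name the registry cannot match (for example a scoped name), since audit tooling keys advisories on the package name; the `bumpTargets` output is the list of direct dependents whose own `uuid` requirement has to move before the transitive findings can clear.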

@stevensJourney
Collaborator Author

The current remaining sources of uuid are @journeyapps-labs/common-sdk and @journeyapps-labs/common-utils. The uuid dependency was removed from those in journeyapps-labs/common#17; however, the publishing pipeline seems to be broken in that repo at the moment. These packages use ^ range dependencies, so they should automatically update once they are actually released.

I've configured Dependabot to automatically check for updates and create update PRs.

@stevensJourney stevensJourney marked this pull request as ready for review May 27, 2026 08:44
@stevensJourney stevensJourney requested a review from LucDeCaf May 27, 2026 08:44

@LucDeCaf LucDeCaf left a comment


LGTM. I noticed we added oclif to the PNPM catalog; I'm guessing that's just to make applying the patch across all our packages easier, but I think we should also consider adding other shared dependencies to the catalog (eg. typescript, @types/*).

@stevensJourney
Collaborator Author

> LGTM. I noticed we added oclif to the PNPM catalog; I'm guessing that's just to make applying the patch across all our packages easier, but I think we should also consider adding other shared dependencies to the catalog (eg. typescript, @types/*).

Jip, we should share more catalog versions in future :)

@stevensJourney stevensJourney merged commit 284e9cb into main May 27, 2026
6 checks passed
@stevensJourney stevensJourney deleted the update-packages branch May 27, 2026 09:29