chore(deps): bump minimatch and @apollo/gateway in /tests/scenario/lambda-frameworks/apollo-federation-supergraph/app

[dependabot]

Bumps minimatch to 10.2.2 and updates ancestor dependency @apollo/gateway. These dependencies need to be updated together.

Updates minimatch from 9.0.5 to 10.2.2

Changelog

Sourced from minimatch's changelog.

change log

10.2

• Add braceExpandMax option

10.1

• Add magicalBraces option for escape
• Fix makeRe when partial: true is set.
• Fix makeRe when pattern ends in a final ** path part.

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

• f42b239 10.2.2
• fa2133b update deps
• b9d0153 ci: update action workflows
• 35d9ee9 expand engines to include node 18
• 6d7ac34 10.2.1
• 2e111f3 coalesce consecutive non-globstar * characters
• 1a62a2a 10.2.0
• 758b5a3 changelog 10.2
• 903e50b add braceExpandMax option, format
• a50a110 10.1.3
• Additional commits viewable in compare view

Updates @apollo/gateway from 2.8.2 to 2.13.1

Release notes

Sourced from @​apollo/gateway's releases.

@​apollo/gateway@​2.13.1

Patch Changes

• Allow bumping make-fetch-happen dependency to v15. (#3374)

  This change allows users to upgrade make-fetch-happen to v15, which in turn will allow updating the cacache dependency from v17 to v20, dropping the tar v6 dependency that is marked as vulnerable.

  The only breaking changes in make-fetch-happen from v11 to v15 are removals of support for old end-of-life Node.js versions.

  There is only one note from the 12.0.0 release of make-fetch-happen that might be of interest when considering the upgrade:

  this changes the underlying http agents to those provided by @​npmcli/agent. Backwards compatibility should be fully implemented but due to the scope of this change it was made a breaking change out of an abundance of caution.

  As a result, it should be possible for most users to upgrade from v11 to v15 without any issues.

  We still keep the dependency to v11 as an alternative for people that cannot upgrade to v15 for some reason. This will be removed in a future version of @apollo/gateway.

  Even for users that stay on v11, there should not be any immediate danger. While cacache had tar v6 as a dependency, it actually never used it. It seems that that dependency had become unused at some point but was never removed. So users on make-fetch-happen v11 are not actually affected by the vulnerability in tar v6.

  The dependency might hold the tar package required by other packages back, though. In case an update from v11 to v15 is not possible, users should consider to use the resolution override feature of their package manager to force the dependency from cacache to tar to either be removed or updated to a newer version. As cacache does not actually use tar, this should not cause any issues.

• Updated dependencies []:

  • @​apollo/composition@​2.13.1
  • @​apollo/federation-internals@​2.13.1
  • @​apollo/query-planner@​2.13.1

@​apollo/gateway@​2.13.0

Minor Changes

• Drop Node.js 14/16 support, require Node.js 18+ (#3364)

Patch Changes

• Updated dependencies [f4d2f4a1f50a92be37ea7179eddb3681f36d9d15, 523b13b715e75033f0bdbc176416e59ac01de8f0, ecbe182423313b3a94c185dee6b659573435b141, 4c64006b1604471940e20aa1aa46a0f75a6396df, 873577a2b7ae8ce507e0ca4377aed049e1a15075]:
  • @​apollo/query-planner@​2.13.0
  • @​apollo/composition@​2.13.0
  • @​apollo/federation-internals@​2.13.0

@​apollo/gateway@​2.13.0-preview.2

Minor Changes

• • Drop Node.js 14/16 support, require Node.js 18+ (#3364)

Patch Changes

• Updated dependencies [f4d2f4a1f50a92be37ea7179eddb3681f36d9d15, ecbe182423313b3a94c185dee6b659573435b141]:
  • @​apollo/query-planner@​2.13.0-preview.2
  • @​apollo/composition@​2.13.0-preview.2
  • @​apollo/federation-internals@​2.13.0-preview.2

... (truncated)

Changelog

Sourced from @​apollo/gateway's changelog.

2.13.1

Patch Changes

• Allow bumping make-fetch-happen dependency to v15. (#3374)

  This change allows users to upgrade make-fetch-happen to v15, which in turn will allow updating the cacache dependency from v17 to v20, dropping the tar v6 dependency that is marked as vulnerable.

  The only breaking changes in make-fetch-happen from v11 to v15 are removals of support for old end-of-life Node.js versions.

  There is only one note from the 12.0.0 release of make-fetch-happen that might be of interest when considering the upgrade:

  this changes the underlying http agents to those provided by @​npmcli/agent. Backwards compatibility should be fully implemented but due to the scope of this change it was made a breaking change out of an abundance of caution.

  As a result, it should be possible for most users to upgrade from v11 to v15 without any issues.

  We still keep the dependency to v11 as an alternative for people that cannot upgrade to v15 for some reason. This will be removed in a future version of @apollo/gateway.

  Even for users that stay on v11, there should not be any immediate danger. While cacache had tar v6 as a dependency, it actually never used it. It seems that that dependency had become unused at some point but was never removed. So users on make-fetch-happen v11 are not actually affected by the vulnerability in tar v6.

  The dependency might hold the tar package required by other packages back, though. In case an update from v11 to v15 is not possible, users should consider to use the resolution override feature of their package manager to force the dependency from cacache to tar to either be removed or updated to a newer version. As cacache does not actually use tar, this should not cause any issues.

• Updated dependencies []:

  • @​apollo/composition@​2.13.1
  • @​apollo/federation-internals@​2.13.1
  • @​apollo/query-planner@​2.13.1

2.13.0

Minor Changes

• Drop Node.js 14/16 support, require Node.js 18+ (#3364)

Patch Changes

• Updated dependencies [f4d2f4a1f50a92be37ea7179eddb3681f36d9d15, 523b13b715e75033f0bdbc176416e59ac01de8f0, ecbe182423313b3a94c185dee6b659573435b141, 4c64006b1604471940e20aa1aa46a0f75a6396df, 873577a2b7ae8ce507e0ca4377aed049e1a15075]:
  • @​apollo/query-planner@​2.13.0
  • @​apollo/composition@​2.13.0
  • @​apollo/federation-internals@​2.13.0

2.12.2

Patch Changes

• Updated dependencies [238d9d71e831e4f3e8d8e334ad6952cc19c073b1]:
  • @​apollo/federation-internals@​2.12.2
  • @​apollo/composition@​2.12.2
  • @​apollo/query-planner@​2.12.2

2.12.1

... (truncated)

Commits

• 5ccf15a release: on branch main (#3380)
• 2c0e462 allow bumping make-fetch-happen dependency to v15 (#3374)
• 9ef306d release: on branch main (#3373)
• 0e3a65a release: on branch next (preview) (#3367)
• 7ed1768 release: on branch next (preview) (#3361)
• e22869f Merge branch 'main' into 'next'
• fec0c7d release: on branch main (#3358)
• bda422b release: on branch next (preview) (#3351)
• fd436fa release: on branch main (#3345)
• 8aee9f7 release: on branch next (#3322)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​apollo/gateway since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.