build: deps updated

[xmlking]

Before submitting this PR: update 3 dependencies to fix CVE alerts

1. execa =2.0.0
2. xpress=4.17.3
3. protobuf=v1.33.0

Checklist

• [x] No breaking changes
• [x] Tests pass
• [ ] New features have new tests
• [ ] Documentation is updated

Breaking changes

Avoid breaking changes and regressions. If you feel it is unavoidable, make it explicit in your PR comment so we can review it and see how to handle it.

Tests

• please make sure your changes pass the current tests (Use the make test or the make watch command).
• if you are introducing a new feature, please write as much tests as possible.

Documentation

Please make sure the documentation is updated accordingly, in particular:

• Workflows. Workflows are Mermaid sequence diagrams
• Schema. The schema in a Mermaid ER diagram
• Environment variables. Please adjust the .env.example file accordingly
• OpenApi specifications. We are using inline JSDoc annotations

[dbarrosop]

Hi, thanks for the contribution, this and other updates were covered in our monthly scheduled though:

https://github.com/nhost/hasura-auth/pull/493

Otherwise let us know. Thanks!

[xmlking]

@dbarrosop I scanned 0.28.0 looks like we also need to lock execa "execa@<=0.10.0": ">=2.0.0", currently it is showing critical GMS-2020-2

[dbarrosop]

I suspect it is a false positive but if you want to open a PR to make your scanner happy be my guest:

$ pnpm audit
No known vulnerabilities found

Keep in mind that dependency is only used during tests.

[xmlking]

good to know, it is only used for tests.

found it when I scan docker image with docker scout cves nhost/hasura-auth:0.28.0

It would be just peace of mind and easy to convince managers to approve :) I will PR "execa@<=0.10.0": ">=2.0.0", if you don't mind.

Thanks