chore(deps): upgrade project dependencies to latest versions (#272)

* chore(deps): upgrade project dependencies to latest versions

upgrade project dependencies to latest versions

GH-271

* fix(ci): pin trivy-action to immutable commit SHA for supply-chain safety

Agent-Logs-Url: https://github.com/sourcefuse/loopback4-notifications/sessions/7524a630-bf35-486e-a73e-1541c2fe1e82

Co-authored-by: rohit-sourcefuse <16935898+rohit-sourcefuse@users.noreply.github.com>

* fix(ci): correct trivy-action commit SHA to valid v0.35.0 SHA

Agent-Logs-Url: https://github.com/sourcefuse/loopback4-notifications/sessions/e04a6e1d-b349-40c1-aa8f-15cd0f16fb4b

Co-authored-by: rohit-sourcefuse <16935898+rohit-sourcefuse@users.noreply.github.com>

* chore(deps): upgraded to latest dependencies, comment resolved

* Update main.yaml

* chore(cic-d): Change npm install to npm ci in release workflow

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: rohit-sourcefuse <16935898+rohit-sourcefuse@users.noreply.github.com>
Co-authored-by: Vinay Gupta <vinay.gupta@sourcefuse.com>
Co-authored-by: yeshamavani <83634146+yeshamavani@users.noreply.github.com>

Author: 5 people

.github/workflows/main.yaml

@@ -13,12 +13,12 @@ jobs:
       matrix:
         node-version: [20, 22, 24]
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install Dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
       - name: Run Test Cases
         run: npm run test
 

.github/workflows/release.yaml

@@ -13,7 +13,7 @@ jobs:
     # environment: production  # Uncomment if you set an environment name in npm trusted publisher settings
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           # fetch-depth is necessary to get all tags
           # otherwise lerna can't detect the changes and will end up bumping the versions for all packages
@@ -38,7 +38,7 @@ jobs:
           CONFIG_EMAIL: ${{ vars.RELEASE_COMMIT_EMAIL }}
 
       - name: Install 📌
-        run: npm install
+        run: npm ci --ignore-scripts
 
       - name: Test 🔧
         run: npm run test

.github/workflows/sync-docs.yaml

@@ -18,13 +18,13 @@ jobs:
 
     steps:
       - name: Checkout Extension Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           token: ${{env.GITHUB_TOKEN}}
           path: './extension/'
 
       - name: Checkout Docs Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           token: ${{env.GITHUB_TOKEN}}
           repository: ${{env.DOCS_REPO}}

.github/workflows/trivy.yaml

@@ -19,11 +19,11 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
-          scan-type: "fs"
-          scan-ref: "${{ github.workspace }}"
-          trivy-config: "${{ github.workspace }}/trivy.yml"
+          scan-type: 'fs'
+          scan-ref: '${{ github.workspace }}'
+          trivy-config: '${{ github.workspace }}/trivy.yml'