
chore: update aws-sdk to patch GHSA-776f-qx25-q3cc #522

Merged
merged 2 commits into from
Feb 10, 2025

Conversation

nickdirienzo
Contributor

In this PR:

Updates aws-sdk to latest to patch GHSA-776f-qx25-q3cc.

From my monorepo where I implemented turborepo-remote-cache, npm audit showed me this:

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xml2js
  aws-sdk  <=2.1353.0
  Depends on vulnerable versions of xml2js
  node_modules/aws-sdk
    turborepo-remote-cache  >=1.7.4
    Depends on vulnerable versions of aws-sdk
    services/turborepo-remote-cache/node_modules/turborepo-remote-cache

I also moved minio over to a separate port because running pnpm run test was causing intermittent failures between s3 and minio due to address in use errors. I can drop this change from the PR if no one else is experiencing this.

Issues reference:

Let me know if I should make one for this change.

Checklist:

  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Have you linted your code with pnpm lint locally prior to submission?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully run the build with pnpm build of your changes locally?
  • Have you successfully run the tests with pnpm test of your changes locally?
  • Have you committed using Conventional Commits?
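The advisory this PR patches, GHSA-776f-qx25-q3cc, is a prototype-pollution bug in xml2js below 0.5.0: an XML element name ends up used as a key on a plain JavaScript object, and an element named `__proto__` reaches Object.prototype. The JavaScript below is an added illustration of that bug class, not xml2js's code and not turborepo-remote-cache's. It pairs a naive XML-to-object converter that pollutes the shared prototype with a hardened version, and runs both on a hostile document. The tokenizer (`parseXml`), the sample documents, `FORBIDDEN_KEYS` and the function names are all assumptions made for this example.

```javascript
'use strict';

// Constructed sample documents for this example (not taken from the advisory).
const HOSTILE_XML = '<root><__proto__><polluted>yes</polluted></__proto__></root>';
const BENIGN_XML = '<root><name>alice</name><tag>a</tag><tag>b</tag></root>';

// Minimal tokenizer so the example runs offline: nested elements and text only,
// no attributes, comments, CDATA or entities. Returns the root element node.
function parseXml(xml) {
  const tokens = xml.match(/<\/?[^>]+>|[^<]+/g) || [];
  const doc = { name: null, children: [], text: '' };
  const stack = [doc];
  for (const tok of tokens) {
    const top = stack[stack.length - 1];
    if (tok.startsWith('</')) {
      stack.pop();
    } else if (tok.startsWith('<')) {
      const node = { name: tok.slice(1, -1).trim(), children: [], text: '' };
      top.children.push(node);
      stack.push(node);
    } else {
      top.text += tok;
    }
  }
  return doc.children[0];
}

// VULNERABLE converter: element names become keys on a plain {} through the
// "look the slot up, create it if missing, fill it" pattern. For a child named
// __proto__, obj['__proto__'] resolves to Object.prototype, so the slot is not
// undefined and the grandchildren are copied onto the prototype shared by every
// object in the process. Repeated leaf elements keep the last value (arrays are
// out of scope for this illustration).
function toObjectVulnerable(node) {
  const obj = {};
  for (const child of node.children) {
    if (child.children.length === 0) {
      obj[child.name] = child.text.trim();
      continue;
    }
    let slot = obj[child.name];
    if (slot === undefined) slot = obj[child.name] = {};
    Object.assign(slot, toObjectVulnerable(child));
  }
  return obj;
}

// Keys that must never come from input: the first is the prototype accessor,
// the other two reach Object.prototype through obj.constructor.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED converter: result objects have no prototype at all, "exists" means
// an own property only, and hostile names are rejected instead of used.
function toObjectSafe(node) {
  const obj = Object.create(null);
  for (const child of node.children) {
    if (FORBIDDEN_KEYS.has(child.name)) {
      throw new Error(`refusing to use element name "${child.name}" as an object key`);
    }
    if (child.children.length === 0) {
      obj[child.name] = child.text.trim();
      continue;
    }
    const exists = Object.prototype.hasOwnProperty.call(obj, child.name);
    const slot = exists ? obj[child.name] : (obj[child.name] = Object.create(null));
    Object.assign(slot, toObjectSafe(child));
  }
  return obj;
}

// Runs a converter on the hostile document and reports whether an unrelated,
// freshly created object picked up the injected property. Cleans up afterwards
// so any pollution does not leak into the rest of the process.
function pollutionCheck(convert) {
  const before = ({}).polluted;
  let error = null;
  try {
    convert(parseXml(HOSTILE_XML));
  } catch (e) {
    error = e.message;
  }
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after, error };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', pollutionCheck(toObjectVulnerable));
  console.log('hardened:  ', pollutionCheck(toObjectSafe));
  console.log('benign:    ', toObjectSafe(parseXml(BENIGN_XML)));
}
```

The same pattern is what `npm audit` is flagging transitively here: the application never parses XML itself, but aws-sdk's XML handling does, so any attacker-controlled document that reaches that code path can set properties on every object in the process. Rejecting the hostile names is the belt; building results with `Object.create(null)` is the braces, because it leaves nothing for `__proto__` to resolve to even if a check is missed.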


socket-security bot commented Feb 9, 2025

Updated and removed dependencies detected.

Package                                            New capabilities   Transitives   Size     Publisher
npm/[email protected] 🔁 npm/[email protected]    Transitive: eval   +36           103 MB   aws-sdk-bot



socket-security bot commented Feb 9, 2025

🚨 Potential security issues detected.

To accept the risk, merge this PR and you will not be notified again.

Alert                         Package                  Note   Source   CI
Environment variable access   npm/[email protected]                    🚫


Next steps

What is environment variable access?

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@matteovivona matteovivona requested review from fox1t and matteovivona and removed request for fox1t February 9, 2025 11:02
@matteovivona matteovivona self-assigned this Feb 9, 2025
@matteovivona matteovivona merged commit f3e3935 into ducktors:main Feb 10, 2025
20 of 21 checks passed
@matteovivona
Contributor

🎉 This PR is included in version 2.2.12 🎉

The release is available on:

Your semantic-release bot 📦🚀
