Bump @contentful/f36-components from 4.0.17 to 4.56.2 in /subhub-link-checker

[dependabot]

Bumps @contentful/f36-components from 4.0.17 to 4.56.2.

Changelog

Sourced from @​contentful/f36-components's changelog.

---

title: What's new slug: '/whats-new' section: 'introduction'

The Changelog gives an overview of the changes we've made to Forma 36

12-12-2023

F36 Tokens v4.0.3

• feat(Text): add letterSpacing support

F36 Typography v4.56.2

• feat(Text): add letterSpacing support

09-12-2023

F36 Core v4.56.1

• Map gap 'none' to 0px

07-12-2023

F36 Button v4.55.1

• fix(Button): default padding for small size

F36 Badge v4.56.0

• Allow passing icons to Badge component with small size

06-12-2023

F36 Copybutton v4.55.0

• Make CopyButton component visual props less strict

02-12-2023

F36 Button v4.54.5

• Consume density context on buttons

F36 Utils v4.24.2

... (truncated)

Commits

• 3621453 feat(Text): add letterSpacing support (#2633)
• f3c3530 chore: adjust npm-package-publisher action (#2632)
• 898e498 docs: update changelog on repository and website
• 05071e6 docs(changelog): add changelogs for 35be000ac [skip ci]
• 35be000 fix(Flex): map gap 'none' to 0px (#2625)
• fac5462 chore: add npm-package-publisher (#2631)
• b9b5989 chore: add changelog to alpha packages (#2630)
• 991d7ee chore: adjust release token + vault policy (#2629)
• 0965800 chore: replace npm registry with GitHub packages (#2628)
• 9d277ba feat(DensityContainer): add package (#2618)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

In general, this should be fixed by adding a permissions block that limits the GITHUB_TOKEN to the least privileges required. For a linting workflow that only checks out code and runs linters, read access to repository contents is sufficient, so contents: read is an appropriate minimal setting.

The best fix without changing existing functionality is to add a permissions block at the workflow root level, directly under the name: Lint line. This will apply to all jobs in the workflow (there is only run-linters), and restrict GITHUB_TOKEN to read-only contents access. No other code changes, imports, or steps are required.

Concretely, in .github/workflows/linting.yml, insert:

permissions:
  contents: read

between line 1 (name: Lint) and line 3 (on:). This documents the intended minimal permissions and ensures the workflow remains least-privilege even if repository or organization defaults change.

To fix the problem, add an explicit permissions block that restricts the GITHUB_TOKEN to the least privilege needed. Since this workflow only checks out the code and then calls Sentry’s release action (which uses an explicit Sentry token, not GITHUB_TOKEN), it should be sufficient to grant read-only access to repository contents.

The best, minimal-impact fix is to add a workflow‑level permissions section directly under the name (or on) key, so it applies to all jobs by default. In .github/workflows/sentry.yml, between lines 1–3 (after name: Sentry Release and before on:), insert:

permissions:
  contents: read

No imports or extra definitions are required. This change documents the workflow’s needs and ensures the GITHUB_TOKEN remains read‑only even if org/repo defaults change.

In general, to fix log injection you should avoid writing raw user input directly to logs. At minimum, remove characters that can affect log structure (like \n and \r), and clearly label user-controlled sections in log messages. For logs that might be rendered as HTML, HTML-encode user inputs before logging.

For this specific case in hub-search-proxy/handler.js, the best fix is to sanitize event.body before interpolating it into the log message. We can create a sanitized version of the string by converting event.body to a string (to be safe) and removing any newline and carriage return characters using String.prototype.replace with a regular expression. Then log the sanitized string instead of the raw body. This change should be done immediately before the console.log call at line 53, and no new imports are necessary. Existing behavior is preserved, except that log output will no longer contain embedded line breaks injected by the caller.

Concretely:

• In the module.exports.search function, replace the direct console.log(\Received query: ${event.body}`);` with:
  • A new local variable, e.g. const safeBody = String(event.body).replace(/[\r\n]/g, '');
  • A log statement using safeBody instead of event.body.
    No other parts of the function need to change.