chore(deps): [security] bump strapi-plugin-content-type-builder from 3.2.1 to 3.2.5

[dependabot-preview]

Bumps strapi-plugin-content-type-builder from 3.2.1 to 3.2.5. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Improper Authorization in Strapi In Strapi before 3.2.5, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.

Affected versions: < 3.2.5

Release notes

Sourced from strapi-plugin-content-type-builder's releases.

v3.2.5

🚨 Security

These security issues are only exploitable by a user with admin panel access and the right permissions.

• [core:framework] Add permission to CTB routes (strapi/strapi#8439) @Convly
• [plugin:content-manager] Fix XSS security with the wysiwyg preview (strapi/strapi#8440) @soupette
• [plugin:upload] Remove usage of unsecure proxy for now (strapi/strapi#8442) @alexandrebodin

Big shoutouts 🔥 to Tomáš Melicher and Lukáš Václavík for finding these issues and helping us make Strapi better !

🐛 Bug fix

• [admin] Fix #8413 - Immer dependancy (strapi/strapi#8420) @derrickmehaffy
• [core:database] fix d&p regressions (strapi/strapi#8314) @petersg83
• [core:database] Fix deepFiltering with draft & publish (strapi/strapi#8356) @Convly

💅 Enhancement

• [admin] add didUpdateRolePermissions event (strapi/strapi#8333) @petersg83
• [documentation] Adapt README.md because NodeJS 14 is supported now (strapi/strapi#8417) @bykof

---

📚 Migration guides can be found here 📚

v3.2.4

Migration Guide for this release: here

🚨 Security

• [plugin:users-permissions] Add confirmationToken to user for email confirmation (strapi/strapi#8365) @alexandrebodin

🐛 Bug fix

• [core:framework] Fix validations for custom field types (strapi/strapi#8297) @sam899
• [core:framework] Fix wrong permissions assigns (upload, users-permissions) (strapi/strapi#8320) @Convly
• [plugin:content-manager] Add right padding if contains some right adornment for UID input (strapi/strapi#8174) @tanmoyopenroot
• [plugin:graphql] Support query operators _or & _where in graphql with deep nesting (strapi/strapi#8332) @alexandrebodin
• [plugin:upload] Fix file info of new uploaded file not being persisted after edit (strapi/strapi#8244) @henrych4
• [plugin:users-permissions] Fix links action on role list page (strapi/strapi#8272) @MattieBelt

💅 Enhancement

• [admin] Add Academy link to the 'Join the community' card in the homepage (strapi/strapi#8316) @Mcastres
• [core:database] Don't use mongoose 5.10.7 (strapi/strapi#8278) @jlsjonas
• [core:database] better error handling for missing model error (strapi/strapi#8328) @TC-42-54
• [core:framework] Support node v14 + CI refactor (strapi/strapi#8226) @alexandrebodin
• [documentation] Adds warnings and workarounds for Brotli performance in koa-compress (strapi/strapi#8261) @albatrocity
• [documentation] Update admin panel screenshot (strapi/strapi#8265) @thomaspockrandt

Commits

• c785915 v3.2.5
• 328c1a3 Merge pull request #8442 from strapi/security/upload-proxy-disable
• b515e75 Merge pull request #8420 from strapi/fix/8413
• 1149f8c Merge pull request #8417 from bykof/patch-1
• fbf8313 Remove usage of unsecure proxy for now
• b324020 Merge pull request #8440 from strapi/fix/preview-security
• 3cdd739 Merge pull request #8439 from strapi/fix/ctb-permissions
• aedac98 Fix XSS wysiwyg preview
• 15e8a76 Add permission to CTB routes
• 4d00bc0 Merge pull request #8432 from strapi/dependabot/npm_and_yarn/eslint-plugin-no...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)