Release 2.36.0 (#4127)

## Release Notes
Thanks to: @cgillinger, @khassel, @KristjanESPERANTO, @sonnyb9
> ⚠️ This release needs nodejs version >=22.21.1 <23 || >=24 (no change
to previous release)

[Compare to previous Release
v2.35.0](https://github.com/MagicMirrorOrg/MagicMirror/compare/v2.35.0...v2.36.0)

This release falls outside the quarterly schedule. We opted for an early
release due to:
- Security fix for the internal cors proxy
- API change of the weather provider smi
- Several bug fixes

### Breaking Changes

The cors proxy is now disabled by default. If required, it must be
explicitly enabled in the `config.js` file. See the
[documentation](https://docs.magicmirror.builders/configuration/cors.html).

### ⚠️ Security

You can find several publicly accessible MagicMirror² instances.

This should never be done. Doing so makes your entire configuration,
including secrets and API keys, publicly visible. Furthermore, it allows
attackers to target the host; this is only prevented beginning with this
release.

Public MagicMirror² instances should always run behind a reverse proxy
with authentication.

### [core]
- Prepare Release 2.36.0 (#4126)
- Allow HTTPFetcher to pass through 304 responses (#4120)
- fix(http-fetcher): fall back to reloadInterval after retries exhausted
(#4113)
- config endpoint must handle functions in module configs (#4106)
- fix replaceSecretPlaceholder (#4104)
- restrict replaceSecretPlaceholder to cors with allowWhitelist (#4102)
- fix: prevent crash when config is undefined in socket handler (#4096)
- fix cors function for alpine linux (#4091)
- fix(cors): prevent SSRF via DNS rebinding (#4090)
- add option to disable or restrict cors endpoint (#4087)
- fix: prevent SSRF via /cors endpoint by blocking private/reserved IPs
(#4084)
- chore: add permissions section to enforce pull-request rules workflow
(#4079)
- update version for develop

### [dependencies]
- update dependencies (#4124)
- chore: update dependencies (#4088)
- refactor: enable ESLint rule "no-unused-vars" and handle related
issues (#4080)

### [modules/newsfeed]
- fix(newsfeed): prevent duplicate parse error callback when using
pipeline (#4083)

### [modules/updatenotification]
- fix(updatenotification): harden git command execution + simplify
checkUpdates (#4115)
- fix(tests): correct import path for git_helper module in
updatenotification tests (#4078)

### [modules/weather]
- fix(weather): use nearest openmeteo hourly data (#4123)
- fix(weather): avoid loading state after reconnect (#4121)
- weather: fix UV index display and add WeatherFlow precipitation
(#4108)
- fix(weather): restore OpenWeatherMap v2.5 support (#4101)
- fix(weather): use stable instanceId to prevent duplicate fetchers
(#4092)
- SMHI: migrate to SNOW1gv1 API (replace deprecated PMP3gv2) (#4082)

### [testing]
- ci(actions): set explicit token permissions (#4114)
- fix(http_fetcher): use undici.fetch when dispatcher is present (#4097)
- ci(codeql): also scan develop branch on push and PR (#4086)
- refactor: replace implicit global config with explicit global.config
(#4085)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: sam detweiler <sdetweil@gmail.com>
Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com>
Co-authored-by: Veeck <github@veeck.de>
Co-authored-by: veeck <gitkraken@veeck.de>
Co-authored-by: Magnus <34011212+MagMar94@users.noreply.github.com>
Co-authored-by: Ikko Eltociear Ashimine <eltociear@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: DevIncomin <56730075+Developer-Incoming@users.noreply.github.com>
Co-authored-by: Nathan <n8nyoung@gmail.com>
Co-authored-by: mixasgr <mixasgr@users.noreply.github.com>
Co-authored-by: Savvas Adamtziloglou <savvas-gr@greeklug.gr>
Co-authored-by: Konstantinos <geraki@gmail.com>
Co-authored-by: OWL4C <124401812+OWL4C@users.noreply.github.com>
Co-authored-by: BugHaver <43462320+bughaver@users.noreply.github.com>
Co-authored-by: BugHaver <43462320+lsaadeh@users.noreply.github.com>
Co-authored-by: Bugsounet - Cédric <github@bugsounet.fr>
Co-authored-by: Koen Konst <koenspero@gmail.com>
Co-authored-by: Koen Konst <c.h.konst@avisi.nl>
Co-authored-by: dathbe <github@beffa.us>
Co-authored-by: Marcel <m-idler@users.noreply.github.com>
Co-authored-by: Kevin G. <crazylegstoo@gmail.com>
Co-authored-by: Jboucly <33218155+jboucly@users.noreply.github.com>
Co-authored-by: Jboucly <contact@jboucly.fr>
Co-authored-by: Jarno <54169345+jarnoml@users.noreply.github.com>
Co-authored-by: Jordan Welch <JordanHWelch@gmail.com>
Co-authored-by: Blackspirits <blackspirits@gmail.com>
Co-authored-by: Samed Ozdemir <samed@xsor.io>
Co-authored-by: in-voker <58696565+in-voker@users.noreply.github.com>
Co-authored-by: Andrés Vanegas Jiménez <142350+angeldeejay@users.noreply.github.com>
Co-authored-by: cgillinger <christian.gillinger@gmail.com>
Co-authored-by: Sonny B <43247590+sonnyb9@users.noreply.github.com>
Co-authored-by: sonnyb9 <sonnyb9@users.noreply.github.com>

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "magicmirror",
-	"version": "2.35.0",
+	"version": "2.36.0",
 	"description": "The open source modular smart mirror platform.",
 	"keywords": [
 		"magic mirror",
@@ -90,55 +90,55 @@
 		"@fontsource/roboto": "^5.2.10",
 		"@fontsource/roboto-condensed": "^5.2.8",
 		"@fortawesome/fontawesome-free": "^7.2.0",
-		"ajv": "^8.18.0",
+		"ajv": "^8.20.0",
 		"animate.css": "^4.1.1",
 		"croner": "^10.0.1",
-		"eslint": "^10.1.0",
+		"eslint": "^10.2.1",
 		"express": "^5.2.1",
 		"feedme": "^2.0.2",
-		"globals": "^17.4.0",
+		"globals": "^17.5.0",
 		"helmet": "^8.1.0",
 		"html-to-text": "^9.0.5",
 		"iconv-lite": "^0.7.2",
 		"ipaddr.js": "^2.3.0",
 		"moment": "^2.30.1",
-		"moment-timezone": "^0.6.1",
-		"node-ical": "^0.25.6",
+		"moment-timezone": "^0.6.2",
+		"node-ical": "^0.26.0",
 		"nunjucks": "^3.2.4",
 		"pm2": "^6.0.14",
 		"socket.io": "^4.8.3",
 		"suncalc": "^1.9.0",
 		"systeminformation": "^5.31.5",
-		"undici": "^7.24.6",
+		"undici": "^8.1.0",
 		"weathericons": "^2.1.0"
 	},
 	"devDependencies": {
 		"@eslint/js": "^10.0.1",
 		"@stylistic/eslint-plugin": "^5.10.0",
-		"@vitest/coverage-v8": "^4.1.2",
-		"@vitest/eslint-plugin": "^1.6.14",
-		"@vitest/ui": "^4.1.2",
-		"cspell": "^9.7.0",
+		"@vitest/coverage-v8": "^4.1.5",
+		"@vitest/eslint-plugin": "^1.6.16",
+		"@vitest/ui": "^4.1.5",
+		"cspell": "^10.0.0",
 		"eslint-plugin-import-x": "^4.16.2",
-		"eslint-plugin-jsdoc": "^62.8.1",
-		"eslint-plugin-package-json": "^0.91.1",
-		"eslint-plugin-playwright": "^2.10.1",
+		"eslint-plugin-jsdoc": "^62.9.0",
+		"eslint-plugin-package-json": "^0.91.2",
+		"eslint-plugin-playwright": "^2.10.2",
 		"express-basic-auth": "^1.2.1",
 		"husky": "^9.1.7",
-		"jsdom": "^29.0.1",
+		"jsdom": "^29.1.0",
 		"lint-staged": "^16.4.0",
-		"markdownlint-cli2": "^0.22.0",
-		"msw": "^2.12.14",
-		"playwright": "^1.58.2",
-		"prettier": "^3.8.1",
+		"markdownlint-cli2": "^0.22.1",
+		"msw": "^2.13.6",
+		"playwright": "^1.59.1",
+		"prettier": "^3.8.3",
 		"prettier-plugin-jinja-template": "^2.1.0",
-		"stylelint": "^17.6.0",
+		"stylelint": "^17.9.1",
 		"stylelint-config-standard": "^40.0.0",
 		"stylelint-prettier": "^5.0.3",
-		"vitest": "^4.1.2"
+		"vitest": "^4.1.5"
 	},
 	"optionalDependencies": {
-		"electron": "^41.1.0"
+		"electron": "^41.3.0"
 	},
 	"engines": {
 		"node": ">=22.21.1 <23 || >=24"