chore(deps): bump the npm_and_yarn group across 6 directories with 19 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the / directory: send, pug and vite.
Bumps the npm_and_yarn group with 3 updates in the /dev/coverage-action directory: @octokit/plugin-paginate-rest, @octokit/request and undici.
Bumps the npm_and_yarn group with 2 updates in the /dev/del-old-packages directory: @octokit/request and @octokit/core.
Bumps the npm_and_yarn group with 5 updates in the /dev/deploy-to-container directory:

Package	From	To
brace-expansion	2.0.1	2.0.2
cross-spawn	7.0.3	7.0.6
nanoid	5.0.9	5.1.5
tar-fs	2.0.1	2.1.3
dockerode	4.0.3	4.0.7

Bumps the npm_and_yarn group with 4 updates in the /dev/diff directory: brace-expansion, cross-spawn, tar-fs and dockerode.
Bumps the npm_and_yarn group with 6 updates in the /playwright directory:

Package	From	To
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
ip	2.0.0	removed
socks	2.7.1	2.8.5
semver	6.3.0	7.5.4
tar	6.1.15	6.2.1

Updates send from 0.18.0 to 0.19.0

Release notes

Sourced from send's releases.

0.19.0

What's Changed

• Remove link renderization in html while redirecting (pillarjs/send#235)

New Contributors

• @​UlisesGascon made their first contribution in pillarjs/send#235

Full Changelog: pillarjs/send@0.18.0...0.19.0

Changelog

Sourced from send's changelog.

0.19.0 / 2024-09-10

• Remove link renderization in html while redirecting

Commits

• 9d2db99 0.19.0
• ae4f298 Merge commit from fork
• See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.

Updates pug from 3.0.2 to 3.0.3

Release notes

Sourced from pug's releases.

pug-code-gen@3.0.3

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

pug@3.0.3

Bug Fixes

• Update pug-code-gen with the following fix: (#3438)

  Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

Commits

• 32acfe8 fix: ensure template names are valid identifiers (#3438)
• 4767caf refactor: convert pug-error to TypeScript (#3355)
• a724446 chore: update character-parser (#3354)
• 6cca8f7 docs: fix GitHub format in README (#3335)
• See full diff in compare view

Updates vite from 4.5.3 to 4.5.14

Release notes

Sourced from vite's releases.

v4.5.14

Please refer to CHANGELOG.md for details.

v4.5.13

Please refer to CHANGELOG.md for details.

v4.5.12

Please refer to CHANGELOG.md for details.

v4.5.11

Please refer to CHANGELOG.md for details.

v4.5.10

Please refer to CHANGELOG.md for details.

v4.5.9

Please refer to CHANGELOG.md for details.

v4.5.8

Please refer to CHANGELOG.md for details.

v4.5.7

Please refer to CHANGELOG.md for details.

v4.5.6

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

4.5.14 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19967) (7739479), closes #19965 #19967
• chore: run format (99afb60)

4.5.13 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19832) (41f3819), closes #19830 #19832

4.5.12 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19785) (0a3dcf5), closes #19782 #19785

4.5.11 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19763) (26e1764), closes #19761 #19763

4.5.10 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19704) (315695e), closes #19702 #19704

4.5.9 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (0bc52e0), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (8f63cd6), closes #19249

4.5.8 (2025-01-20)

• fix: try parse server.origin URL (#19241) (3680bad), closes #19241

4.5.7 (2025-01-20)

• fix: crypto.getRandomValues is not available in old Node versions (#19237) (f4d3c46), closes #19237

... (truncated)

Commits

• 9bfe2b1 release: v4.5.14
• 7739479 fix: backport #19965, check static serve file inside sirv (#19967)
• 99afb60 chore: run format
• cd60e8b release: v4.5.13
• 41f3819 fix: backport #19830, reject requests with # in request-target (#19832)
• 6104add release: v4.5.12
• 0a3dcf5 fix: backport #19782, fs check with svg and relative paths (#19785)
• 07ddc3e release: v4.5.11
• 26e1764 fix: backport #19761, fs check in transform middleware (#19763)
• 86e7a6b release: v4.5.10
• Additional commits viewable in compare view

Updates pug-code-gen from 3.0.2 to 3.0.3

Release notes

Sourced from pug-code-gen's releases.

pug-code-gen@3.0.3

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

Commits

• 32acfe8 fix: ensure template names are valid identifiers (#3438)
• 4767caf refactor: convert pug-error to TypeScript (#3355)
• a724446 chore: update character-parser (#3354)
• 6cca8f7 docs: fix GitHub format in README (#3335)
• d4b7f60 Properly handle errors originating from included files when compileDebug is e...
• d6f0615 fix capture groups for "each" statements (#3274)
• 73ea7cf fix: keep lexer plugins inside tag interpolation (#3296)
• 29a53c5 fix: Fix pug-lexer parsed escaped interpolations incorrectly (#3299)
• 60b1b15 chore: update supported versions (#3315)
• See full diff in compare view

Updates @octokit/plugin-paginate-rest from 9.0.0 to 9.2.2

Release notes

Sourced from @​octokit/plugin-paginate-rest's releases.

v9.2.2

9.2.2 (2025-02-15)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (#660) (e1e4489)

v9.2.1

9.2.1 (2024-03-01)

Bug Fixes

• pkg: pin @octokit/core peerDependency to v5 (#599) (5b84386)

v9.2.0

9.2.0 (2024-02-22)

Features

• new /orgs/{org}/organization-roles/{role_id}/teams and /orgs/{org}/organization-roles/{role_id}/users endpoints (#594) (75aeaaf)

v9.1.5

9.1.5 (2023-12-04)

Bug Fixes

• bump octokit/types minor version (#581) (65baec4)

v9.1.4

9.1.4 (2023-11-12)

Bug Fixes

• deps: bump @octokit/types (#575) (27db9ae)

v9.1.3

9.1.3 (2023-11-09)

Bug Fixes

• deps: bump @octokit/types (#574) (0940cb7)

v9.1.2

9.1.2 (2023-10-26)

... (truncated)

Commits

• e1e4489 fix: ReDos regex vulnerability, reported by @​DayShift (#660)
• 5b84386 fix(pkg): pin @octokit/core peerDependency to v5 (#599)
• fa01f94 ci(action): update actions/add-to-project action to v0.6.0 (#598)
• 75aeaaf feat: new /orgs/{org}/organization-roles/{role_id}/teams and `/orgs/{org}/o...
• 54d6bcf chore(deps): update dependency prettier to v3.2.5
• 1bfa2f8 chore(deps): update dependency npm-run-all2 to v6
• eb4a8fe chore(deps): replace dependency npm-run-all with npm-run-all2 ^5.0.0
• 11ef779 chore(deps): update dependency esbuild to ^0.20.0
• 2b6cc98 ci(action): update peter-evans/create-or-update-comment action to v4
• d7c9de5 chore(deps): update dependency prettier to v3.2.4 (#588)
• Additional commits viewable in compare view

Updates @octokit/request from 8.1.4 to 8.4.1

Release notes

Sourced from @​octokit/request's releases.

v8.4.1

8.4.1 (2025-02-15)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (#741) (356411e)

v8.4.0

8.4.0 (2024-04-09)

Features

• re-add redirect request option (#636) (abc4955), closes #599

v8.3.1

8.3.1 (2024-04-05)

Bug Fixes

• upgrade @octokit/endpoint (4e7127c)

v8.3.0

8.3.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types (6822e8b)

Features

• security: Add provenance (#685) (2e67925)

v8.2.0

8.2.0 (2024-02-09)

Features

• add documentation link in error message (#667) (dbfeab2)

v8.1.6

8.1.6 (2023-11-22)

Bug Fixes

... (truncated)

Commits

• 356411e fix: ReDos regex vulnerability, reported by @​DayShift (#741)
• abc4955 feat: re-add redirect request option (#636)
• 4e7127c fix: upgrade @octokit/endpoint
• 2e67925 feat(security): Add provenance (#685)
• 6822e8b fix: upgrade @octokit/types
• dbfeab2 feat: add documentation link in error message (#667)
• c013de4 docs: fix spelling errors (#671)
• 3d22c38 chore(deps): update dependency prettier to v3.2.5
• 984ec17 chore(deps): update dependency esbuild to ^0.20.0
• 2a9cf78 ci(action): update peter-evans/create-or-update-comment action to v4
• Additional commits viewable in compare view

Updates @octokit/request-error from 5.0.1 to 5.1.1

Release notes

Sourced from @​octokit/request-error's releases.

v5.1.1

5.1.1 (2025-02-14)

Bug Fixes

• ReDos regex vulnerability, reported by @​dayshift (12a14f0)

v5.1.0

5.1.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types to v13 (3af20bd)

Features

• security: Add provenance (#416) (94147e8)

Commits

• b51ed27 test: ReDos regex vulnerability, reported by @​dayshift
• 12a14f0 fix: ReDos regex vulnerability, reported by @​dayshift
• 3af20bd fix: upgrade @octokit/types to v13
• 94147e8 feat(security): Add provenance (#416)
• See full diff in compare view

Updates undici from 5.26.4 to 5.29.0

Release notes

Sourced from undici's releases.

v5.29.0

What's Changed

• Fix tests in v5.x for Node 20 by @​mcollina in nodejs/undici#4104
• Removed clients with unrecoverable errors from the Pool nodejs/undici#4088

Full Changelog: nodejs/undici@v5.28.5...v5.29.0

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

v5.28.4

⚠️ Security Release ⚠️

• Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
• Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

• CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in nodejs/undici#2470
• fix: remove node: prefix by @​tsctx in nodejs/undici#2471
• perf: avoid Headers initialization by @​tsctx in nodejs/undici#2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in nodejs/undici#2466
• fix: Add null type to signal in RequestInit by @​gebsh in nodejs/undici#2455
• fix: correctly handle data URL with hashes. by @​tsctx in nodejs/undici#2475
• fix: check response for timinginfo allow flag by @​ToshB in nodejs/undici#2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in nodejs/undici#2478
• refactor: better integrity check by @​tsctx in nodejs/undici#2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in nodejs/undici#2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in nodejs/undici#2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in nodejs/undici#2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in nodejs/undici#2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in nodejs/undici#2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in nodejs/undici#2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in nodejs/undici#2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in nodejs/undici#2302

... (truncated)

Commits

• 9528f68 Bumped v5.29.0
• f1d75a4 increase timeout for redirect test
• 2d31ed6 remove fuzzing tests
• 6b36d49 fix redirect test in Node v16
• 648dd8f more fix for the wpt runner on Windows
• a0516ba don't use internal header state for cookies (#3295)
• 87ce4af fix test/client for node 20
• c2c8fd5 fix: accept v20 SSL specific error for alpn selection in http/2
• 82200bd [v6.x] fix wpts on windows (#4093)
• 47546fa test: fix windows wpt (#4050)
• Additional commits viewable in compare view

Updates @octokit/request from 6.2.2 to 10.0.2

Release notes

Sourced from @​octokit/request's releases.

v8.4.1

8.4.1 (2025-02-15)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (#741) (356411e)

v8.4.0

8.4.0 (2024-04-09)

Features

• re-add redirect request option (#636) (abc4955), closes #599

v8.3.1

8.3.1 (2024-04-05)

Bug Fixes

• upgrade @octokit/endpoint (4e7127c)

v8.3.0

8.3.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types (6822e8b)

Features

• security: Add provenance (#685) (2e67925)

v8.2.0

8.2.0 (2024-02-09)

Features

• add documentation link in error message (#667) (dbfeab2)

v8.1.6

8.1.6 (2023-11-22)

Bug Fixes

... (truncated)

Commits

• 356411e fix: ReDos regex vulnerability, reported by @​DayShift (#741)
• abc4955 feat: re-add redirect request option (#636)
• 4e7127c fix: upgrade @octokit/endpoint
• 2e67925 feat(security): Add provenance (#685)
• 6822e8b fix: upgrade @octokit/types
• dbfeab2 feat: add documentation link in error message (#667)
• c013de4 docs: fix spelling errors (#671)
• 3d22c38 chore(deps): update dependency prettier to v3.2.5
• 984ec17 chore(deps): update dependency esbuild to ^0.20.0
• 2a9cf78 ci(action): update peter-evans/create-or-update-comment action to v4
• Additional commits viewable in compare view

Updates @octokit/core from 4.2.4 to 7.0.2

Release notes

Sourced from @​octokit/core's releases.

v7.0.2

7.0.2 (2025-05-20)

Bug Fixes

• deps: update octokit monorepo (major) (#742) (629fa4e)

v7.0.1

7.0.1 (2025-05-20)

Bug Fixes

• deps: update dependency before-after-hook to v4 (#739) (2abf89e)

v7.0.0

7.0.0 (2025-05-20)

Continuous Integration

• stop testing against NodeJS v18 (#738) (78747bf)

BREAKING CHANGES

• Drop support for NodeJS v18

• build: set minimal node version in build script to v20

• ci: stop testing against NodeJS v18

v6.1.5

6.1.5 (2025-04-10)

Bug Fixes

• deps: update dependency @​octokit/types to v14 (#731) (3700c41)

v6.1.4

6.1.4 (2025-02-13)

Bug Fixes

• deps: bump Octokit dependencies vulnerable to ReDos (#723) (582d8bd)

... (truncated)

Commits

• 629fa4e fix(deps): update octokit monorepo (major) (#742)
• 1aba598 chore(deps): update dependency undici to v7 (#711)
• 2abf89e fix(deps): update dependency before-after-hook to v4 (#739)
• 78747bf ci: stop testing against NodeJS v18 (#738)
• 38dd554 chore(deps): update dependency undici to v6.21.2 [security] (#741)
• f7cb18f build: remove glob (#737)
• 22243bd chore(deps): bump vite from 6.2.6 to 6.3.4 (#735)
• e0d36c5 ci: replace OCTOKITBOT_PROJECT_ACTION_TOKEN and OCTOKITBOT_PAT with a tok...
• e72addd chore(deps): bump vite from 6.2.5 to 6.2.6 (#733)
• 3700c41 fix(deps): update dependency @​octokit/types to v14 (#731)
• Additional commits viewable in compare view

Updates @octokit/request-error from 3.0.2 to 7.0.0

Release notes

Sourced from @​octokit/request-error's releases.

v5.1.1

5.1.1 (2025-02-14)

Bug Fixes

• ReDos regex vulnerability, reported by @​dayshift (12a14f0)

v5.1.0

5.1.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types to v13 (3af20bd)

Features

• security: Add provenance (#416) (94147e8)

Commits

• b51ed27 test: ReDos regex vulnerability, reported by @​dayshift
• 12a14f0 fix: ReDos regex vulnerability, reported by @​dayshift
• 3af20bd fix: upgrade @octokit/types to v13
• 94147e8 feat(security): Add provenance (#416)
• See full diff in compare view

Updates brace-expansion from 2.0.1 to 2.0.2

Release notes

Sourced from brace-expansion's releases.

v2.0.2

• pkg: publish on tag 2.x 14f1d91
• fmt ed7780a
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

---

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

• a3efcee 2.0.2
• 14f1d91 pkg: publish on tag 2.x
• ed7780a fmt
• 36603d5 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates nanoid from 5.0.9 to 5.1.5

Release notes

Sourced from nanoid's releases.

5.1.5

• Fixed latest version on npm after 3.x release.

5.1.4

• Fixed latest version on npm after 3.x release.

5.1.3

• Fixed React Native support (by @​steida).

5.1.2

• Fixed module docs.

5.1.1

• Fixed opaque types support for non-secure generator.
• Added JSR support.

5.1.0

• Added opaque types support (by @​kossnocorp).

Changelog

Sourced from nanoid's changelog.

5.1.5

• Fixed latest version on npm after 3.x release.

5.1.4

• Fixed latest version on npm after 3.x release.

5.1.3

• Fixed React Native support (by @​steida).

5.1.2

• Fixed module docs.

5.1.1

• Fixed opaque types support for non-secure generator.
• Added JSR support.

5.1.0

• Added opaque types support (by @​kossnocorp).

Commits

• 5b1220d Release 5.1.5 version
• e62fd22 Backport changes from 3.x
• 991dc53 Update benchmark
• 523a74e Release 5.1.4 version
• 7772155 Backport Changelog changes from v3
• 8e456c2 Update dependencies
• 29025b2 Add the first PR author
• 2839aac Fix merge conflict
• 50b6d96 Fix Expo, #468 (#515)
• 32bc9bf Release 5.1.3 version
• Additional commits viewable in compare view

Updates tar-fs from 2.0.1 to 2.1.3

Commits

• 4b7e868 2.1.3
• 266194b hardlink tweak from main
• d97731b 2.1.2
• fd1634e symlink tweak from main
• 7ec11cb 2.1.1
• 207879d bump travis
• ac27bac more docs
• f80a770 add fix by @​k13-engineering
• 2b9eb7a update standard (#85)
• 21cb738 Dependency bump for CVE-2020-8244 (#97)
• Additional commits viewable in compare view

Updates dockerode from 4.0.3 to 4.0.7

Release notes

Sourced from dockerode's releases.

v4.0.7

What's Changed

• Bump tar-fs from 2.1.2 to 2.1.3 by @​dependabot in apocas/dockerode#808

Full Changelog: apocas/dockerode@v4.0.6...v4.0.7

v4.0.6

What's Changed

• Update image.inspect method to accept options by @​jpinz in apocas/dockerode#800

New Contributors

• @​jpinz made their first contribution in apocas/dockerode#800

Full Changelog: apocas/dockerode@v4.0.5...v4.0.6

v4.0.5

What's Changed

• Bump serialize-javascript and mocha by @​dependabot in apocas/dockerode#791
• fixed typo in README.md by @​vedantmishra69 in apocas/dockerode#788
• Use JSON serialization for cachefrom option by @​pipex in apocas/dockerode#793
• Bump tar-fs from 2.0.1 to 2.1.2 by @​dependabot in apocas/dockerode#801

New Contributors

• @​vedantmishra69 made their first contribution in apocas/dockerode#788
• @​pipex made their first contribution in apocas/dockerode#793

Full Changelog: apocas/dockerode@v4.0.4...v4.0.5

v4.0.4

What's Changed

• Declare 'extend' variable in docker.js by @​gaberudy in apocas/dockerode#784

New Contributors

• @​gaberudy made their first contribution in apocas/dockerode#784

Full Changelog: apocas/dockerode@v4.0.3...v4.0.4

Commits...

Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.