chore(deps): bump the npm_and_yarn group across 6 directories with 18 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the / directory: send, pug and vite.
Bumps the npm_and_yarn group with 3 updates in the /dev/coverage-action directory: @octokit/plugin-paginate-rest, @octokit/request and undici.
Bumps the npm_and_yarn group with 2 updates in the /dev/del-old-packages directory: @octokit/request and @octokit/core.
Bumps the npm_and_yarn group with 4 updates in the /dev/deploy-to-container directory: cross-spawn, nanoid, tar-fs and dockerode.
Bumps the npm_and_yarn group with 3 updates in the /dev/diff directory: cross-spawn, tar-fs and dockerode.
Bumps the npm_and_yarn group with 6 updates in the /playwright directory:

Package	From	To
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
ip	2.0.0	removed
socks	2.7.1	2.8.4
semver	6.3.0	7.5.4
tar	6.1.15	6.2.1

Updates send from 0.18.0 to 0.19.0

Release notes

Sourced from send's releases.

0.19.0

What's Changed

• Remove link renderization in html while redirecting (pillarjs/send#235)

New Contributors

• @​UlisesGascon made their first contribution in pillarjs/send#235

Full Changelog: pillarjs/send@0.18.0...0.19.0

Changelog

Sourced from send's changelog.

0.19.0 / 2024-09-10

• Remove link renderization in html while redirecting

Commits

• 9d2db99 0.19.0
• ae4f298 Merge commit from fork
• See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.

Updates pug from 3.0.2 to 3.0.3

Release notes

Sourced from pug's releases.

pug-code-gen@3.0.3

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

pug@3.0.3

Bug Fixes

• Update pug-code-gen with the following fix: (#3438)

  Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

Commits

• 32acfe8 fix: ensure template names are valid identifiers (#3438)
• 4767caf refactor: convert pug-error to TypeScript (#3355)
• a724446 chore: update character-parser (#3354)
• 6cca8f7 docs: fix GitHub format in README (#3335)
• See full diff in compare view

Updates vite from 4.5.3 to 4.5.13

Release notes

Sourced from vite's releases.

v4.5.13

Please refer to CHANGELOG.md for details.

v4.5.12

Please refer to CHANGELOG.md for details.

v4.5.11

Please refer to CHANGELOG.md for details.

v4.5.10

Please refer to CHANGELOG.md for details.

v4.5.9

Please refer to CHANGELOG.md for details.

v4.5.8

Please refer to CHANGELOG.md for details.

v4.5.7

Please refer to CHANGELOG.md for details.

v4.5.6

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v4.5.5

Please refer to CHANGELOG.md for details.

v4.5.4

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

4.5.13 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19832) (41f3819), closes #19830 #19832

4.5.12 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19785) (0a3dcf5), closes #19782 #19785

4.5.11 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19763) (26e1764), closes #19761 #19763

4.5.10 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19704) (315695e), closes #19702 #19704

4.5.9 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (0bc52e0), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (8f63cd6), closes #19249

4.5.8 (2025-01-20)

• fix: try parse server.origin URL (#19241) (3680bad), closes #19241

4.5.7 (2025-01-20)

• fix: crypto.getRandomValues is not available in old Node versions (#19237) (f4d3c46), closes #19237

4.5.6 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (ef1049d)
• fix!: default server.cors: false to disallow fetching from untrusted origins (07b36d5)
• fix: verify token for HMR WebSocket connection (c065a77)

... (truncated)

Commits

• cd60e8b release: v4.5.13
• 41f3819 fix: backport #19830, reject requests with # in request-target (#19832)
• 6104add release: v4.5.12
• 0a3dcf5 fix: backport #19782, fs check with svg and relative paths (#19785)
• 07ddc3e release: v4.5.11
• 26e1764 fix: backport #19761, fs check in transform middleware (#19763)
• 86e7a6b release: v4.5.10
• 315695e fix: backport #19702, fs raw query with query separators (#19704)
• edad4d2 release: v4.5.9
• 8f63cd6 fix: allow CORS from loopback addresses by default (#19249)
• Additional commits viewable in compare view

Updates pug-code-gen from 3.0.2 to 3.0.3

Release notes

Sourced from pug-code-gen's releases.

pug-code-gen@3.0.3

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

Commits

• 32acfe8 fix: ensure template names are valid identifiers (#3438)
• 4767caf refactor: convert pug-error to TypeScript (#3355)
• a724446 chore: update character-parser (#3354)
• 6cca8f7 docs: fix GitHub format in README (#3335)
• d4b7f60 Properly handle errors originating from included files when compileDebug is e...
• d6f0615 fix capture groups for "each" statements (#3274)
• 73ea7cf fix: keep lexer plugins inside tag interpolation (#3296)
• 29a53c5 fix: Fix pug-lexer parsed escaped interpolations incorrectly (#3299)
• 60b1b15 chore: update supported versions (#3315)
• See full diff in compare view

Updates @octokit/plugin-paginate-rest from 9.0.0 to 9.2.2

Release notes

Sourced from @​octokit/plugin-paginate-rest's releases.

v9.2.2

9.2.2 (2025-02-15)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (#660) (e1e4489)

v9.2.1

9.2.1 (2024-03-01)

Bug Fixes

• pkg: pin @octokit/core peerDependency to v5 (#599) (5b84386)

v9.2.0

9.2.0 (2024-02-22)

Features

• new /orgs/{org}/organization-roles/{role_id}/teams and /orgs/{org}/organization-roles/{role_id}/users endpoints (#594) (75aeaaf)

v9.1.5

9.1.5 (2023-12-04)

Bug Fixes

• bump octokit/types minor version (#581) (65baec4)

v9.1.4

9.1.4 (2023-11-12)

Bug Fixes

• deps: bump @octokit/types (#575) (27db9ae)

v9.1.3

9.1.3 (2023-11-09)

Bug Fixes

• deps: bump @octokit/types (#574) (0940cb7)

v9.1.2

9.1.2 (2023-10-26)

... (truncated)

Commits

• e1e4489 fix: ReDos regex vulnerability, reported by @​DayShift (#660)
• 5b84386 fix(pkg): pin @octokit/core peerDependency to v5 (#599)
• fa01f94 ci(action): update actions/add-to-project action to v0.6.0 (#598)
• 75aeaaf feat: new /orgs/{org}/organization-roles/{role_id}/teams and `/orgs/{org}/o...
• 54d6bcf chore(deps): update dependency prettier to v3.2.5
• 1bfa2f8 chore(deps): update dependency npm-run-all2 to v6
• eb4a8fe chore(deps): replace dependency npm-run-all with npm-run-all2 ^5.0.0
• 11ef779 chore(deps): update dependency esbuild to ^0.20.0
• 2b6cc98 ci(action): update peter-evans/create-or-update-comment action to v4
• d7c9de5 chore(deps): update dependency prettier to v3.2.4 (#588)
• Additional commits viewable in compare view

Updates @octokit/request from 8.1.4 to 8.4.1

Release notes

Sourced from @​octokit/request's releases.

v8.4.1

8.4.1 (2025-02-15)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (#741) (356411e)

v8.4.0

8.4.0 (2024-04-09)

Features

• re-add redirect request option (#636) (abc4955), closes #599

v8.3.1

8.3.1 (2024-04-05)

Bug Fixes

• upgrade @octokit/endpoint (4e7127c)

v8.3.0

8.3.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types (6822e8b)

Features

• security: Add provenance (#685) (2e67925)

v8.2.0

8.2.0 (2024-02-09)

Features

• add documentation link in error message (#667) (dbfeab2)

v8.1.6

8.1.6 (2023-11-22)

Bug Fixes

... (truncated)

Commits

• 356411e fix: ReDos regex vulnerability, reported by @​DayShift (#741)
• abc4955 feat: re-add redirect request option (#636)
• 4e7127c fix: upgrade @octokit/endpoint
• 2e67925 feat(security): Add provenance (#685)
• 6822e8b fix: upgrade @octokit/types
• dbfeab2 feat: add documentation link in error message (#667)
• c013de4 docs: fix spelling errors (#671)
• 3d22c38 chore(deps): update dependency prettier to v3.2.5
• 984ec17 chore(deps): update dependency esbuild to ^0.20.0
• 2a9cf78 ci(action): update peter-evans/create-or-update-comment action to v4
• Additional commits viewable in compare view

Updates @octokit/request-error from 5.0.1 to 5.1.1

Release notes

Sourced from @​octokit/request-error's releases.

v5.1.1

5.1.1 (2025-02-14)

Bug Fixes

• ReDos regex vulnerability, reported by @​dayshift (12a14f0)

v5.1.0

5.1.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types to v13 (3af20bd)

Features

• security: Add provenance (#416) (94147e8)

Commits

• b51ed27 test: ReDos regex vulnerability, reported by @​dayshift
• 12a14f0 fix: ReDos regex vulnerability, reported by @​dayshift
• 3af20bd fix: upgrade @octokit/types to v13
• 94147e8 feat(security): Add provenance (#416)
• See full diff in compare view

Updates undici from 5.26.4 to 5.29.0

Release notes

Sourced from undici's releases.

v5.29.0

What's Changed

• Fix tests in v5.x for Node 20 by @​mcollina in nodejs/undici#4104
• Removed clients with unrecoverable errors from the Pool nodejs/undici#4088

Full Changelog: nodejs/undici@v5.28.5...v5.29.0

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

v5.28.4

⚠️ Security Release ⚠️

• Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
• Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

• CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in nodejs/undici#2470
• fix: remove node: prefix by @​tsctx in nodejs/undici#2471
• perf: avoid Headers initialization by @​tsctx in nodejs/undici#2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in nodejs/undici#2466
• fix: Add null type to signal in RequestInit by @​gebsh in nodejs/undici#2455
• fix: correctly handle data URL with hashes. by @​tsctx in nodejs/undici#2475
• fix: check response for timinginfo allow flag by @​ToshB in nodejs/undici#2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in nodejs/undici#2478
• refactor: better integrity check by @​tsctx in nodejs/undici#2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in nodejs/undici#2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in nodejs/undici#2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in nodejs/undici#2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in nodejs/undici#2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in nodejs/undici#2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in nodejs/undici#2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in nodejs/undici#2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in nodejs/undici#2302

... (truncated)

Commits

• 9528f68 Bumped v5.29.0
• f1d75a4 increase timeout for redirect test
• 2d31ed6 remove fuzzing tests
• 6b36d49 fix redirect test in Node v16
• 648dd8f more fix for the wpt runner on Windows
• a0516ba don't use internal header state for cookies (#3295)
• 87ce4af fix test/client for node 20
• c2c8fd5 fix: accept v20 SSL specific error for alpn selection in http/2
• 82200bd [v6.x] fix wpts on windows (#4093)
• 47546fa test: fix windows wpt (#4050)
• Additional commits viewable in compare view

Updates @octokit/request from 6.2.2 to 9.2.3

Release notes

Sourced from @​octokit/request's releases.

v8.4.1

8.4.1 (2025-02-15)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (#741) (356411e)

v8.4.0

8.4.0 (2024-04-09)

Features

• re-add redirect request option (#636) (abc4955), closes #599

v8.3.1

8.3.1 (2024-04-05)

Bug Fixes

• upgrade @octokit/endpoint (4e7127c)

v8.3.0

8.3.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types (6822e8b)

Features

• security: Add provenance (#685) (2e67925)

v8.2.0

8.2.0 (2024-02-09)

Features

• add documentation link in error message (#667) (dbfeab2)

v8.1.6

8.1.6 (2023-11-22)

Bug Fixes

... (truncated)

Commits

• 356411e fix: ReDos regex vulnerability, reported by @​DayShift (#741)
• abc4955 feat: re-add redirect request option (#636)
• 4e7127c fix: upgrade @octokit/endpoint
• 2e67925 feat(security): Add provenance (#685)
• 6822e8b fix: upgrade @octokit/types
• dbfeab2 feat: add documentation link in error message (#667)
• c013de4 docs: fix spelling errors (#671)
• 3d22c38 chore(deps): update dependency prettier to v3.2.5
• 984ec17 chore(deps): update dependency esbuild to ^0.20.0
• 2a9cf78 ci(action): update peter-evans/create-or-update-comment action to v4
• Additional commits viewable in compare view

Updates @octokit/core from 4.2.4 to 6.1.5

Release notes

Sourced from @​octokit/core's releases.

v6.1.5

6.1.5 (2025-04-10)

Bug Fixes

• deps: update dependency @​octokit/types to v14 (#731) (3700c41)

v6.1.4

6.1.4 (2025-02-13)

Bug Fixes

• deps: bump Octokit dependencies vulnerable to ReDos (#723) (582d8bd)

v6.1.3

6.1.3 (2025-01-03)

Bug Fixes

• deps: bump Octokit dependencies to fix Deno compat (#715) (e2b21bb)

v6.1.2

6.1.2 (2024-04-09)

Bug Fixes

• pkg: add default fallback and types export (#673) (af3d390), closes #665 #667

v6.1.1

6.1.1 (2024-04-03)

Bug Fixes

• deps: update dependency @​octokit/types to v13 (ade2813)

v6.1.0

6.1.0 (2024-04-03)

Features

• security: Add provenance (#671) (1c2bd25)

... (truncated)

Commits

• 3700c41 fix(deps): update dependency @​octokit/types to v14 (#731)
• fcfe306 chore(deps): bump vite from 6.1.0 to 6.2.5 (#729)
• 59c0138 ci(prettier): use Node LTS instead of Node v16 (#727)
• 7304860 chore(deps): update dependency prettier to v3.5.3 (#726)
• 768204c chore(deps): update dependency prettier to v3.5.2 (#725)
• 3105ee1 chore(deps): update dependency semantic-release-plugin-update-version-in-file...
• 2ddb327 chore(deps): update dependency prettier to v3.5.1 (#722)
• 582d8bd fix(deps): bump Octokit dependencies vulnerable to ReDos (#723)
• 4c21074 chore(deps): update dependency esbuild to ^0.25.0 (#721)
• 5fa1fe1 chore(deps-dev): bump vitest and @​vitest/coverage-v8 (#720)
• Additional commits viewable in compare view

Updates @octokit/request-error from 3.0.2 to 6.1.8

Release notes

Sourced from @​octokit/request-error's releases.

v5.1.1

5.1.1 (2025-02-14)

Bug Fixes

• ReDos regex vulnerability, reported by @​dayshift (12a14f0)

v5.1.0

5.1.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types to v13 (3af20bd)

Features

• security: Add provenance (#416) (94147e8)

Commits

• b51ed27 test: ReDos regex vulnerability, reported by @​dayshift
• 12a14f0 fix: ReDos regex vulnerability, reported by @​dayshift
• 3af20bd fix: upgrade @octokit/types to v13
• 94147e8 feat(security): Add provenance (#416)
• See full diff in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates nanoid from 5.0.7 to 5.0.9

Release notes

Sourced from nanoid's releases.

5.0.9

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

5.0.8

• Reduced customAlphabet size (by @​kirillgroshkov).

Changelog

Sourced from nanoid's changelog.

5.0.9

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

5.0.8

• Reduced customAlphabet size (by @​kirillgroshkov).

Commits

• 65a38ac Release 5.0.9 version
• b00d120 Merge after 3.3.8 release
• 3044cd5 Release 3.3.8 version
• cdc3edc Update size limit
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• 0daa00f Additional fixes and tests for #508 (#509)
• 313a14e Update dependencies
• eb2db95 Fix size limit and linting
• 9da8f60 Fix pool pollution, infinite loop (#508)
• Additional commits viewable in compare view

Updates tar-fs from 2.0.1 to 2.1.2

Commits

• d97731b 2.1.2
• fd1634e symlink tweak from main
• 7ec11cb 2.1.1
• 207879d bump travis
• ac27bac more docs
• f80a770 add fix by @​k13-engineering
• 2b9eb7a update standard (#85)
• 21cb738 Dependency bump for CVE-2020-8244 (#97)
• 33971c2 2.1.0
• 462dd91 Makes tar-fs able to pack files that are actively being written to. (#88)
• See full diff in compare view

Updates dockerode from 4.0.2 to 4.0.6

Release notes

Sourced from dockerode's releases.

v4.0.6

What's Changed

• Update image.inspect method to accept options by @​jpinz in apocas/dockerode#800

New Contributors

• @​jpinz made their first contribution in apocas/dockerode#800

Full Changelog: apocas/dockerode@v4.0.5...v4.0.6

v4.0.5

What's Changed

• Bump serialize-javascript and mocha by @​dependabot in apocas/dockerode#791
• fixed typo in README.md by @​vedantmishra69 in apocas/dockerode#788
• Use JSON serialization for cachefrom option by @​pipex in apocas/dockerode#793
• Bump tar-fs from 2.0.1 to 2.1.2 by @​dependabot in apocas/dockerode#801

New Contributors

• @​vedantmishra69 made their first contribution in apocas/dockerode#788
• @​pipex made their first contribution in apocas/dockerode#793

Full Changelog: apocas/dockerode@v4.0.4...v4.0.5

v4.0.4

What's Changed

• Declare 'extend' variable in docker.js by @​gaberudy in apocas/dockerode#784

New Contributors

• @​gaberudy made their first contribution in apocas/dockerode#784

Full Changelog: apocas/dockerode@v4.0.3...v4.0.4

v4.0.3

What's Changed

• add: new method pullAll by @​AndreasHeine in apocas/dockerode#758
• error managed in run_stdin example by @​Bhavesh-Parmar in apocas/dockerode#752
• Bump braces from 3.0.2 to 3.0.3 by @​dependabot in apocas/dockerode#767
• Update doc reference to "HTTP connection hijacking" by @​rishkwal in apocas/dockerode#770
• BuildKit support by @​schummar in apocas/dockerode#766

New Contributors

• @​AndreasHeine made their first contribution in apocas/dockerode#758
• @​Bhavesh-Parmar made their first contribution in apocas/dockerode#752
• @​rishkwal made their first contribution in apocas/dockerode#770
• @​schummar made their first contribution in apocas/dockerode#766

Full Changelog: apocas/dockerode@v4.0.2...v4.0.3

Description has been truncated