chore(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@keyv/redis	2.8.3 -> 2.8.4					dependencies	patch
@types/node (source)	20.11.5 -> 20.11.19					devDependencies	patch
dotenv	16.3.1 -> 16.4.4					devDependencies	minor
eslint-plugin-sonarjs	0.23.0 -> 0.24.0					devDependencies	minor
eslint-plugin-unused-imports	3.0.0 -> 3.1.0					devDependencies	minor
node (source)	21.6.0 -> 21.6.2						patch
node (source)	21.6.0 -> 21.6.2					engines	patch
node	21.6.0-alpine -> 21.6.2-alpine					final	patch
node	21.6.0-alpine -> 21.6.2-alpine					stage	patch
npm-run-all	4.1.5 -> 5.0.0					devDependencies	replacement
open-graph-scraper	6.3.2 -> 6.4.0					dependencies	minor
pnpm (source)	8.14.1 -> 8.15.3					packageManager	minor
prettier (source)	3.2.4 -> 3.2.5					devDependencies	patch
tsup (source)	8.0.1 -> 8.0.2					devDependencies	patch
type-fest	4.9.0 -> 4.10.2					devDependencies	minor
vitest (source)	1.2.1 -> 1.3.0					devDependencies	minor

This is a special PR that replaces npm-run-all with the community suggested minimal stable replacement version.

---

Release Notes

motdotla/dotenv (dotenv)

v16.4.4

Compare Source

Changed

• 🐞 Replaced chaining operator ?. with old school && (fixing node 12 failures) #​812

v16.4.3

Compare Source

Changed

• Fixed processing of multiple files in options.path #​805

v16.4.2

Compare Source

Changed

• Changed funding link in package.json to dotenvx.com

v16.4.1

Compare Source

• Patch support for array as path option #​797

v16.4.0

Compare Source

• Add error.code to error messages around .env.vault decryption handling #​795
• Add ability to find .env.vault file when filename(s) passed as an array #​784

v16.3.2

Compare Source

Added

• Add debug message when no encoding set #​735

Changed

• Fix output typing for populate #​792
• Use subarray instead of slice #​793

SonarSource/eslint-plugin-sonarjs (eslint-plugin-sonarjs)

v0.24.0

Compare Source

What's Changed

• Prepare for next development iteration by @​yassin-kammoun-sonarsource in https://github.com/SonarSource/eslint-plugin-sonarjs/pull/429
• Add prettier as pre-commit hook by @​vdiez in https://github.com/SonarSource/eslint-plugin-sonarjs/pull/432
• Fix cognitive complexity link by @​ilia-kebets-sonarsource in https://github.com/SonarSource/eslint-plugin-sonarjs/pull/443
• Drop Node.js 14 support and test against Node.js 20 on CI by @​yassin-kammoun-sonarsource in https://github.com/SonarSource/eslint-plugin-sonarjs/pull/445
• Fix FP S3776 (cognitive-complexity): Ignore nested functions and default values by @​yassin-kammoun-sonarsource in https://github.com/SonarSource/eslint-plugin-sonarjs/pull/444

Full Changelog: SonarSource/eslint-plugin-sonarjs@0.23.0...0.24.0

sweepline/eslint-plugin-unused-imports (eslint-plugin-unused-imports)

v3.1.0

Compare Source

nodejs/node (node)

v21.6.2: 2024-02-14, Version 21.6.2 (Current), @​RafaelGSS

Compare Source

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
• CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
• CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• libuv version 1.48.0
• OpenSSL version 3.0.13+quic1

Commits

• [8344719369] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [d093600ac4] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #​51614
• [6cd930e5e8] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #​51614
• [9590c15d3d] - deps: upgrade libuv to 1.48.0 (Santiago Gimeno) #​51698
• [666096298c] - deps: disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#528
• [a4edd22e30] - fs: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#497
• [6155a1ffaf] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#518
• [777509495e] - lib: use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
• [9d2ac2b3fc] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#538
• [208b3940c7] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [fc2454f29c] - src,deps: disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#528
• [ef3eea20be] - test,doc: clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
• [8547196964] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#540

jshemas/openGraphScraper (open-graph-scraper)

v6.4.0

Compare Source

• Add character encoding detection and decoding logic using iconv-lite
• Updating dependencies

v6.3.4

Compare Source

• Adding check to make sure customMetaTags are valid
• Updating dependencies

v6.3.3

Compare Source

• Updating dependencies
• Sent the Accept: text/html header by default

pnpm/pnpm (pnpm)

v8.15.3

Compare Source

Patch Changes

• Remove vulnerable "ip" package from the dependencies #​7652.

Platinum Sponsors

Gold Sponsors

Our Silver Sponsors

v8.15.2

Compare Source

Patch Changes

• When purging multiple node_modules directories, pnpm will no longer print multiple prompts simultaneously.
• Don't print an unnecessary warning when adding new dependencies to a project that uses hoisted node_modules.
• Linking globally the command of a package that has no name in package.json #​4761.
• Installation should work with lockfile created by pnpm v9.0.0-alpha.4

Platinum Sponsors

Gold Sponsors

Our Silver Sponsors

v8.15.1

Compare Source

Patch Changes

• Use the object-hash library instead of node-object-hash for hashing keys of side-effects cache #​7591.
• bundledDependencies should never be added to the lockfile with false as the value #​7576.

Platinum Sponsors

Gold Sponsors

Our Silver Sponsors

v8.15.0

Compare Source

Minor Changes

• When the license field does not exist in package.json but a license file exists, try to match and extract the license name #​7530.

Patch Changes

• Running pnpm update -r --latest will no longer downgrade prerelease dependencies #​7436.
• --aggregate-output should work on scripts executed from the same project #​7556.
• Prefer hard links over reflinks on Windows as they perform better #​7564.
• Reduce the length of the side-effects cache key. Instead of saving a stringified object composed from the dependency versions of the package, use the hash calculated from the said object #​7563.
• Throw an error if pnpm update --latest runs with arguments containing versions specs. For instance, pnpm update --latest foo@next is not allowed #​7567.
• Don't fail in Windows CoW if the file already exists #​7554.

Platinum Sponsors

Gold Sponsors

Our Silver Sponsors

v8.14.3

Compare Source

Patch Changes

• pnpm pack should work as expected when "prepack" modifies the manifest #​7558.

Platinum Sponsors

Gold Sponsors

Our Silver Sponsors

v8.14.2

Compare Source

Patch Changes

• Registry configuration from previous installation should not override current settings #​7507.
• pnpm dlx should not fail, when executed from package.json "scripts" 7424.
• A git-hosted dependency should not be added to the store if it failed to be built #​7407.
• pnpm publish should pack "main" file or "bin" files defined in "publishConfig" #​4195.

Platinum Sponsors

config help if that's undesired. If you want to rebase/retry this PR, check this box This PR has been generated by Mend Renovate. View repository job log here.