🚨 [security] Update lerna 8.2.2 → 8.2.3 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ lerna (8.2.2 → 8.2.3) · Repo · Changelog

Release Notes

8.2.3

8.2.3 (2025-06-29)

Bug Fixes

• use internal fork of unmaintained strong-log-transformer (#4195) (7115485)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​emnapi/core (indirect, 1.4.3 → 1.5.0) · Repo

Release Notes

1.5.0

What's Changed

Prebuilt libraries are built by LLVM clang 20.

• fix: env undefined after emitting beforeExit event by @toyobayashi in #162
• fix(wasi): avoid deadlock caused by child thread abort when the main thread is in Atomics.wait and allow blocking calls on browser main thread (requires wasi-sdk 26+ and --export=emnapi_thread_crashed) by @toyobayashi in #163
• build: backport emscripten parse tools changes to v1 by @toyobayashi in #165

Full Changelog: v1.4.5...v1.5.0

1.4.5

What's Changed

• fix(wasm32-wasip1-threads): process never exit if trap in threads (#156)

Full Changelog: v1.4.4...v1.4.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​emnapi/runtime (indirect, 1.4.3 → 1.5.0) · Repo

Release Notes

1.5.0

What's Changed

Prebuilt libraries are built by LLVM clang 20.

• fix: env undefined after emitting beforeExit event by @toyobayashi in #162
• fix(wasi): avoid deadlock caused by child thread abort when the main thread is in Atomics.wait and allow blocking calls on browser main thread (requires wasi-sdk 26+ and --export=emnapi_thread_crashed) by @toyobayashi in #163
• build: backport emscripten parse tools changes to v1 by @toyobayashi in #165

Full Changelog: v1.4.5...v1.5.0

1.4.5

What's Changed

• fix(wasm32-wasip1-threads): process never exit if trap in threads (#156)

Full Changelog: v1.4.4...v1.4.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​emnapi/wasi-threads (indirect, 1.0.2 → 1.1.0) · Repo

Release Notes

1.1.0

What's Changed

• test: make napi_get_buffer_info check if passed buffer is valid by @toyobayashi in #108
• feat: segregate nogc APIs from rest via type system by @toyobayashi in #110
• test: fix unreliable assumption in js-native-api/test_cannot_run_js by @toyobayashi in #111
• fix: missing sources in gyp wasi + threads target

Full Changelog: v1.0.0...v1.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​octokit/core (indirect, 5.2.1 → 5.2.2) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ axios (indirect, 1.9.0 → 1.11.0) · Repo · Changelog

Release Notes

1.11.0

Release notes:

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail
• Tejaswi1305

1.10.0

Release notes:

Bug Fixes

• adapter: pass fetchOptions to fetch function (#6883) (0f50af8)
• form-data: convert boolean values to strings in FormData serialization (#6917) (5064b10)
• package: add module entry point for React Native; (#6933) (3d343b8)

Features

• types: improved fetchOptions interface (#6867) (63f1fce)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Dimitrios Lazanas
• Adrian Knapp
• Howie Zhao
• Uhyeon Park
• Sampo Silvennoinen

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ follow-redirects (indirect, 1.15.9 → 1.15.11) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ form-data (indirect, 4.0.2 → 4.0.4) · Repo · Changelog

Security Advisories 🚨

🚨 form-data uses unsafe random function in form-data for choosing boundary

Summary

form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:

1. can observe other values produced by Math.random in the target application, and
2. can control one field of a request made using form-data

Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.

This is largely the same vulnerability as was recently found in undici by parrot409 -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.

Details

The culprit is this line here:

form-data/lib/form_data.js

Line 347 in 426ba9a

    <tbody>

boundary += Math.floor(Math.random() * 10).toString(16);

An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a x-request-id header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose)

PoC

PoC here: https://github.com/benweissmann/CVE-2025-7783-poc

Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID).

Impact

For an application to be vulnerable, it must:

• Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)
• Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values.

If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ fs-extra (indirect, 11.3.0 → 11.3.1) · Repo · Changelog

Release Notes

11.3.1 (from changelog)

• Fix case where move/moveSync could incorrectly think files are identical on Windows (#1050)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ inquirer (indirect, 8.2.6 → 8.2.7) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ jake (indirect, 10.9.2 → 10.9.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jsonfile (indirect, 6.1.0 → 6.2.0) · Repo · Changelog

Release Notes

6.2.0 (from changelog)

• Add support for importing as ESM named imports (e.g. import { readFileSync } from 'jsonfile') (#162)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tmp (indirect, 0.2.3 → 0.2.5) · Repo · Changelog

Security Advisories 🚨

🚨 tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

Summary

tmp@0.2.3 is vulnerable to an Arbitrary temporary file / directory write via symbolic link dir parameter.

Details

According to the documentation there are some conditions that must be held:

// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50
Other breaking changes, i.e.

template must be relative to tmpdir
name must be relative to tmpdir
dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks

are still in place.
In order to override the system's tmpdir, you will have to use the newly

introduced tmpdir option.
// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375

dir: the optional temporary directory that must be relative to the system's default temporary directory.

absolute paths are fine as long as they point to a location under the system's default temporary directory.

Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access,

as tmp will not check the availability of the path, nor will it establish the requested path for you.

Related issue: #207.

The issue occurs because _resolvePath does not properly handle symbolic link when resolving paths:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
  if (name.startsWith(tmpDir)) {
    return path.resolve(name);
  } else {
    return path.resolve(path.join(tmpDir, name));
  }
}

If the dir parameter points to a symlink that resolves to a folder outside the tmpDir, it's possible to bypass the _assertIsRelative check used in _assertAndSanitizeOptions:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
  if (option === 'name') {
    // assert that name is not absolute and does not contain a path
    if (path.isAbsolute(name))
      throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
    // must not fail on valid .<name> or ..<name> or similar such constructs
    let basename = path.basename(name);
    if (basename === '..' || basename === '.' || basename !== name)
      throw new Error(`${option} option must not contain a path, found "${name}".`);
  }
  else { // if (option === 'dir' || option === 'template') {
    // assert that dir or template are relative to tmpDir
    if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
    }
    let resolvedPath = _resolvePath(name, tmpDir); //<--- 
    if (!resolvedPath.startsWith(tmpDir))
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
  }
}

PoC

The following PoC demonstrates how writing a tmp file on a folder outside the tmpDir is possible.
Tested on a Linux machine.

• Setup: create a symbolic link inside the tmpDir that points to a directory outside of it

mkdir $HOME/mydir1
ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir

• check the folder is empty:

ls -lha $HOME/mydir1 | grep "tmp-"

• run the poc

node main.js
File:  /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
test 2: dir option must be relative to "/tmp", found "/foo".
test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".

• the temporary file is created under $HOME/mydir1 (outside the tmpDir):

ls -lha $HOME/mydir1 | grep "tmp-"
-rw------- 1 user user    0 Apr  X XX:XX tmp-[random-id]

• main.js

// npm i tmp@0.2.3
const tmp = require('tmp');
const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});

console.log('File: ', tmpobj.name);
try {

tmp.fileSync({ 'dir': 'mydir1'});

} catch (err) {

console.log('test 1:', err.message)

}
try {

tmp.fileSync({ 'dir': '/foo'});

} catch (err) {

console.log('test 2:', err.message)

}
try {

const fs = require('node:fs');

const resolved = fs.realpathSync('/tmp/evil-dir');

tmp.fileSync({ 'dir': resolved});

} catch (err) {

console.log('test 3:', err.message)

}

A Potential fix could be to call fs.realpathSync (or similar) that resolves also symbolic links.

function _resolvePath(name, tmpDir) {
  let resolvedPath;
  if (name.startsWith(tmpDir)) {
    resolvedPath = path.resolve(name);
  } else {
    resolvedPath = path.resolve(path.join(tmpDir, name));
  }
  return fs.realpathSync(resolvedPath);
}

Impact

Arbitrary temporary file / directory write via symlink

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ yaml (indirect, 2.8.0 → 2.8.1) · Repo

Release Notes

2.8.1

• Preserve empty block literals (#634)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @​inquirer/external-editor (added, 1.0.1)

🆕 fdir (added, 6.5.0)

🆕 tinyglobby (added, 0.2.12)

🆕 brace-expansion (added, 1.1.12)

🆕 brace-expansion (added, 2.0.2)

🆕 chardet (added, 2.1.0)

🗑️ @​esbuild/aix-ppc64 (removed)

🗑️ @​esbuild/aix-ppc64 (removed)

🗑️ @​esbuild/android-arm (removed)

🗑️ @​esbuild/android-arm (removed)

🗑️ @​esbuild/android-arm64 (removed)

🗑️ @​esbuild/android-arm64 (removed)

🗑️ @​esbuild/android-x64 (removed)

🗑️ @​esbuild/android-x64 (removed)

🗑️ @​esbuild/darwin-arm64 (removed)

🗑️ @​esbuild/darwin-arm64 (removed)

🗑️ @​esbuild/darwin-x64 (removed)

🗑️ @​esbuild/darwin-x64 (removed)

🗑️ @​esbuild/freebsd-arm64 (removed)

🗑️ @​esbuild/freebsd-arm64 (removed)

🗑️ @​esbuild/freebsd-x64 (removed)

🗑️ @​esbuild/freebsd-x64 (removed)

🗑️ @​esbuild/linux-arm (removed)

🗑️ @​esbuild/linux-arm (removed)

🗑️ @​esbuild/linux-arm64 (removed)

🗑️ @​esbuild/linux-arm64 (removed)

🗑️ @​esbuild/linux-ia32 (removed)

🗑️ @​esbuild/linux-ia32 (removed)

🗑️ @​esbuild/linux-loong64 (removed)

🗑️ @​esbuild/linux-loong64 (removed)

🗑️ @​esbuild/linux-mips64el (removed)

🗑️ @​esbuild/linux-mips64el (removed)

🗑️ @​esbuild/linux-ppc64 (removed)

🗑️ @​esbuild/linux-ppc64 (removed)

🗑️ @​esbuild/linux-riscv64 (removed)

🗑️ @​esbuild/linux-riscv64 (removed)

🗑️ @​esbuild/linux-s390x (removed)

🗑️ @​esbuild/linux-s390x (removed)

🗑️ @​esbuild/linux-x64 (removed)

🗑️ @​esbuild/linux-x64 (removed)

🗑️ @​esbuild/netbsd-x64 (removed)

🗑️ @​esbuild/netbsd-x64 (removed)

🗑️ @​esbuild/openbsd-x64 (removed)

🗑️ @​esbuild/openbsd-x64 (removed)

🗑️ @​esbuild/sunos-x64 (removed)

🗑️ @​esbuild/sunos-x64 (removed)

🗑️ @​esbuild/win32-arm64 (removed)

🗑️ @​esbuild/win32-arm64 (removed)

🗑️ @​esbuild/win32-ia32 (removed)

🗑️ @​esbuild/win32-ia32 (removed)

🗑️ @​esbuild/win32-x64 (removed)

🗑️ @​esbuild/win32-x64 (removed)

🗑️ esbuild (removed)

🗑️ esbuild (removed)

🗑️ @​bcoe/v8-coverage (removed)

🗑️ @​bufbuild/protobuf (removed)

🗑️ @​colors/colors (removed)

🗑️ @​dabh/diagnostics (removed)

🗑️ @​elastic/ecs-helpers (removed)

🗑️ @​elastic/ecs-pino-format (removed)

🗑️ @​elastic/elasticsearch (removed)

🗑️ @​elastic/transport (removed)

🗑️ @​esbuild/netbsd-arm64 (removed)

🗑️ @​esbuild/openbsd-arm64 (removed)

🗑️ @​esbuild/openharmony-arm64 (removed)

🗑️ @​eslint/config-array (removed)

🗑️ @​eslint/config-helpers (removed)

🗑️ @​eslint/core (removed)

🗑️ @​eslint/object-schema (removed)

🗑️ @​eslint/plugin-kit (removed)

🗑️ @​grpc/grpc-js (removed)

🗑️ @​grpc/proto-loader (removed)

🗑️ @​humanfs/core (removed)

🗑️ @​humanfs/node (removed)

🗑️ @​humanwhocodes/retry (removed)

🗑️ @​humanwhocodes/retry (removed)

🗑️ @​istanbuljs/schema (removed)

🗑️ @​js-sdsl/ordered-map (removed)

🗑️ @​localazy/languages (removed)

🗑️ @​opentelemetry/api (removed)

🗑️ @​opentelemetry/core (removed)

🗑️ @​opentelemetry/resources (removed)

🗑️ @​opentelemetry/sdk-metrics (removed)

🗑️ @​opentelemetry/semantic-conventions (removed)

🗑️ @​protobufjs/aspromise (removed)

🗑️ @​protobufjs/base64 (removed)

🗑️ @​protobufjs/codegen (removed)

🗑️ @​protobufjs/eventemitter (removed)

🗑️ @​protobufjs/fetch (removed)

🗑️ @​protobufjs/float (removed)

🗑️ @​protobufjs/inquire (removed)

🗑️ @​protobufjs/path (removed)

🗑️ @​protobufjs/pool (removed)

🗑️ @​protobufjs/utf8 (removed)

🗑️ @​restorecommerce/dataset-demoshop-catalog-transformer (removed)

🗑️ @​restorecommerce/dataset-system-units-transformer (removed)

🗑️ @​restorecommerce/dataset-system-world-transformer (removed)

🗑️ @​restorecommerce/dev (removed)

🗑️ @​eslint/compat (removed)

🗑️ @​typescript-eslint/scope-manager (removed)

🗑️ @​typescript-eslint/scope-manager (removed)

🗑️ @​typescript-eslint/scope-manager (removed)

🗑️ @​typescript-eslint/scope-manager (removed)

🗑️ @​typescript-eslint/types (removed)

🗑️ @​typescript-eslint/types (removed)

🗑️ @​typescript-eslint/types (removed)

🗑️ @​typescript-eslint/types (removed)

🗑️ @​typescript-eslint/typescript-estree (removed)

🗑️ @​typescript-eslint/typescript-estree (removed)

🗑️ @​typescript-eslint/typescript-estree (removed)

🗑️ @​typescript-eslint/typescript-estree (removed)

🗑️ @​typescript-eslint/utils (removed)

🗑️ @​typescript-eslint/utils (removed)

🗑️ @​typescript-eslint/utils (removed)

🗑️ @​typescript-eslint/utils (removed)

🗑️ @​typescript-eslint/visitor-keys (removed)

🗑️ @​typescript-eslint/visitor-keys (removed)

🗑️ @​typescript-eslint/visitor-keys (removed)

🗑️ @​typescript-eslint/visitor-keys (removed)

🗑️ eslint-plugin-prefer-arrow-functions (removed)

🗑️ ts-api-utils (removed)

🗑️ ts-api-utils (removed)

🗑️ @​restorecommerce/grpc-client (removed)

🗑️ @​restorecommerce/logger (removed)

🗑️ @​restorecommerce/rc-grpc-clients (removed)

🗑️ @​rollup/rollup-android-arm-eabi (removed)

🗑️ @​rollup/rollup-android-arm64 (removed)

🗑️ @​rollup/rollup-darwin-arm64 (removed)

🗑️ @​rollup/rollup-darwin-x64 (removed)

🗑️ @​rollup/rollup-freebsd-arm64 (removed)

🗑️ @​rollup/rollup-freebsd-x64 (removed)

🗑️ @​rollup/rollup-linux-arm-gnueabihf (removed)

🗑️ @​rollup/rollup-linux-arm-musleabihf (removed)

🗑️ @​rollup/rollup-linux-arm64-gnu (removed)

🗑️ @​rollup/rollup-linux-arm64-musl (removed)

🗑️ @​rollup/rollup-linux-loongarch64-gnu (removed)

🗑️ @​rollup/rollup-linux-powerpc64le-gnu (removed)

🗑️ @​rollup/rollup-linux-riscv64-gnu (removed)

🗑️ @​rollup/rollup-linux-riscv64-musl (removed)

🗑️ @​rollup/rollup-linux-s390x-gnu (removed)

🗑️ @​rollup/rollup-linux-x64-gnu (removed)

🗑️ @​rollup/rollup-linux-x64-musl (removed)

🗑️ @​rollup/rollup-win32-arm64-msvc (removed)

🗑️ @​rollup/rollup-win32-ia32-msvc (removed)

🗑️ @​rollup/rollup-win32-x64-msvc (removed)

🗑️ @​stylistic/eslint-plugin (removed)

🗑️ @​swc/helpers (removed)

🗑️ @​types/argparse (removed)

🗑️ @​types/command-line-args (removed)

🗑️ @​types/command-line-usage (removed)

🗑️ @​types/estree (removed)

🗑️ @​types/google-protobuf (removed)

🗑️ @​types/js-yaml (removed)

🗑️ @​types/json-schema (removed)

🗑️ @​types/triple-beam (removed)

🗑️ @​typescript-eslint/eslint-plugin (removed)

🗑️ @​typescript-eslint/eslint-plugin (removed)

🗑️ @​typescript-eslint/parser (removed)

🗑️ @​typescript-eslint/parser (removed)

🗑️ @​typescript-eslint/type-utils (removed)

🗑️ @​typescript-eslint/type-utils (removed)

🗑️ @​vitest/coverage-v8 (removed)

🗑️ @​vitest/expect (removed)

🗑️ @​vitest/mocker (removed)

🗑️ @​vitest/pretty-format (removed)

🗑️ @​vitest/runner (removed)

🗑️ @​vitest/snapshot (removed)

🗑️ @​vitest/spy (removed)

🗑️ @​vitest/utils (removed)

🗑️ @​vvo/tzdb (removed)

🗑️ abort-controller-x (removed)

🗑️ acorn-import-assertions (removed)

🗑️ after-all-results (removed)

🗑️ agentkeepalive (removed)

🗑️ apache-arrow (removed)

🗑️ array-back (removed)

🗑️ asap (removed)

🗑️ assertion-error (removed)

🗑️ async-cache (removed)

🗑️ async-hook-jl (removed)

🗑️ async-value (removed)

🗑️ async-value-promise (removed)

🗑️ atomic-sleep (removed)

🗑️ basic-auth (removed)

🗑️ binary-search (removed)

🗑️ braces (removed)

🗑️ breadth-filter (removed)

🗑️ builtin-modules (removed)

🗑️ cac (removed)

🗑️ chai (removed)

🗑️ chalk-template (removed)

🗑️ check-error (removed)

🗑️ cjs-module-lexer (removed)

🗑️ clean-regexp (removed)

🗑️ cls-hooked (removed)

🗑️ cls-rtracer (removed)

🗑️ color (removed)

🗑️ color-string (removed)

🗑️ colorspace (removed)

🗑️ command-line-args (removed)

🗑️ command-line-usage (removed)

🗑️ console-log-level (removed)

🗑️ cookie (removed)

🗑️ core-js-compat (removed)

🗑️ csv-parser (removed)

🗑️ currency-list (removed)

🗑️ dayjs (removed)

🗑️ deep-eql (removed)

🗑️ dir-glob (removed)

🗑️ duplexer (removed)

🗑️ elastic-apm-node (removed)

🗑️ emitter-listener (removed)

🗑️ enabled (removed)

🗑️ error-callsites (removed)

🗑️ error-stack-parser (removed)

🗑️ es-module-lexer (removed)

🗑️ eslint-plugin-file-extension-in-import-ts (removed)

🗑️ eslint-plugin-unicorn (removed)

🗑️ estree-walker (removed)

🗑️ expect-type (removed)

🗑️ fast-glob (removed)

🗑️ fast-redact (removed)

🗑️ fast-safe-stringify (removed)

🗑️ fast-stream-to-buffer (removed)

🗑️ fecha (removed)

🗑️ fill-range (removed)

🗑️ find-replace (removed)

🗑️ flatbuffers (removed)

🗑️ flatstr (removed)

🗑️ fn.name (removed)

🗑️ forwarded-parse (removed)

🗑️ fsevents (removed)

🗑️ globby (removed)

🗑️ google-protobuf (removed)

🗑️ hpagent (removed)

🗑️ html-escaper (removed)

🗑️ http-headers (removed)

🗑️ humanize-ms (removed)

🗑️ import-in-the-middle (removed)

🗑️ is-builtin-module (removed)

🗑️ is-finite (removed)

🗑️ is-integer (removed)

🗑️ is-native (removed)

🗑️ is-nil (removed)

🗑️ is-number (removed)

🗑️ istanbul-lib-coverage (removed)

🗑️ istanbul-lib-report (removed)

🗑️ istanbul-lib-source-maps (removed)

🗑️ istanbul-reports (removed)

🗑️ json-bignum (removed)

🗑️ kuler (removed)

🗑️ lodash.camelcase (removed)

🗑️ lodash.defaults (removed)

🗑️ lodash.omit (removed)

🗑️ lodash.sortby (removed)

🗑️ logform (removed)

🗑️ long (removed)

🗑️ loupe (removed)

🗑️ magic-string (removed)

🗑️ magicast (removed)

🗑️ mapcap (removed)

🗑️ measured-core (removed)

🗑️ measured-reporting (removed)

🗑️ merge2 (removed)

🗑️ micromatch (removed)

🗑️ module-details-from-path (removed)

🗑️ monitor-event-loop-delay (removed)

🗑️ nanoid (removed)

🗑️ next-line (removed)

🗑️ nice-grpc (removed)

🗑️ nice-grpc-client-middleware-deadline (removed)

🗑️ nice-grpc-client-middleware-retry (removed)

🗑️ nice-grpc-common (removed)

🗑️ node-xlsx (removed)

🗑️ object-filter-sequence (removed)

🗑️ object-hash (removed)

🗑️ object-identity-map (removed)

🗑️ one-time (removed)

🗑️ optional-js (removed)

🗑️ original-url (removed)

🗑️ pathe (removed)

🗑️ pathval (removed)

🗑️ pino (removed)

🗑️ pino-std-serializers (removed)

🗑️ pluralize (removed)

🗑️ postcss (removed)

🗑️ process-warning (removed)

🗑️ promise (removed)

🗑️ protobufjs (removed)

🗑️ pseudomap (removed)

🗑️ quick-format-unescaped (removed)

🗑️ regexp-tree (removed)

🗑️ regjsparser (removed)

🗑️ relative-microtime (removed)

🗑️ require-in-the-middle (removed)

🗑️ rollup (removed)

🗑️ safe-stable-stringify (removed)

🗑️ secure-json-parse (removed)

🗑️ shallow-clone-shim (removed)

🗑️ shimmer (removed)

🗑️ siginfo (removed)

🗑️ simple-swizzle (removed)

🗑️ sonic-boom (removed)

🗑️ source-map-js (removed)

🗑️ source-map-support (removed)

🗑️ sql-summary (removed)

🗑️ stack-chain (removed)

🗑️ stack-trace (removed)

🗑️ stackback (removed)

🗑️ stackframe (removed)

🗑️ std-env (removed)

🗑️ stream-chopper (removed)

🗑️ strong-log-transformer (removed)

🗑️ table-layout (removed)

🗑️ test-exclude (removed)

🗑️ text-hex (removed)

🗑️ tinybench (removed)

🗑️ tinyexec (removed)

🗑️ tinypool (removed)

🗑️ tinyrainbow (removed)

🗑️ tinyspy (removed)

🗑️ to-regex-range (removed)

🗑️ to-source-code (removed)

🗑️ triple-beam (removed)

🗑️ ts-error (removed)

🗑️ ts-proto-descriptors (removed)

🗑️ typescript-eslint (removed)

🗑️ typical (removed)

🗑️ undici (removed)

🗑️ unicode-byte-truncate (removed)

🗑️ unicode-substring (removed)

🗑️ vite (removed)

🗑️ vite-node (removed)

🗑️ vitest (removed)

🗑️ why-is-node-running (removed)

🗑️ winston (removed)

🗑️ winston-elasticsearch (removed)

🗑️ winston-transport (removed)

🗑️ wordwrapjs (removed)

🗑️ world-countries (removed)

🗑️ xlsx (removed)

🗑️ eslint-visitor-keys (removed)

🗑️ @​eslint/eslintrc (removed)

🗑️ espree (removed)

🗑️ globals (removed)

🗑️ globals (removed)

🗑️ @​eslint/js (removed)

🗑️ uuid (removed)

🗑️ uuid (removed)

🗑️ lru-cache (removed)

🗑️ eslint (removed)

🗑️ eslint-scope (removed)

🗑️ file-entry-cache (removed)

🗑️ flat-cache (removed)

🗑️ @​types/node (removed)

🗑️ undici-types (removed)

🗑️ yallist (removed)

🗑️ through2 (removed)

🗑️ source-map (removed)

🗑️ tr46 (removed)

🗑️ webidl-conversions (removed)

🗑️ whatwg-url (removed)

🗑️ is-arrayish (removed)

🗑️ jsesc (removed)

🗑️ path-type (removed)

🗑️ retry (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #118.