chore(deps): Bump pino from 8.16.2 to 10.3.1

[dependabot]

Bumps pino from 8.16.2 to 10.3.1.

Release notes

Sourced from pino's releases.

v10.3.1

What's Changed

• build(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in pinojs/pino#2385
• build(deps-dev): bump eslint-plugin-n from 17.23.1 to 17.23.2 by @​dependabot[bot] in pinojs/pino#2386
• docs: clarify transport level filtering behavior by @​mcollina in pinojs/pino#2390
• fix(transport): sanitize invalid NODE_OPTIONS preloads for workers by @​mcollina in pinojs/pino#2391

Full Changelog: pinojs/pino@v10.3.0...v10.3.1

v10.3.0

What's Changed

• feat: improve the return type of multistream().clone() by @​mrazauskas in pinojs/pino#2377
• feat: set worker thread name for transport identification by @​mcollina in pinojs/pino#2380

Full Changelog: pinojs/pino@v10.2.1...v10.3.0

v10.2.1

What's Changed

• fix: prevent ERR_WORKER_INVALID_EXEC_ARGV with monitoring tools by @​mcollina in pinojs/pino#2379

Full Changelog: pinojs/pino@v10.2.0...v10.2.1

v10.2.0

What's Changed

• chore: lint TypeScript files by @​mrazauskas in pinojs/pino#2363
• fix: prevent memory leak when using transport with --import preload by @​mcollina in pinojs/pino#2374

New Contributors

• @​mrazauskas made their first contribution in pinojs/pino#2363

Full Changelog: pinojs/pino@v10.1.1...v10.2.0

v10.1.1

What's Changed

• fix(types): Correct conditional type handling for generic log function arguments by @​samchungy in pinojs/pino#2329
• perf: use JSON.stringify in fast path for node v25+ by @​ronag in pinojs/pino#2330
• build(deps): bump actions/setup-node from 4 to 6 by @​dependabot[bot] in pinojs/pino#2336
• build(deps-dev): bump borp from 0.20.2 to 0.21.0 by @​dependabot[bot] in pinojs/pino#2337
• build(deps): bump pino-abstract-transport from 2.0.0 to 3.0.0 by @​dependabot[bot] in pinojs/pino#2338
• docs: update CONTRIBUTING.md to reference 'main' instead of 'master' by @​NoobFullStack in pinojs/pino#2334
• feat(browser): add reportCaller to surface user callsite by @​dev-KingMaster in pinojs/pino#2340
• docs: update transports.md by @​marklai1998 in pinojs/pino#2224
• docs: add Node.js 22+ native TypeScript type stripping support by @​mcollina in pinojs/pino#2347
• feat(types): use ThreadStream type from thread-stream by @​CHC383 in pinojs/pino#2320
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @​dependabot[bot] in pinojs/pino#2354
• build(deps): update thread-stream to v4 by @​mcollina in pinojs/pino#2356
• fix: harden transport loading against prototype pollution by @​omdxp in pinojs/pino#2358

... (truncated)

Commits

• 6b34498 Bumped v10.3.1
• f1203e6 fix(transport): sanitize invalid NODE_OPTIONS preloads for workers (#2391)
• 6a8e598 docs: clarify transport level filtering behavior (#2390)
• 49a4807 Merge branch 'main' of github.com:pinojs/pino
• 960bbbb build(deps-dev): bump eslint-plugin-n from 17.23.1 to 17.23.2 (#2386)
• e2a5b4a build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#2385)
• 04859e2 chore: update gitignore for ai assistant files
• d6adf03 Bumped v10.3.0
• 06d55b1 feat: set worker thread name for transport identification (#2380)
• a728702 fix: fix multistream().clone() return type (#2377)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for pino since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

License Issues

package.json

Package	Version	License	Issue Type
pino	^10.3.1	Null	Unknown License

services/heady-mcp-server/package.json

Package	Version	License	Issue Type
pino	^10.3.1	Null	Unknown License

Denied Licenses:

GPL-2.0, GPL-3.0, AGPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
npm/pino	^10.3.1	Unknown	Unknown
npm/pino	10.3.1	🟢 6.4	Details Check Score Reason Code-Review 🟢 6 Found 17/25 approved changesets -- score normalized to 6 Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 25 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches
npm/pino	^10.3.1	Unknown	Unknown
npm/pino	10.3.1	🟢 6.4	Details Check Score Reason Code-Review 🟢 6 Found 17/25 approved changesets -- score normalized to 6 Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 25 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches

Scanned Files

• package.json
• services/billing-service/package.json
• services/heady-mcp-server/package.json
• services/notification-service/package.json

[github-actions]

✅ Security Gate — PASSED

Evaluated at 2026-03-11 22:56:24 UTC | Commit: ee89241

Scan Summary

Check	Result	Count
SAST Critical Findings	✅	0
SAST High Findings	✅	0
Exposed Secrets	✅	0
CVEs (CVSS ≥ 7.0)	✅	0