build(deps): bump the npm_and_yarn group across 3 directories with 30 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the /pkgs/tools/misc/fx_cast directory:

Package	From	To
node-fetch	3.2.3	3.2.10
ws	8.5.0	8.17.1
pkg	5.6.0	5.8.1
braces	3.0.2	3.0.3
form-data	3.0.1	3.0.4
micromatch	4.0.5	4.0.8
protobufjs	6.11.2	6.11.4

Bumps the npm_and_yarn group with 5 updates in the /pkgs/tools/graphics/puppeteer-cli directory:

Package	From	To
minimist	1.2.5	1.2.8
ws	6.2.1	6.2.3
url-parse	1.4.7	1.5.9
brace-expansion	1.1.11	1.1.12
minimatch	3.0.4	3.1.2

Bumps the npm_and_yarn group with 18 updates in the /pkgs/tools/admin/pgadmin directory:

Package	From	To
braces	3.0.2	3.0.3
micromatch	4.0.4	4.0.8
brace-expansion	1.1.11	1.1.12
minimatch	3.0.4	3.1.2
axios	0.21.4	0.30.2
lodash	4.17.21	4.17.23
postcss	8.3.11	8.4.31
webpack	5.61.0	5.94.0
@babel/helpers	7.13.0	7.28.6
@babel/traverse	7.14.7	7.28.6
body-parser	1.19.0	1.20.4
browserify-sign	4.2.1	4.2.5
cipher-base	1.0.4	1.0.7
ejs	3.1.6	3.1.10
js-yaml	3.14.1	3.14.2
sha.js	2.4.11	2.4.12
socket.io	4.4.1	4.8.3
tmp	0.2.1	0.2.5

Updates node-fetch from 3.2.3 to 3.2.10

Release notes

Sourced from node-fetch's releases.

v3.2.10

3.2.10 (2022-07-31)

Bug Fixes

• ReDoS referrer (#1611) (2880238)

v3.2.9

3.2.9 (2022-07-18)

Bug Fixes

• Headers: don't forward secure headers on protocol change (#1599) (e87b093)

v3.2.8

3.2.8 (2022-07-12)

Bug Fixes

• possibly flaky test (#1523) (11b7033)

v3.2.7

3.2.7 (2022-07-11)

Bug Fixes

• always warn Request.data (#1550) (4f43c9e)

v3.2.6

3.2.6 (2022-06-09)

Bug Fixes

• undefined reference to response.body when aborted (#1578) (1c5ed6b)

v3.2.5

3.2.5 (2022-06-01)

Bug Fixes

• use space in accept-encoding values (#1572) (a92b5d5), closes #1571

v3.2.4

3.2.4 (2022-04-28)

... (truncated)

Commits

• 2880238 fix: ReDoS referrer (#1611)
• e87b093 fix(Headers): don't forward secure headers on protocol change (#1599)
• bcfb71c chore: remove triple-slash directives from typings (#1285) (#1287)
• 95165d5 fix spelling (#1602)
• 11b7033 fix: possibly flaky test (#1523)
• 4f43c9e fix: always warn Request.data (#1550)
• 1c5ed6b fix: undefined reference to response.body when aborted (#1578)
• a92b5d5 fix: use space in accept-encoding values (#1572)
• 0f122b8 docs: fix formdata code example (#1562)
• 6ae9c76 docs(readme): response.clone() is not async (#1560)
• Additional commits viewable in compare view

Updates ws from 8.5.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• 934c9d6 [ci] Test on node 22
• 1817bac [ci] Do not test on node 21
• 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
• e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
• Additional commits viewable in compare view

Updates pkg from 5.6.0 to 5.8.1

Release notes

Sourced from pkg's releases.

5.8.1

Patches

• Producer: properly call "prebuild-install" if N-API is used: dd9de59c9fca2751bf5d22b57bd9b03d43e85e80
• Chore: clean up obsolete eslint disable comments: #1760
• Chore: add prettier check in linting step: #1764
• Chore: separate individual test scripts: #1759
• Chore: use @types/babel__generator package: #1755
• Chore: remove unused entry: #1766
• Chore: upgrade actions runners: #1767
• Style: fix typo in test-99-#1192/main.js: #1790
• Chore: bump prebuild-install@7.1.1: #1788
• Fix: add force flag to codesign to avoid already signed error: #1756

Credits

Huge thanks to @​ignatiusmb, @​eltociear, @​PraveenAnaparthi, and @​brianunlam for helping!

5.8.0

Highlights

• Support more language features, including but not limited to classPrivateMethods (#1248, #1249)
  • Note: pkg uses Babel to trace dependencies. It does NOT transform your sources. You should make sure that your code can run on the target Node.js version.

What's Changed

• Bump to vercel/pkg-fetch@v3.4.2 by @​jesec in vercel/pkg#1693
  • Add Node 14.20.0, 16.16.0 and 18.5.0 binaries
  • https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
• detector: use Babel AST and default plugins by @​jesec in vercel/pkg#1648
• test: rearrange and fix order by @​jesec in vercel/pkg#1650
• fix: typo in fabricator.ts by @​eltociear in vercel/pkg#1661

New Contributors

• @​eltociear made their first contribution in vercel/pkg#1661

Full Changelog: vercel/pkg@5.7.0...5.8.0

5.7.0

Highlights

• Node 18 is now supported!

What's Changed

• Bump to vercel/pkg-fetch@v3.4.1 by @​jesec in vercel/pkg#1616
  • No longer take NODE_OPTIONS from the environment of the end-user. Only the users (developers who use pkg to package their project) should have control over the flags via the "bake in" (--options) mechanism (Fixes: vercel/pkg#954, vercel/pkg#989, vercel/pkg#1194, vercel/pkg#1517)
  • Patched Node: bump to 16.15.0, add 18.1.0 and drop 17
• fix broken tests on node 12; latest pnpm requires node >= 14.19 by @​kldzj in vercel/pkg#1613
• dependencies: bump (minor) by @​jesec in vercel/pkg#1615
• fix(bootstrap): prevent to override existing node addon file by @​renkei in vercel/pkg#1611

New Contributors

... (truncated)

Commits

• 5dc987b 5.8.1
• f19285d fix: add force flag to codesign to avoid already signed error (#1756)
• e3ac490 chore: bump prebuild-install@7.1.1 (#1788)
• be1123c style: fix typo in test-99-#1192/main.js (#1790)
• 614c02a chore: upgrade actions runners (#1767)
• 39e9985 chore: remove unused entry (#1766)
• b8deba4 chore: use @types/babel__generator package (#1755)
• 332c7d9 chore: separate individual test scripts (#1759)
• 6efa7cf chore: add prettier check in linting step (#1764)
• 56135b5 chore: clean up obsolete eslint disable comments (#1760)
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates form-data from 3.0.1 to 3.0.4

Release notes

Sourced from form-data's releases.

v3.0.2

Fixes

• npmignore temporary build files (#532)
• move util.isArray to Array.isArray (#564)

Tests

• migrate from travis to GHA

Changelog

Sourced from form-data's changelog.

v3.0.4 - 2025-07-16

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] update linting config f5e7eb0
• [meta] add auto-changelog d2eb290
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 e8c574c
• [Fix] Switch to using crypto random for boundary values c6ced61
• [Refactor] use hasown 1a78b5d
• [Fix] validate boundary type in setBoundary() method 70bbaa0
• [Tests] add tests to check the behavior of getBoundary with non-strings b22a64e
• [meta] actually ensure the readme backup isn’t published 0150851
• [meta] remove local commit hooks fc42bb9
• [Dev Deps] remove unused deps a14d09e
• [meta] fix scripts to use prepublishOnly 11d9f73
• [meta] fix readme capitalization fc38b48

v3.0.3 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

Commits

• [Refactor] use Object.prototype.hasOwnProperty.call 7fecefe
• [Dev Deps] update @types/node, browserify, coveralls, cross-spawn, eslint, formidable, in-publish, pkgfiles, pre-commit, puppeteer, request, tape, typescript 8261fcb
• Only apps should have lockfiles b82f590
• [Dev Deps] pin request which via tough-cookie ^2.4 depends on psl e5df7f2
• [Deps] update mime-types 5a5bafe

v3.0.2 - 2024-10-10

Merged

• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Commits

• [Tests] migrate from travis to GHA 8fdb3bc
• [eslint] clean up ignores 3217b3d
• fix: move util.isArray to Array.isArray (#564) edb555a

Commits

• 9c82fcd v3.0.4
• e8c574c [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• c6ced61 [Fix] Switch to using crypto random for boundary values
• 0150851 [meta] actually ensure the readme backup isn’t published
• fc38b48 [meta] fix readme capitalization
• d2eb290 [meta] add auto-changelog
• fc42bb9 [meta] remove local commit hooks
• a14d09e [Dev Deps] remove unused deps
• 002b9b0 [Fix] append: avoid a crash on nullish values
• 70bbaa0 [Fix] validate boundary type in setBoundary() method
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates semver from 5.7.1 to 7.7.3

Release notes

Sourced from semver's releases.

v7.7.3

7.7.3 (2025-10-06)

Bug Fixes

• e37e0ca #813 faster paths for compare (#813) (@​H4ad)
• 2471d75 #811 x-range build metadata support (i529015)

Chores

• 8f05c87 #807 bump @​npmcli/template-oss from 4.25.0 to 4.25.1 (#807) (@​dependabot[bot], @​owlstronaut)

v7.7.2

7.7.2 (2025-05-12)

Bug Fixes

• fcafb61 #780 add missing 'use strict' directives (#780) (@​Fdawgs)
• c99f336 #781 prerelease identifier starting with digits (#781) (@​mbtools)

Chores

• c760403 #784 template-oss-apply for workflow permissions (#784) (@​wraithgar)
• 2677f2a #778 bump @​npmcli/template-oss from 4.23.6 to 4.24.3 (#778) (@​dependabot[bot], @​npm-cli-bot)

v7.7.1

7.7.1 (2025-02-03)

Bug Fixes

• af761c0 #764 inc: fully capture prerelease identifier (#764) (@​wraithgar)

v7.7.0

7.7.0 (2025-01-29)

Features

• 0864b3c #753 add "release" inc type (#753) (@​mbtools)

Bug Fixes

• d588e37 #755 diff: fix prerelease to stable version diff logic (#755) (@​eminberkayd, berkay.daglar)
• 8a34bde #754 add identifier validation to inc() (#754) (@​mbtools)

Documentation

• 67e5478 #756 readme: added missing period for consistency (#756) (@​shaymolcho)
• 868d4bb #749 clarify comment about obsolete prefixes (#749) (@​mbtools, @​ljharb)

Chores

• 145c554 #741 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 753e02b #747 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#747) (@​dependabot[bot], @​npm-cli-bot)
• 0b812d5 #744 postinstall for dependabot template-oss PR (@​hashtagchris)

v7.6.3

7.6.3 (2024-07-16)

Bug Fixes

• 73a3d79 #726 optimize Range parsing and formatting (#726) (@​jviide)

Documentation

• 2975ece #719 fix extra backtick typo (#719) (@​stdavis)

v7.6.2

7.6.2 (2024-05-09)

... (truncated)

Changelog

Sourced from semver's changelog.

7.7.3 (2025-10-06)

Bug Fixes

• e37e0ca #813 faster paths for compare (#813) (@​H4ad)
• 2471d75 #811 x-range build metadata support (i529015)

Chores

• 8f05c87 #807 bump @​npmcli/template-oss from 4.25.0 to 4.25.1 (#807) (@​dependabot[bot], @​owlstronaut)

7.7.2 (2025-05-12)

Bug Fixes

• fcafb61 #780 add missing 'use strict' directives (#780) (@​Fdawgs)
• c99f336 #781 prerelease identifier starting with digits (#781) (@​mbtools)

Chores

• c760403 #784 template-oss-apply for workflow permissions (#784) (@​wraithgar)
• 2677f2a #778 bump @​npmcli/template-oss from 4.23.6 to 4.24.3 (#778) (@​dependabot[bot], @​npm-cli-bot)

7.7.1 (2025-02-03)

Bug Fixes

• af761c0 #764 inc: fully capture prerelease identifier (#764) (@​wraithgar)

7.7.0 (2025-01-29)

Features

• 0864b3c #753 add "release" inc type (#753) (@​mbtools)

Bug Fixes

• d588e37 #755 diff: fix prerelease to stable version diff logic (#755) (@​eminberkayd, berkay.daglar)
• 8a34bde #754 add identifier validation to inc() (#754) (@​mbtools)

Documentation

• 67e5478 #756 readme: added missing period for consistency (#756) (@​shaymolcho)
• 868d4bb #749 clarify comment about obsolete prefixes (#749) (@​mbtools, @​ljharb)

Chores

• 145c554 #741 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 753e02b #747 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#747) (@​dependabot[bot], @​npm-cli-bot)
• 0b812d5 #744 postinstall for dependabot template-oss PR (@​hashtagchris)

7.6.3 (2024-07-16)

Bug Fixes

• 73a3d79 #726 optimize Range parsing and formatting (#726) (@​jviide)

Documentation

• 2975ece #719 fix extra backtick typo (#719) (@​stdavis)

7.6.2 (2024-05-09)

Bug Fixes

• 6466ba9 #713 lru: use map.delete() directly (#713) (@​negezor, @​lukekarrys)

7.6.1 (2024-05-04)

... (truncated)

Commits

• a25789b chore: release 7.7.3 (#812)
• e37e0ca fix: faster paths for compare (#813)
• 2471d75 fix: x-range build metadata support
• 8f05c87 chore: bump @​npmcli/template-oss from 4.25.0 to 4.25.1 (#807)
• d17aebf chore: bump @​npmcli/template-oss from 4.24.4 to 4.25.0 (#797)
• 3b03e3b chore: bump @​npmcli/template-oss from 4.24.3 to 4.24.4 (#790)
• 281055e chore: release 7.7.2 (#783)
• fcafb61 fix: add missing 'use strict' directives (#780)
• c760403 chore: template-oss-apply for workflow permissions (#784)
• c99f336 fix: prerelease identifier starting with digits (#781)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for semver since your current version.

Updates protobufjs from 6.11.2 to 6.11.4

Commits

• See full diff in compare view

Updates tar-fs from 2.1.1 to 2.1.4

Commits

• f421a23 2.1.4
• c412fa1 refactor to same pattern as v3
• 4b7e868 2.1.3
• 266194b hardlink tweak from main
• d97731b 2.1.2
• fd1634e symlink tweak from main
• See full diff in compare view

Updates minimist from 1.2.5 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

• [Fix] Fix long option followed by single dash [#17](https://github.com/minimistjs/minimist/issues/17)
• [Tests] Remove duplicate test [#12](https://github.com/minimistjs/minimist/issues/12)
• [Fix] opt.string works with multiple aliases [#10](https://github.com/minimistjs/minimist/issues/10)

Fixed

• [Fix] Fix long option followed by single dash (#17) [#15](https://github.com/minimistjs/minimist/issues/15)
• [Tests] Remove duplicate test (#12) [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] Fix long option followed by single dash [#15](https://github.com/minimistjs/minimist/issues/15)
• [Fix] opt.string works with multiple aliases (#10) [#9](https://github.com/minimistjs/minimist/issues/9)
• [Fix] Fix handling of short option with non-trivial equals [#5](https://github.com/minimistjs/minimist/issues/5)
• [Tests] Remove duplicate test [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] opt.string works with multiple aliases [#9](https://github.com/minimistjs/minimist/issues/9)

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape 950eaa7
• [Dev Deps] add missing npmignore dev dep 3226afa
• Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits

• 6901ee2 v1.2.8
• a026794 Merge tag 'v0.2.3'
• c0b2661 v0.2.3
• 63b8fee [Fix] Fix long option followed by single dash (#17)
• 72239e6 [Tests] Remove duplicate test (#12)
• 34b0f1c [eslint] fix indentation
• 3226afa [Dev Deps] add missing npmignore dev dep
• 098873c [Dev Deps] update @ljharb/eslint-config, aud
• 9ec4d27 [Fix] Fix long option followed by single dash
• ba92fe6 [actions] Avoid 0.6 tests due to build failures
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.

Updates ws from 6.2.1 to 6.2.3

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars ...
Description has been truncated