Bump hot-shots from 14.3.1 to 15.0.0

[dependabot]

Bumps hot-shots from 14.3.1 to 15.0.0.

Changelog

Sourced from hot-shots's changelog.

15.0.0 (2026-5-28)

• @​bdeitte A number of updates to improve callback and error handling:
  • Default error listener on every transport socket so that in the cases we didn't have one, an error doesn't crash the host
  • Wrap interval flushes (buffer + telemetry) and the close-time telemetry flush in try/catch to prevent host crashing
  • Fix child-close error routing so there's no double-delivery for inherited handlers
  • Fix buffered-message callback being sometimes (but not always) misrouted to the prior buffer's flush- new callback now fires synchronously after enqueue for consistency
  • Ensure the errorHandler is used when there's an issue with the flush performed inside close()
  • Updated error section in README to explain better how things work, especially the differences between buffered and unbuffered modes
• @​bdeitte A number of security improvements:
  • Sanitize \r in metric names, tag keys, and tag values alongside newlines, since some receivers split lines on \r and could otherwise be tricked into accepting injected metrics
  • Add files allowlist to package.json so npm publishes only index.js, index.mjs, lib/, and the TypeScript definitions
  • dev-only library updates. Override uuid to 14.x to fix GHSA-w5hq-g745-h8pq and add diff override to ^8.0.3 to resolve GHSA-73rr-hh4g-fpgx transitively pulled in via mocha and sinon.
• @​bdeitte A few smaller cleanups and fixups:
  • Replace polling in close() with a Promise-based drain that handles async-queued follow-up sends
  • Warn (via console.error) on invalid port, sampleRate, bufferFlushInterval config values and use default config values
  • Misc cleanups: for-of over array routes, simpler EAGAIN access, dedup Buffer.byteLength in sendMessage

Commits

• 7129573 15.0.0
• da3053b Changes update
• d15d412 Merge pull request #319 from bdeitte/best-practices
• 6920863 Silence no-invalid-this lint for mocha this.timeout in TS test
• acc1306 Bump TypeScript-compilation test timeout for slow Windows CI
• f20cfd8 Address review feedback
• 3f75e9e Better changes update and fix extra info that is not needed
• dffc900 Address PR review comments
• 5e1e59e More small reviewing updates
• 53c46b4 More small reviewing updates
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

This dependency update will be handled internally by our engineering team.