chore(deps-dev): bump the dev-dependencies-minor-patch group across 1 directory with 10 updates

[dependabot]

Bumps the dev-dependencies-minor-patch group with 10 updates in the / directory:

Package	From	To
@hono/node-server	2.0.1	2.0.4
@remix-run/node-fetch-server	0.13.0	0.13.3
@types/node	25.0.3	25.9.2
@vitest/coverage-v8	4.1.5	4.1.8
sherif	1.9.0	1.11.1
srvx	0.10.0	0.11.16
vitest	4.1.5	4.1.8
ws	8.19.0	8.21.0
supertest	7.1.4	7.2.2
@types/supertest	6.0.3	7.2.0

Updates @hono/node-server from 2.0.1 to 2.0.4

Release notes

Sourced from @​hono/node-server's releases.

v2.0.4

What's Changed

• fix: stub ws types to prevent them leaking in public types by @​BlankParticle in honojs/node-server#359

Full Changelog: honojs/node-server@v2.0.3...v2.0.4

v2.0.3

What's Changed

• chore(ci): update GitHub Actions versions by @​BlankParticle in honojs/node-server#352
• docs: Align the ServeStaticOptions comment with the current spec by @​kakkokari-gtyih in honojs/node-server#356
• fix: preserve headers mutated after raw Response construction by @​abdulmunimjemal in honojs/node-server#357

New Contributors

• @​kakkokari-gtyih made their first contribution in honojs/node-server#356
• @​abdulmunimjemal made their first contribution in honojs/node-server#357

Full Changelog: honojs/node-server@v2.0.2...v2.0.3

v2.0.2

What's Changed

• fix(serve-static): stop using file birthtime for Date header by @​usualoma in honojs/node-server#350
• fix: handle serveStatic stream fallback backpressure by @​usualoma in honojs/node-server#351

Full Changelog: honojs/node-server@v2.0.1...v2.0.2

Commits

• 9e1cdee 2.0.4
• b4ca622 fix: stub ws types to prevent them leaking in public types (#359)
• 9d87987 2.0.3
• 9463250 fix: preserve headers mutated after raw Response construction (#357)
• cee5e81 docs: Align the ServeStaticOption command with the current specification (#...
• 4aa0650 chore(ci): update GitHub Actions versions (#352)
• 808159c 2.0.2
• 1a9748e fix: handle serveStatic stream fallback backpressure (#351)
• 54d1bcd fix(serve-static): stop using file birthtime for Date header (#350)
• See full diff in compare view

Updates @remix-run/node-fetch-server from 0.13.0 to 0.13.3

Release notes

Sourced from @​remix-run/node-fetch-server's releases.

node-fetch-server v0.13.3

Patch Changes

• Cancel unfinished streaming response bodies when the client connection closes before the response completes so user-provided ReadableStream.cancel() hooks run for aborted requests (see #11432).

• Drop handler responses when the client has already disconnected, and do not forward request abort errors from handlers or response streams to onError or write them to a closed socket (see #11431).

node-fetch-server v0.13.2

Patch Changes

• Start writing the first response stream chunk immediately instead of waiting for another chunk. Streaming responses with a delayed second chunk now flush their initial data without unnecessary blocking.

Changelog

Sourced from @​remix-run/node-fetch-server's changelog.

v0.13.3

Patch Changes

• Cancel unfinished streaming response bodies when the client connection closes before the response completes so user-provided ReadableStream.cancel() hooks run for aborted requests (see #11432).

• Drop handler responses when the client has already disconnected, and do not forward request abort errors from handlers or response streams to onError or write them to a closed socket (see #11431).

v0.13.2

Patch Changes

• Start writing the first response stream chunk immediately instead of waiting for another chunk. Streaming responses with a delayed second chunk now flush their initial data without unnecessary blocking.

v0.13.1

Patch Changes

• Improve request throughput so node-fetch-server is now on par with native node:http performance in the request-inspection benchmark, while preserving Fetch API request handlers. The main optimizations lazily materialize Request and Headers objects, specialize handlers by declared arity, avoid unnecessary client/request work on hot paths, and send single-chunk response bodies with less Web stream overhead. See the node-fetch-server benchmarks for current results.

Commits

• See full diff in compare view

Updates @types/node from 25.0.3 to 25.9.2

Commits

• See full diff in compare view

Updates @vitest/coverage-v8 from 4.1.5 to 4.1.8

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• See full diff in compare view

Updates sherif from 1.9.0 to 1.11.1

Release notes

Sourced from sherif's releases.

v1.11.1

What's Changed

• feat: add --version flag to cli by @​igas in QuiiBz/sherif#150

Full Changelog: QuiiBz/sherif@v1.11.0...v1.11.1

v1.11.0

What's Changed

• feat(dependencies-nested-star): support single nested glob pattern by @​QuiiBz in QuiiBz/sherif#149
• feat(action)!: Upgrade Node version from 20 to 24 by @​igas in QuiiBz/sherif#152

New Contributors

• @​igas made their first contribution in QuiiBz/sherif#152

Full Changelog: QuiiBz/sherif@v1.10.0...v1.11.0

v1.10.0

JSON configuration in root package.json

When using many CLI arguments, it might be easier to move to the configuration format. In your root package.json, add a sherif field containing the same options as the CLI, but in camelCase. Default values are shown below:

{
  "sherif": {
    "fix": false,
    "select": "highest", // "highest" | "lowest"
    "noInstall": false,
    "failOnWarnings": false,
    "ignoreDependency": [], // string[]
    "ignorePackage": [], // string[]
    "ignoreRule": [] // string[]
  }
}

--fail-on-warnings option

Add a new option --fail-on-warnings to exit with code 1 if any warning issues are found. By default, only error issues will make Sherif exit with code 1.

What's Changed

• feat: add --fail-on-warnings option by @​QuiiBz in QuiiBz/sherif#141
• feat: add support for configuring via root package.json by @​QuiiBz in QuiiBz/sherif#146

Full Changelog: QuiiBz/sherif@v1.9.0...v1.10.0

Commits

• 08adbc0 1.11.1
• 0cb7fd3 feat: add --version flag to cli (#150)
• 5101b4d 1.11.0
• aac941b feat(action)!: Upgrade Node version from 20 to 24 (#152)
• 2a19a43 feat(dependencies-nested-star): support single nested glob pattern (#149)
• 9e68fc2 1.10.0
• efab71d Update mac runners to 15
• 18ebd26 feat: add support for configuring via root package.json (#146)
• a7705ec feat: add --fail-on-warnings option (#141)
• See full diff in compare view

Updates srvx from 0.10.0 to 0.11.16

Release notes

Sourced from srvx's releases.

v0.11.16

compare changes

🩹 Fixes

• node: Flatten writeHead headers on Deno (#203)
• aws-lambda-streaming: Handle empty body (#205)
• node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

• node/web: Add new TypeOfService utils to socker impl (945fc17)

❤️ Contributors

• Taylor Steele (@​taylorfsteele)
• Pooya Parsa (@​pi0)
• KT (@​ktKongTong)

v0.11.15

compare changes

🩹 Fixes

• node/web: Do not swallow getReader errors (#199)

❤️ Contributors

• Joël Charles (@​magne4000)

v0.11.14

compare changes

🩹 Fixes

• node: Handle EADDRINUSE port conflict on serve (#197)

❤️ Contributors

• Neko (@​nekomeowww)

v0.11.13

compare changes

🩹 Fixes

• url: Deopt absolute URIs in FastURL (de0d699)

v0.11.12

compare changes

... (truncated)

Changelog

Sourced from srvx's changelog.

v0.11.16

compare changes

🩹 Fixes

• node: Flatten writeHead headers on Deno (#203)
• aws-lambda-streaming: Handle empty body (#205)
• node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

• node/web: Add new TypeOfService utils to socker impl (945fc17)

🏡 Chore

• Update deps (4a6fcd3)
• Update deps (c0acb0f)
• Bump deps (c853aa9)
• Update deps (961d756)

✅ Tests

• Node 20 compat (7771820)

🤖 CI

• Downgrade undici for node 20 only (05efca4)
• Downgrade undici for deno node-compat test (e501480)
• Force latest deno version (6f17e2e)
• Directly install latest deno (59ba353)
• Fix deno install (f6efb77)
• Pin deno (7249b63)
• Test node 22, 24, 26 (a745b47)

❤️ Contributors

• Pi0x x@pi0.io
• Taylor Steele (@​taylorfsteele)
• Pooya Parsa (@​pi0)
• KT (@​ktKongTong)

v0.11.15

compare changes

🩹 Fixes

• node/web: Do not swallow getReader errors (#199)

... (truncated)

Commits

• 19efb13 fix(node): do not crash on asterisk-form request targets (#206)
• e429c6f fix(aws-lambda-streaming): handle empty body (#205)
• a745b47 ci: test node 22, 24, 26
• 961d756 chore: update deps
• c853aa9 chore: bump deps
• 7249b63 ci: pin deno
• f6efb77 ci: fix deno install
• 59ba353 ci: directly install latest deno
• 6f17e2e ci: force latest deno version
• 7a05a72 fix(node): flatten writeHead headers on Deno (#203)
• Additional commits viewable in compare view

Updates vitest from 4.1.5 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
• 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
• See full diff in compare view

Updates ws from 8.19.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• Additional commits viewable in compare view

Updates supertest from 7.1.4 to 7.2.2

Release notes

Sourced from supertest's releases.

v7.2.2

• fix: replace 'should' dependency with native assertions in cookies module 1954bcf

---

forwardemail/supertest@v7.2.1...v7.2.2

v7.2.1

• fix: correct case-sensitive require path for assertion module d4f04fb

---

forwardemail/supertest@v7.2.0...v7.2.1

v7.2.0

• fix: fixed package lock c4b08a6
• fix: drop v14 and v16 from tests d084ce2
• Merge pull request #872 from forwardemail/dependabot/npm_and_yarn/js-yaml-3.14.2 61f3ddf
• Merge pull request #873 from forwardemail/dependabot/npm_and_yarn/multi-6d05d0e569 bd2fe45
• chore(deps): bump qs, body-parser and express 07bf4fb
• Merge pull request #866 from SchroederSteffen/use-lowercase-header-name 0666797
• Merge pull request #868 from dmurvihill/cookie-assertions 953eca7
• chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 81ab94c
• Merge pull request #870 from kudlav/patch-1 14d905d
• Update links to documentation in README f508b30
• feat(cookies): add cookie assertions 4f89680
• chore(readme): use lower-case header name 1e642b0

---

forwardemail/supertest@v7.1.4...v7.2.0

Commits

• d799751 7.2.2
• 1954bcf fix: replace 'should' dependency with native assertions in cookies module
• 8fb7453 7.2.1
• d4f04fb fix: correct case-sensitive require path for assertion module
• b8f0a43 7.2.0
• c4b08a6 fix: fixed package lock
• d084ce2 fix: drop v14 and v16 from tests
• 61f3ddf Merge pull request #872 from forwardemail/dependabot/npm_and_yarn/js-yaml-3.14.2
• bd2fe45 Merge pull request #873 from forwardemail/dependabot/npm_and_yarn/multi-6d05d...
• 07bf4fb chore(deps): bump qs, body-parser and express
• Additional commits viewable in compare view

Updates @types/supertest from 6.0.3 to 7.2.0

Commits

• See full diff in compare view

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Free

Run ID: d1a982e8-09d8-446e-8934-67dd41868a2f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}