chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
@opentelemetry/exporter-prometheus	0.213.0	0.219.0
@grpc/grpc-js	1.14.3	1.14.4
srvx	0.2.8	0.11.16
systeminformation	5.31.2	5.31.7
ws	8.18.3	8.21.0

Updates @opentelemetry/exporter-prometheus from 0.213.0 to 0.219.0

Release notes

Sourced from @​opentelemetry/exporter-prometheus's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

• fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
  • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
• fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
• feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
• fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

• feat(sdk-node): wire up metric producers from declarative config #6712 @​MikeGoldsmith
• feat(sdk-logs)!: add support for attributes in LoggerOptions #6573 @​pichlermarc

🐛 Bug Fixes

• fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
• fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
• fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
• fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
• fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
• fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
• fix(browser-detector): user agent resource attribute always #6754 @​david-luna
• fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
• fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
• fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

• docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

• refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @​MikeGoldsmith

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna

... (truncated)

Commits

• 13a035b chore: prepare next release (#6756)
• 4b13587 Merge commit from fork
• 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
• 555fca6 Update renovate.json to use matchManagers (#6141)
• b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
• da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
• 002267b chore: complete the move to the smaller SPDX license header (#6791)
• 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
• 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
• bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
• Additional commits viewable in compare view

Updates brace-expansion from 5.0.5 to 2.1.1

Commits

• 64b71d3 2.1.1
• c3a817c Backport v5.0.6 change to v2 (#109)
• 1ee4a90 2.1.0
• b0302ac Add opt-in { max } mitigation to v2 legacy line (#100)
• 73b5459 2.0.3
• 311ac0d Backport fix for GHSA-f886-m6hf-6m8v to v2 (#96)
• a3efcee 2.0.2
• 14f1d91 pkg: publish on tag 2.x
• ed7780a fmt
• 36603d5 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• Additional commits viewable in compare view

Updates @grpc/grpc-js from 1.14.3 to 1.14.4

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.14.4

• Fix a bug that could cause servers to crash when handling malformed requests (advisory GHSA-5375-pq7m-f5r2)
• Fix a bug that could cause clients and servers to crash when handling malformed compressed messages (advisory GHSA-99f4-grh7-6pcq)

Commits

• a380735 Merge pull request #3052 from murgatroid99/grpc-js_1.14.4
• 5b8d37b Merge commit from fork
• 6a97456 Merge commit from fork
• e5e0b1d grpc-js: Bump version to 1.14.4
• 5029a26 Make compression error a static string
• 2fe55fd Fix crashes when receiving malformed compressed data
• 234f917 Fix server crash when handling invalid requests
• acef8d4 Merge pull request #3043 from murgatroid99/rbac_types_change_fix_1.14
• 4f3c58f grpc-js-xds: Update RBAC code to handle Node type change, pin @​types/node
• See full diff in compare view

Updates srvx from 0.2.8 to 0.11.16

Release notes

Sourced from srvx's releases.

v0.11.16

compare changes

🩹 Fixes

• node: Flatten writeHead headers on Deno (#203)
• aws-lambda-streaming: Handle empty body (#205)
• node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

• node/web: Add new TypeOfService utils to socker impl (945fc17)

❤️ Contributors

• Taylor Steele (@​taylorfsteele)
• Pooya Parsa (@​pi0)
• KT (@​ktKongTong)

v0.11.15

compare changes

🩹 Fixes

• node/web: Do not swallow getReader errors (#199)

❤️ Contributors

• Joël Charles (@​magne4000)

v0.11.14

compare changes

🩹 Fixes

• node: Handle EADDRINUSE port conflict on serve (#197)

❤️ Contributors

• Neko (@​nekomeowww)

v0.11.13

compare changes

🩹 Fixes

• url: Deopt absolute URIs in FastURL (de0d699)

v0.11.12

compare changes

... (truncated)

Changelog

Sourced from srvx's changelog.

v0.11.16

compare changes

🩹 Fixes

• node: Flatten writeHead headers on Deno (#203)
• aws-lambda-streaming: Handle empty body (#205)
• node: Do not crash on asterisk-form request targets (#206)

💅 Refactors

• node/web: Add new TypeOfService utils to socker impl (945fc17)

🏡 Chore

• Update deps (4a6fcd3)
• Update deps (c0acb0f)
• Bump deps (c853aa9)
• Update deps (961d756)

✅ Tests

• Node 20 compat (7771820)

🤖 CI

• Downgrade undici for node 20 only (05efca4)
• Downgrade undici for deno node-compat test (e501480)
• Force latest deno version (6f17e2e)
• Directly install latest deno (59ba353)
• Fix deno install (f6efb77)
• Pin deno (7249b63)
• Test node 22, 24, 26 (a745b47)

❤️ Contributors

• Pi0x x@pi0.io
• Taylor Steele (@​taylorfsteele)
• Pooya Parsa (@​pi0)
• KT (@​ktKongTong)

v0.11.15

compare changes

🩹 Fixes

• node/web: Do not swallow getReader errors (#199)

... (truncated)

Commits

• 19efb13 fix(node): do not crash on asterisk-form request targets (#206)
• e429c6f fix(aws-lambda-streaming): handle empty body (#205)
• a745b47 ci: test node 22, 24, 26
• 961d756 chore: update deps
• c853aa9 chore: bump deps
• 7249b63 ci: pin deno
• f6efb77 ci: fix deno install
• 59ba353 ci: directly install latest deno
• 6f17e2e ci: force latest deno version
• 7a05a72 fix(node): flatten writeHead headers on Deno (#203)
• Additional commits viewable in compare view

Updates systeminformation from 5.31.2 to 5.31.7

Release notes

Sourced from systeminformation's releases.

v5.31.7

Full Changelog: sebhildebrandt/systeminformation@v5.31.6...v5.31.7

v5.31.6

Full Changelog: sebhildebrandt/systeminformation@v5.31.5...v5.31.6

v5.31.5

Full Changelog: sebhildebrandt/systeminformation@v5.31.4...v5.31.5

v5.31.4

Full Changelog: sebhildebrandt/systeminformation@v5.31.3...v5.31.4

v5.31.3

Full Changelog: sebhildebrandt/systeminformation@v5.31.2...v5.31.3

Changelog

Sourced from systeminformation's changelog.

Changelog

Major Changes - Version 5

New Functions

• audio() detailed audio information
• bluetoothDevices() detailed information detected bluetooth devices
• dockerImages() detailed information docker images
• dockerVolumes() detailed information docker volumes
• printers() detailed printer information
• usb() detailed USB information
• wifiInterfaces() detected Wi-Fi interfaces
• wifiConnections() active Wi-Fi connections

Breaking Changes

Be aware, that the new version 5.x is NOT fully backward compatible to version 4.x ...

We had to make several interface changes to keep systeminformation as consistent as possible. We highly recommend to go through the complete list and adapt your own code to be again compatible to the new version 5.

Function	Old	New (V5)	Comments
unsupported values	-1	null	values which are unknown orunsupported on platform
battery()	hasbatterycyclecountischargingdesignedcapacitymaxcapacityacconnectedtimeremaining	hasBatterycycleCountisChargingdesignedCapacitymaxCapacityacConnectedtimeRemaining	pascalCase conformity
blockDevices()	fstype	fsType	pascalCase conformity
cpu()	speedminspeedmax	speedMinspeedMax	pascalCase conformity
cpu().speedcpu().speedMincpu().speedMax	string values	now returningnumerical values	better value handling
cpuCurrentspeed()		cpuCurrentSpeed()	function name changedpascalCase conformity
currentLoad()	avgloadcurrentloadcurrentload_usercurrentload_systemcurrentload_nicecurrentload_idlecurrentload_irqraw_currentload	avgLoadcurrentLoadcurrentLoadUsercurrentLoadSystemcurrentLoadNicecurrentLoadIdlecurrentLoadIrqrawCurrentLoad	pascalCase conformity
dockerContainerStats()	mem_usagemem_limitmem_percentcpu_percentcpu_statsprecpu_statsmemory_stats	memUsagememLimitmemPercentcpuPercentcpuStatsprecpuStatsmemoryStats	pascalCase conformity
dockerContainerProcesses()	pid_host	pidHost	pascalCase conformity
graphics().display	pixeldepthresolutionxresolutionysizexsizey	pixelDepthresolutionXresolutionYsizeXsizeY	pascalCase conformity
networkConnections()	localaddresslocalportpeeraddresspeerport	localAddresslocalPortpeerAddresspeerPort	pascalCase conformity
networkInterfaces()	carrier_changes	carrierChanges	pascalCase conformity
processes()	mem_vszmem_rsspcpupcpuupcpuspmem	memVszmemRsscpucpuucpusmem	pascalCase conformityrenamed attributes
processLoad()	result as object	result as array of objects	function now allows to provide more thanone process (as a comma separated list)
services()	pcpupmem	cpumem	renamed attributes
vbox()	HPETPAEAPICX2APICACPIIOAPICbiosAPICmodeTRC	hpetpaeapicx2ApicacpiioApicbiosApicModertc	pascalCase conformity

Other Improvements and Changes

• baseboard(): added memMax, memSlots
• bios(): added language and features (linux)
• blockDevices() added raid group member (linux)
• cpu(): extended AMD processor list

... (truncated)

Commits

• 4e12591 5.31.7
• bbfddde networkInterfaces() fix unsanitized command (linux)
• da1cbf5 5.31.6
• 87dbb60 fix: smaller issues
• 1d1bddf fix: smaller issues
• f69576f fix: networkInterfaces() ci wip
• 78624d1 fix: networkInterfaces() ci
• ed1cac5 5.31.5
• 4dd5aa9 netStats() netstat command adaption (mac OS)
• 59360e6 5.31.4
• Additional commits viewable in compare view

Updates ws from 8.18.3 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.