fix: patch dependency security vulnerabilities (#115)

Resolve all 57 advisories reported by `pnpm audit`
(1 critical, 29 high, 24 moderate, 3 low) down to 0.

Security-relevant direct dependency bumps:
- middleware: axios ^1.15.0 -> ^1.16.1 (SSRF/DoS/prototype pollution + follow-redirects)
- puppeteer-renderer: qs ^6.14.1 -> ^6.15.2, lodash ^4.17.21 -> ^4.18.1,
  express ^4.18.1 -> ^4.22.2 (path-to-regexp ReDoS), puppeteer ^24.32.0 -> ^24.43.1
  (resolves basic-ftp critical, ws, ip-address in the dependency tree)
- root: turbo ^2.3.3 -> ^2.9.16

Refresh the lockfile to pull patched transitive dependencies and add a
qs override (>=6.15.2) plus an explicit vite ^7.3.2 dev dependency to
clear the remaining advisories.

puppeteer 24.43 changed page.screenshot() to return a plain Uint8Array
instead of a Buffer, breaking pngjs parsing in wait-for-animations.ts.
Convert it to a Buffer before reading (matching the pattern in renderer.ts).

Bump puppeteer-renderer to 4.0.3 and puppeteer-renderer-middleware to 1.0.3.

Author: zenato

package.json

@@ -25,21 +25,20 @@
     ]
   },
   "devDependencies": {
-    "eslint": "^9.17.0",
+    "eslint": "^9.39.4",
     "eslint-plugin-common": "workspace:*",
     "husky": "^9.1.7",
-    "lint-staged": "^15.2.11",
-    "prettier": "^3.4.2",
-    "turbo": "^2.3.3"
+    "lint-staged": "^15.5.2",
+    "prettier": "^3.8.3",
+    "turbo": "^2.9.16"
   },
   "engines": {
     "node": ">=22"
   },
   "packageManager": "pnpm@10.12.1",
   "pnpm": {
     "overrides": {
-      "qs": ">=6.14.1"
+      "qs": ">=6.15.2"
     }
   }
 }
-

packages/eslint-plugin-common/package.json

@@ -9,14 +9,14 @@
     ".": "./index.js"
   },
   "dependencies": {
-    "@eslint/js": "^9.17.0",
-    "typescript-eslint": "^8.18.1",
-    "eslint-config-prettier": "^9.1.0",
-    "globals": "^15.14.0"
+    "@eslint/js": "^9.39.4",
+    "eslint-config-prettier": "^9.1.2",
+    "globals": "^15.15.0",
+    "typescript-eslint": "^8.60.0"
   },
   "devDependencies": {
-    "eslint": "^9.17.0",
-    "typescript": "^5.7.2"
+    "eslint": "^9.39.4",
+    "typescript": "^5.9.3"
   },
   "peerDependencies": {
     "eslint": "^9.0.0"

packages/middleware/package.json

@@ -10,7 +10,7 @@
     "url": "https://github.com/zenato/puppeteer-renderer"
   },
   "homepage": "https://github.com/zenato/puppeteer-renderer/tree/main/packages/middleware",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "An Express middleware for SSR using puppeteer-renderer",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -37,13 +37,13 @@
     "prepublish": "npm run build"
   },
   "dependencies": {
-    "axios": "^1.15.0"
+    "axios": "^1.16.1"
   },
   "devDependencies": {
-    "@types/express": "^4.17.17",
-    "@types/lodash": "^4.14.197",
-    "express": "^4.18.1",
-    "rimraf": "^5.0.1",
+    "@types/express": "^4.17.25",
+    "@types/lodash": "^4.17.24",
+    "express": "^4.22.2",
+    "rimraf": "^6.1.3",
     "tsup": "^8.5.1"
   },
   "peerDependencies": {

packages/puppeteer-renderer/package.json

@@ -2,7 +2,7 @@
   "name": "puppeteer-renderer",
   "author": "yeongjinnn@gmail.com",
   "private": true,
-  "version": "4.0.1",
+  "version": "4.0.3",
   "description": "",
   "main": "src/index.js",
   "scripts": {
@@ -17,28 +17,29 @@
   "license": "MIT",
   "dependencies": {
     "content-disposition": "^0.5.4",
-    "express": "^4.18.1",
-    "lodash": "^4.17.21",
+    "express": "^4.22.2",
+    "lodash": "^4.18.1",
     "pixelmatch": "^5.3.0",
     "pngjs": "^7.0.0",
-    "puppeteer": "^24.32.0",
-    "qs": "^6.14.1",
-    "zod": "^4.1.13"
+    "puppeteer": "^24.43.1",
+    "qs": "^6.15.2",
+    "zod": "^4.4.3"
   },
   "devDependencies": {
-    "@swc/core": "^1.10.1",
-    "@types/content-disposition": "^0.5.8",
-    "@types/express": "^5.0.0",
-    "@types/lodash": "^4.17.13",
-    "@types/node": "^22.10.2",
+    "@swc/core": "^1.15.40",
+    "@types/content-disposition": "^0.5.9",
+    "@types/express": "^5.0.6",
+    "@types/lodash": "^4.17.24",
+    "@types/node": "^22.19.19",
     "@types/pixelmatch": "^5.2.6",
     "@types/pngjs": "^6.0.5",
-    "@types/qs": "^6.9.17",
-    "eslint": "^9.17.0",
-    "rimraf": "^6.0.1",
+    "@types/qs": "^6.15.1",
+    "eslint": "^9.39.4",
+    "rimraf": "^6.1.3",
     "tsconfig": "workspace:*",
     "tsup": "^8.5.1",
-    "typescript": "^5.7.2",
-    "vitest": "^4.0.15"
+    "typescript": "^5.9.3",
+    "vite": "^7.3.2",
+    "vitest": "^4.1.7"
   }
 }

packages/puppeteer-renderer/src/lib/wait-for-animations.ts

@@ -18,7 +18,7 @@ export default async function waitForAnimations(
 
   while (new Date().getTime() - t0 < timeout) {
     const buffer = await page.screenshot({ ...options, type: 'png' })
-    const current = PNG.sync.read(buffer as Buffer)
+    const current = PNG.sync.read(Buffer.isBuffer(buffer) ? buffer : Buffer.from(buffer))
 
     if (previous !== null && previous.data.length === current.data.length) {
       const diff = pixelmatch(previous.data, current.data, null, previous.width, previous.height)