@dependabot dependabot bot commented on behalf of github Jul 15, 2025

Bumps the npm_and_yarn group with 4 updates in the / directory: pbkdf2, koa, lockfile-lint-api and ses.

Updates pbkdf2 from 3.1.2 to 3.1.3

Changelog

Sourced from pbkdf2's changelog.

v3.1.3 - 2025-06-20

Commits

  • Only apps should have lockfiles 8b06730
  • [lint] fix whitespace 9a76e2f
  • [lint] fix parens/curlies/semis/etc 6fd84bf
  • [meta] add auto-changelog 796c38d
  • [Tests] fix tests in node 17 3661fb0
  • Revert "[Tests] fix tests in node < 3" 7431b57
  • [Tests] fix tests in node < 3 eb9f97a
  • [Fix] ensure unknown algorithms throw + known ones match node 26d4fd3
  • [Tests] add GHA, always run nyc 513906a
  • [lint] fix a few more rules ab04da8
  • [lint] switch to eslint 89694cf
  • [Tests] add coverage d0d534b
  • [Refactor] use to-buffer e3102a8
  • [readme] improve badges fca0c9d
  • [Tests] remove unused travis file a2c7d93
  • [meta] switch from files to npmignore 7f31fbc
  • [Tests] use .nycrc 8d628e8
  • [Refactor] minor tweaks fc61005
  • [Deps] update create-hmac, safe-buffer, sha.js ae2a7d0
  • [Fix] pin create-hash, ripemd160 due to breaking changes e079968
  • [Tests] fix tests in node 3 45fbcf3
  • [meta] skip publishing benchmarks 19ea57b
  • [Dev Deps] add missing peer dep 645e252
Commits
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for pbkdf2 since your current version.


Updates koa from 2.14.2 to 2.16.1

Release notes

Sourced from koa's releases.

v2.16.1

fix: don't render redirect values in anchor ref

2.16.0

This is a backported release to fix a core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at koajs/koa#1593 and koajs/koa#1547.

  • fix missing cleanup, if response socket is no longer writeable (issue 1547) (koajs/koa#1593) 399cb6b0dd2104224c0ef0ce8e92f84e4f7faf42

2.15.4

Full Changelog: koajs/koa@2.15.3...2.15.4

Fix: avoid ReDoS on host and protocol getter, see GHSA-593f-38f6-jp5m

Commits

Updates lockfile-lint-api from 5.9.1 to 5.9.2

Release notes

Sourced from lockfile-lint-api's releases.

lockfile-lint-api@5.9.2

Patch Changes

Changelog

Sourced from lockfile-lint-api's changelog.

5.9.2

Patch Changes

Commits

Updates ses from 1.2.0 to 1.14.0

Release notes

Sourced from ses's releases.

2025-07-11

@endo/immutable-arraybuffer 1.1.2

  • Removes @endo/immutable-arraybuffer/shim-hermes.js and absorbs the necessary features into @endo/immutable-arraybuffer/shim.js. We are not qualifying this as a breaking change since the feature did not exist long enough to become relied upon.

@endo/marshal 1.8.0

  • Introduces an environment variable config option ENDO_RANK_STRINGS to change the rank ordering of strings from the current (incorrect) ordering by UTF-16 code unit used by JavaScript's < and .sort() operations to (correct and OCapN-conformant) ordering by Unicode code point. It currently defaults to "utf16-code-unit-order", matching the previously-unconditional behavior.

@endo/pass-style 1.6.3

  • The exported function name isObject is ambiguous. It is unclear whether it includes functions or not. (It does.) To avoid this confusion, we're deprecating isObject and suggesting the use of the new export isPrimitive instead, which has the opposite answer. IOW, for all x, isObject(x) === !isPrimitive(x)

@endo/patterns 1.7.0

  • @endo/marshal introduces an environment variable config option ENDO_RANK_STRINGS to change the rank ordering of strings from the current (incorrect) ordering by UTF-16 code unit used by JavaScript's < and .sort() operations to (correct and OCapN-conformant) ordering by Unicode code point. It currently defaults to "utf16-code-unit-order", matching the previously-unconditional behavior.
    • @endo/patterns provides a compareKeys partial order that delegates some ordering, including strings, to the rank ordering provided by @endo/marshal. So when the ENDO_RANK_STRINGS default is not overridden, then compareKeys also follows the (incorrect) UTF-16 code unit order. But when it is overridden, then compareKeys also follows the (correct) Unicode code-point order.
  • In errors explaining why a specimen does not match a pattern, sometimes the error message contains a quoted form of a nested pattern. This quoting was done with q, producing an uninformative rendering of these nested patterns. Now this quoting is done with qp, which renders these nested patterns into readable Justin source code.

2025-06-02 Releases

@endo/pass-style v1.6.0

BROKEN BUT PATCHED in 1.6.1, this version introduced a dependence on the underlying platform supporting ArrayBuffer.prototype.transferToImmutable. The patch restores the ability to use pass-style on older platforms without the immutable ArrayBuffer shim (as entrained by ses).

  • Introduces support for byteArray.

ses v1.13.0

  • Two new stackFiltering: options are added

    • 'omit-frames' -- Only omit likely uninteresting frames. Keep original paths.
    • 'shorten-paths' -- Only shorten paths to text likely clickable in an IDE

    This fills out the matrix of what should have been orthogonal options. The existing 'concise' setting both omits likely uninteresting frames and shortens their paths. The existing 'verbose' setting does neither.

  • Uses the @endo/immutable-arraybuffer shim to add ArrayBuffer.p.immutable, ArrayBuffer.p.transferToImmutable, and ArrayBuffer.p.sliceToImmutable to ses, in order to emulate the Immutable ArrayBuffer proposal. These make an ArrayBuffer-like object whose contents cannot be mutated. However, due to limitations of the shim:

    • Unlike ArrayBuffer and SharedArrayBuffer, this shim's ArrayBuffer-like object cannot be transferred or cloned between JS threads.
    • Unlike ArrayBuffer and SharedArrayBuffer, this shim's ArrayBuffer-like object cannot be used as the backing store of TypedArrays or DataViews.
    • The shim depends on the platform providing either structuredClone or Array.prototype.transfer. Node <= 16 provides neither, causing the shim to fail to initialize, and therefore SES to fail to initialize on such platforms.
    • Current Hermes has even stronger constraints, lacking structuredClone, transfer, private fields, and even class syntax. This requires other coping strategies. See endojs/endo#2785
    • Even after the upcoming transferToImmutable proposal is implemented by the platform, the current code will still replace it with the shim implementation, in accord with shim best practices. See endojs/endo#2311 . It will require a later manual step to delete the shim or have it avoid overwriting a platform implementation, after manual analysis of the compat implications.
  • The evalTaming option 'safe-eval' now can only throw error SES_DIRECT_EVAL. This allows SES to initialize with 'unsafe-eval' or 'no-eval' on hosts with no direct eval available such as Hermes for a successful lockdown that tolerates its language features.

    The module name ses/hermes can now be required to call lockdown and repairIntrinsics only; Compartment is not yet available.

    It is currently compatible with Hermes v0.12.0; we plan to support v0.13.0 then subsequent Hermes tags or side-by-side versions built for React Native depending on ecosystem usage and official support, then Static Hermes when released.

... (truncated)

Changelog

Sourced from ses's changelog.

1.14.0 (2025-07-12)

Features

  • cache-map: Promote makeLRUCacheMap into a new package (a39db9e)
  • cache-map: Return a kit for exposing metrics (f513ebd)
  • ses: add noAggregateLoadErrors flag (#2832) (b222f9f)

Bug Fixes

1.13.1 (2025-06-17)

Bug Fixes

1.13.0 (2025-06-02)

Features

  • ses: ArrayBuffer.prototype.sliceToImmutable on Hermes (e432b14)
  • ses: ArrayBuffer.prototype.transferToImmutable (#2400) (d714d1d)
  • ses: Include ses-ava in stack frame filtering (bdbdb01)
  • ses: init SES with evalTaming unsafe-eval or no-eval (0dfaa8d)

Bug Fixes

  • ses,lockdown: make filenames in stacktraces clickable (#2747) (178e253), closes #2359 #2359
  • ses: avoid depth-first loading sequence in loadNow to prevent getting stuck in cycles (#2804) (37bfad6)

1.12.0 (2025-03-24)

Features

  • ses: add AsyncGeneratorFunctionInstance to commons (07516f5)
  • ses: bundle and export shim compatible with Hermes compiler (cafc398)

... (truncated)

Commits
  • 9815aea chore(release): publish
  • f513ebd feat(cache-map): Return a kit for exposing metrics
  • d899bcd refactor(cache-map): Relax "LRU" specificity
  • a39db9e feat(cache-map): Promote makeLRUCacheMap into a new package
  • ade5bc1 refactor: hasOwn rather than hasOwnPropertyOf or objectHasOwnProperty (...
  • b222f9f feat(ses): add noAggregateLoadErrors flag (#2832)
  • 75f4887 refactor(ses): Adopt ses eslint configuration
  • 5efcf7d refactor(pass-style): faster isObject (#2860)
  • 25039f5 fix(immutable-arraybuffer): unify shim to work on more platforms (#2855)
  • 03b92fc chore(release): publish
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
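The @endo/marshal and @endo/patterns notes above contrast two string orderings: by UTF-16 code unit, which is what JavaScript's `<` and a comparator-less `.sort()` use, and by Unicode code point, which the notes describe as the correct, OCapN-conformant rank order. The two only diverge for strings containing astral characters (encoded as surrogate pairs), which is easy to miss in testing and matters wherever a canonical ordering must agree across implementations. The following is an added example, not code from the endo project or from this PR: `compareByCodeUnit`, `compareByCodePoint`, `sortStrings`, the order names `'code-unit'` and `'code-point'`, and the sample strings are all constructed here for illustration (only the default value `"utf16-code-unit-order"` is named on the page).

```javascript
// Added example (not from the endo project): compare strings by UTF-16 code
// unit, as JavaScript's `<` does, versus by Unicode code point.

// UTF-16 code-unit order: exactly what `a < b` and Array.prototype.sort with no
// comparator use. Helper name constructed for this example.
function compareByCodeUnit(a, b) {
  return a < b ? -1 : a > b ? 1 : 0;
}

// Unicode code-point order: for..of over a string yields whole code points, so a
// surrogate pair is compared as one value. Helper name constructed for this example.
function compareByCodePoint(a, b) {
  const ia = a[Symbol.iterator]();
  const ib = b[Symbol.iterator]();
  for (;;) {
    const ra = ia.next();
    const rb = ib.next();
    if (ra.done && rb.done) return 0; // equal
    if (ra.done) return -1;           // a is a proper prefix of b
    if (rb.done) return 1;            // b is a proper prefix of a
    const ca = ra.value.codePointAt(0);
    const cb = rb.value.codePointAt(0);
    if (ca !== cb) return ca < cb ? -1 : 1;
  }
}

// Sort a copy of `strings` under one of the two orders. The order names here are
// this example's own, not the values of the ENDO_RANK_STRINGS option.
function sortStrings(strings, order = 'code-unit') {
  const cmp = order === 'code-unit' ? compareByCodeUnit : compareByCodePoint;
  return [...strings].sort(cmp);
}

// Constructed sample input. Code units vs code points:
//   'a'      U+0061  -> 0x0061
//   U+E000   (BMP)   -> 0xE000
//   U+FF5F   (BMP)   -> 0xFF5F
//   U+1F600  (astral)-> 0xD83D 0xDE00 (surrogate pair)
// Code-unit order sees 0xD83D first and ranks U+1F600 below U+E000 and U+FF5F;
// code-point order ranks it last, since 0x1F600 is the largest code point.
const SAMPLE = ['\u{1F600}', '\uFF5F', 'a', '\uE000'];

// True when the two orders produce different sequences for the same input;
// inputs restricted to the BMP always return false.
function ordersDisagree(strings) {
  const byUnit = sortStrings(strings, 'code-unit').join('|');
  const byPoint = sortStrings(strings, 'code-point').join('|');
  return byUnit !== byPoint;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('code-unit :', sortStrings(SAMPLE, 'code-unit').map(s => s.codePointAt(0).toString(16)));
  console.log('code-point:', sortStrings(SAMPLE, 'code-point').map(s => s.codePointAt(0).toString(16)));
  console.log('disagree  :', ordersDisagree(SAMPLE));
}
```

A practical check for a codebase that depends on rank ordering is to run `ordersDisagree` over the real key sets it sorts: if it ever returns true, the default code-unit order and a code-point order will produce different canonical sequences for that data, and the choice of ENDO_RANK_STRINGS setting is observable.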

…dates

Bumps the npm_and_yarn group with 4 updates in the / directory: [pbkdf2](https://github.com/crypto-browserify/pbkdf2), [koa](https://github.com/koajs/koa), [lockfile-lint-api](https://github.com/lirantal/lockfile-lint/tree/HEAD/packages/lockfile-lint-api) and [ses](https://github.com/endojs/endo/tree/HEAD/packages/ses).


Updates `pbkdf2` from 3.1.2 to 3.1.3
- [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md)
- [Commits](browserify/pbkdf2@v3.1.2...v3.1.3)

Updates `koa` from 2.14.2 to 2.16.1
- [Release notes](https://github.com/koajs/koa/releases)
- [Changelog](https://github.com/koajs/koa/blob/master/History.md)
- [Commits](koajs/koa@2.14.2...v2.16.1)

Updates `lockfile-lint-api` from 5.9.1 to 5.9.2
- [Release notes](https://github.com/lirantal/lockfile-lint/releases)
- [Changelog](https://github.com/lirantal/lockfile-lint/blob/main/packages/lockfile-lint-api/CHANGELOG.md)
- [Commits](https://github.com/lirantal/lockfile-lint/commits/lockfile-lint-api@5.9.2/packages/lockfile-lint-api)

Updates `ses` from 1.2.0 to 1.14.0
- [Release notes](https://github.com/endojs/endo/releases)
- [Changelog](https://github.com/endojs/endo/blob/master/packages/ses/CHANGELOG.md)
- [Commits](https://github.com/endojs/endo/commits/ses@1.14.0/packages/ses)

---
updated-dependencies:
- dependency-name: pbkdf2
  dependency-version: 3.1.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: koa
  dependency-version: 2.16.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: lockfile-lint-api
  dependency-version: 5.9.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ses
  dependency-version: 1.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 15, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                  Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added    npm/@endo/cache-map@1.1.0                73                     100            84       88           100
Added    npm/@endo/immutable-arraybuffer@1.1.2    99                     100            92       93           100
Updated  npm/@endo/env-options@1.1.1 ⏵ 1.1.11     100                    100            100      94 +4        100

View full report


dependabot bot commented on behalf of github Sep 13, 2025

Superseded by #3.

@dependabot dependabot bot closed this Sep 13, 2025
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-f1f4ed6715 branch September 13, 2025 12:47