
Conversation

@cgoldberg cgoldberg (Member) commented Nov 18, 2025

User description

🔗 Related Issues

Fixes https://github.com/SeleniumHQ/selenium/security/dependabot/197
Fixes https://github.com/SeleniumHQ/selenium/security/dependabot/198
Fixes https://github.com/SeleniumHQ/selenium/security/dependabot/202
Fixes https://github.com/SeleniumHQ/selenium/security/dependabot/203
Fixes https://github.com/SeleniumHQ/selenium/security/dependabot/219
Fixes https://github.com/SeleniumHQ/selenium/security/dependabot/220

💥 What does this PR do?

This PR updates JavaScript packages and generates a new pnpm-lock.yaml to address security vulnerabilities in dependencies.

🔄 Types of changes

  • Build/Packaging

PR Type

Enhancement


Description

  • Updates dev dependencies to fix security vulnerabilities

  • Upgrades @bazel/runfiles, eslint, and related packages

  • Updates testing and build tool dependencies

  • Regenerates pnpm-lock.yaml with updated versions


Diagram Walkthrough

flowchart LR
  A["package.json files"] -- "update versions" --> B["Dev dependencies"]
  B -- "eslint, mocha, prettier" --> C["Security fixes"]
  A -- "regenerate" --> D["pnpm-lock.yaml"]

File Walkthrough

Relevant files

Dependencies

package.json (javascript/selenium-webdriver/package.json), +12/-12: Update JavaScript dev dependencies versions

  • Updates @bazel/runfiles from ^6.3.1 to ^6.5.0
  • Upgrades eslint and @eslint/js from ^9.18.0 to ^9.39.1
  • Updates eslint plugins (config-prettier, plugin-n, plugin-prettier)
  • Upgrades testing tools (mocha, jsdoc, prettier, supports-color)
  • Updates multer from 1.4.5-lts.2 to 2.0.2

package.json (javascript/grid-ui/package.json), +2/-2: Update grid UI build and test dependencies

  • Upgrades esbuild from 0.24.2 to 0.27.0
  • Updates ts-jest from ^29.3.4 to ^29.4.5

Configuration changes

pnpm-lock.yaml (pnpm-lock.yaml), +664/-596: Regenerate pnpm lockfile

  • Regenerated lockfile to reflect all package.json updates
  • Updates dependency tree with new package versions

Documentation

CHANGES.md (javascript/selenium-webdriver/CHANGES.md), +0/-1: Document dependency updates

  • Documents the dependency updates and security fixes
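One check worth running on a lockfile regeneration like this one is to confirm that every resolved copy of a bumped package, transitive copies included, is at or above the version the PR lands on, because a package.json bump alone does not guarantee that no older copy survives elsewhere in the dependency tree. The script below is an added example, not code from this PR or from the Selenium project; the lockfile fragment it parses is constructed for the example (with placeholder integrity hashes), and the minimum versions are the ones listed in the walkthrough above.

```javascript
// Audit a pnpm lockfile: every resolved instance of a package (direct or
// transitive) must be at or above the version the dependency bump lands on.
// Added example for this PR page; not part of the Selenium project's code.

// Constructed lockfile fragment (not the PR's real pnpm-lock.yaml). It keeps one
// stale transitive copy of multer next to the patched one so the check has
// something to catch. Integrity values are placeholders.
const SAMPLE_LOCK = `lockfileVersion: '6.0'

importers:

  javascript/selenium-webdriver:
    devDependencies:
      multer:
        specifier: 2.0.2
        version: 2.0.2

packages:

  /@bazel/runfiles@6.5.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  /esbuild@0.27.0:
    resolution: {integrity: sha512-PLACEHOLDER}
    hasBin: true

  /multer@2.0.2:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: '>= 10.16.0'}

  /multer@1.4.5-lts.2:
    resolution: {integrity: sha512-PLACEHOLDER}

  /ts-jest@29.4.5(jest@29.7.0)(typescript@5.7.2):
    resolution: {integrity: sha512-PLACEHOLDER}
    hasBin: true
`;

// Minimum versions this PR lands on, taken from the File Walkthrough above.
const MINIMUMS = {
  '@bazel/runfiles': '6.5.0',
  esbuild: '0.27.0',
  multer: '2.0.2',
  'ts-jest': '29.4.5',
};

// A package key under `packages:` (v6 keys start with "/") or under the v9
// `packages:`/`snapshots:` sections, e.g. "  /multer@2.0.2:",
// "  '@eslint/js@9.39.1':", "  ts-jest@29.4.5(jest@29.7.0):".
const PKG_KEY = /^  '?\/?(?<name>(?:@[^\/@\s']+\/)?[^@\s'(:]+)@(?<version>[^(:'\s]+)/;
const SECTION = /^(?<section>[A-Za-z]+):\s*$/;

// Order versions the semver way: numeric core first; a pre-release such as
// 1.4.5-lts.2 sorts below the plain 1.4.5 release.
function compareVersions(a, b) {
  const split = (v) => {
    const [core, ...rest] = v.split('-');
    const nums = core.split('.').map(Number);
    while (nums.length < 3) nums.push(0);
    return { nums, pre: rest.join('-') };
  };
  const x = split(a), y = split(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre === y.pre) return 0;
  if (!x.pre) return 1; // a release beats a pre-release of the same core
  if (!y.pre) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Collect every resolved version of every package, in lockfile order.
function resolvedVersions(lockText) {
  const found = {};
  let section = '';
  for (const line of lockText.split('\n')) {
    const top = SECTION.exec(line);
    if (top) { section = top.groups.section; continue; }
    if (section !== 'packages' && section !== 'snapshots') continue;
    const m = PKG_KEY.exec(line);
    if (!m) continue;
    const { name, version } = m.groups;
    if (!found[name]) found[name] = [];
    if (!found[name].includes(version)) found[name].push(version); // v9 lists keys twice
  }
  return found;
}

// Return [name, version] for every resolved instance below its minimum.
function findOutdated(lockText, minimums) {
  const bad = [];
  for (const [name, versions] of Object.entries(resolvedVersions(lockText))) {
    const floor = minimums[name];
    if (floor === undefined) continue;
    for (const v of versions) {
      if (compareVersions(v, floor) < 0) bad.push([name, v]);
    }
  }
  return bad;
}

for (const [name, version] of findOutdated(SAMPLE_LOCK, MINIMUMS)) {
  console.log(`${name}@${version} is below the required ${MINIMUMS[name]}`);
}
```

Pointing it at a real lockfile means replacing SAMPLE_LOCK with the file's contents (for example via fs.readFileSync('pnpm-lock.yaml', 'utf8')). The parser recognises both the v6 keys (leading slash) and the v9 packages/snapshots keys, and it treats pre-release suffixes such as 1.4.5-lts.2 as lower than the matching release, so the old multer line-up is flagged even though the direct dependency was bumped.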

@selenium-ci selenium-ci added B-grid Everything grid and server related C-nodejs JavaScript Bindings labels Nov 18, 2025
@qodo-merge-pro qodo-merge-pro bot (Contributor) commented Nov 18, 2025

PR Compliance Guide 🔍

(Compliance updated until commit 295d209)

Below is a summary of compliance checks for this PR:

Security Compliance 🟢: No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.

Ticket Compliance 🎫: No ticket provided.

Codebase Duplication Compliance: Codebase context is not defined.

Custom Compliance
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit impact: The changes only update dependencies in package manifests without adding or modifying
runtime code that performs critical actions, so there is no new code to assess for audit
trail logging.

Referred Code
  "@bazel/runfiles": "^6.5.0",
  "jszip": "^3.10.1",
  "tmp": "^0.2.5",
  "ws": "^8.18.3"
},
"devDependencies": {
  "@eslint/js": "^9.39.1",
  "clean-jsdoc-theme": "^4.3.0",
  "eslint": "^9.39.1",
  "eslint-config-prettier": "^10.1.8",
  "eslint-plugin-mocha": "^10.5.0",
  "eslint-plugin-n": "^17.23.1",
  "eslint-plugin-no-only-tests": "^3.3.0",
  "eslint-plugin-prettier": "^5.5.4",
  "express": "^4.21.2",
  "globals": "^15.15.0",
  "has-flag": "^5.0.1",
  "jsdoc": "^4.0.5",
  "mocha": "^11.7.5",
  "mocha-junit-reporter": "^2.2.1",
  "multer": "2.0.2",


 ... (clipped 4 lines)


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status:
No code changes: Only dependency version updates were added to package.json; there are no new identifiers
or implementation code to evaluate for naming quality.

Referred Code
"esbuild": "0.27.0",
"jest": "^29.7.0",
"jest-environment-jsdom": "^29.7.0",
"ts-jest": "^29.4.5",
"ts-standard": "12.0.2",


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error paths: The diff contains only dependency/version changes with no new error-producing code paths
to assess for handling or edge case management.

Referred Code
  "@bazel/runfiles": "^6.5.0",
  "jszip": "^3.10.1",
  "tmp": "^0.2.5",
  "ws": "^8.18.3"
},
"devDependencies": {
  "@eslint/js": "^9.39.1",
  "clean-jsdoc-theme": "^4.3.0",
  "eslint": "^9.39.1",
  "eslint-config-prettier": "^10.1.8",
  "eslint-plugin-mocha": "^10.5.0",
  "eslint-plugin-n": "^17.23.1",
  "eslint-plugin-no-only-tests": "^3.3.0",
  "eslint-plugin-prettier": "^5.5.4",
  "express": "^4.21.2",
  "globals": "^15.15.0",
  "has-flag": "^5.0.1",
  "jsdoc": "^4.0.5",
  "mocha": "^11.7.5",
  "mocha-junit-reporter": "^2.2.1",
  "multer": "2.0.2",


 ... (clipped 4 lines)


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
No user errors: No user-facing error messages were introduced; only dev dependency updates are present, so
secure error handling cannot be evaluated from this diff.

Referred Code
"esbuild": "0.27.0",
"jest": "^29.7.0",
"jest-environment-jsdom": "^29.7.0",
"ts-jest": "^29.4.5",
"ts-standard": "12.0.2",


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
No logging code: The added lines are dependency declarations only and do not introduce or modify any
logging statements to assess for sensitive data exposure.

Referred Code
  "@bazel/runfiles": "^6.5.0",
  "jszip": "^3.10.1",
  "tmp": "^0.2.5",
  "ws": "^8.18.3"
},
"devDependencies": {
  "@eslint/js": "^9.39.1",
  "clean-jsdoc-theme": "^4.3.0",
  "eslint": "^9.39.1",
  "eslint-config-prettier": "^10.1.8",
  "eslint-plugin-mocha": "^10.5.0",
  "eslint-plugin-n": "^17.23.1",
  "eslint-plugin-no-only-tests": "^3.3.0",
  "eslint-plugin-prettier": "^5.5.4",
  "express": "^4.21.2",
  "globals": "^15.15.0",
  "has-flag": "^5.0.1",
  "jsdoc": "^4.0.5",
  "mocha": "^11.7.5",
  "mocha-junit-reporter": "^2.2.1",
  "multer": "2.0.2",


 ... (clipped 4 lines)


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
No input handling: Dependency version bumps do not include new input processing code, so input validation and
data handling cannot be assessed from this diff.

Referred Code
"esbuild": "0.27.0",
"jest": "^29.7.0",
"jest-environment-jsdom": "^29.7.0",
"ts-jest": "^29.4.5",
"ts-standard": "12.0.2",


Compliance status legend
  • 🟢 - Fully Compliant
  • 🟡 - Partially Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label

Previous compliance checks

Compliance check up to commit b3ef235
Security Compliance 🟢: No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.

Ticket Compliance 🎫: No ticket provided.

Codebase Duplication Compliance: Codebase context is not defined.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed


Compliance check up to commit 6354826
Security Compliance 🟢: No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.

Ticket Compliance 🎫: No ticket provided.

Codebase Duplication Compliance: Codebase context is not defined.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit impact: The PR only updates devDependencies ('multer' and 'esbuild') with no
new runtime code, so it neither adds nor removes audit logging; verifying broader repo
impact may require checking regenerated lockfile or build scripts.

Referred Code
"multer": "2.0.0",
"prettier": "^3.4.2",


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error paths: Only dependency versions were changed without any executable code, so there is no new
error handling to assess; potential indirect effects via updated tooling may warrant human
verification.

Referred Code
"esbuild": "0.25.0",
"jest": "^29.7.0",


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Dependency update risk: Updating 'multer' and 'esbuild' versions introduces no new input
handling code here, but may change transitive behavior; confirm no breaking changes affect
validation or security in build/test paths.

Referred Code
"multer": "2.0.0",
"prettier": "^3.4.2",


@qodo-merge-pro qodo-merge-pro bot (Contributor) commented Nov 18, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Revert breaking lockfile version change
Suggestion Impact: The commit changed lockfileVersion from '9.0' back to '6.0' as suggested.

code diff:

-lockfileVersion: '9.0'
+lockfileVersion: '6.0'

Revert the lockfileVersion update from '6.0' to '9.0'. This change requires a
pnpm major version upgrade (to v9+) across all environments, which could break
dependency installation if not coordinated.

pnpm-lock.yaml [1]

-lockfileVersion: '9.0'
+lockfileVersion: '6.0'
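Review bot: the revert to lockfileVersion '6.0' is only sound if the whole file was regenerated by the pnpm major that writes that format; a body produced by pnpm 9 with a hand-edited '6.0' header would not install cleanly under pnpm 8 either. Since the walkthrough shows the lockfile diff at +664/-596, confirm the regenerated file was produced with the pnpm version CI uses rather than by changing this one line.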

[Suggestion processed]

Suggestion importance[1-10]: 10


Why: This suggestion correctly points out a critical, project-wide breaking change in the pnpm lockfileVersion, which could halt all development and CI/CD pipelines if not managed correctly.

High
Revert breaking major version upgrade

Revert the multer upgrade to version 2.0.0. This is a major update with breaking
changes that requires code refactoring not included in this PR, which will break
file uploads.

javascript/selenium-webdriver/package.json [46]

-"multer": "2.0.0",
+"multer": "1.4.5-lts.2",
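Review bot: this revert works against the PR's stated purpose: the walkthrough lists multer 1.4.5-lts.2 to 2.0.2 as one of the security-driven updates, so pinning back to 1.4.5-lts.2 would reinstate the version the PR sets out to replace. If the 2.x API change is the concern, the appropriate change is adapting multer's call sites in the dev/test code rather than staying on the old release.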
Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies that a major version upgrade of multer with breaking changes is being introduced without the required code refactoring, which will likely break existing functionality.

High

@cgoldberg cgoldberg marked this pull request as draft November 18, 2025 16:26
@cgoldberg cgoldberg marked this pull request as ready for review November 19, 2025 13:40
@qodo-merge-pro qodo-merge-pro bot (Contributor) commented

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance 🟢: No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.

Ticket Compliance 🎫: No ticket provided.

Codebase Duplication Compliance: Codebase context is not defined.

Custom Compliance
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No runtime impact: The changes only update dev/build dependencies and do not add or modify any application
code that would affect audit logging of critical actions.

Referred Code
  "@bazel/runfiles": "^6.5.0",
  "jszip": "^3.10.1",
  "tmp": "^0.2.5",
  "ws": "^8.18.3"
},
"devDependencies": {
  "@eslint/js": "^9.39.1",
  "clean-jsdoc-theme": "^4.3.0",
  "eslint": "^9.39.1",
  "eslint-config-prettier": "^10.1.8",
  "eslint-plugin-mocha": "^10.5.0",
  "eslint-plugin-n": "^17.23.1",
  "eslint-plugin-no-only-tests": "^3.3.0",
  "eslint-plugin-prettier": "^5.5.4",
  "express": "^4.21.2",
  "globals": "^15.15.0",
  "has-flag": "^5.0.1",
  "jsdoc": "^4.0.5",
  "mocha": "^11.7.5",
  "mocha-junit-reporter": "^2.2.1",
  "multer": "2.0.2",


 ... (clipped 4 lines)


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status:
No source code: The PR only modifies dependency versions in package manifests and does not introduce new
identifiers or source code to evaluate naming conventions.

Referred Code
"esbuild": "0.27.0",
"jest": "^29.7.0",
"jest-environment-jsdom": "^29.7.0",
"ts-jest": "^29.4.5",
"ts-standard": "12.0.2",


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error paths: Only dependency version updates were made; no new executable code or error handling logic
was added to assess robustness.

Referred Code
  "@eslint/js": "^9.39.1",
  "clean-jsdoc-theme": "^4.3.0",
  "eslint": "^9.39.1",
  "eslint-config-prettier": "^10.1.8",
  "eslint-plugin-mocha": "^10.5.0",
  "eslint-plugin-n": "^17.23.1",
  "eslint-plugin-no-only-tests": "^3.3.0",
  "eslint-plugin-prettier": "^5.5.4",
  "express": "^4.21.2",
  "globals": "^15.15.0",
  "has-flag": "^5.0.1",
  "jsdoc": "^4.0.5",
  "mocha": "^11.7.5",
  "mocha-junit-reporter": "^2.2.1",
  "multer": "2.0.2",
  "prettier": "^3.6.2",
  "serve-index": "^1.9.1",
  "sinon": "^19.0.5",
  "supports-color": "^10.2.2"
},


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
No user errors: Dependency bumps in package.json do not change user-facing error messaging; there is no
new code to assess for sensitive detail leakage.

Referred Code
"esbuild": "0.27.0",
"jest": "^29.7.0",
"jest-environment-jsdom": "^29.7.0",
"ts-jest": "^29.4.5",
"ts-standard": "12.0.2",


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
No logging changes: The PR updates dev dependencies and adds no new logging statements to evaluate for
structure or sensitive data exposure.

Referred Code
  "@bazel/runfiles": "^6.5.0",
  "jszip": "^3.10.1",
  "tmp": "^0.2.5",
  "ws": "^8.18.3"
},
"devDependencies": {
  "@eslint/js": "^9.39.1",
  "clean-jsdoc-theme": "^4.3.0",
  "eslint": "^9.39.1",
  "eslint-config-prettier": "^10.1.8",
  "eslint-plugin-mocha": "^10.5.0",
  "eslint-plugin-n": "^17.23.1",
  "eslint-plugin-no-only-tests": "^3.3.0",
  "eslint-plugin-prettier": "^5.5.4",
  "express": "^4.21.2",
  "globals": "^15.15.0",
  "has-flag": "^5.0.1",
  "jsdoc": "^4.0.5",
  "mocha": "^11.7.5",
  "mocha-junit-reporter": "^2.2.1",
  "multer": "2.0.2",


 ... (clipped 4 lines)


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Manifest-only change: There is no new input handling or data processing code introduced; only tooling versions
are updated, so validation practices cannot be assessed from this diff.

Referred Code
"esbuild": "0.27.0",
"jest": "^29.7.0",
"jest-environment-jsdom": "^29.7.0",
"ts-jest": "^29.4.5",
"ts-standard": "12.0.2",



@qodo-merge-pro qodo-merge-pro bot (Contributor) commented

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Address breaking changes in Multer

The major version update of multer to v2.0.2 introduces breaking changes that
need to be addressed in the code. Update the implementation to be compatible
with the new API, such as instantiating Multer as a class and explicitly setting
the storage option.

javascript/selenium-webdriver/package.json [46]

+"multer": "2.0.2",
 
-
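Review bot: the hunk shows only the new version pin and a stray "-" line, so the suggestion's claims about multer's 2.x API (class instantiation, an explicit storage option) are not supported by anything in this diff; check them against multer's own 2.0 release notes and the repository's actual multer call sites before changing any code. Note also that this suggestion contradicts the earlier one on the same line, which asked for the upgrade to be reverted.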
Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies that the major version update of multer introduces significant breaking changes that are not addressed in the PR, which will likely cause runtime failures.

Medium
Learned best practice
Align Node engine version constraints

Align the package's Node engine constraint with the minimum versions required by
upgraded tooling (ESLint/Mocha require >=18.18 or >=21.1.0), and document
supported ranges explicitly.

javascript/selenium-webdriver/package.json [22-24]

 "engines": {
-  "node": ">= 20.0.0"
+  "node": ">= 20.9.0 || >= 21.1.0"
 },
 "devDependencies": {
   "@eslint/js": "^9.39.1",
   "eslint": "^9.39.1",
   ...
   "mocha": "^11.7.5",
   ...
 }
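Review bot: the proposed "node": ">= 20.9.0 || >= 21.1.0" is redundant, since >= 20.9.0 already covers every release at or above 21.1.0, and it does not match the suggestion text, which cites >=18.18 or >=21.1.0 as the tooling floor. Pick the single lower bound that actually reflects the engine requirements of the upgraded ESLint and Mocha versions and drop the second alternative.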

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 6


Why: Relevant best practice - Guard external-facing scripts with validation and consistent Node engine constraints to avoid runtime incompatibilities.

Low

@cgoldberg cgoldberg requested a review from harsha509 November 19, 2025 13:47
@harsha509 harsha509 (Member) left a comment


LGTM!

@harsha509 harsha509 merged commit 3114b93 into SeleniumHQ:trunk Nov 19, 2025
39 checks passed

Labels

B-grid Everything grid and server related C-nodejs JavaScript Bindings Review effort 2/5
