SERVER: Bump the npm group across 1 directory with 17 updates

[dependabot]

Bumps the npm group with 16 updates in the /server directory:

Package	From	To
@azure/identity	4.9.1	4.13.0
@azure/keyvault-secrets	4.9.0	4.10.0
pdfmake	0.2.19	0.3.3
pg	8.16.3	8.17.1
pg-promise	12.1.3	12.3.0
puppeteer	24.19.0	24.35.0
puppeteer-cluster	0.24.0	0.25.0
winston	3.17.0	3.19.0
@types/compression	1.7.5	1.8.1
@types/express-session	1.18.1	1.18.2
@types/morgan	1.9.9	1.9.10
@types/node	25.0.8	25.0.9
@types/passport-google-oauth20	2.0.16	2.0.17
@types/pdfmake	0.2.11	0.2.12
@typescript-eslint/eslint-plugin	8.53.0	8.53.1
nodemon	3.1.10	3.1.11

Updates @azure/identity from 4.9.1 to 4.13.0

Commits

• 980d126 [Identity] Prepare release Oct 25 (#36121)
• 29a8eab Azure.Communication.Email 1.1.0 - 2025-09-01 (#36008)
• 05a9860 [notification-hubs] fix TypeError when parsing AppleTemplateRegistrationDescr...
• cdbd31b [EngSys] automatic pnpm update (#36119)
• 953fcf9 Sync eng/common directory with azure-sdk-tools for PR 12337 (#36113)
• 259da84 [Identity] Remove inappropriate @​internal tags from non-exported members (#36...
• d9c8393 [Identity] Disable probe in DAC when MICred is set exclusively (#36047)
• 6ac80a8 [load-testing-rest] pass PolledOperationOptions to getLongRunningPoller (#35164)
• e92d51a Sync eng/common directory with azure-sdk-tools for PR 12325 (#36109)
• 3dccef7 [perf] update published package versions to latest versions (#36100)
• Additional commits viewable in compare view

Updates @azure/keyvault-secrets from 4.9.0 to 4.10.0

Commits

• 4ff2c18 [core-client-rest] Delete dom.d.ts (#34753)
• 95b5fc6 [eventgrid-systemevents] re-generate June 2025 (#34759)
• d25f710 [EngSys] upgrade typescript-eslint* dev dependencies to ~8.34.0 (#34116)
• c3aaf5a [ServiceBus] reduce max count of messages to delete (#34719)
• f1861c9 Release peraparation for communication.identity package (#34745)
• f3f8beb [keyvault] Add missing key wrap algos (#34768)
• 05fc344 [Monitor OpenTelemetry Exporter][Monitor OpenTelemetry] Release Distro 1.12.0...
• d837415 Use common publish for partner-release (#34601)
• 50da1a3 Sync eng/common directory with azure-sdk-tools for PR 10835 (#34760)
• 5ec071f Ignore various eng files en masse with cspell (#34706)
• Additional commits viewable in compare view

Updates pdfmake from 0.2.19 to 0.3.3

Release notes

Sourced from pdfmake's releases.

0.3.3

• Added properties for ToC:
  • hideEmpty - set to true if you can hide an empty ToC
  • sortBy - 'page' (default) or 'title'
  • sortLocale - custom locale to sort by property sortBy
• Added property decorationThickness for text to set width of the decoration line
• Added inherited/extends styles, use property extends in style with style name or array of string with style names
• Fixed margin override with 0 value
• Fixed margin override from multiple styles
• Fixed text decoration for superscript and subscript
• Fixed svg-to-pdfkit - TypeError: t.classList.contains is not a function

0.3.2

• Fixed non-working open() and print() methods in browser
• Added SVG validation: width and height must be specified (in SVG string/element or svg node)
• Added support for image scaling with only height defined
• Added custom markerColor for each item of ul and ol

0.3.1

• Added auto page height for multiple pages (for section or after custom page break)
• Added type validation for parameters in method createPdf
• Added support SVGElement object for svg node (SVGElement object is available only in browser)
• Updated svg-to-pdfkit library to the latest GitHub master commit
• Fixed a bug in the write method where it did not wait for the file write operation to complete
• Fixed SVG loading
• Fixed rendering SVG without viewBox

0.3.0

Changelog (compared to version 0.2.21)

• Reverted to the original pdfkit package, moving away from @foliojs-fork
• Drop support Internet Explorer 11 (Microsoft will not support from 2022)
• Minimal supported version Node.js 20 LTS
• Port code base to ES6+
• Unify interface for node and browser (breaking change)
• All methods return promise instead of using callback (breaking change)
• Change including virtual font storage in client-side (breaking change)
• Change parameters of pageBreakBefore function (breaking change)
• Support for loading font files and images via URL adresses (https:// or http:// protocol) in Node.js (client and server side now)
• Used fetch API for downloading fonts and images
• Attachments embedding
• Added section node

There is no difference between the stable version 0.3.0 and version 0.3.0-beta.19.

Documentation

Documentation for version 0.3: here Migration guide: here

0.3.0-beta.19

... (truncated)

Changelog

Sourced from pdfmake's changelog.

0.3.3 - 2026-01-18

• Added properties for ToC:
  • hideEmpty - set to true if you can hide an empty ToC
  • sortBy - 'page' (default) or 'title'
  • sortLocale - custom locale to sort by property sortBy
• Added property decorationThickness for text to set width of the decoration line
• Added inherited/extends styles, use property extends in style with style name or array of string with style names
• Fixed margin override with 0 value
• Fixed margin override from multiple styles
• Fixed text decoration for superscript and subscript
• Fixed svg-to-pdfkit - TypeError: t.classList.contains is not a function

0.3.2 - 2026-01-11

• Fixed non-working open() and print() methods in browser
• Added SVG validation: width and height must be specified (in SVG string/element or svg node)
• Added support for image scaling with only height defined
• Added custom markerColor for each item of ul and ol

0.3.1 - 2026-01-07

• Added auto page height for multiple pages (for section or after custom page break)
• Added type validation for parameters in method createPdf
• Added support SVGElement object for svg node (SVGElement object is available only in browser)
• Updated svg-to-pdfkit library to the latest GitHub master commit
• Fixed a bug in the write method where it did not wait for the file write operation to complete
• Fixed SVG loading
• Fixed rendering SVG without viewBox

0.3.0 - 2026-01-01

• Reverted to the original pdfkit package, moving away from @foliojs-fork
• Drop support Internet Explorer 11 (Microsoft will not support from 2022)
• Minimal supported version Node.js 20 LTS
• Port code base to ES6+
• Unify interface for node and browser (breaking change)
• All methods return promise instead of using callback (breaking change)
• Change including virtual font storage in client-side (breaking change)
• Change parameters of pageBreakBefore function (breaking change)
• Support for loading font files and images via URL addresses (https:// or http:// protocol) in Node.js (client and server side now)
• Used fetch API for downloading fonts and images
• Attachments embedding
• Added section node

Commits

• a9812eb 0.3.3
• cc2df44 refresh pdf examples
• c2e80c7 update dependencies
• 7285c78 cleanup example docdefinition
• 136487b fixed text decoration for superscript and subscript #2365
• 79c8e0b added inherited/extends styles, use property extends in style with style na...
• 3f25593 added property decorationThickness for text to set width of the decoratio...
• 0812fb1 fixed margin override from multiple styles #1713
• 666d694 Update CHANGELOG.md
• 8dee97a run 3rdparty manually
• Additional commits viewable in compare view

Updates pg from 8.16.3 to 8.17.1

Changelog

Sourced from pg's changelog.

All major and minor releases are briefly explained below.

For richer information consult the commit log on github with referenced pull requests.

We do not include break-fix version release in this file.

[email protected]

• Throw correct error if database URL parsing fails.

[email protected]

• Add support for min connection pool size.

[email protected]

• Add support for esm importing. CommonJS importing is still also supported.

[email protected]

• Add support from SCRAM-SAH-256-PLUS i.e. channel binding.

[email protected]

• Add ability to specify query timeout on per-query basis.

[email protected]

• Add queryMode config option to force use of the extended query protocol on queries without any parameters.

[email protected]

• Emit release event when client is returned to the pool.

[email protected]

• Add support for stream factory.
• Better errors for SASL authentication.
• Use native crypto module for SASL authentication.

[email protected]

• Bump minimum required version of native bindings.
• Catch previously uncatchable errors thrown in pool.query.
• Prevent the pool from blocking the event loop if all clients are idle (and allowExitOnIdle is enabled).
• Support lock_timeout in client config.
• Fix errors thrown in callbacks from interfering with cleanup.

[email protected]

... (truncated)

Commits

• 4eb7529 Publish
• b94c8e1 Don't use prefix import as it breaks in old nodes. (#3578)
• 6bf475c Improve Deno compatibility: config-first and safe env access (#3547)
• d10e09c Publish
• 9174783 test: Replace dead row length check with similar shape check (#3532)
• 27a2754 Deprecations (#3510)
• See full diff in compare view

Updates pg-promise from 12.1.3 to 12.3.0

Release notes

Sourced from pg-promise's releases.

12.3.0

• Dependencies update for DEV + for spex, to allow for proper types resolution, see PR#19

12.2.0

• Adding official support for PostgreSQL v18, including in GitHub CI.
• Dev dependencies updated.

It is more of a landmark release, without any code changes.

Commits

• f8e79a0 deps
• 1a3c2ce deps
• 29307e4 docs
• 325c20a reverse port
• a8d7e78 updating package
• 4f518fd docs
• 9cb97c5 docs
• e837a44 docs
• 3452b67 docs
• See full diff in compare view

Updates puppeteer from 24.19.0 to 24.35.0

Release notes

Sourced from puppeteer's releases.

puppeteer-core: v24.35.0

24.35.0 (2026-01-12)

🎉 Features

• support background flag when creating pages (#14547) (77245fd)

🛠️ Fixes

• puppeteer-core: Deprecate Cookie attribute sameParty (#14550) (d128a84)
• roll to Chrome 143.0.7499.192 (#14541) (d3127b7)
• webdriver: closing page with iframes via webdriver (#14549) (b89ce87)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.11.0 to 2.11.1

puppeteer: v24.35.0

24.35.0 (2026-01-12)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.11.0 to 2.11.1
    • puppeteer-core bumped from 24.34.0 to 24.35.0

puppeteer-core: v24.34.0

24.34.0 (2025-12-19)

🎉 Features

• publish page.resize() (#14525) (ee31c21)

🛠️ Fixes

• roll to Chrome 143.0.7499.169 (#14529) (40c73cd)

... (truncated)

Changelog

Sourced from puppeteer's changelog.

24.35.0 (2026-01-12)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.11.0 to 2.11.1

🎉 Features

• support background flag when creating pages (#14547) (77245fd)

🛠️ Fixes

• puppeteer-core: Deprecate Cookie attribute sameParty (#14550) (d128a84)
• roll to Chrome 143.0.7499.192 (#14541) (d3127b7)
• webdriver: closing page with iframes via webdriver (#14549) (b89ce87)

24.34.0 (2025-12-19)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 24.33.1 to 24.34.0

🎉 Features

• publish page.resize() (#14525) (ee31c21)

🛠️ Fixes

• roll to Chrome 143.0.7499.169 (#14529) (40c73cd)

... (truncated)

Commits

• 853796e chore: release main (#14542)
• 7deeb78 chore: expose originating targetId on ConsoleMessage (#14556)
• 2f56831 chore(deps): bump ws from 8.18.3 to 8.19.0 in the dependencies group (#14553)
• b89ce87 fix(webdriver): closing page with iframes via webdriver (#14549)
• 695624e chore: add internal _tabId to page (#14548)
• 77245fd feat: support background flag when creating pages (#14547)
• 2ab534b chore: npm audit fix --force (#14546)
• d128a84 fix(puppeteer-core): Deprecate Cookie attribute sameParty (#14550)
• 84d8de3 chore(deps-dev): bump the dev-dependencies group with 3 updates (#14537)
• d3127b7 fix: roll to Chrome 143.0.7499.192 (#14541)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for puppeteer since your current version.

Updates puppeteer-cluster from 0.24.0 to 0.25.0

Release notes

Sourced from puppeteer-cluster's releases.

v0.25.0

Note: Use a version older than 0.25.0 if you want to use a puppeteer version older than 24.0.0.

Changed

• Updated puppeteer types to version 24
• Updated dependencies to their latest versions
• Exported more types for improved TypeScript use

Fixed

• Cluster retrying in error cases when it was already closed

Changelog

Sourced from puppeteer-cluster's changelog.

[0.25.0] - 2025-11-13

Note: Use a version older than 0.25.0 if you want to use a puppeteer version older than 24.0.0.

Changed

• Updated puppeteer types to version 24
• Updated dependencies to their latest versions
• Exported more types for improved TypeScript use

Fixed

• Cluster retrying in error cases when it was already closed

Commits

• 79a906b v0.25.0
• e7df270 Updated CHANGELOG
• 4ad0a90 Github actions ubuntu 24 not working, try ubuntu-22 for now
• ee3376a Updated testing matrix
• 53a5875 Merge branch 'pr-462'
• 3472375 Fix bad link in README
• 368df25 Check if cluster is already closed before retrying, closes #325
• 2be678d Upgrade dependencies
• 7bb6808 Merge branch 'pr-560'
• d610499 Fix typos
• Additional commits viewable in compare view

Updates winston from 3.17.0 to 3.19.0

Release notes

Sourced from winston's releases.

v3.19.0

• Run npm audit fix e7ccdc4
• Don't include jest.config.js in npm package 5a63c8c
• fix: append error cause when using logger.child() (#2467) e74a7ae
• Bump rimraf from 5.0.1 to 5.0.10 (#2517) 8a956fd
• fix: ensure File transport flushes all data before emitting finish (#2594) 86c890f
• Bump actions/setup-node from 4 to 6 (#2589) 3b8be02
• Bump @​babel/core from 7.28.0 to 7.28.5 (#2591) f4c3e2c
• Bump actions/checkout from 4 to 6 (#2593) dd7906e
• chore: migrate test runner from mocha to jest (#2567) 2e9eb18

---

winstonjs/winston@v3.18.3...v3.19.0

v3.18.3

• Update diagnostics dependency (removes fix-esm transitive dependency) a15a9e9

---

winstonjs/winston@v3.18.2...v3.18.3

v3.18.2

• Bump diagnostics package to resolve #2583 (again) f4582c3

---

winstonjs/winston@v3.18.1...v3.18.2

v3.18.1

• Bump diagnostics package to resolve #2583 e668c2c

---

winstonjs/winston@v3.18.0...v3.18.1

v3.18.0

• Update diagnostics package to latest version to remove vulnerability 376e331
• add @​initd.sg/winston-cloudwatch (#2532) 71ee92a
• Update transports.md (#2549) 3547a95
• docs: update transport.md (#2550) dc88db0
• feat: adds helper function for highest log level (#2514) c69cdb0

---

winstonjs/winston@v3.17.0...v3.18.0

Commits

• ed45345 3.19.0
• e7ccdc4 Run npm audit fix
• 5a63c8c Don't include jest.config.js in npm package
• e74a7ae fix: append error cause when using logger.child() (#2467)
• 8a956fd Bump rimraf from 5.0.1 to 5.0.10 (#2517)
• 86c890f fix: ensure File transport flushes all data before emitting finish (#2594)
• 3b8be02 Bump actions/setup-node from 4 to 6 (#2589)
• f4c3e2c Bump @​babel/core from 7.28.0 to 7.28.5 (#2591)
• dd7906e Bump actions/checkout from 4 to 6 (#2593)
• 2e9eb18 chore: migrate test runner from mocha to jest (#2567)
• Additional commits viewable in compare view

Updates @types/compression from 1.7.5 to 1.8.1

Commits

• See full diff in compare view

Updates @types/express-session from 1.18.1 to 1.18.2

Commits

• See full diff in compare view

Updates @types/morgan from 1.9.9 to 1.9.10

Commits

• See full diff in compare view

Updates @types/node from 25.0.8 to 25.0.9

Commits

• See full diff in compare view

Updates @types/passport-google-oauth20 from 2.0.16 to 2.0.17

Commits

• See full diff in compare view

Updates @types/pdfmake from 0.2.11 to 0.2.12

Commits

• See full diff in compare view

Updates @typescript-eslint/eslint-plugin from 8.53.0 to 8.53.1

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.53.1

8.53.1 (2026-01-19)

🩹 Fixes

• eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#11951)
• utils: make RuleCreator root defaultOptions optional (#11956)

❤️ Thank You

• Cameron
• Yukihiro Hasegawa @​y-hsgw

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.53.1 (2026-01-19)

🩹 Fixes

• utils: make RuleCreator root defaultOptions optional (#11956)
• eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#11951)

❤️ Thank You

• Cameron
• Yukihiro Hasegawa @​y-hsgw

You can read about our versioning strategy and releases on our website.

Commits

• 9940e53 chore(release): publish 8.53.1
• e0f2a01 fix(utils): make RuleCreator root defaultOptions optional (#11956)
• 76f8ff7 fix(eslint-plugin): [consistent-indexed-object-style] skip fixer if interface...
• See full diff in compare view

Updates @typescript-eslint/parser from 8.53.0 to 8.54.0

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.54.0

8.54.0 (2026-01-26)

🚀 Features

• eslint-plugin-internal: add prefer-tsutils-methods rule (#11974, #11625)
• scope-manager: support ScopeManager#addGlobals (#11914)
• typescript-estree: add shortcut methods to ParserServicesWithTypeInformation (#11965, #11955)

🩹 Fixes

• eslint-plugin: [no-unused-private-class-members] private destructured class member is defined but used (#11785)
• eslint-plugin: [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#11967, #11559)
• scope-manager: fix catch clause scopes def.name (#11982)
• scope-manager: prevent misidentification of "use strict" directives (#11995)
• utils: handle missing FlatESLint and LegacyESLint (#11958)

❤️ Thank You

• Brad Zacher @​bradzacher
• fnx @​DMartens
• Francesco Trotta
• Josh Goldberg
• MinJae @​Ju-MINJAE
• Minyeong Kim @​minyeong981
• overlookmotel
• Yuya Yoshioka @​YuyaYoshioka
• 김현수 @​Kimsoo0119

You can read about our versioning strategy and releases on our website.

v8.53.1

8.53.1 (2026-01-19)

🩹 Fixes

• eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#11951)
• utils: make RuleCreator root defaultOptions optional (#11956)

❤️ Thank You

• Cameron
• Yukihiro Hasegawa @​y-hsgw

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.54.0 (2026-01-26)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.53.1 (2026-01-19)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

Commits

• d423e57 chore(release): publish 8.54.0
• 9940e53 chore(release): publish 8.53.1
• See full diff in compare view

Updates nodemon from 3.1.10 to 3.1.11

Release notes

Sourced from nodemon's releases.

v3.1.11

3.1.11 (2025-11-11)

Bug Fixes

• script.start with missing file (8d927f1), closes #2258

Commits

• 8d927f1 fix: script.start with missing file
• 9c966c1 chore: website
• 1bf915d chore: website
• 89e92da chore: website
• 838ea0c chore: website
• 7a64464 chore: website
• 079c683 chore: website
• 71934a3 chore: website
• d6ec490 chore: website
• 745a994 Merge branch 'main' of github.com:remy/nodemon
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.