
[js] update vulnerable dependency with a range#17466

Merged: titusfortner merged 2 commits into trunk from js_dep on May 15, 2026

Conversation

@titusfortner (Member)

🔗 Related Issues

#17465

💥 What does this PR do?

Fixes the security issue but uses a range instead of hard-coding so it won't happen again.

@qodo-code-review (Contributor)

Review Summary by Qodo

Update multer dependency with semantic versioning range

✨ Enhancement

Walkthroughs

Description
• Update multer dependency to use semantic versioning range
• Prevents future security vulnerabilities through automatic patch updates
• Upgrades from pinned version 2.0.2 to ^2.1.1
Diagram
flowchart LR
  A["multer 2.0.2<br/>pinned version"] -- "security fix<br/>with range" --> B["multer ^2.1.1<br/>semantic versioning"]
File Changes

1. javascript/selenium-webdriver/package.json Dependencies +1/-1

Update multer to semantic versioning range

• Changed multer dependency from pinned version 2.0.2 to ^2.1.1
• Enables automatic patch and minor version updates for security fixes
• Maintains compatibility while allowing dependency updates

@selenium-ci added the C-nodejs (JavaScript Bindings) label on May 15, 2026

@qodo-code-review (Contributor) commented May 15, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. Lockfile pins old multer (Bug, Correctness) ✓ Resolved
Description
javascript/selenium-webdriver/package.json now requires multer ^2.1.1, but pnpm-lock.yaml still resolves javascript/selenium-webdriver's devDependency multer to 2.0.2, so Bazel/npm_translate_lock will keep using the old version (or fail due to mismatch). This defeats the intended dependency upgrade and can break CI/reproducible builds.
Code

javascript/selenium-webdriver/package.json[46]

+    "multer": "^2.1.1",
Evidence
The repo's Bazel setup explicitly translates dependencies from the workspace package.json files using the root pnpm-lock.yaml. The updated package.json asks for multer ^2.1.1, but the lockfile still records multer specifier/version as 2.0.2 for javascript/selenium-webdriver and includes a pinned packages entry for multer@2.0.2.

javascript/selenium-webdriver/package.json[35-50]
MODULE.bazel[90-104]
pnpm-lock.yaml[179-181]
pnpm-lock.yaml[3005-3008]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`javascript/selenium-webdriver/package.json` was updated to require `multer: ^2.1.1`, but the workspace lockfile (`pnpm-lock.yaml`) still pins `javascript/selenium-webdriver` to `multer 2.0.2`. Because Bazel uses `npm_translate_lock` with `pnpm_lock`, the dependency upgrade will not be realized (or lock verification may fail due to specifier mismatch).

### Issue Context
Bazel’s `npm_translate_lock` consumes `javascript/selenium-webdriver/package.json` together with `pnpm-lock.yaml`. The lockfile must be updated whenever a workspace package.json changes dependency specifiers.

### Fix Focus Areas
- pnpm-lock.yaml[179-181]
- pnpm-lock.yaml[3005-3008]
- MODULE.bazel[90-104]
- javascript/selenium-webdriver/package.json[35-50]

### What to do
1. Regenerate/update `pnpm-lock.yaml` so the `importers.javascript/selenium-webdriver.devDependencies.multer` specifier matches `^2.1.1` and the resolved version is >=2.1.1.
2. Ensure the `packages:` section no longer pins only `multer@2.0.2` and includes the updated resolved version entry.
3. Re-run the Bazel JS dependency translation step (if part of your workflow) to confirm it succeeds with the updated lock.

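The drift the review describes (a package.json range that the workspace lockfile has not caught up with) can be caught mechanically before it reaches Bazel. The following is an added example, not code from the Selenium project or from the Qodo review; it assumes pnpm's 2-space lockfile layout and handles only caret ranges and exact pins, with a constructed package.json/lockfile pair as input.

```javascript
// Added example, not Selenium project code: flag the drift the review describes, where
// package.json asks for a range while pnpm-lock.yaml still records the old specifier/version.
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// ^x.y.z accepts any version >= x.y.z whose leftmost non-zero component is unchanged
// (pre-release tags not handled); a bare x.y.z is an exact pin; other forms are rejected.
function satisfies(range, version) {
  const m = /^(\^?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const base = m.slice(2).join('.'), [vx, vy] = version.split('.').map(Number);
  if (!m[1] || cmp(version, base) < 0) return cmp(version, base) === 0;
  if (+m[2] > 0) return vx === +m[2];
  return +m[3] > 0 ? vx === 0 && vy === +m[3] : cmp(version, base) === 0;
}

// Reads { name: { specifier, version } } for one importer from the importers block (2-space YAML as pnpm writes it).
function importerDeps(lockText, importer) {
  const deps = {};
  let inImporters = false, inImporter = false, dep = null;
  for (const raw of lockText.split('\n')) {
    const line = raw.trim(), indent = raw.length - raw.trimStart().length;
    if (!line) continue;
    if (indent === 0) { inImporters = line === 'importers:'; inImporter = false; dep = null; }
    else if (indent === 2 && inImporters) { inImporter = line === `${importer}:`; dep = null; }
    else if (indent === 6 && inImporter) { dep = line.slice(0, -1); deps[dep] = {}; }
    else if (indent === 8 && dep) { const [k, v = ''] = line.split(/:\s+/); deps[dep][k] = v.replace(/^'|'$/g, ''); }
  }
  return deps;
}

// Compares every dependency in package.json with the lock's entry for that importer.
function lockDrift(pkg, lockText, importer) {
  const locked = importerDeps(lockText, importer), problems = [];
  for (const [name, range] of Object.entries({ ...pkg.dependencies, ...pkg.devDependencies })) {
    const e = locked[name];
    if (!e) problems.push(`${name}: not in lockfile`);
    else if (e.specifier !== range) problems.push(`${name}: lock specifier ${e.specifier} != ${range}`);
    else if (!satisfies(range, e.version)) problems.push(`${name}: resolved ${e.version} outside ${range}`);
  }
  return problems;
}

// Constructed sample mirroring the review: package.json wants ^2.1.1, the lock still pins 2.0.2.
const SAMPLE_PKG = { devDependencies: { multer: '^2.1.1' } };
const SAMPLE_LOCK = ['importers:', '  javascript/selenium-webdriver:', '    devDependencies:',
  '      multer:', '        specifier: 2.0.2', '        version: 2.0.2'].join('\n');
```

Running `lockDrift(SAMPLE_PKG, SAMPLE_LOCK, 'javascript/selenium-webdriver')` reports the specifier mismatch; once the lock is regenerated with `^2.1.1` and a resolved version inside that range, it returns an empty list.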

Comment thread javascript/selenium-webdriver/package.json
@qodo-code-review (Contributor) commented May 15, 2026

Persistent review updated to latest commit f313f7e

@titusfortner titusfortner merged commit 48842dc into trunk May 15, 2026
27 checks passed
@titusfortner titusfortner deleted the js_dep branch May 15, 2026 18:18