Skip to content

chore(deps): update dependency pm2 to v7#21601

Merged
giancorderoortiz merged 4 commits into
developfrom
renovate/pm2-7.x
Jul 3, 2026
Merged

chore(deps): update dependency pm2 to v7#21601
giancorderoortiz merged 4 commits into
developfrom
renovate/pm2-7.x

Conversation

@renovate

@renovate renovate Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pm2 (source) ^5.4.3^7.0.0 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

Unitech/pm2 (pm2)

v7.0.3

Compare Source

Bug Fixes
  • Fix daemon failing to boot on Node.js < 14.18 — embedded vizion used node:-scheme requires; switched to bare specifiers

v7.0.2

Compare Source

Bug Fixes
  • Fix pm2 serve returning 403 Forbidden on Windows — traversal guard used hardcoded / separator #​6109
  • Fix pm2 ls table misalignment when a username exceeds the user column width — cli-tableau's truncate() miscounts ANSI bytes, leaking bold into the watching column
  • Fix long status lines (e.g. Applying action … on app […]) wrapping on narrow terminals — Common.printOut now ANSI-aware crops single-line TTY output to terminal width (piped output unaffected)
Features
  • pm2 ls host-metrics line now shown by defaultpm2 update)
  • pm2 ls adaptive layout: picks the widest layout that fits the terminal — full → condensed → new ultra-compact mini (id · name · status · cpu · mem) — and caps the name column so long names can't overflow the table
  • pm2 ls host-metrics line only lists network interfaces carrying traffic (hides idle utun/awdl/bridge/anpi/unused en*)
  • pm2 ls host-metrics line: replaced mem free with ram usage (%), added GPU memory/temperature when reported, per-interface network errors/drops shown when non-zero
Core Refactor
  • Drop old vizion module, refactor to support only git and drop 3 submodules
  • Replace the bundled pm2-sysmonit module and systeminformation with lib/tools/SysMetrics.js (Linux/macOS); pm2 slist/getSystemData and the Docker metrics path now read this collector. Covered by test/programmatic/sysmetrics.mocha.js
Security
  • Bump js-yaml 4.1.1 → 4.3.0 — fixes quadratic-complexity DoS in merge-key handling (GHSA-h67p-54hq-rp68) #​6122
  • Bump ws 8.20.0 → 8.21.0 — fixes uninitialized-memory disclosure and tiny-fragment DoS (GHSA-58qx-3vcg-4xpx, GHSA-96hv-2xvq-fx4p) #​6116
  • Bump @pm2/js-api 0.8.0 → 0.8.1, pulling in patched ws@8.21.0 (its transitive ws was pinned to the vulnerable 7.x). Production deps are now advisory-free (npm audit --omit=dev clean)

v7.0.1

Compare Source

Bug Fixes
  • Fix Python (and other non-Node) interpreter regression on Ubuntu: bun runtime detection used a naive includes('bun') substring check that matched any path containing the letters "bun" — most notably /home/ubuntu/.... Affected paths were routed through ProcessContainerForkBun.js and crashed with SyntaxError: unterminated string literal when Python tried to parse the JS container. Anchored the match to the end of the interpreter path (=== 'bun' or /bun$/) in both lib/God/ForkMode.js and lib/Common.js #​5990
  • Display max_memory_restart in pm2 describe output when set #​5925
  • Add missing port option to StartOptions TypeScript declaration #​6045
  • Fix incorrect file permissions on openrc.tpl template (0755 → 0644) #​5957
  • Fix Windows cmd.exe regression: revert bin/pm2* launchers to #!/usr/bin/env node shebang (was polyglot #!/bin/sh). Polyglot worked on Linux/macOS but broke npm's pm2.cmd shim on Windows — cmd.exe can't interpret /bin/sh shebang and failed with '"/bin/sh"' is not recognized as an internal or external command. PowerShell's auto-generated pm2.ps1 shim happened to call node directly so it kept working, masking the regression. Bun-only Linux/macOS users (no Node installed) need to symlink node to bun (sudo ln -s $(which bun) /usr/local/bin/node) — same workaround used in the project's bun test Dockerfile. Documented in README #​6108

v7.0.0

Compare Source

Breaking Changes
  • Require Node.js >= 18.0.0 (dropped Node.js 16 support)
Core Refactor
  • Internalize pm2-axon, pm2-axon-rpc, pm2-io-bpm, pm2-io-agent, fclone as local modules (reduced supply chain surface)
  • Internalize pm2-multimeter and charm into lib/tools/multimeter (zero external deps)
  • Add Bun runtime support (ProcessContainerBun.js, ProcessContainerForkBun.js)
  • Replace needle with native fetch (CliAuth, TAR publish)
  • Replace enquirer with lightweight built-in prompt (boilerplate selector)
  • Replace promptly with built-in lib/tools/prompt
  • Replace mkdirp with native fs.mkdirSync({ recursive: true })
  • Replace source-map-support with native process.setSourceMapsEnabled()
  • Replace sprintf-js with template literals (Dashboard)
  • Replace url.parse() with native URL constructor (Serve, Utility, CliAuth)
  • Remove fclone npm dep, use internalized module
  • Drop auto source map file detection in Common.prepareAppConf
Security
  • CVE-2025-5891 Fix ReDoS in Config.js string-to-array split regex #​6075
  • CVE-2026-27699 Update proxy-agent to 6.5.0, basic-ftp to 5.3.1 #​6088
  • Fix command injection in WebAuth.js open() — replace exec() with execFile() #​6089
  • Fix command injection in PM2IO.js open() — replace exec() with execFile(), validate SUDO_USER
  • Fix command injection in lib/tools/open.js — replace exec() with execFile(), validate SUDO_USER
  • Fix prototype pollution in Configuration.set/unset via proto key traversal #​6089
  • Fix HttpInterface env stripping never executing (WEB_STRIP_ENV_VARS) #​6089
Bug Fixes
  • Rewrite TreeKill: single ps snapshot + in-memory tree build, eliminates race conditions. SIGKILL escalation now targets surviving child processes directly instead of re-walking a dead tree #​6084
  • Fix [object Object] env vars leaked to fork mode subprocesses #​6073
  • Fix Windows home path: use os.homedir() instead of HOMEPATH/HOMEDRIVE env vars #​6106
  • Fix Windows TreeKill callback consistency
  • Fix missing BPM monitoring injection in Bun cluster mode (ProcessContainerBun.js)
  • Fix ReferenceError crash in Bun cluster console overrides when disable_logs is true
  • Fix CliAuth wrong credentials error displaying "undefined" instead of error message
Features
  • Add --ftp option to pm2 serve for directory listing (python http.server style)
Dependencies
  • Add OpenTelemetry tracing as direct dependencies (@​opentelemetry/api, sdk-node, auto-instrumentations-node)
  • Upgrade OpenTelemetry packages to latest
  • Update pidusage from 3.0.2 to 4.0.1
  • Upgrade ws to ^8.18.0, eventemitter2 to ^6.4.9
  • Remove needle, enquirer, promptly, mkdirp, source-map-support, sprintf-js, fclone from npm dependencies
Testing
  • Add Docker parallel test runner with Node.js and Bun support
  • Add Windows test suite (test/windows.sh)
  • Add OpenTelemetry tracing tests
  • Add TreeKill unit tests
  • Add test scripts for internalized modules (bpm, axon, axon-rpc, io-agent)
  • Fix test compatibility for Node.js 22+ and Bun
  • CI matrix: Node.js 18, 20 + latest

v6.0.14

Compare Source

v6.0.13

Compare Source

  • Fix blessed package import

v6.0.12

Compare Source

  • #​6037 Drop npm-shrinkwrap in favor of fixed dependencies versions
  • #​5577 fix pm2 monit crash

v6.0.11

Compare Source

v6.0.10

Compare Source

v6.0.9

Compare Source

  • updates all typescript definitions
  • upgrade github ci workflows
  • upgrade mocha dep and adapt tests
  • bump packages
  • fix:Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation #​5971

v6.0.8

Compare Source

  • fix: package-lock update

v6.0.7

Compare Source

v6.0.6

Compare Source

  • refactor: replace chalk with smaller alternative by @​webdiscus

v6.0.5

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
Managed by the SAP Open Source Program Office. For questions/issues please raise an issue in the renovate-controller repository.

@renovate renovate Bot requested a review from a team as a code owner June 9, 2026 16:54
@github-actions github-actions Bot marked this pull request as draft June 9, 2026 16:54
@renovate renovate Bot force-pushed the renovate/pm2-7.x branch from c84ab10 to c6d5078 Compare June 29, 2026 16:53
@renovate

renovate Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@giancorderoortiz giancorderoortiz marked this pull request as ready for review July 3, 2026 10:25
@cypress

cypress Bot commented Jul 3, 2026

Copy link
Copy Markdown

spartacus    Run #53880

Run Properties:  status check passed Passed #53880  •  git commit 8defea18e0 ℹ️: Merge cd161d83003f26e447489764f7c1ee54911754e1 into 987a0b8d025a59d6a17f9d34580a...
Project spartacus
Branch Review renovate/pm2-7.x
Run status status check passed Passed #53880
Run duration 04m 15s
Commit git commit 8defea18e0 ℹ️: Merge cd161d83003f26e447489764f7c1ee54911754e1 into 987a0b8d025a59d6a17f9d34580a...
Committer renovate[bot]
View all properties for this run ↗︎

Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 3
Tests that did not run due to a developer annotating a test with .skip  Pending 0
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 103
View all changes introduced in this branch ↗︎

@github-actions github-actions Bot marked this pull request as draft July 3, 2026 13:13
@giancorderoortiz giancorderoortiz marked this pull request as ready for review July 3, 2026 14:00
@giancorderoortiz giancorderoortiz merged commit d4bd754 into develop Jul 3, 2026
46 checks passed
@giancorderoortiz giancorderoortiz deleted the renovate/pm2-7.x branch July 3, 2026 17:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants