@dependabot dependabot bot commented on behalf of github Jun 3, 2025

Bumps the npm_and_yarn group with 1 update in the / directory: ses.

Updates ses from 1.12.0 to 1.13.0

Release notes

Sourced from ses's releases.

2025-06-02 Releases

ses v1.13.0

  • Two new stackFiltering: options are added

    • 'omit-frames' -- Only omit likely uninteresting frames. Keep original paths.
    • 'shorten-paths' -- Only shorten paths to text likely clickable in an IDE

    This fills out the matrix of what should have been orthogonal options. The existing 'concise' setting both omits likely uninteresting frames and shortens their paths. The existing 'verbose' setting does neither.

  • Uses the @endo/immutable-arraybuffer shim to add ArrayBuffer.p.immutable, ArrayBuffer.p.transferToImmutable, and ArrayBuffer.p.sliceToImmutable to ses, in order to emulate the Immutable ArrayBuffer proposal. These make an ArrayBuffer-like object whose contents cannot be mutated. However, due to limitations of the shim:

    • Unlike ArrayBuffer and SharedArrayBuffer, this shim's ArrayBuffer-like object cannot be transferred or cloned between JS threads.
    • Unlike ArrayBuffer and SharedArrayBuffer, this shim's ArrayBuffer-like object cannot be used as the backing store of TypedArrays or DataViews.
    • The shim depends on the platform providing either structuredClone or Array.prototype.transfer. Node <= 16 and provides neither, causing the shim to fail to initialize, and therefore SES to fail to initialize on such platforms.
    • Current Hermes has even stronger constraints, lacking structuredClone, transfer, private fields, and even class syntax. This requires other coping strategies. See endojs/endo#2785
    • Even after the upcoming transferToImmutable proposal is implemented by the platform, the current code will still replace it with the shim implementation, in accord with shim best practices. See endojs/endo#2311 . It will require a later manual step to delete the shim or have it avoid overwriting a platform implementation, after manual analysis of the compat implications.
  • The evalTaming option 'safe-eval' now can only throw error SES_DIRECT_EVAL. This allows SES to initialize with 'unsafe-eval' or 'no-eval' on hosts with no direct eval available such as Hermes for a successful lockdown that tolerates its language features.

    The module name ses/hermes can now be required to call lockdown and repairIntrinsics only, Compartment is not yet available.

    It is currently compatible with Hermes v0.12.0, we plan to support v0.13.0 then subsequent Hermes tags or side-by-side versions built for React Native depending on ecosystem usage and official support, then Static Hermes when released.

    Also ses/hermes can now be hooked into bundlers such as Metro to run Hardened JS.

@endo/compartment-mapper v1.6.1

  • The dev flag for mapNodeModules() is no longer deprecated. The concept of a "condition" (conditional exports) is distinct from the flag's original meaning (instructs mapNodeModules() to consider devDependencies when graphing packages). Users who have switched to using a development condition for dev's purpose are encouraged to switch back to using the dev flag instead. In a future release, the presence of a development condition will no longer mimic an enabled dev flag and will only be considered when evaluating conditional exports.

@endo/evasive-transform v2.0.0

  • The sourceType option is now restricted to script and module only. Function signature types have changed to be more precise.

@endo/bundle-source v4.1.0

  • The 'endoZipBase64' moduleFormat now utilizes the importHook option to exit dependencies whose specifiers return a truthy value.

@endo/import-bundle v1.5.0

  • The 'endoZipBase64' moduleFormat now utilizes the importHook option.

Changelog

Sourced from ses's changelog.

1.13.0 (2025-06-02)

Features

  • ses: ArrayBuffer.prototype.sliceToImmutable on Hermes (e432b14)
  • ses: ArrayBuffer.prototype.transferToImmutable (#2400) (d714d1d)
  • ses: Include ses-ava in stack frame filtering (bdbdb01)
  • ses: init SES with evalTaming unsafe-eval or no-eval (0dfaa8d)

Bug Fixes

  • ses,lockdown: make filenames in stacktraces clickable (#2747) (178e253), closes #2359 #2359
  • ses: avoid depth-first loading sequence in loadNow to prevent getting stuck in cycles (#2804) (37bfad6)

Commits

  • 571b780 chore(release): publish
  • 11c0eac docs: Update release notes
  • 13c173b chore(types): conform to TS 5.8.3
  • 6a5a410 chore(deps): bump typescript to 5.8.3
  • ae1fae2 test: fix ses-ava Ava usage
  • 7eb22cf lint: skipLibCheck in ses
  • b9c0a35 chore(types): conform
  • 589c0e5 lint: include eslint-ed files in tsconfig
  • 7108ca2 chore(types): conform "ses"
  • 108ddfe lint(types): include "test"
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the / directory: [ses](https://github.com/endojs/endo/tree/HEAD/packages/ses).


Updates `ses` from 1.12.0 to 1.13.0
- [Release notes](https://github.com/endojs/endo/releases)
- [Changelog](https://github.com/endojs/endo/blob/master/packages/ses/CHANGELOG.md)
- [Commits](https://github.com/endojs/endo/commits/ses@1.13.0/packages/ses)

---
updated-dependencies:
- dependency-name: ses
  dependency-version: 1.13.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 3, 2025
@dependabot dependabot bot requested a review from a team as a code owner June 3, 2025 06:37

codecov bot commented Jun 3, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.16%. Comparing base (323ac42) to head (09290c9).
Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3438   +/-   ##
=======================================
  Coverage   98.16%   98.16%           
=======================================
  Files         402      402           
  Lines       11116    11116           
  Branches     1755     1755           
=======================================
  Hits        10912    10912           
  Misses        204      204           

@Mrtenz Mrtenz added this pull request to the merge queue Jun 4, 2025
Merged via the queue into main with commit 79481f9 Jun 4, 2025
117 checks passed
@Mrtenz Mrtenz deleted the dependabot/npm_and_yarn/npm_and_yarn-0c64f2158c branch June 4, 2025 12:37