chore(deps): bump hot-shots from 14.3.1 to 15.0.0 in /superset-websocket

[dependabot]

Bumps hot-shots from 14.3.1 to 15.0.0.

Changelog

Sourced from hot-shots's changelog.

15.0.0 (2026-5-28)

• @​bdeitte A number of updates to improve callback and error handling:
  • Default error listener on every transport socket so that in the cases we didn't have one, an error doesn't crash the host
  • Wrap interval flushes (buffer + telemetry) and the close-time telemetry flush in try/catch to prevent host crashing
  • Fix child-close error routing so there's no double-delivery for inherited handlers
  • Fix buffered-message callback being sometimes (but not always) misrouted to the prior buffer's flush- new callback now fires synchronously after enqueue for consistency
  • Ensure the errorHandler is used when there's an issue with the flush performed inside close()
  • Updated error section in README to explain better how things work, especially the differences between buffered and unbuffered modes
• @​bdeitte A number of security improvements:
  • Sanitize \r in metric names, tag keys, and tag values alongside newlines, since some receivers split lines on \r and could otherwise be tricked into accepting injected metrics
  • Add files allowlist to package.json so npm publishes only index.js, index.mjs, lib/, and the TypeScript definitions
  • dev-only library updates. Override uuid to 14.x to fix GHSA-w5hq-g745-h8pq and add diff override to ^8.0.3 to resolve GHSA-73rr-hh4g-fpgx transitively pulled in via mocha and sinon.
• @​bdeitte A few smaller cleanups and fixups:
  • Replace polling in close() with a Promise-based drain that handles async-queued follow-up sends
  • Warn (via console.error) on invalid port, sampleRate, bufferFlushInterval config values and use default config values
  • Misc cleanups: for-of over array routes, simpler EAGAIN access, dedup Buffer.byteLength in sendMessage

Commits

• 7129573 15.0.0
• da3053b Changes update
• d15d412 Merge pull request #319 from bdeitte/best-practices
• 6920863 Silence no-invalid-this lint for mocha this.timeout in TS test
• acc1306 Bump TypeScript-compilation test timeout for slow Windows CI
• f20cfd8 Address review feedback
• 3f75e9e Better changes update and fix extra info that is not needed
• dffc900 Address PR review comments
• 5e1e59e More small reviewing updates
• 53c46b4 More small reviewing updates
• Additional commits viewable in compare view

[bito-code-review]

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

[netlify]

✅ Deploy Preview for superset-docs-preview ready!

Name	Link
🔨 Latest commit	8446445
🔍 Latest deploy log	https://app.netlify.com/projects/superset-docs-preview/deploys/6a233b15eecf890008c88706
😎 Deploy Preview	https://deploy-preview-40789--superset-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[bito-code-review]

Bito Automatic Review Skipped – PR Already Merged

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run.
No action is needed if you didn't intend to review it. To get a review, you can type /review in a comment and save it