
fix(deps): update dependency buffer to v6#14

Open: renovate[bot] wants to merge 1 commit into main from renovate/buffer-6.x


@renovate renovate Bot commented Nov 1, 2024


This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| buffer | ^5.7.1 -> ^6.0.3 | age | confidence |

Release Notes

feross/buffer (buffer)

  • v6.0.3
  • v6.0.2
  • v6.0.1
  • v6.0.0


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 and 15 of the month (* 0-3 1,15 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from 0cd6c68 to 6ce9f0d Compare August 10, 2025 13:04
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from 6ce9f0d to 49b06cb Compare August 31, 2025 10:50
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from 49b06cb to c5d29db Compare October 21, 2025 09:44
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from c5d29db to 81ed941 Compare November 10, 2025 13:52
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from 81ed941 to 612a931 Compare December 3, 2025 16:55
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from 612a931 to ed439ec Compare January 8, 2026 20:23
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from ed439ec to 7602479 Compare January 19, 2026 15:05
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from 7602479 to 3838c10 Compare February 2, 2026 21:32
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from 3838c10 to b83ae82 Compare February 12, 2026 17:47
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from b83ae82 to cb3a0b4 Compare March 5, 2026 17:46
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from cb3a0b4 to 7c925b4 Compare March 13, 2026 14:13
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch 3 times, most recently from c3be372 to 982ad4f Compare April 1, 2026 18:13
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from 982ad4f to c3e736d Compare April 8, 2026 18:49
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from c3e736d to c917d0d Compare April 29, 2026 09:48
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch 2 times, most recently from 125b262 to 21a8bee Compare May 18, 2026 10:12
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch 2 times, most recently from d395f6a to ae398af Compare June 1, 2026 21:03
@renovate renovate Bot force-pushed the renovate/buffer-6.x branch from ae398af to 76c9750 Compare June 11, 2026 17:39

coderabbitai Bot commented Jun 11, 2026


📝 Walkthrough


This pull request updates a single dependency in package.json: the buffer package version is bumped from ^5.7.1 to ^6.0.3. No other package metadata, scripts, or dependencies were modified. The change allows the project to use a newer minor version of the buffer polyfill library.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The pull request title accurately describes the main change: updating the buffer dependency from v5 to v6. |
| Description check | ✅ Passed | The pull request description is directly related to the changeset, providing dependency update details and release notes for the buffer package upgrade. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 37: Package.json upgraded "buffer" to ^6.0.3 which removes the deprecated
new Buffer(...) constructor; search the codebase and tests for any usage of new
Buffer(...) (and any downstream libraries/polyfills that may bundle it), replace
occurrences with Buffer.from(...), Buffer.alloc(...), or Buffer.allocUnsafe(...)
as appropriate, add/adjust unit tests to cover Buffer allocation and encoding
behavior against the v6 API (e.g., tests that previously relied on new Buffer
semantics), and run your dependency/security scan to verify no incompatible
consumers remain and no advisories are introduced.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 0d92c330-f858-454c-8d6e-4dfb5ea4a479

📥 Commits

Reviewing files that changed from the base of the PR and between 0aaf71c and 76c9750.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
"assert": "^2.1.0",
"browserify-zlib": "^0.2.0",
"buffer": "^5.7.1",
"buffer": "^6.0.3",
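
Review bot: The `"buffer": "^6.0.3"` line moves the dependency from 5.x to 6.x, a semver-major step where breaking changes are expected, yet this hunk changes only the manifest entry. Before merging, confirm that the lockfile in the same commit resolves a single buffer 6.x, and that the neighbouring browser polyfills shown here (`assert`, `browserify-zlib`) still build and pass tests with it; if that cannot be verified now, keep `^5.7.1` and take the major bump in a change that also carries the test updates.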


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

buffer npm package version 6 breaking changes migration guide

💡 Result:

The npm package buffer (which provides the Node.js Buffer API for the browser) released version 6.0.0 in November 2020 [1][2]. This package is designed to track the official Node.js Buffer API [1]. There is no formal "migration guide" for the buffer npm package itself, because it is intended to remain compatible with the Node.js standard [1]. The breaking changes in version 6.0.0 of the npm package were primarily driven by its alignment with changes in the Node.js ecosystem, specifically the deprecation and removal of older, insecure Buffer constructors that occurred in the Node.js core [3][4][5]. If you are migrating your code to comply with the modern Buffer API (which is what version 6 of the buffer package supports), you should follow these standard Node.js best practices:

1. Replace new Buffer(size) with Buffer.alloc(size) or Buffer.allocUnsafe(size).
2. Replace new Buffer(array) with Buffer.from(array).
3. Replace new Buffer(string) with Buffer.from(string, encoding).

The Node.js Buffer API deprecated the new Buffer constructor in favor of these more explicit methods to improve security and reliability [5][6]. For further technical details on these changes, you can refer to the official Node.js documentation from the v6.x era, which outlines these requirements [5][6].



🌐 Web query:

buffer npm package version 6.0.3 security vulnerabilities CVE

💡 Result:

As of June 11, 2026, there are no known security vulnerabilities (CVEs) associated with version 6.0.3 of the npm buffer package [1][2][3]. Authoritative vulnerability databases and security analysis platforms consistently report that this version is free of direct security vulnerabilities [1][3][4][5]. While historically the Node.js Buffer API itself has been the subject of security discussions regarding how memory is allocated (specifically concerning uninitialized memory allocation) [6], version 6.0.3 of this package implements the modern, safer allocation patterns, and no specific CVEs have been issued for this release [1][4]. Users should always ensure their projects are scanned for indirect vulnerabilities, as their own applications or other dependencies may interact with the Buffer API in ways that could introduce risks [1][4].



Buffer@5→6 bump: primary break is new Buffer(...) removal—check polyfill usage + downstream compatibility

  • buffer@6.0.0 breaking changes mainly align with modern Node: the insecure/deprecated new Buffer(...) constructor is deprecated/removed in favor of Buffer.from(...), Buffer.alloc(...), and Buffer.allocUnsafe(...) (no dedicated buffer npm “migration guide”).
  • No known CVEs for buffer@6.0.3 are reported in common advisory sources, but you should still run your normal dependency scan.
  • Because this dependency backs a browser Node polyfill, ensure the repo (and any downstream consumers) doesn’t rely on new Buffer(...), and expand tests to cover the relevant Buffer allocation/encoding behaviors for the v6 API expectations.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 37, Package.json upgraded "buffer" to ^6.0.3 which
removes the deprecated new Buffer(...) constructor; search the codebase and
tests for any usage of new Buffer(...) (and any downstream libraries/polyfills
that may bundle it), replace occurrences with Buffer.from(...),
Buffer.alloc(...), or Buffer.allocUnsafe(...) as appropriate, add/adjust unit
tests to cover Buffer allocation and encoding behavior against the v6 API (e.g.,
tests that previously relied on new Buffer semantics), and run your
dependency/security scan to verify no incompatible consumers remain and no
advisories are introduced.
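
The search-and-replace step requested in the review above can be run as a pre-merge check. The following is an added example, not part of this PR or of either bot's output: the function names and the sample source are constructed for illustration, and the regex scan is a heuristic that only handles calls whose arguments contain no nested parentheses.

```javascript
// Heuristic scanner for legacy `new Buffer(...)` calls (added example).
const LEGACY_CALL = /\bnew\s+Buffer\s*\(([^()]*)\)/g;

// Choose the explicit replacement from the shape of the argument text.
function suggestReplacement(args) {
  const a = args.trim();
  if (/^\d+$/.test(a)) return { kind: 'size', fix: `Buffer.alloc(${a})` };
  if (a.startsWith('[')) return { kind: 'array', fix: `Buffer.from(${a})` };
  if (/^['"`]/.test(a)) return { kind: 'string', fix: `Buffer.from(${a})` };
  // Variable or expression: the type is only known at runtime. A number
  // means "allocate n bytes", a string means "copy these bytes", so this
  // case needs a human decision (and usually a type check) before rewriting.
  return { kind: 'dynamic', fix: null };
}

// Return one finding per legacy call, with 1-based line numbers.
function scanSource(source, file = '<inline>') {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    if (/^\s*(\/\/|\*)/.test(text)) return; // skip comment-only lines
    for (const m of text.matchAll(LEGACY_CALL)) {
      findings.push({ file, line: i + 1, call: m[0], ...suggestReplacement(m[1]) });
    }
  });
  return findings;
}

// Constructed sample input, not taken from the repository under review.
const SAMPLE = [
  "const key = new Buffer('c2VjcmV0', 'base64');",
  "const pad = new Buffer(16);",
  "const hdr = new Buffer([0x1f, 0x8b]);",
  "function wrap(input) { return new Buffer(input); }",
  "// new Buffer(1) in a comment is ignored",
  "const ok = Buffer.from('already migrated');",
].join('\n');

for (const f of scanSource(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line} [${f.kind}] ${f.call} -> ${f.fix ?? 'manual review'}`);
}
```

Findings of kind `dynamic` are the ones to review by hand, since the correct replacement depends on the runtime type of the argument.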
