
Commit 01128d0

fix: bump uuid to ^11, sinon back to ^17, pin TypeScript to 5.5.4
Three coupled changes to clear the remaining OSV finding cleanly:

1. uuid: ^9.0.0 -> ^11.1.1 (both top-level dep and the override that constrains thrift's transitive uuid). Clears GHSA-w5hq-g745-h8pq (CVSS 7.5, buffer-bounds bug in v3/v5/v6). Driver uses only v4, stringify, NIL — not the vulnerable functions — but the CVE surfaces in consumers' own OSV/Snyk scans against our lockfile, so we need it actually patched, not just suppressed.

2. typescript: ^4.9.3 -> 5.5.4 (exact pin). uuid@11's d.ts uses `export type *` (TS 5.0+). TypeScript is pinned to <5.6 because TS 5.6+ tells @types/node to use its newer generic Buffer declaration (Buffer<TArrayBuffer extends ArrayBufferLike>), which would leak into our published d.ts as `Buffer<ArrayBufferLike>[]` and break consumers on stale @types/node. TS 5.5 uses the ts5.6/ fallback shim that keeps the emit as plain `Buffer[]` — byte-equivalent to today's d.ts.

3. sinon: ^19.0.5 -> ^17.0.2. The sinon@19 bump in this PR was redundant for security (all CVEs in sinon's transitive tree are covered by our existing overrides on flatted, serialize-javascript, etc.) and broke the FeatureFlagCache.test.ts upstream test on Node 16 due to sinon 19's broader fake-timer faking (@sinonjs/fake-timers 13 vs 11). Reverting to ^17.0.2 restores the test pass with no CVE re-introduction.

Source change in FederationProvider.ts: TS 5 caught a real but benign type incompatibility between node-fetch's AbortSignal shim and the native AbortSignal that TS 4 missed. Cast the controller signal through `any` — the two are runtime-compatible; this is a typings-only mismatch.

Verified locally:
- npm ci + npm test pass on Node 16.20.2 and 18.20.8 (904 passing)
- OSV-Scanner reports zero findings against the regenerated lockfile
- Emitted dist/*.d.ts and dist/*.js diff against current main only in cosmetic ways (removed obsolete /// <reference> directives, preserved source comments, TS 5's improved enum/export emit) — no behavior changes for consumers

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
1 parent 1c00362 commit 01128d0

3 files changed

Lines changed: 86 additions & 108 deletions


lib/connection/auth/tokenProvider/FederationProvider.ts

Lines changed: 5 additions & 1 deletion
@@ -163,7 +163,11 @@ export default class FederationProvider implements ITokenProvider {
163163
'Content-Type': 'application/x-www-form-urlencoded',
164164
},
165165
body,
166-
signal: controller.signal,
166+
// node-fetch ships its own AbortSignal shim that differs slightly
167+
// from the native AbortSignal (subtle `this`-typing mismatch on
168+
// onabort handler). TS 4 didn't catch this; TS 5+ does. The two
169+
// are runtime-compatible, so cast through any.
170+
signal: controller.signal as any,
167171
});
168172

169173
if (!response.ok) {
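Review bot: `as any` on the `signal: controller.signal as any` line turns off type checking for that property entirely, so a future change in what node-fetch expects there would no longer be flagged; since the comment identifies the mismatch as only a `this`-typing difference on the `onabort` handler, a narrower cast to the signal type node-fetch's request options declare (via `as unknown as <that type>`) keeps the workaround scoped to this one incompatibility. The explanatory comment is good as written; noting the TypeScript version that introduced the check would make it easier to revisit the cast once node-fetch's typings are updated.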

package-lock.json

Lines changed: 77 additions & 103 deletions

package.json

Lines changed: 4 additions & 4 deletions
@@ -72,9 +72,9 @@
7272
"mocha": "^10.8.2",
7373
"nyc": "^15.1.0",
7474
"prettier": "^2.8.4",
75-
"sinon": "^19.0.5",
75+
"sinon": "^17.0.2",
7676
"ts-node": "^10.9.2",
77-
"typescript": "^4.9.3"
77+
"typescript": "5.5.4"
7878
},
7979
"dependencies": {
8080
"apache-arrow": "^13.0.0",
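Review bot: the exact pin `"typescript": "5.5.4"` also excludes 5.5.x patch releases, while the stated requirement is only to stay below 5.6 (to keep the emitted d.ts at plain `Buffer[]`); a tilde range `~5.5.4` expresses exactly that constraint and still picks up fixes. Because package.json cannot carry comments, the reason for the pin currently lives only in the commit message; a short note in the contributor docs would stop a routine dependency bump from silently undoing it. The move to `"sinon": "^17.0.2"` is a downgrade relative to the branch's previous `^19.0.5`, which matches the message's statement that the 19 bump was not needed for security.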
@@ -85,7 +85,7 @@
8585
"openid-client": "^5.4.2",
8686
"proxy-agent": "^6.3.1",
8787
"thrift": "^0.23.0",
88-
"uuid": "^9.0.0",
88+
"uuid": "^11.1.1",
8989
"winston": "^3.8.2"
9090
},
9191
"optionalDependencies": {
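Review bot: `"uuid": "^11.1.1"` is a major-version bump of a runtime dependency; the commit message states that only `v4`, `stringify` and `NIL` are used and that the test suite passes on Node 16 and 18, but the zero-finding OSV result depends on the regenerated lockfile rather than on this range alone, so the PR should include `npm ls uuid` output showing a single resolved version at or above 11.1.1, including under thrift.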
@@ -109,6 +109,6 @@
109109
"ip-address": "^10.1.1",
110110
"js-yaml": "^4.1.1",
111111
"micromatch": "^4.0.8",
112-
"uuid": "^9.0.0"
112+
"uuid": "^11.1.1"
113113
}
114114
}
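Review bot: this override must stay in lockstep with the top-level `"uuid"` entry, otherwise thrift would resolve a different uuid than the driver itself and the CVE could return through the transitive copy; npm overrides accept a `$uuid` reference that reuses the top-level spec, which would remove the duplicated range here and the chance of the two drifting apart in a later bump.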
