chore(deps): bump pg and @types/pg

[dependabot]

Bumps pg and @types/pg. These dependencies needed to be updated together.
Updates pg from 8.18.0 to 8.19.0

Changelog

Sourced from pg's changelog.

pg@8.19.0

• Deprecate interal query queue.
• Pass connection parameters to password callback.

Commits

• f2d7d11 Publish
• 5a4bafc Deprecate Client's internal query queue (#3603)
• a215bfb Typo fix in PgPass deprecation (funciton) (#3605)
• 01e0556 fix(pg-query-stream): invoke this.callback on cursor end/error (#2810)
• e6e3692 Pass connection parameters to password callback (#3602)
• d80d883 test: Fix TLS connection test ending too early
• f332f28 fix: Connection timeout handling for native clients in connected state (#3512)
• b2e9cb1 Remove testAsync - its redundant (#3588)
• 46cdf9e [fix] fix unhandled callback error for submittables (#3589)
• See full diff in compare view

Updates @types/pg from 8.16.0 to 8.18.0

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[riendeau]

Dependency Review: pg 8.18.0 → 8.19.0 and @types/pg 8.16.0 → 8.18.0

Version changes

• pg: 8.18.0 → 8.19.0 (minor — runtime production dependency)
• @types/pg: 8.16.0 → 8.18.0 (minor — two minor versions at once)
• Transitive: pg-pool 3.11.0 → 3.12.0, pg-protocol 1.11.0 → 1.12.0

CI coverage

All three jobs passed:

• lint-and-typecheck (32s): TypeScript compilation verified the new @types/pg types are compatible.
• unit-tests (25s): Game logic unit tests; none touch the database layer.
• e2e-tests (3m25s): Full Playwright suite ran — but in dev mode (NODE_ENV !== 'production'). Per the project's auth architecture, when DATABASE_URL is absent the in-memory session store is used. connect-pg-simple and pg itself are never loaded or exercised during CI runs.

What CI does not catch: the production PostgreSQL session-store code path is entirely untested. The green CI checks do not validate pg@8.19.0 behavior.

Breaking changes

pg@8.19.0 deprecates the internal Client query queue (#3603). In practice this affects direct pg.Client usage that queues many concurrent queries. This project uses pg.Pool exclusively (via connect-pg-simple for session storage), which checks clients out and in rather than queuing; the deprecated path is not triggered.

Other changes are safe: connection-parameter forwarding to password callbacks (not used here), a pg-query-stream cursor fix, and an unhandled-callback-error fix.

Config and documentation drift

No drift. CLAUDE.md does not reference a pg version. No engines changes.

Verdict

✅ Safe to merge. No breaking changes for the Pool-based usage pattern in this project. The deprecation of the internal query queue does not affect pg.Pool consumers. Note that the pg upgrade is not validated by CI (dev mode skips the DB path), so this relies on the backwards-compatible nature of the minor-version bump.

No follow-up changes recommended.

[riendeau]

@dependabot rebase