[Snyk] Fix for 8 vulnerabilities

[jhamot]

Snyk has created this PR to fix 8 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• script/package.json
• script/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Code Injection SNYK-JS-LODASH-1040724	398
	Prototype Pollution SNYK-JS-LODASH-567746	319
	Prototype Pollution SNYK-JS-LODASH-6139239	267
	Prototype Pollution SNYK-JS-LODASH-450202	254
	Prototype Pollution SNYK-JS-LODASH-608086	250
	Directory Traversal SNYK-JS-TAR-15307072	165
	Prototype Pollution SNYK-JS-LODASH-15053838	144
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	104

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Code Injection
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn

[jhamot]

This upgrade includes a major version update to npm from v6 to v7, which introduces significant breaking changes. The update for babel-eslint is minor, but the package itself is deprecated.

High Risk: npm@6.14.16 → npm@7.21.0

The upgrade to npm v7 introduces fundamental changes to dependency management that can break existing projects and CI/CD pipelines.

Key Breaking Changes:

• Automatic Peer Dependency Installation: Unlike npm v6 which only showed warnings, npm v7 automatically installs peer dependencies. This can lead to installation failures if conflicting peer dependencies are found across your project. You may need to resolve these conflicts or use the --legacy-peer-deps flag to revert to the v6 behavior.
• New Lockfile Format: package-lock.json files will be upgraded to a new v2 format. While backwards-compatible, this is an automatic change upon running npm install.
• npx Behavior Change: npx has been rewritten and will now prompt for confirmation before running a command from a package that is not already installed.
• Modified npm audit Output: The structure of the npm audit output, including the JSON format, has changed, which may break any scripts that rely on it.

Recommendation:
This is a high-risk upgrade. Before merging, verify that your project's dependencies install correctly with the new peer dependency resolution logic. Test your deployment and CI scripts thoroughly. If you encounter unsolvable dependency conflicts, consider using the --legacy-peer-deps flag in your npm install commands as a temporary workaround.

Source: npm v7 Release Announcement, npm v7 Breaking Changes

Low Risk: babel-eslint@10.0.1 → babel-eslint@10.1.0

This is a minor update with no breaking changes. However, the babel-eslint package is deprecated and has been replaced by @babel/eslint-parser.

Recommendation:
While this specific upgrade is safe, you should plan to migrate from babel-eslint to @babel/eslint-parser to continue receiving updates and support.

Source: Package Documentation

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.