[Snyk] Fix for 8 vulnerabilities

[jhamot]

Snyk has created this PR to fix 8 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• script/package.json
• script/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Code Injection SNYK-JS-LODASH-1040724	398
	Prototype Pollution SNYK-JS-LODASH-567746	317
	Prototype Pollution SNYK-JS-LODASH-6139239	267
	Prototype Pollution SNYK-JS-LODASH-450202	254
	Prototype Pollution SNYK-JS-LODASH-608086	250
	Inefficient Algorithmic Complexity SNYK-JS-MINIMATCH-15353389	170
	Prototype Pollution SNYK-JS-LODASH-15053838	144
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	104

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Code Injection
🦉 Prototype Pollution

[jhamot]

This release includes multiple high-risk major version upgrades that require significant developer action. Key changes involve eslint, glob, and the now-deprecated babel-core.

Top 3 Most Impactful Upgrades

• eslint@5.16.0 → eslint@9.0.0 (HIGH): This is a massive jump across four major versions (v6, v7, v8, v9). Each version introduced significant breaking changes. Most notably, ESLint v9 switched to a new "flat" configuration file (eslint.config.js) by default, deprecating the traditional .eslintrc.* format. Many rules have been removed or updated, and the plugin API has changed, which will likely break existing plugins and shared configurations. Support for Node.js versions below 18.18.0 has also been dropped.

  • Recommendation: A staged migration is highly recommended. First, upgrade to ESLint v8 while still using the old configuration format. Then, migrate to the new flat config system before finally upgrading to v9. This will require a full audit of your ESLint configuration, rules, and plugins.

• glob@7.0.3 → glob@12.0.0 (HIGH): This upgrade spans several major versions with significant API changes. The most critical change is the move to a Promise-based API, replacing the traditional callback pattern. The main exported function names have changed, and the Glob class is no longer an event emitter. Additionally, support for Node.js versions below v16 has been dropped, and backslashes (\) are now treated exclusively as escape characters, not path separators, which is a critical change for Windows environments.

  • Recommendation: All code using the glob package must be refactored to use the new Promise-based glob() function or the synchronous globSync() variant. Pay close attention to path handling, especially on Windows.

• babel-core@5.8.38 → babel-core@6.10.4 (HIGH): This is an upgrade from a very old and long-deprecated version. Babel v6 introduced a complete architectural overhaul, moving from a monolithic design to a plugin-based ecosystem. Configuration moved from the package.json babel key to a dedicated .babelrc file. Presets (like babel-preset-es2015) are now required to transpile modern JavaScript features, as Babel 6 does nothing by default.

  • Recommendation: This is a major refactoring effort. The entire Babel setup, including configuration, plugins, and presets, must be recreated according to the Babel v6+ standards. Given the age of this upgrade, consider migrating directly to a modern Babel version (v7+).

Other Major Upgrades

• npm@6.14.16 → npm@11.0.0 (MEDIUM): This upgrade crosses multiple major versions (v7-v11). Key breaking changes include dropping support for older Node.js versions (npm 10+ requires Node 16.14+), changes to package-lock.json, and the introduction of workspaces. While this primarily affects the development and CI/CD environment rather than application code, the changes are significant enough to warrant verification.
• electron-packager@15.4.0 → electron-packager@17.1.2 (MEDIUM): This upgrade likely drops support for older, end-of-life Node.js and Electron versions, requiring environment updates.
• stylelint@9.3.0 → stylelint@13.0.0 (MEDIUM): This upgrade requires Node.js 10+ and updates glob pattern handling to only use forward slashes (/). Several rules and configuration options have been changed or added.
• npm-check@5.9.2 → npm-check@6.0.1 (LOW): This major version bump requires Node.js 10.9.0 or higher. No significant breaking API changes were found.
• babel-eslint@10.0.1 → babel-eslint@10.1.0 (LOW): While a minor upgrade, the babel-eslint package is deprecated and has been replaced by @babel/eslint-parser. A future migration to the new package is required.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.