
[Snyk] Fix for 1 vulnerability #151

Open
karencapiiro wants to merge 1 commit into master from snyk-fix-c2db4d1b9b7af8557e10f88e59abb25b

Conversation

@karencapiiro
Owner

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • deps/npm/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                                       Score
high severity  Directory Traversal (SNYK-JS-TAR-15307072)   165

Breaking Change Risk

Merge Risk: Medium

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal

@karencapiiro
Owner Author

Merge Risk: Medium

This is a large, coordinated set of major version upgrades for core dependencies of the npm CLI, aligning them with the requirements for npm v10 and later. The primary breaking change across all packages is an update to the required Node.js runtime environment.

The risk is assessed as 'Medium' because these upgrades drop support for Node.js versions 14 and 16. Projects must be running on Node.js ^18.17.0 or >=20.5.0 to use these new versions.

Key Package Analyses:

  • pacote 13.6.2 → 21.0.1 (Medium Risk): As a primary package for fetching npm package data, its major version bump is tied directly to the new Node.js engine requirements of npm v10.
  • @npmcli/arborist 5.6.3 → 9.0.0 (Medium Risk): This package manages the node_modules tree. The upgrade to v9 aligns it with the broader npm v10 ecosystem, which requires an updated Node.js version.
  • make-fetch-happen 10.2.1 → 14.0.1 (Medium Risk): This is the underlying fetcher for npm. The v14 release explicitly drops support for Node.js versions older than 18.17.0.

Other Major Upgrades:

The remaining major version upgrades all follow the same pattern, dropping support for end-of-life Node.js versions as part of the npm v10 release cycle. This includes @npmcli/run-script, cacache, libnpm* packages, node-gyp, and tar.

Recommendation: Before merging, verify that your CI and production environments are running a compatible version of Node.js (v18.17.0+ or v20.5.0+). No significant API-level code changes are expected for consumers of the npm CLI itself, as these are internal dependency updates.

Source: npm v10.0.0 Release Notes, npm v9.0.0 Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
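The recommendation above asks reviewers to confirm that CI and production run a Node.js version compatible with the upgraded dependencies. The script below is an added example, not code from this PR or from npm itself: it checks a list of Node.js version strings against the engine range the assessment names (^18.17.0 || >=20.5.0) and flags the ones that would break. It implements only the two comparators that range uses (caret and >=), rejects prerelease tags rather than guessing at their ordering, and the environment matrix it checks is constructed for illustration.

```javascript
// Added example: gate a CI job on the Node.js engine range named in the
// merge-risk assessment. Constructed for illustration; not part of the PR,
// the npm CLI, or any Snyk tooling.

const REQUIRED_NODE_RANGE = '^18.17.0 || >=20.5.0';

// Parse "v18.17.0" or "18.17.0" into [major, minor, patch].
// Prerelease/build suffixes are rejected on purpose: a release candidate
// should not silently pass a production compatibility gate.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain semver release version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two parsed versions component by component: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does a single comparator ("^18.17.0" or ">=20.5.0") accept the version?
function matchesComparator(version, comparator) {
  const c = comparator.trim();
  if (c.startsWith('^')) {
    // Caret: same major line, and not older than the stated version.
    const base = parseVersion(c.slice(1));
    return version[0] === base[0] && compareVersions(version, base) >= 0;
  }
  if (c.startsWith('>=')) {
    return compareVersions(version, parseVersion(c.slice(2))) >= 0;
  }
  throw new Error(`unsupported comparator (only ^ and >= are handled): ${c}`);
}

// A range is a set of alternatives joined by "||"; any one satisfied passes.
function satisfiesRange(versionString, range = REQUIRED_NODE_RANGE) {
  const version = parseVersion(versionString);
  return range.split('||').some((alt) => matchesComparator(version, alt));
}

// Report, for each version in an environment matrix, whether it stays
// compatible after the upgrade.
function checkEnvironments(versions, range = REQUIRED_NODE_RANGE) {
  return versions.map((v) => ({ version: v, compatible: satisfiesRange(v, range) }));
}

// Constructed sample matrix covering the versions the assessment discusses:
// the dropped 14/16 lines, both sides of the 18.17.0 and 20.5.0 cut-offs,
// and an odd-numbered release that no alternative covers.
const SAMPLE_MATRIX = [
  'v14.21.3', 'v16.20.2', 'v18.16.1', 'v18.17.0',
  'v19.9.0', 'v20.4.0', 'v20.5.0', 'v22.1.0',
];

for (const r of checkEnvironments(SAMPLE_MATRIX)) {
  console.log(`${r.version}: ${r.compatible ? 'ok' : 'INCOMPATIBLE'}`);
}
// Also check the interpreter actually running this script.
console.log(`current process ${process.version}: ` +
  `${satisfiesRange(process.version) ? 'ok' : 'INCOMPATIBLE'}`);
```

Run it with the Node.js binary each CI runner actually uses; the final line reports that interpreter's own version, so a failing runner is visible in the job log before the dependency upgrade is adopted.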

@orca-security-eu (bot) left a comment

Orca Security Scan Summary

Status   Check                     Issues by priority
Passed   Infrastructure as Code    high 0   medium 0   low 0   info 0
Passed   Secrets                   high 0   medium 0   low 0   info 0
Passed   Vulnerabilities           high 0   medium 0   low 0   info 0

2 participants