fix: Resolve npm security vulnerabilities

[darwintantuco]

Summary

• Ran npm audit fix to resolve security vulnerabilities
• Fixed 5 vulnerabilities (2 low, 3 moderate)
• Updated Babel and ESLint-related packages to patched versions

Context

Project seems to have few security vulnerabilities reported by npm audit. Running npm audit fix automatically updates dependencies to their latest secure versions within semver ranges. The main fixes include:

• @babel/helpers: Updated to fix RegExp complexity vulnerability
• @eslint/plugin-kit: Updated to fix ReDoS vulnerability
• brace-expansion: Updated to fix ReDoS vulnerability

All updates are non-breaking changes within the existing semver ranges.

Test plan

• Run npm audit and verify vulnerabilities are reduced
• Run npm install and verify no errors
• Run build and tests to ensure nothing broke
• Manual testing: Verify the application runs correctly in development mode
• Regression testing: Test key features to ensure no functionality broke

[Sheape]

Hi @darwintantuco. Thank you for taking a look at this.
I think it would be beneficial if package.json is also updated to match the updates from package-lock.json.
Also it seems like there are no breaking changes currently but I'll have a look at this later on.

[darwintantuco]

Hi @Sheape thank you for the feedback, attempted to fix on last commit: 8c8217f

[Sheape]

Looks good to me for the most part. I guess the only thing to fix left are these:

npm warn deprecated mkdirp@0.3.0: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm warn deprecated @types/react-leaflet@3.0.0: This is a stub types definition. react-leaflet provides its own type definitions, so you do not need this installed.

Do you also intend to fix them in this PR or we can just leave it as it is since these are just soft warnings?

[Sheape]

Ahh turns out this is the new maintained package instead of @ampproject/remapping.

[darwintantuco]

probably better to fix warnings here, will take a look soon

[Sheape]

Dont worry about it. It was just a comment, since this is the only one that changes from package A to package B instead of updating.

Serves as a reference for other reviewers/maintainers in case they want to check if it's malicious in npmjs.

[darwintantuco]

hi @Sheape

I think I was able to fix npm warn deprecated @types/react-leaflet@3.0.0: This is a stub types definition. react-leaflet provides its own type definitions, so you do not need this installed.

see recent commit, seems react-leaflet v5 includes its own TypeScript definitions, making the separate @types package redundant

for mkdirp, I agree, I think we can leave it as is for now, as it's a transitive dependency from hogan.js → instantsearch.js → react-instantsearch and seems even latest versions still use the old hogan.js with mkdirp@0.3.0

[Sheape]

@niculistana I'll mark this as pending for now. There are still on-going changes that needs to be made (specifically those 2 warnings), thus I cant approve of this yet.

[Sheape]

LGTM. I guess my only concern is this:

Tried patching it with npm audit fix --force, it seems to not break anything but I haven't fully tested it.

[github-actions]

Stale pull request message