[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1

[MHxGH-ServiceAccount]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Directory Traversal SNYK-JS-TAR-15307072	165

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal

---

Note

Medium Risk
Dependency upgrade only, but Lerna major-version changes can break release/publish workflows without additional config or lockfile updates.

Overview
Upgrades the monorepo tooling dependency lerna from ^3.0.0-rc.0 to ^6.4.1 in package.json (security-driven).

^{Written by Cursor Bugbot for commit c390a01. This will update automatically on new commits. Configure here.}

[MHxGH-ServiceAccount]

The upgrade from Lerna v3 to v6 is a major undertaking with significant breaking changes. Lerna's stewardship was transferred to Nrwl (the creators of Nx), and its core functionality has been fundamentally re-architected.

Key Breaking Changes:

• Removal of lerna bootstrap: The iconic lerna bootstrap, lerna add, and lerna link commands have been removed in favor of using your package manager's native workspaces (npm, yarn, or pnpm). All dependency installation and linking is now expected to be handled by your package manager's install command.
• Nx Task Runner by Default: Lerna v6 uses the Nx task runner by default (useNx: true). This changes the behavior of lerna run and enables powerful caching capabilities, but it also makes several flags like --sort, --parallel, and --include-dependencies obsolete as Nx manages the task graph.
• New Configuration: A new nx.json file is required to configure task caching and pipelines. A helper command, lerna repair, is available to help migrate your lerna.json file.
• Node.js Version Support: Support for older Node.js versions has been dropped. Lerna v5 dropped support for Node 10 and 12, and subsequent versions have continued to drop end-of-life (EOL) versions.

Recommendation:

This is a high-effort migration that will require significant changes to your repository's setup and CI/CD workflows.

1. Migrate to Package Manager Workspaces: Update your root package.json to define workspaces and remove all calls to lerna bootstrap from your scripts, replacing them with npm install, yarn install, or pnpm install.
2. Configure Nx: Run npx lerna add-caching to generate a nx.json file and configure task caching.
3. Update lerna.json: Run lerna repair to update your configuration and remove obsolete properties.
4. Review lerna run commands: Check your scripts for obsolete flags that are now ignored by the Nx task runner.

Source: Lerna GitHub Releases, Lerna Documentation

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[MHxGH-ServiceAccount]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Lerna v6 upgrade breaks release scripts with removed flags

High Severity

Upgrading lerna from v3 to v6 breaks the existing release-canary script, which uses --cd-version and --npm-tag — both removed in Lerna v4+. The --cd-version flag was replaced by a positional argument (e.g., lerna publish prerelease), and --npm-tag was replaced by --dist-tag. Running npm run release-canary after this upgrade will fail. Additionally, lerna.json contains command.bootstrap configuration for the removed lerna bootstrap command.