Security: Fix Critical and High Severity Vulnerabilities

[kevin-bigler]

Summary

This PR addresses all critical and high severity security vulnerabilities identified in the project dependencies. The changes eliminate 18 vulnerabilities including 1 critical, 7 high, and all moderate/low severity issues.

Changes Made

Updated Dependencies

Production Dependencies:

• Updated axios from ^1.8.4 to ^1.11.1
  • Fixes: DoS vulnerability through lack of data size check (GHSA-4hjh-wcwx-xvwj)

Development Dependencies:

• Updated glob from ^7.2.3 to ^11.0.4
  • Fixes: Command injection vulnerability via -c/--cmd flag (GHSA-5j98-mcp5-4vw2)
  • Updated test/suite/index.ts to use modern async/await API (glob v8+ removed callback support)
• Updated @types/glob from ^7.2.0 to ^8.1.0 to match glob version
• Replaced cpx with cpy-cli ^5.0.0
  • Fixes: Multiple ReDoS vulnerabilities in braces dependency (GHSA-g95f-p29q-9xw4, GHSA-grv7-fg5c-xmjg)
  • Updated pretest script to use cpy-cli syntax

Additional Security Hardening

• Added npm overrides for diff package to ^8.0.3
  • Fixes: DoS vulnerability in jsdiff (GHSA-73rr-hh4g-fpgx)
  • Ensures mocha test framework uses secure diff version

Vulnerability Status

Before:

• 18 total vulnerabilities
  • 1 Critical (form-data)
  • 7 High (axios, braces, glob, jws, qs, tar-fs, tmp)
  • 5 Moderate
  • 5 Low

After:

• 0 vulnerabilities

Testing

✅ All tests pass successfully:

• 12 tests passing
• No regressions detected
• Build process completes successfully
• Test suite updated to use modern glob v11 async/await API

Notes

• All critical and high severity vulnerabilities have been resolved
• Changes primarily affect development dependencies and don't impact runtime behavior
• The transitive dependencies (form-data, jws, qs, tar-fs, tmp, undici) were automatically updated through the main dependency updates