chore(deps): update lando and protobufjs #2806

Merged: sjinks merged 1 commit into trunk from update-lando on May 1, 2026

@sjinks sjinks commented May 1, 2026

This pull request updates several dependencies in the project, primarily focusing on the lando package and its related dependencies. The main goal is to upgrade lando to a newer commit, which in turn brings in newer versions of several key libraries, updates the minimum required Node.js version, removes some transitive dependencies, and fixes many security issues (including a critical severity vulnerability in protobufjs).

Dependency updates:

  • Upgraded lando from commit c7dd51e8 to 78d382fc, which updates its dependencies, including bumping axios to ^1.15.2, dockerode to ^5.0.0, jsonfile to ^6.2.1, and lodash to ^4.18.1. The minimum required Node.js version for lando is also increased from >=14.0.0 to >=18.0.0. [1] [2] [3] [4]

  • Updated direct and transitive dependencies:

    • axios from 1.14.0 to 1.15.2
    • dockerode from 4.0.12 to 5.0.0 [1] [2]
    • follow-redirects from 1.15.11 to 1.16.0
    • jsonfile from 6.2.0 to 6.2.1
    • protobufjs from 7.5.4 to 7.5.6, along with its dependencies: @protobufjs/codegen, @protobufjs/inquire, and @protobufjs/utf8 [1] [2] [3] [4]

Maintenance and cleanup:

  • Removed the transitive dependency on uuid (was previously included via lando's old dockerode dependency).

These changes ensure the project uses the latest compatible versions of its dependencies, improves security and compatibility, and aligns with newer Node.js requirements.

Copilot AI review requested due to automatic review settings May 1, 2026 15:28

sonarqubecloud Bot commented May 1, 2026

github-actions Bot commented May 1, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

package.json

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| lando | github:automattic/lando-cli#78d382fcf40357c4a4cebe4a3cfaef032eab743a | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| npm/lando | github:automattic/lando-cli#78d382fcf40357c4a4cebe4a3cfaef032eab743a | Unknown | Unknown |

Scanned Files

  • package.json


Copilot AI left a comment


Pull request overview

This PR updates dependency pins/lockfile entries to bring lando (via a newer lando-cli commit) and protobufjs (and related @protobufjs/* packages) to newer versions, along with updated transitive dependencies reflected in the npm shrinkwrap.

Changes:

  • Bump lando to commit 78d382fc… in package.json and lock it in npm-shrinkwrap.json.
  • Update shrinkwrapped transitive dependencies including axios, dockerode, follow-redirects, jsonfile, and protobufjs (+ @protobufjs/*).
  • Remove uuid as a transitive dependency (no longer present in the shrinkwrap).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| package.json | Updates the lando dependency to a newer GitHub commit. |
| npm-shrinkwrap.json | Locks updated dependency graph for the new lando commit and protobufjs bump; removes uuid entry. |
Files not reviewed (1)
  • npm-shrinkwrap.json: Language not supported

Comment thread npm-shrinkwrap.json
Comment on lines 6559 to 6563
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/dockerode/-/dockerode-5.0.0.tgz",
"integrity": "sha512-C52mvJ+7lcyhWNfrzVfFsbTrBfy/ezE9FGEYLpu17FUeBcCkxERk9nN7uDl/478ynDiQ4U+5DbQC2vENHkVEtQ==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
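
Review bot: the "version": "5.0.0" line is a major-version jump for dockerode (the PR description gives 4.0.12 as the previous version), and the same entry keeps "dev": true. Please add a note to the PR confirming that the code importing dockerode was checked against the 5.0.0 release notes, and that an install which omits dev dependencies still resolves the package.
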

Copilot AI May 1, 2026


dockerode is imported and used at runtime (e.g. src/lib/dev-environment/dev-environment-lando.ts imports dockerode), but in package.json it is listed under devDependencies. This relies on dockerode being present transitively (currently via lando) and can break if the transitive tree changes or consumers install without dev deps. Move dockerode to dependencies (and regenerate the shrinkwrap) so the runtime requirement is explicit.

@sjinks sjinks merged commit 8f9031d into trunk May 1, 2026
23 checks passed
@sjinks sjinks deleted the update-lando branch May 1, 2026 16:26
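
The Copilot review comment above flags a runtime import (dockerode) that is declared only under devDependencies. The following is an added example, not code from this repository, of a check that catches that class of manifest drift; the manifest, the second file name and the packages other than dockerode are constructed sample data, and the regex scan is a heuristic that also counts TypeScript type-only imports.

```javascript
// Constructed sample inputs (not the project's real manifest or file contents).
const samplePackageJson = {
  dependencies: { chalk: '^4.1.2' },
  devDependencies: { dockerode: '^5.0.0', typescript: '^5.0.0' },
};
const sampleSources = {
  'src/lib/dev-environment/dev-environment-lando.ts':
    "import Docker from 'dockerode';\nimport chalk from 'chalk';\nimport { readFile } from 'node:fs/promises';\nimport { helper } from './helper';\n",
  'src/bin/example.js':
    "const yaml = require('js-yaml');\nconst { sub } = require('@scope/pkg/sub');\n",
};

const NODE_BUILTINS = new Set(['fs', 'path', 'os', 'url', 'util', 'child_process', 'crypto', 'http', 'https', 'stream', 'events']);

// Reduce an import specifier to its package name; null for relative or built-in modules.
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/') || specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  const name = specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

// Collect package names from `import ... from`, side-effect imports, import() and require().
function importedPackages(sourceText) {
  const pattern = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;
  const found = new Set();
  for (const match of sourceText.matchAll(pattern)) {
    const name = packageNameOf(match[1]);
    if (name) found.add(name);
  }
  return found;
}

// Report imports that are dev-only or missing from the manifest entirely.
function auditRuntimeImports(pkg, sources) {
  const prod = new Set(Object.keys({ ...pkg.dependencies, ...pkg.optionalDependencies, ...pkg.peerDependencies }));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const report = { devOnly: [], undeclared: [] };
  for (const [file, text] of Object.entries(sources)) {
    for (const name of importedPackages(text)) {
      if (prod.has(name)) continue;
      (dev.has(name) ? report.devOnly : report.undeclared).push(`${name} (${file})`);
    }
  }
  return report;
}

console.log(auditRuntimeImports(samplePackageJson, sampleSources));
```

Run over the shipped source tree only (tests and build scripts may legitimately import dev dependencies), and fail CI when either list is non-empty.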