Fix Dependabot security alerts #45, #47, #48: upgrade npm and Python build dependencies #1065

Merged
BYVoid merged 4 commits into master from copilot/upgrade-dependency-and-run-tests
Mar 25, 2026

Conversation

Contributor

Copilot AI commented Mar 25, 2026

Fix Dependabot security alerts #45, #47, #48: upgrade npm and Python build dependencies, drop Python 3.8 support.

Changes

npm (Dependabot alert #48)

  • mocha ^9.2.1 → ^11.7.5 — eliminates bulk of transitive vulns (minimatch ReDoS, nanoid, etc.)
  • Added overrides in package.json to force patched transitive deps that mocha v11 still pins to vulnerable ranges:
  • npm audit fix patched @octokit/endpoint, @octokit/request, @octokit/request-error, js-yaml
  • Updated package-lock.json accordingly

Python build deps — pyproject.toml (alerts #45, #47)

  • setuptools>=61 → setuptools>=78.1.1 — patches:
    • PYSEC-2022-43012: ReDoS (< 65.5.1)
    • CVE-2024-6345: command injection via package URL (< 70.0.0)
    • PYSEC-2025-49: path traversal / arbitrary file write (< 78.1.1)

Drop Python 3.8 support

setuptools>=78.1.1 requires Python >= 3.9, so Python 3.8 builds can no longer succeed. Removed 3.8 from:

  • .github/workflows/python.yml — CI test matrix
  • release-pypi-linux.sh — build loop and twine upload env (py3.8 → py3.9)
  • release-pypi-macos.sh — build loop and twine upload env (py3.8 → py3.9)
  • release-pypi-windows.cmd — build loop and twine upload env (py3.8 → py3.9)

GitHub Actions

  • .github/workflows/release-pypi.yml: actions/checkout@v1 → @v4

Files changed

| File | Description |
|---|---|
| package.json | Upgrade mocha, add overrides for diff & serialize-javascript |
| package-lock.json | Regenerated lockfile |
| pyproject.toml | Bump setuptools minimum to 78.1.1 |
| .github/workflows/python.yml | Remove Python 3.8 from CI matrix |
| .github/workflows/release-pypi.yml | Upgrade actions/checkout to v4 |
| release-pypi-linux.sh | Drop Python 3.8, update twine env to py3.9 |
| release-pypi-macos.sh | Drop Python 3.8, update twine env to py3.9 |
| release-pypi-windows.cmd | Drop Python 3.8, update twine env to py3.9 |

Remaining known issues

3 moderate @octokit/plugin-paginate-rest ReDoS alerts remain via node-pre-gyp-github@^2.0.0's pinned @octokit/rest@20.1.1 — no fix available without reverting to node-pre-gyp-github@1.4.5, which re-introduces 7 moderate vulns through an older @octokit/rest.

Copilot AI changed the title from "[WIP] Update dependency to address security issue" to "Upgrade mocha and fix transitive npm vulnerabilities (Dependabot #48)" Mar 25, 2026
Copilot AI requested a review from BYVoid March 25, 2026 04:52
@BYVoid BYVoid marked this pull request as ready for review March 25, 2026 04:54
Copilot AI changed the title from "Upgrade mocha and fix transitive npm vulnerabilities (Dependabot #48)" to "Fix Dependabot security alerts #45, #47, #48: upgrade npm and Python build dependencies" Mar 25, 2026
setuptools 78.x requires Python >= 3.9, so building for Python 3.8
fails after the setuptools minimum was raised to 78.1.1. Remove 3.8
from the CI test matrix and all release scripts (Linux, macOS, Windows),
and update the twine upload environments from py3.8 to py3.9.

Copilot AI left a comment


Pull request overview

Addresses Dependabot security alerts by upgrading JavaScript dev dependencies and Python build tooling, plus updating CI/release automation to reflect the new supported Python baseline.

Changes:

  • Upgrade mocha and add npm overrides to force patched transitive dependencies.
  • Raise Python build requirement to setuptools>=78.1.1 and update CI/release scripts to drop Python 3.8.
  • Update PyPI release workflow to use actions/checkout@v4.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| package.json | Bumps mocha and adds overrides for vulnerable transitive deps. |
| package-lock.json | Lockfile updates reflecting the dependency upgrades and audits. |
| pyproject.toml | Raises setuptools minimum for builds. |
| .github/workflows/release-pypi.yml | Updates checkout action version for the PyPI release workflow. |
| .github/workflows/python.yml | Removes Python 3.8 from the unit-test matrix. |
| release-pypi-linux.sh | Removes Python 3.8 from the build loop and changes upload env to py3.9. |
| release-pypi-macos.sh | Removes Python 3.8 from the build loop and changes upload env to py3.9. |
| release-pypi-windows.cmd | Removes Python 3.8 from the build loop and changes upload env to py3.9. |


Comment thread package.json
Comment on lines +40 to 41
"mocha": "^11.7.5",
"node-pre-gyp-github": "^2.0.0"
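Review bot: the `overrides` block that the description says forces patched `diff` and `serialize-javascript` is not part of this hunk, so the review cannot confirm whether those are exact pins or caret ranges; exact pins are what stops a later `npm install` from re-resolving to a vulnerable release once mocha's own pins move. It would also help to leave a comment next to `"node-pre-gyp-github": "^2.0.0"` recording that it is the dependency holding `@octokit/rest@20.1.1` and the three remaining moderate ReDoS alerts, so nobody later "fixes" them by downgrading to 1.4.5 and re-opening the seven older ones.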

Copilot AI Mar 25, 2026


Mocha v11 requires Node ^18.18.0 || ^20.9.0 || >=21.1.0 (per the lockfile), but this package advertises engines.node: >=20 <25. With Node 20.0–20.8, npm test will fail even though the engine range claims support; consider bumping the minimum engine to >=20.9.0 (or widening to include 18.18 if intended).

Comment thread release-pypi-windows.cmd
if NOT "%~1"=="testonly" (
REM Upload to PyPI
C:\Miniconda/condabin/conda.bat activate py3.8
C:\Miniconda/condabin/conda.bat activate py3.9
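Review bot: the replacement line keeps the mixed `\` and `/` separators of the one it replaces (`C:\Miniconda/condabin/conda.bat`); cmd.exe tolerates this, but since the line is being edited anyway, write it as `C:\Miniconda\condabin\conda.bat` and prefix it with `CALL`, because a batch file that invokes another batch file without `CALL` hands over control and never runs the upload commands that follow inside this `if NOT "%~1"=="testonly" (` block.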

Copilot AI Mar 25, 2026


This invokes conda.bat from within a batch script without CALL, which transfers control and prevents the subsequent python -m pip ... / twine upload commands from running. Use CALL C:\Miniconda\condabin\conda.bat activate py3.9 (consistent with the other conda calls above).

Suggested change
C:\Miniconda/condabin/conda.bat activate py3.9
CALL C:\Miniconda/condabin/conda.bat activate py3.9

Comment thread pyproject.toml
[build-system]
requires = ["setuptools>=61", "wheel"]
requires = ["setuptools>=78.1.1", "wheel"]
build-backend = "setuptools.build_meta"
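Review bot: raising the floor in `requires` only constrains the isolated build environment pip creates for setuptools; nothing in this hunk tells pip that the package itself needs Python >= 3.9, so a 3.8 user sees a setuptools resolution failure during build rather than a clear "requires-python" refusal. If a `[project]` table is added to carry `requires-python`, note that PEP 621 makes `name` mandatory in that table and setuptools rejects a `[project]` table without it, so either declare `name` there (and mark the fields setup.py still supplies as `dynamic`) or set `python_requires=">=3.9"` in the existing setup.py instead.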

Copilot AI Mar 25, 2026


This build-system change effectively drops Python 3.8 (newer setuptools does not support it), but the repository's package metadata (e.g., setup.py) does not declare a minimum supported Python version. Consider adding python_requires >=3.9 (and/or classifiers) so pip can fail fast with a clear message instead of failing during build.

Suggested change
build-backend = "setuptools.build_meta"
build-backend = "setuptools.build_meta"
[project]
requires-python = ">=3.9"
classifiers = [
"Programming Language :: Python :: 3",
"Programming Language :: Python :: 3.9",
"Programming Language :: Python :: 3.10",
"Programming Language :: Python :: 3.11",
"Programming Language :: Python :: 3.12",
"Programming Language :: Python :: 3 :: Only",
]

Comment on lines 17 to +18
matrix:
python-version: [3.8, 3.9, "3.10", "3.11", "3.12", "3.13", "3.14"]
python-version: [3.9, "3.10", "3.11", "3.12", "3.13", "3.14"]
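Review bot: `3.9` is the only entry left unquoted while every later one is quoted; YAML reads `3.9` as a float that happens to stringify back to `3.9`, whereas `3.10` would become `3.1`, which is exactly why the others carry quotes. Quote it as `"3.9"` so the list is uniform and a future edit cannot reintroduce the float trap.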

Copilot AI Mar 25, 2026


This PR removes Python 3.8 from the test matrix, which is a support-policy change beyond dependency upgrades. Please reflect this explicitly in the PR description/changelog (and ensure release scripts / packaging metadata align with the new minimum Python version).

Comment on lines 13 to 16
steps:
- uses: actions/checkout@v1
- uses: actions/checkout@v4

- name: Build package and upload from docker (Linux)
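Review bot: `actions/checkout@v4` is a mutable tag, and this is the workflow that runs with the PyPI publishing credentials; pin the action to a full commit SHA (keeping `# v4` as a trailing comment for readability) so that a retargeted tag cannot change the code that executes in the release job. Moving from `@v1` to `@v4` is the right direction, but the tag-versus-SHA question is the supply-chain point that matters most here.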

Copilot AI Mar 25, 2026


steps: is followed by list items at the same indentation level, which makes this workflow YAML invalid and will prevent the workflow from running. Indent the - uses: / - name: entries under steps: (as done in other workflows).

@BYVoid BYVoid merged commit 328d05e into master Mar 25, 2026
36 checks passed