Address the open dependabot advisories manually:
- shell-quote (CRITICAL, GHSA-w7jw-789q-3m8p) -> override ^1.8.4
- ws in SFU (HIGH, GHSA-96hv-2xvq-fx4p) -> SFU dep ^7.5.10 -> ^7.5.11
- tar (GHSA-vmf3-w455-68vh) -> override 7.5.11 -> 7.5.16
- launch-editor (GHSA-v6wh-96g9-6wx3) -> override ^2.14.1
- js-yaml (GHSA-h67p-54hq-rp68) -> scoped override js-yaml@^4 -> ^4.2.0,
plus refresh of the standalone Extras/eslint/plugin-check-copyright lock
- @babel/core (GHSA-4x5r-pxfx-6jf8) -> override ^7.29.6
The ws advisory only affects the 7.x line, so Common/Signalling/SS_Test
stay on v8 (already forced to ^8.20.1 by the existing ws@^8 override);
only SFU needed bumping. This avoids the broken dependabot PR #902, which
downgraded the v8 packages to v7 and crashed the signalling server.
The js-yaml override is deliberately scoped to js-yaml@^4 (not a blanket
js-yaml). express-openapi -> openapi-framework depends on js-yaml ^3 and
calls the v3-only jsYaml.safeLoad to parse the OpenAPI spec; a blanket
^4.2.0 override force-upgrades it to v4 (safeLoad removed), so OpenAPI
route registration throws and /api/status 404s -- which is exactly what
broke streaming-test-win. Scoping to ^4 patches the genuinely vulnerable
v4 instance while leaving the three v3 consumers (openapi-framework,
@istanbuljs/load-nyc-config, read-yaml-file) intact. Those v3 instances
remain flagged by the advisory but are not exploitable: all parse trusted
local files (the app's own OpenAPI spec, nyc config), never untrusted
network input, and no v3 fix exists.
(cherry picked from commit d0572cfaa0e9d7b57706e02eb8ebcc85687be188)