fix(security): update dependencies to fix security vulnerabilities

[jbocce]

Context

Address various security bulletins...

GHSA-r5fr-rjxr-66jc

GHSA-677m-j7p3-52f9

GHSA-rf6f-7fwh-wjgh

GHSA-2328-f5f3-gj25

GHSA-q67f-28xg-22rw

GHSA-5m6q-g25r-mvwx

GHSA-ppp5-5v6c-4jwp

GHSA-2w6w-674q-4c4q

GHSA-9cx6-37pm-9jff

GHSA-xhpv-hc6g-r9c6

GHSA-xjpj-3mr7-gcpf

GHSA-3mfm-83xf-c92r

GHSA-37ch-88jc-xwx2

GHSA-c2c7-rcm5-vvqj

Changes & Results

Patched some versions. Ignored dev only vulnerability.

Testing

Run automated tests.

Checklist

PR

• My Pull Request title is descriptive, accurate and follows the
  semantic-release format and guidelines.

Code

• My code has been well-documented (function documentation, inline comments,
  etc.)

Public Documentation Updates

• The documentation page has been updated as necessary for any public API
  additions or removals.

Greptile Summary

This PR addresses 14 security advisories by bumping several direct and transitive dependency overrides in package.json, and updating the corresponding yarn.lock and bun.lock files. A new advisory for picomatch (GHSA-c2c7-rcm5-vvqj) is intentionally ignored in CI, with the justification that it is only used in build/CI contexts.

Confidence Score: 5/5

Safe to merge — all security fixes are correctly reflected in yarn.lock; the only finding is a P2 cosmetic gap in bun.lock that does not affect runtime behavior.

All updated packages (path-to-regexp, node-forge, lodash, lodash-es, flatted, handlebars, socket.io-parser) are properly resolved with correct versions and integrity hashes in yarn.lock, which is the primary package manager. The single finding (missing bun.lock package entry for socket.io-parser) is a P2 style issue that does not affect how packages are actually installed or used at runtime.

bun.lock — socket.io-parser override lacks a resolved package entry

Important Files Changed

Filename	Overview
package.json	Bumps path-to-regexp, node-forge, lodash, lodash-es, flatted, handlebars; adds socket.io-parser and handlebars as new resolutions; adds picomatch advisory to the audit ignore list.
bun.lock	All updated packages reflected correctly except socket.io-parser: it appears only in the overrides section without a resolved package entry, meaning bun may not fully enforce the override.
yarn.lock	All updated and new packages (socket.io-parser@4.2.6, handlebars@4.7.9, lodash@4.18.1, etc.) are properly resolved with correct versions, URLs, and integrity hashes.
.circleci/config.yml	Adds GHSA-c2c7-rcm5-vvqj (picomatch) to the CI audit ignore list with a dev/CI-only justification comment.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Security Advisories Identified] --> B[Bump direct resolutions in package.json]
    B --> C{Package type}
    C -->|Bumped version| D[path-to-regexp 0.1.12 → 0.1.13]
    C -->|Bumped version| E[node-forge 1.3.2 → 1.4.0]
    C -->|Bumped version| F[lodash / lodash-es 4.17.23 → 4.18.1]
    C -->|Bumped version| G[flatted 3.4.0 → 3.4.2]
    C -->|Bumped version| H[handlebars 4.7.8 → 4.7.9]
    C -->|New override| I[socket.io-parser 4.2.6 added]
    C -->|Ignored - dev only| J[picomatch GHSA-c2c7-rcm5-vvqj]
    D & E & F & G & H --> K[yarn.lock + bun.lock updated]
    I --> L[yarn.lock fully resolved]
    I --> M[bun.lock overrides only - no package entry]
    J --> N[CI ignore list + bun audit --ignore flag]

Loading

_{Reviews (1): Last reviewed commit: "fix(security): update dependencies to fi..." | Re-trigger Greptile}

Greptile also left 1 inline comment on this PR.

[netlify]

✅ Deploy Preview for ohif-dev canceled.

Name	Link
🔨 Latest commit	750f8c5
🔍 Latest deploy log	https://app.netlify.com/projects/ohif-dev/deploys/69cee54b05dd6a00085867cb