
fix(deps): Address npm security advisories #327

Merged
Artmann merged 3 commits into main from chris/address-advisories-02-19 on Feb 19, 2026

Conversation


@Artmann Artmann commented Feb 19, 2026

diff (GHSA-73rr-hh4g-fpgx) - Fixed via overrides:

  • Override diff to 5.2.2 under mocha and sinon (patch bump, ^5.x range)
  • Override diff to 4.0.4 under tslint (patch bump, ^4.x range)
  • Removes the .nsprc exception since the vulnerability is now resolved

eslint RuleTester (GHSA-p5wg-g6qr-c7cg) - Removed:

  • Advisory was withdrawn in Feb 2026, exception no longer needed

tar (GHSA-83g3-92jg-28cx) - Fixed via override bump:

  • Bump tar override from 7.5.7 to 7.5.8 (patch fix)

elliptic (GHSA-848j-6mx2-7j84) - Exception retained:

  • No fix available, dev-only transitive dep, not used for signing
  • Extended expiry to 2026-08-15

undici (GHSA-g9mf-h72j-4rw9) - Exception retained:

  • Fix requires major version jump (5.x -> 7.x) breaking @actions/http-client
  • Extended expiry to 2026-08-15

ajv (GHSA-2g4f-4pwh-qvx6) - New exception:

  • Fix requires ajv@8.x but consumers (@jupyterlab/settingregistry, table) are on 6.x
  • Dev-only, not bundled in extension

minimatch (GHSA-3ppc-4f35-3m26) - New exception:

  • Fix requires minimatch@10.x but consumers (mocha, glob) are on 3.x-5.x
  • Dev-only, not bundled in extension

Summary by CodeRabbit

  • Chores
    • Replaced and consolidated several security advisory entries, removed obsolete advisories, and extended advisory expiry dates.
    • Applied dependency overrides to address transitive vulnerabilities and bumped affected packages.
    • Switched CI audit tooling to a more comprehensive audit command and added a corresponding exceptions configuration.

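An added example, not code from this PR or the project: a small Node script that reads a better-npm-audit `.nsprc` exceptions object like the one this PR edits and reports which accepted-risk entries have expired, are about to expire, or carry no expiry at all, so that "exception retained" decisions get revisited on schedule. The sample entries are constructed from the advisory ids and reasons in the description, and the `.nsprc` shape (advisory id mapped to `{ active, expiry, notes }` or a bare notes string) is assumed from better-npm-audit's documentation.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample in the better-npm-audit .nsprc shape (assumed from its docs):
// advisory id -> { active, expiry, notes } or a bare notes string. The ids and
// reasons mirror the exceptions described in this PR.
const SAMPLE_NSPRC = {
  "GHSA-848j-6mx2-7j84": {
    active: true,
    expiry: "2026-08-15",
    notes: "elliptic: no fix available, dev-only transitive dep, not used for signing",
  },
  "GHSA-g9mf-h72j-4rw9": {
    active: true,
    expiry: "2026-08-15",
    notes: "undici: fix needs 5.x -> 7.x, breaks @actions/http-client",
  },
  "GHSA-2g4f-4pwh-qvx6": "ajv: consumers pinned to 6.x, dev-only (no expiry set)",
};

// Classify each exception relative to `now`: "expired", "expiring" (due within
// warnDays), "ok", "no-expiry", "invalid-expiry", or "inactive".
function auditExceptions(nsprc, now = new Date(), warnDays = 30) {
  return Object.entries(nsprc).map(([id, value]) => {
    const entry = typeof value === "string" ? { active: true, notes: value } : value;
    if (entry.active === false) return { id, status: "inactive" };
    if (!entry.expiry) return { id, status: "no-expiry" };
    const expiry = new Date(entry.expiry);
    if (Number.isNaN(expiry.getTime())) return { id, status: "invalid-expiry" };
    const daysLeft = Math.floor((expiry.getTime() - now.getTime()) / DAY_MS);
    const status = daysLeft < 0 ? "expired" : daysLeft <= warnDays ? "expiring" : "ok";
    return { id, status, daysLeft };
  });
}

// True when the report contains an entry that should fail a CI gate: an
// expired, missing or unparsable expiry means the accepted risk is no longer
// time-boxed and the decision has to be revisited.
function hasBlockingExceptions(report) {
  const blocking = new Set(["expired", "no-expiry", "invalid-expiry"]);
  return report.some((r) => blocking.has(r.status));
}

// Stand-alone run: evaluate the sample as of this PR's merge date.
for (const r of auditExceptions(SAMPLE_NSPRC, new Date("2026-02-19"))) {
  const tail = r.daysLeft !== undefined ? ` (${r.daysLeft} days left)` : "";
  console.log(`${r.id}: ${r.status}${tail}`);
}
```

Run with a real file via `auditExceptions(JSON.parse(fs.readFileSync(".nsprc", "utf8")))` and gate the CI step on `hasBlockingExceptions`.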

coderabbitai Bot commented Feb 19, 2026

No actionable comments were generated in the recent review. 🎉


Walkthrough

Updates security advisory records in .nsprc: replaces GHSA-73rr-hh4g-fpgx with GHSA-2g4f-4pwh-qvx6 and GHSA-3ppc-4f35-3m26, removes GHSA-g9mf-h72j-4rw9 and GHSA-p5wg-g6qr-c7cg, extends GHSA-848j-6mx2-7j84 expiry, and consolidates the undici DoS note under a GHSA block with a note about an @actions/http-client major-version constraint. package.json bumps tar to 7.5.8 and adds overrides for mocha, sinon, and tslint. CI workflow replaces npm audit --production with npx better-npm-audit audit --production and adds a comment about .nsprc.

Pre-merge checks: 4 passed

  • Description Check (Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (Passed): The title accurately summarizes the main change: addressing npm security advisories through dependency updates and exception management.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Updates Docs (Passed): PR addresses npm security advisories through dependency updates and CI configuration adjustments. Documentation updates not required since no new features are implemented, only security vulnerabilities addressed.


coderabbitai Bot previously approved these changes Feb 19, 2026
The audit-prod CI job used raw `npm audit --production` which doesn't
read .nsprc exceptions, causing failures for accepted-risk advisories
(ajv, minimatch). Switch to `better-npm-audit audit --production` to
match audit-all and respect the shared exceptions file.
@Artmann Artmann marked this pull request as ready for review February 19, 2026 09:44
@Artmann Artmann requested a review from a team as a code owner February 19, 2026 09:44
@Artmann Artmann requested a review from saltenasl February 19, 2026 09:44

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
  • Around line 216-217: Pin the better-npm-audit tool to a specific version instead of calling it unpinned with npx; update the CI run step that currently uses "npx better-npm-audit audit --production" to either call "npx better-npm-audit@<stable-version> audit --production" or add better-npm-audit as a devDependency and invoke it via "npm exec better-npm-audit audit --production" to ensure reproducibility and supply-chain safety.

Comment thread .github/workflows/ci.yml

codecov Bot commented Feb 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0%. Comparing base (cbd437a) to head (19d49ad).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.


@Artmann Artmann merged commit 693dff4 into main Feb 19, 2026
13 checks passed
@Artmann Artmann deleted the chris/address-advisories-02-19 branch February 19, 2026 13:34