[Snyk] Security upgrade bcrypt from 5.1.1 to 6.0.0

[javiertelioz]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Directory Traversal SNYK-JS-TAR-15127355	596

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal

[Copilot]

Pull request overview

This PR upgrades the bcrypt package from version 5.1.1 to 6.0.0 to address a directory traversal vulnerability (SNYK-JS-TAR-15127355) in the tar dependency that was part of bcrypt's previous build toolchain. The upgrade eliminates the vulnerable dependency by replacing @mapbox/node-pre-gyp with node-gyp-build.

Changes:

• Upgraded bcrypt from 5.1.1 to 6.0.0 to fix security vulnerability
• Removed @mapbox/node-pre-gyp and its entire dependency tree (including vulnerable tar package)
• Added node-gyp-build as the new build system and upgraded node-addon-api from 5.1.0 to 8.5.0

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
package.json	Updates bcrypt version to 6.0.0
package-lock.json	Updates bcrypt to 6.0.0, removes @mapbox/node-pre-gyp and transitive dependencies, adds node-gyp-build and upgrades node-addon-api

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

bcrypt 6.0.0 requires Node.js >= 18, which is a breaking change from the previous version that required >= 10. While your Dockerfile and CI configuration already use compatible Node.js versions (21.2 and 20 respectively), package.json should include an engines field to explicitly document this requirement and prevent users from attempting to run the project on unsupported Node.js versions. Consider adding an engines field specifying the minimum Node.js version required.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (ec7861e) to head (d7c3d68).

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #174   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           20        20           
  Lines          148       148           
  Branches        21        26    +5     
=========================================
  Hits           148       148           

Flag	Coverage Δ
unittests	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.