
[Snyk] Fix for 1 vulnerabilities #207

Open
mnk-blr wants to merge 1 commit into main from snyk-fix-8e07a49cc704661ef13765f523a3a5f0

Conversation

mnk-blr commented Feb 21, 2026

Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • package.json

⚠️ Warning: Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue: high severity Regular Expression Denial of Service (ReDoS), SNYK-JS-MINIMATCH-15309438
Score: 170

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-15309438
mnk-blr (Author) commented Feb 21, 2026

Snyk checks have failed. 20 issues have been found so far.

Scanner               Critical  High  Medium  Low  Total (20)
Open Source Security      2      18     0      0   20 issues
Licenses                  0       0     0      0    0 issues
Code Security             0       0     0      0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Comment thread package.json
"@typescript-eslint/parser": "^5.59.5",
"dts-bundle": "^0.7.3",
"eslint": "^8.56.0",
"eslint": "^10.0.0",
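Review bot: This hunk moves eslint across two major versions (^8.56.0 to ^10.0.0) to address SNYK-JS-MINIMATCH-15309438, yet package.json is the only file in the diff and the PR description states the pnpm-lock.yaml update failed, so the lock file still resolves the old eslint and whatever minimatch it pulled in; `pnpm install --frozen-lockfile` will reject the mismatch and a non-frozen install will resolve something other than what was reviewed. Regenerate pnpm-lock.yaml in this PR, and since the diff never touches minimatch itself, state in the description which version of minimatch this bump actually lands on. If the major bump (and the flat-config migration the comment below describes) is not wanted yet, a `pnpm.overrides` entry in package.json that raises the transitive minimatch to a non-vulnerable release is the narrower fix.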

Contributor


⚠️ Critical Compatibility Issue: ESLint 10 requires flat configuration format (eslint.config.js) but the codebase uses legacy .eslintrc.js. Additionally, @typescript-eslint/eslint-plugin: ^5.59.5 and @typescript-eslint/parser: ^5.59.5 may not be compatible with ESLint 10.

Required actions:

  1. Update @typescript-eslint/* packages to ESLint 10 compatible versions
  2. Migrate from .eslintrc.js to eslint.config.js format
  3. Update eslint-config-prettier from ^6.9.0 to a version supporting ESLint 10

Comment thread package.json
"eslint-plugin-simple-import-sort": "^10.0.0",
"eslint-plugin-testing-library": "^5.11.0",
"jest": "^27.4.6",
"jest": "^29.0.0",
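Review bot: Same lock-file concern as the eslint hunk, with a wider blast radius: jest ^27.4.6 to ^29.0.0 is a major upgrade whose companion packages (ts-jest, @types/jest, jsdom) are untouched in this diff and the lock file was not regenerated, so CI will either fail on a frozen install or resolve a mix of Jest 27 and Jest 29 toolchain packages. Nothing in the diff shows that this bump is what moves minimatch off the vulnerable range; either include the matching ts-jest/@types/jest/jsdom bumps and the jest.config.sdk.js migration in this PR, or split this hunk out so the minimatch fix can merge on its own.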

Contributor


⚠️ Critical Dependency Missing: Upgrading Jest to v29 requires coordinated updates to related packages:

Missing updates needed:

  • ts-jest: ^27.1.1 → ^29.1.0 (v27 is incompatible with Jest v29)
  • @types/jest: ^27.0.3 → ^29.5.0 (type definitions mismatch)
  • jsdom: ^19.0.0 → ^20.0.0+ (compatibility with Jest 29)

Configuration migration required:
Jest 29 deprecated the globals.ts-jest configuration format. The current jest.config.sdk.js needs migration from:

globals: { 'ts-jest': { ... } }

to:

transform: { '^.+\\.tsx?$': ['ts-jest', { ... }] }
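The migration the comment above describes, as an added example that is not code from this PR or from the project: a helper that lifts a Jest 27-style `globals['ts-jest']` block into the Jest 29 `transform` tuple form. The file name jest.config.sdk.js and the transform key come from the comment; the option values in the sample config (tsconfig path, isolatedModules, testEnvironment) are constructed for illustration and are not the project's real settings.

```javascript
// Constructed sample of the legacy layout described in the review comment
// (not the project's real jest.config.sdk.js).
const legacyConfig = {
  preset: 'ts-jest',
  testEnvironment: 'jsdom',
  globals: {
    'ts-jest': { tsconfig: 'tsconfig.test.json', isolatedModules: true },
  },
};

// Transform key for TypeScript sources, as quoted in the review comment.
const TS_TRANSFORM_PATTERN = '^.+\\.tsx?$';

// Returns a new config with globals['ts-jest'] moved into
// transform[TS_TRANSFORM_PATTERN] = ['ts-jest', options].
// Other globals are preserved; if there is nothing to migrate the
// input object is returned unchanged.
function migrateTsJestGlobals(config) {
  const { globals = {}, ...rest } = config;
  const { 'ts-jest': tsJestOptions, ...otherGlobals } = globals;
  if (tsJestOptions === undefined) {
    return config; // already in the Jest 29 form (or no ts-jest globals)
  }

  const transform = { ...(config.transform || {}) };
  // A bare string entry ('ts-jest') carries no options; a tuple entry
  // may already carry some, which the legacy globals then override.
  const existing = transform[TS_TRANSFORM_PATTERN];
  const existingOptions = Array.isArray(existing) && existing[1] ? existing[1] : {};
  transform[TS_TRANSFORM_PATTERN] = ['ts-jest', { ...existingOptions, ...tsJestOptions }];

  const migrated = { ...rest, transform };
  if (Object.keys(otherGlobals).length > 0) {
    migrated.globals = otherGlobals; // keep unrelated globals such as feature flags
  }
  return migrated;
}

// The object a migrated jest.config.sdk.js would export.
const migratedConfig = migrateTsJestGlobals(legacyConfig);
```

Running the helper once over the real config and pasting the result into jest.config.sdk.js (as its `module.exports`) is enough for the deprecation warning to go away; keeping `preset: 'ts-jest'` is fine, the preset only sets defaults that the explicit `transform` entry overrides.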

claude Bot (Contributor) commented Feb 21, 2026

Code Review Summary

This Snyk security fix addresses a critical ReDoS vulnerability but introduces breaking compatibility issues that prevent safe merging in its current state.

🚨 Critical Issues Preventing Merge

  1. ESLint 10 Compatibility Breaking Changes

    • Requires flat config format (eslint.config.js) but codebase uses legacy .eslintrc.js
    • Current @typescript-eslint/* v5.59.5 packages incompatible with ESLint 10
    • Multiple ESLint plugins may not support ESLint 10 yet
  2. Jest 29 Migration Incomplete

    • Missing required updates: ts-jest (^27→^29), @types/jest (^27→^29), jsdom (^19→^20+)
    • Jest config needs migration from deprecated globals.ts-jest to new transform syntax
    • Risk of test failures and build breakage
  3. Missing Lock File Update

    • Snyk warning about failed pnpm-lock.yaml update is critical
    • Could cause dependency resolution failures and inconsistent installs
  4. Documentation Outdated

    • CLAUDE.md still references "Jest 27" instead of Jest 29
    • No migration guidance for developers

⚠️ Recommendation: NOT READY TO MERGE

Before merging, this PR needs:

  1. Complete dependency coordination (ts-jest, @types/jest, @typescript-eslint/*, jsdom)
  2. Jest configuration migration to new format
  3. ESLint configuration migration or downgrade to ESLint 8.x
  4. Regenerated pnpm-lock.yaml with proper dependency resolution
  5. Documentation updates and migration guide

💡 Alternative Approach

Consider creating a more targeted security fix that:

  • Updates only the minimum dependencies needed to resolve the ReDoS vulnerability
  • Delays major version upgrades until a planned migration can be properly executed
  • Ensures all related dependencies are updated together

The current approach risks breaking CI/CD, local development environments, and downstream consumers despite fixing the security vulnerability.
