@DiogoRDuarte

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json

Vulnerabilities that will be fixed with an upgrade:

Issue: Allocation of Resources Without Limits or Throttling (high severity), SNYK-JS-QS-14724253
Score: 170

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-14724253
@DiogoRDuarte (Author)

Merge Risk: High

This upgrade contains several high-risk major version updates, most notably for npm and npmi. The upgrade from npm v3 to v7 introduces significant breaking changes to dependency installation, and the npmi upgrade adopts this new behavior. Other major version bumps for juice and tiny-lr also carry risk.

Top 3 Most Impactful Upgrades:

  • npm @ 3.9.2 → 7.0.0 (High Risk): This major version upgrade introduces fundamental changes to dependency management that will likely impact your build process.

    • Highlights:
      • Automatic Peer Dependency Installation: npm v7 now automatically installs peer dependencies, which can block installations if it detects conflicts in the dependency tree. This is a major departure from npm v3-v6, which only showed warnings.
      • npx Rework: npx has been rewritten and now uses npm exec. It will prompt for confirmation before running a command for a package that is not already installed.
    • Source: npm documentation.
    • Recommendation: Test all installation workflows thoroughly. Use the --legacy-peer-deps flag as a temporary workaround if peer dependency conflicts block your builds.
  • npmi @ 2.0.1 → 4.0.0 (High Risk): This upgrade changes how npmi executes installations. Version 2 bundled npm@3, whereas version 4 uses the globally available npm instance. Given the parallel upgrade to npm@7, npmi will now use the new engine and inherit all of its breaking changes, including the mandatory peer dependency resolution.

    • Source: npmi documentation.
    • Recommendation: Validate that all npmi-based scripts work as expected with the new npm@7 installation behavior.
  • juice @ 2.0.0 → 7.0.0 (High Risk): This is a large jump across multiple major versions. While a specific migration guide was not found, an update of this magnitude almost certainly includes breaking API changes. The risk is high due to the significant version gap.

    • Source: Package documentation. [8, 12

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@DiogoRDuarte (Author)

Merge Risk: High

This release includes several high-risk major version upgrades. The update from npm 3.x to 7.x is the most significant, introducing fundamental changes to dependency resolution. juice and npmi also have major breaking changes.

Top Breaking Changes:

  • npm 3.9.2 → 7.0.0 (high): This upgrade crosses four major versions (v4, v5, v6, v7). Key breaking changes include the introduction of package-lock.json in v5, which replaces npm-shrinkwrap.json for deterministic installs, and a new peer dependency resolution algorithm in v7 that automatically installs peer dependencies and will fail if conflicts are found. The npx command was also rewritten.

  • juice 2.0.0 → 7.0.0 (medium): This is a large version jump. While specific breaking changes between each major version are not detailed in the search results, the gap is substantial. The web-resources-scripts option has been renamed, and developers should review the current documentation for other potential API changes.

  • npmi 2.0.1 → 4.0.0 (medium): npmi v4 removes npm as a direct dependency and instead uses the globally installed npm. This is a significant architectural change. Version 3 also updated its internal npm dependency to npm@5, inheriting its breaking changes like package-lock.json creation.

Other Upgrades:

  • tiny-lr 0.2.1 → 1.0.0 (low): The 1.0 release drops support for older Internet Explorer versions (6-9).
  • cheerio 0.20.0 → 0.22.0 (low): No significant breaking changes were found for this minor version bump.

Recommendation: The npm upgrade requires immediate attention. Developers must validate their dependency resolution, especially regarding peer dependencies. Use the --legacy-peer-deps flag as a temporary workaround if builds fail due to peer dependency conflicts. Review the juice and npmi documentation to adapt to their new APIs and behaviors.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
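The two comments above rank the upgrades in this PR by how many major versions each dependency crosses. The script below is an added example of that triage as a pre-merge check, written for this page and not taken from the Snyk PR or from the project: it diffs the dependency specs of an old and a new package.json object, classifies each change as patch, minor or major, counts the majors crossed, and flags 0.x minor bumps that caret ranges treat as potentially breaking. The old/new package.json objects are constructed from the version numbers listed in the comments, and the low/medium/high labels are this script's own heuristic, not Snyk's score.

```javascript
// Added example, not code from the Snyk PR or from this project: a pre-merge check
// that diffs the dependency specs in two package.json objects and ranks the upgrades
// by how many major versions they cross. The old/new objects below are constructed
// from the version pairs named in the PR comments; the risk labels are this script's
// own heuristic, not Snyk's score.

function parseSemver(spec) {
  // Accept a bare version or a simple range prefix (^, ~, >=, =, v) and take the
  // lowest version it names. Anything more complex (||, x-ranges, tags) is rejected
  // so that it is reviewed by hand rather than silently classified.
  const m = /^\s*(?:\^|~|>=|=|v)?(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) throw new Error(`cannot parse version spec: ${JSON.stringify(spec)}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function classifyUpgrade(name, from, to) {
  const a = parseSemver(from);
  const b = parseSemver(to);
  const majorsCrossed = b.major - a.major;
  let kind = 'none';
  if (majorsCrossed !== 0) kind = 'major';
  else if (b.minor !== a.minor) kind = 'minor';
  else if (b.patch !== a.patch) kind = 'patch';
  // Under caret semantics a 0.x minor bump is allowed to break the API, so flag it.
  const caretBreaking = a.major === 0 && kind === 'minor';
  let risk = 'low';
  if (kind === 'major') risk = majorsCrossed >= 2 ? 'high' : 'medium';
  else if (caretBreaking) risk = 'medium';
  return { name, from, to, kind, majorsCrossed, caretBreaking, risk };
}

function diffDependencies(oldPkg, newPkg) {
  const changes = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const before = oldPkg[field] || {};
    const after = newPkg[field] || {};
    for (const name of Object.keys(after)) {
      if (before[name] !== undefined && before[name] !== after[name]) {
        changes.push(classifyUpgrade(name, before[name], after[name]));
      }
    }
  }
  // Highest risk first, then the widest major-version gap, then by name.
  const rank = { high: 3, medium: 2, low: 1 };
  return changes.sort((x, y) =>
    rank[y.risk] - rank[x.risk] ||
    y.majorsCrossed - x.majorsCrossed ||
    x.name.localeCompare(y.name));
}

function mergeRiskReport(oldPkg, newPkg) {
  const upgrades = diffDependencies(oldPkg, newPkg);
  const overall = upgrades.some(u => u.risk === 'high') ? 'High'
    : upgrades.some(u => u.risk === 'medium') ? 'Medium' : 'Low';
  return { overall, upgrades };
}

// Constructed sample input (not the project's real package.json): the dependency
// specs before and after the upgrade, using the versions listed in the PR comments.
const oldPkg = {
  dependencies: { npm: '3.9.2', npmi: '2.0.1', juice: '2.0.0', 'tiny-lr': '0.2.1', cheerio: '0.20.0' },
};
const newPkg = {
  dependencies: { npm: '7.0.0', npmi: '4.0.0', juice: '7.0.0', 'tiny-lr': '1.0.0', cheerio: '0.22.0' },
};

const report = mergeRiskReport(oldPkg, newPkg);
console.log(`Merge Risk: ${report.overall}`);
for (const u of report.upgrades) {
  console.log(`  ${u.name} ${u.from} -> ${u.to}: ${u.kind} (${u.risk}, crosses ${u.majorsCrossed} major version(s)` +
    `${u.caretBreaking ? ', 0.x minor bump' : ''})`);
}
```

Run it with `node` against the real before/after package.json (for example `JSON.parse(fs.readFileSync(...))` on the base and PR branches) to get the ranked list before reading the changelogs. Note that the heuristic deliberately rates tiny-lr 0.2.1 → 1.0.0 and the cheerio 0.x minor bump as medium, which is stricter than the comments above: the script has no knowledge of a package's actual changelog, so it errs toward flagging anything semver allows to break.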
