SWI-3723 [Snyk] Fix for 2 vulnerabilities

[bwappsec]

Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json
• yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Prototype Pollution SNYK-JS-LODASH-15053838	115
	Allocation of Resources Without Limits or Throttling SNYK-JS-UNDICI-14943963	38

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Allocation of Resources Without Limits or Throttling

[bwappsec]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[bwappsec]

The primary change is a major version upgrade for @actions/github which introduces a breaking change. The lodash upgrade is a low-risk patch.

• @actions/github: 6.0.0 → 7.0.0 (Medium Risk)

  • Breaking Change: Support for Node.js 14 and 16 has been dropped. These versions reached their end-of-life in 2023.
  • Recommendation: Ensure your GitHub Actions workflows are using a supported version of Node.js, such as Node 20 or newer.

• lodash: 4.17.21 → 4.17.23 (Low Risk)

  • This is a patch release with security fixes and no breaking changes.

Source: actions/toolkit RELEASES.md

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[bwappsec]

The analysis highlights a major version upgrade for @actions/github from 6.0.0 to 7.0.0. While specific release notes for v7.0.0 could not be located, a major version increase often includes breaking changes. Manual validation is recommended to ensure compatibility with your workflows.

The lodash upgrade from 4.17.21 to 4.17.23 is a patch release containing security fixes and is considered low risk.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.