
chore(deps): upgrade project dependencies to latest versions#272

Open
Sourav-kashyap wants to merge 3 commits into master from GH-271

Conversation


@Sourav-kashyap Sourav-kashyap commented Apr 2, 2026

Description

This issue tracks upgrading all project dependencies to their latest stable versions.

Changes

  • Updated all dependencies and devDependencies to latest versions
  • Resolved version conflicts and peer dependency issues
  • Fixed breaking changes introduced by major version upgrades

Checklist:

  • Performed a self-review of my own code
  • npm test passes on your machine

Tested

[Screenshot 2026-04-14 at 1:09:41 PM]

@Sourav-kashyap Sourav-kashyap self-assigned this Apr 2, 2026
@Sourav-kashyap Sourav-kashyap force-pushed the GH-271 branch 3 times, most recently from 2778636 to d7e0a8b on April 2, 2026 03:48

@rohit-sourcefuse rohit-sourcefuse left a comment


Overall Review

What this PR does:

  • Bumps all dependencies and devDependencies in package.json and regenerates package-lock.json
  • Upgrades core LoopBack packages (@loopback/boot, @loopback/core, @loopback/rest, @loopback/context) to latest patch releases
  • Upgrades several major devDependency versions: commitlint v17→v20, husky v7→v9, jsdom v21→v29, nodemailer v6→v8, nyc v17→v18, pubnub v8→v10, typescript ~5.2.2→~5.7.3, @parse/node-apn v5→v8, @semantic-release/* toolchain
  • Adds three new overrides entries: lodash, undici, picomatch (vulnerability remediation)
  • Updates the Trivy CI action reference from @0.28.0 to @master
  • Bumps @types/node from ^16 all the way to ^25

Must-fix before merge

  1. Trivy action pinned to @master — This is a security regression. A mutable branch reference in a supply-chain-sensitive security scanner is unacceptable. Pin to a specific release tag or commit SHA (e.g., aquasecurity/trivy-action@v0.30.0). See inline comment.

  2. lodash override version ^4.18.0 does not exist — The latest lodash v4 is 4.17.21. There is no 4.18.x published. This override is silently ineffective. Change to ^4.17.21. See inline comment.

  3. aws-sdk v2 is EOL — AWS ended maintenance for SDK v2 on September 8, 2025. It will receive no further security patches. This PR bumps it to ^2.1693.0 but should migrate to the modular @aws-sdk/client-* v3 packages (which are already present as transitive deps). If migration is out of scope, open and link a tracked issue. See inline comment.

  4. twilio not upgraded — Still at ^3.82.0 while Twilio Node SDK v5.x is current. Twilio v3 is maintenance-only. Either upgrade or document the deferral with a follow-up issue. See inline comment.

  5. Husky v7→v9 migration completeness — The .husky/ hook files likely need to be updated to v9 format (no shebang, no husky.sh source line). If those files were not updated in this PR, fresh contributor installs will encounter broken hooks. Please confirm and include the .husky/ changes. See inline comment.


Nice-to-have follow-ups

  • @types/node@25.x vs LTS runtime — Using ^25.5.0 types when the minimum engine is Node 20 LTS can mask runtime availability issues. Consider aligning types to ^20.19.0 or ^22.15.0. See inline comment.

  • firebase-admin not upgraded — Still at ^12.1.1; current stable is v13.x. Inconsistent with the stated goal of upgrading all deps to latest.

  • @parse/node-apn v5→v8 (3 majors) — Confirm test coverage exercises the APN send path with the new major version. Three major versions is a significant jump for a notification-critical library.

  • @semantic-release/commit-analyzer v9→v13 — This is a significant jump in the release toolchain. Worth manually running a dry-run release to confirm the changelog and version-bump behaviour is as expected before merging.

  • nodemailer v6→v8 — Major version bump in the email transport layer. Ensure the @types/nodemailer upgrade to ^7 covers the v8 API surface and that any nodemailer-specific test coverage is in place.

  • Consider running npm audit output as a CI artifact or adding it as a step to the workflow so future PRs make the security posture of the lock file explicit.

@Sourav-kashyap Sourav-kashyap force-pushed the GH-271 branch 3 times, most recently from 95d2eb6 to a4cd121 on April 9, 2026 06:07
"@semantic-release/github": "^12.0.6",
"@semantic-release/npm": "^13.1.5",
"@semantic-release/release-notes-generator": "^10.0.3",
"@types/node": "^16.18.119",
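Review bot: `@types/node` is left at ^16.18.119 in this hunk while the neighbouring `@semantic-release/*` entries move to new majors; with the project targeting Node 20 and the `@loopback/*` packages bumped to releases that assume Node 20 globals, the types package should move in the same pass (`"@types/node": "^20.19.0"`), or the deferral should be recorded in the PR description so the mismatch is not lost.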


@types/node is still ^16.18.119. The project targets Node 20+ and the @loopback/* packages have been bumped to v7/v8, which assume Node 20 globals. The ^16 types cause type inaccuracies and miss Node 20 additions.

"@types/node": "^20.19.0"

Low-risk change — straightforward to include with this update pass.

Author


I'll update this in a follow-up PR since it is a major version change.


- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.28.0
uses: aquasecurity/trivy-action@0.35.0
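Review bot: the replacement `uses: aquasecurity/trivy-action@0.35.0` still references a mutable tag, which in a security-scanning step means the code that produces the scan result can change upstream without any change in this repository. Pin the full 40-character commit SHA and keep the version as a trailing comment, i.e. `uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0` (the value this thread later verifies with `git ls-remote`), and check that the SHA resolves in CI before merging, since the first SHA proposed in the thread did not.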


trivy-action@0.35.0 is a mutable tag. The upstream maintainer can force-push this tag to a different commit at any time, silently changing what runs in your security scan — a known supply chain risk.

Pin to the commit SHA instead:

uses: aquasecurity/trivy-action@57a97c7e8b8c6e9c1a7a20db8c5e540c31cf79a8 # v0.35.0

Author


[Screenshot 2026-04-13 at 1:00:20 PM]

Sir, we are using the same pattern in other projects.


While using a version tag like @0.35.0 is common across projects, mutable tags can be force-pushed by upstream maintainers, which introduces a supply-chain risk — especially in a security-scanning workflow. Pinned to the immutable commit SHA in 7e4e51f:

uses: aquasecurity/trivy-action@57a97c7e8b8c6e9c1a7a20db8c5e540c31cf79a8 # v0.35.0

This ensures the exact same code runs every time regardless of any upstream tag changes.


@rohit-sourcefuse rohit-sourcefuse Apr 13, 2026


Hi @Sourav-kashyap ,

Thanks for the response and for flagging that the same pattern is used across other projects — that's a fair observation and I appreciate you checking.

That said, I want to explain why I'm still flagging this even though it's consistent with other workflows.

The core issue with mutable tags like @0.35.0:

A version tag in GitHub Actions is not the same as a pinned version in package.json. Any repository owner can silently force-push a tag like 0.35.0 to point to a completely different commit — no changelog, no notification, no trace.
When your CI picks it up next time, it runs different code than it did yesterday.

This matters most in two places:

  1. Security scanning workflows — if the scanner itself is compromised, it can suppress findings or report clean results on malicious code
  2. Actions that have broad repository access — which trivy-action does by nature

The fix is simple — just add the commit SHA as a comment anchor:
uses: aquasecurity/trivy-action@57a97c7e8b8c6e9c1a7a20db8c5e540c31cf79a8 # v0.35.0
This still reads clearly as v0.35.0 but is now immutable — a force-push upstream has zero effect on your pipeline.
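As an added example (not code from this PR or the project), a POSIX shell check that lists every `uses:` reference in a workflow that is not pinned to a full commit SHA, so tag and branch references like the ones discussed above are caught before merge. It runs over a constructed workflow snippet modelled on the trivy.yaml lines quoted in this thread; the function names are the example's own.

```shell
#!/bin/sh
# Added example: flag GitHub Actions `uses:` references that are not pinned to a
# 40-hex commit SHA. Mutable tags (@0.35.0, @v3) and branches (@master) are
# reported; a SHA pin with a trailing "# vX.Y.Z" comment passes.

# Constructed sample workflow (not the project's file), mirroring the quoted steps.
SAMPLE_WORKFLOW='jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
      - uses: ./.github/actions/local-step'

# Print one "<owner/repo>@<ref>" line per unpinned reference in the YAML text given
# as $1. Local actions (./...) and docker:// images are skipped; the trailing
# "# v0.35.0" comment is stripped before the SHA test so it does not interfere.
unpinned_uses() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
    grep -v '^\./' | grep -v '^docker://' |
    grep -Ev '@[0-9a-f]{40}$' || true
}

# Succeed (exit 0) only when every external action in the workflow is SHA-pinned.
check_workflow() {
  n=$(unpinned_uses "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Standalone run: list the unpinned references in the constructed sample.
unpinned_uses "$SAMPLE_WORKFLOW"
```

To confirm which commit a tag currently points at before pinning it, `git ls-remote --tags https://github.com/aquasecurity/trivy-action 0.35.0` prints the resolved SHA, which is the check the reviewer used above.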


Correction: the SHA 57a97c7e8b8c6e9c1a7a20db8c5e540c31cf79a8 I suggested earlier does not resolve — CI confirmed this with Unable to resolve action.

The correct commit SHA for v0.35.0 (verified via git ls-remote):

uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0

Apologies for the incorrect SHA in the earlier comment.


@copilot revert your commit or correct it with right SHA :
uses: aquasecurity/trivy-action@57a97c7 # v0.35.0


Corrected in c7af0ac — the SHA is now updated to the valid v0.35.0 commit:

uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0


@rohit-sourcefuse rohit-sourcefuse left a comment


Summary

Good dependency hygiene pass overall — the @loopback/* bumps, TypeScript ~5.7.3 pin, and lodash/node-forge overrides are all correct. Two issues need to be resolved before this can merge, as they will break the release pipeline on the current Node 20 CI baseline.

Must fix before merge:

  • @semantic-release/github@12.0.6 requires Node ^22.14.0 || >= 24.10.0 — CI runs Node 20 and will fail. Downgrade to ^11.0.0.
  • undici override ^6.24.0 conflicts with @semantic-release/github@12.0.6 which requires undici ^7.0.0. This will silently break semantic-release at runtime. Update the override to ^7.0.0 (or pair with the downgrade above).

Nice to have:

  • Bump @types/node from ^16.18.119 to ^20.19.0 to match the actual Node 20 runtime.
  • Pin trivy-action to a commit SHA rather than the mutable @0.35.0 tag to eliminate supply chain risk.

@rohit-sourcefuse

Thanks for the updates — resolved the threads that are addressed. Two blocking issues still need to be fixed before this can merge:

1. @semantic-release/github@12.0.6 — Node engine incompatibility

This version requires node: "^22.14.0 || >= 24.10.0". The project's engines field is >=20 and CI runs Node 20, so semantic-release will fail on the next release run. Downgrade to ^11.0.0 which supports Node ^18.17.0 || >= 20.6.5:

"@semantic-release/github": "^11.0.0"

2. undici override ^6.24.0 conflicts with @semantic-release/github@12.0.6

@semantic-release/github@12.0.6 declares a peer requirement on undici ^7.0.0. The ^6.24.0 override will force the wrong major version onto it, breaking the release pipeline silently at runtime. Fix by updating the override — or pair with the downgrade above (in which case undici 6.x is fine):

"undici": "^7.0.0"

These two issues are linked — the simplest fix is downgrading @semantic-release/github to ^11.0.0 and dropping the undici override entirely (since v11 doesn't require it).

upgrade project dependencies to latest versions

GH-271

Copilot AI left a comment


Pull request overview

This PR updates Node/LoopBack tooling dependencies and the Trivy GitHub Actions workflow to newer versions as part of a repo-wide dependency refresh.

Changes:

  • Bumped LoopBack framework/build/test dependencies and core tooling (TypeScript, eslint, simple-git, semantic-release plugins).
  • Added additional overrides entries to force certain transitive dependency versions.
  • Updated Trivy GitHub Action version and adjusted YAML quoting.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.

File                          Description
package.json                  Updates runtime/dev dependency versions and adds new overrides entries.
.github/workflows/trivy.yaml  Updates Trivy action version and refines workflow step configuration.


Comment on lines +126 to 132
"@semantic-release/npm": "^13.1.5",
"@semantic-release/release-notes-generator": "^10.0.3",
"@types/node": "^16.18.119",
"@types/nodemailer": "^6.4.4",
"@types/proxyquire": "^1.3.28",
"@types/proxyquire": "^1.3.31",
"@types/pubnub": "^7.4.2",
"@types/socket.io-client": "^1.4.33",
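Review bot: `@types/nodemailer` is unchanged at ^6.4.4 in this hunk although the review overview lists nodemailer moving v6→v8; confirm the types package is bumped to match the runtime major (the overview mentions ^7) so the TypeScript build reflects the v8 API, and note that the only change that lands here is `@types/proxyquire` ^1.3.28→^1.3.31 while `@types/node` stays on ^16.18.119 against a Node >=20 engine.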

Copilot AI Apr 13, 2026


The project declares Node >=20, but devDependencies still pin @types/node to ^16.18.119. With TypeScript upgraded to ~5.7.3, this can cause missing/incorrect Node API typings for development and CI builds. Consider bumping @types/node to a major that matches your supported Node range (e.g., 20/22) and ensure it stays consistent with the engines field and CI Node version.


Comment on lines +176 to +178
"lodash": "^4.17.21",
"undici": "^7.0.0",
"picomatch": "^4.0.4"
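Review bot: `"undici": "^7.0.0"` and `"picomatch": "^4.0.4"` are root-level overrides, so they are forced onto every transitive consumer in the tree, including packages whose declared ranges are older majors (the thread records transitive requests for undici ^5 and ^6). Either scope each override under the parent package that needs it, or upgrade that parent so its own range admits the new major, and name the advisory each override is meant to remediate in the PR description, since the overview only calls them "vulnerability remediation".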

Copilot AI Apr 13, 2026


The new global overrides for undici (^7.0.0) and picomatch (^4.0.4) force major versions across the entire dependency tree, even where upstream packages declare older major ranges (the current lockfile includes transitive deps requesting undici ^5 and ^6). This bypasses semver constraints and can create hard-to-debug runtime issues. Prefer scoping overrides to specific packages/paths or upgrading the upstream packages so their declared ranges include these majors.

Suggested change
"lodash": "^4.17.21",
"undici": "^7.0.0",
"picomatch": "^4.0.4"
"lodash": "^4.17.21"

@@ -22,8 +22,8 @@ jobs:
- uses: actions/checkout@v3
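Review bot: `- uses: actions/checkout@v3` is an unchanged context line here, but it is the same floating-tag pattern that the trivy step in this file is being moved away from; when it is upgraded to v4 as suggested below, pin it to the full commit SHA with a `# v4` trailing comment so both steps in the workflow follow one pinning convention.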

Copilot AI Apr 13, 2026


This workflow still uses actions/checkout@v3. Since GitHub Actions has moved off the Node 16 runtime, v3-based JS actions can become unsupported/break; please upgrade to actions/checkout@v4 to keep the workflow compatible long-term.

Suggested change
- uses: actions/checkout@v3
- uses: actions/checkout@v4

Author


resolved

"@semantic-release/git": "^10.0.1",
"@semantic-release/github": "^12.0.0",
"@semantic-release/npm": "^13.1.1",
"@semantic-release/github": "^11.0.0",
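Review bot: `@semantic-release/github` moves down from ^12.0.0 to ^11.0.0 in the same hunk where `@semantic-release/npm` moves up to ^13.1.1; a downgrade inside a PR titled "upgrade to latest" needs its reason captured in the commit message or PR description (v12.0.6 requires Node ^22.14.0 || >= 24.10.0 while CI runs Node 20, per the earlier review), and the `undici` ^7.0.0 override that was added for v12 should be dropped alongside it, as that review recommended.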
Contributor


Why downgrade?

Author


[Screenshot 2026-04-14 at 1:51:05 PM]

Rohit sir commented on this.
