
chore(deps): upgrade project dependencies to latest versions #272

Open
Sourav-kashyap wants to merge 1 commit into master from GH-271

Conversation

@Sourav-kashyap

Description

This issue tracks upgrading all project dependencies to their latest stable versions.

Changes

  • Updated all dependencies and devDependencies to latest versions
  • Resolved version conflicts and peer dependency issues
  • Fixed breaking changes introduced by major version upgrades

Checklist:

  • Performed a self-review of my own code
  • npm test passes on your machine

Sourav-kashyap self-assigned this Apr 2, 2026
Sourav-kashyap force-pushed the GH-271 branch 3 times, most recently from 2778636 to d7e0a8b on April 2, 2026 03:48

rohit-sourcefuse left a comment

Overall Review

What this PR does:

  • Bumps all dependencies and devDependencies in package.json and regenerates package-lock.json
  • Upgrades core LoopBack packages (@loopback/boot, @loopback/core, @loopback/rest, @loopback/context) to latest patch releases
  • Upgrades several major devDependency versions: commitlint v17→v20, husky v7→v9, jsdom v21→v29, nodemailer v6→v8, nyc v17→v18, pubnub v8→v10, typescript ~5.2.2→~5.7.3, @parse/node-apn v5→v8, @semantic-release/* toolchain
  • Adds three new overrides entries: lodash, undici, picomatch (vulnerability remediation)
  • Updates the Trivy CI action reference from @0.28.0 to @master
  • Bumps @types/node from ^16 all the way to ^25

Must-fix before merge

  1. Trivy action pinned to @master — This is a security regression. A mutable branch reference in a supply-chain-sensitive security scanner is unacceptable. Pin to a specific release tag or commit SHA (e.g., aquasecurity/trivy-action@v0.30.0). See inline comment.

  2. lodash override version ^4.18.0 does not exist — The latest lodash v4 is 4.17.21. There is no 4.18.x published. This override is silently ineffective. Change to ^4.17.21. See inline comment.

  3. aws-sdk v2 is EOL — AWS ended maintenance for SDK v2 on September 8, 2025. It will receive no further security patches. This PR bumps it to ^2.1693.0 but should migrate to the modular @aws-sdk/client-* v3 packages (which are already present as transitive deps). If migration is out of scope, open and link a tracked issue. See inline comment.

  4. twilio not upgraded — Still at ^3.82.0 while Twilio Node SDK v5.x is current. Twilio v3 is maintenance-only. Either upgrade or document the deferral with a follow-up issue. See inline comment.

  5. Husky v7→v9 migration completeness — The .husky/ hook files likely need to be updated to v9 format (no shebang, no husky.sh source line). If those files were not updated in this PR, fresh contributor installs will encounter broken hooks. Please confirm and include the .husky/ changes. See inline comment.


Nice-to-have follow-ups

  • @types/node@25.x vs LTS runtime — Using ^25.5.0 types when the minimum engine is Node 20 LTS can mask runtime availability issues. Consider aligning types to ^20.19.0 or ^22.15.0. See inline comment.

  • firebase-admin not upgraded — Still at ^12.1.1; current stable is v13.x. Inconsistent with the stated goal of upgrading all deps to latest.

  • @parse/node-apn v5→v8 (3 majors) — Confirm test coverage exercises the APN send path with the new major version. Three major versions is a significant jump for a notification-critical library.

  • @semantic-release/commit-analyzer v9→v13 — This is a significant jump in the release toolchain. Worth manually running a dry-run release to confirm the changelog and version-bump behaviour is as expected before merging.

  • nodemailer v6→v8 — Major version bump in the email transport layer. Ensure the @types/nodemailer upgrade to ^7 covers the v8 API surface and that any nodemailer-specific test coverage is in place.

  • Consider running npm audit output as a CI artifact or adding it as a step to the workflow so future PRs make the security posture of the lock file explicit.

Sourav-kashyap force-pushed the GH-271 branch 2 times, most recently from 8818337 to 95d2eb6 on April 9, 2026 05:48
upgrade project dependencies to latest versions

GH-271

sonarqubecloud bot commented Apr 9, 2026

"node-forge": "1.3.3"
"node-forge": "1.3.3",
"lodash": "^4.17.21",
"undici": "^6.24.0",
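Review bot: the `undici` override introduced here is `^6.24.0`, but this same PR bumps `@semantic-release/github` to `12.0.6`, which the inline review records as declaring a peer requirement on `undici ^7.0.0`; an override is applied to every consumer in the tree, so it will force a 6.x onto a package that expects 7.x with no install-time error. Either raise it to `"undici": "^7.0.0"` or drop the override together with a downgrade of `@semantic-release/github`. Since the PR description labels these overrides as vulnerability remediation, add a short note (in the PR body or a comment next to the block) naming which advisory each of `node-forge`, `lodash` and `undici` addresses, so the overrides can be removed once the transitive dependency ships its own fix instead of pinning forever.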

undici is overridden to ^6.23.0 here, but @semantic-release/github@12.0.6 (a direct devDependency) declares a peer requirement on undici ^7.0.0. This override will force 6.x onto a package expecting 7.x, silently breaking the release pipeline at runtime.

Either update the override to ^7.0.0, or downgrade @semantic-release/github to a version compatible with undici 6.x:

"overrides": {
  "lodash": "^4.17.21",
  "undici": "^7.0.0",
  "picomatch": "^4.0.4"
}

"@semantic-release/git": "^10.0.1",
"@semantic-release/github": "^12.0.0",
"@semantic-release/npm": "^13.1.1",
"@semantic-release/github": "^12.0.6",
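Review bot: the move from `^12.0.0` to `^12.0.6` lands on the version the thread identifies as requiring Node `^22.14.0 || >= 24.10.0`, while the project's `engines` field is `>=20` and CI runs Node 20, so the release job will fail on this line. Either pin `"@semantic-release/github": "^11.0.0"` (the last line that supports Node 20) or raise the CI runner and the `engines` field to Node 22 in the same change, so the two cannot drift apart. Because a caret range lets a later 12.x tighten its engines again, the CI install step should run with `--engine-strict` so an incompatible engine range fails at `npm ci` rather than at release time.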

@semantic-release/github@12.0.6 declares engines: { node: "^22.14.0 || >= 24.10.0" }. This project's CI runs on Node 20, so this package will fail to install or run on the CI runners.

Downgrade to the last version that supports Node 20:

"@semantic-release/github": "^11.0.0"

v11.x supports Node ^18.17.0 || >= 20.6.5 and is otherwise compatible with the rest of the release config.

"@semantic-release/github": "^12.0.6",
"@semantic-release/npm": "^13.1.5",
"@semantic-release/release-notes-generator": "^10.0.3",
"@types/node": "^16.18.119",
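Review bot: `@types/node` stays at `^16.18.119` while the `@loopback/*` bumps in this PR assume Node 20 globals and the engines field is `>=20`; type definitions two majors behind the runtime hide Node 20 additions and mis-type APIs that changed, so bump this to `"@types/node": "^20.19.0"` here. The overall review also describes `@types/node` going from `^16` to `^25`, which this hunk does not show; after the force-pushes, the PR description and the diff should agree on which major is intended.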

@types/node is still ^16.18.119. The project targets Node 20+ and the @loopback/* packages have been bumped to v7/v8, which assume Node 20 globals. The ^16 types cause type inaccuracies and miss Node 20 additions.

"@types/node": "^20.19.0"

Low-risk change — straightforward to include with this update pass.


- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.28.0
uses: aquasecurity/trivy-action@0.35.0
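Review bot: `aquasecurity/trivy-action@0.35.0` is still a mutable tag, and this is the step that produces the repository's vulnerability findings, so a retag upstream (mistaken or malicious) changes what executes in CI with no diff visible in this repository. Pin `uses:` to the full 40-character commit SHA of the 0.35.0 release, keep the tag in a trailing comment for readability, and verify that SHA against the upstream release before committing it. The same pinning rule applies to every third-party action in the workflow, not only the scanner.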

trivy-action@0.35.0 is a mutable tag. The upstream maintainer can force-push this tag to a different commit at any time, silently changing what runs in your security scan — a known supply chain risk.

Pin to the commit SHA instead:

uses: aquasecurity/trivy-action@57a97c7e8b8c6e9c1a7a20db8c5e540c31cf79a8 # v0.35.0
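A small workflow audit, added here as an example and not part of the PR or the project, that flags every `uses:` reference in a GitHub Actions workflow not pinned to a 40-hex commit SHA, which is the check the reviewer is asking for. The sample workflow and the all-zero SHA in it are constructed placeholders.

```javascript
// Added example (not from the PR or project): flag `uses:` references in a
// GitHub Actions workflow that are not pinned to a full commit SHA. Tags
// (`@0.35.0`, `@v4`) and branches (`@master`) are mutable references that the
// action's owner can move; a 40-hex SHA is the only ref that cannot change.
const SHA_RE = /^[0-9a-f]{40}$/;

// One result per `uses:` line: pinned, unpinned (with a reason), or skipped.
// Local actions (`./path`) and `docker://` images carry no @ref to check.
function auditUses(workflowText) {
  const results = [];
  workflowText.split("\n").forEach((rawLine, idx) => {
    const m = rawLine.match(/^\s*-?\s*uses:\s*["']?([^"'\s#]+)/);
    if (!m) return;
    const ref = m[1];
    const line = idx + 1;
    if (ref.startsWith("./") || ref.startsWith("docker://")) {
      results.push({ line, ref, status: "skipped" });
      return;
    }
    const at = ref.lastIndexOf("@");
    if (at === -1) {
      results.push({ line, ref, status: "unpinned", reason: "no @ref" });
      return;
    }
    const version = ref.slice(at + 1);
    if (SHA_RE.test(version)) {
      results.push({ line, ref, status: "pinned" });
    } else {
      results.push({ line, ref, status: "unpinned", reason: `mutable ref "${version}"` });
    }
  });
  return results;
}

// Constructed sample mirroring the Trivy step in this PR; the all-zero SHA
// is a placeholder, not a real trivy-action commit.
const SAMPLE_WORKFLOW = `
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000 # v0.35.0
      - uses: ./.github/actions/local-step
`;

// Returns only the findings a CI gate would fail on.
const unpinnedRefs = (text) => auditUses(text).filter((r) => r.status === "unpinned");
unpinnedRefs(SAMPLE_WORKFLOW).forEach((r) => console.log(`line ${r.line}: ${r.ref} -> ${r.reason}`));
```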

rohit-sourcefuse left a comment

Summary

Good dependency hygiene pass overall — the @loopback/* bumps, TypeScript ~5.7.3 pin, and lodash/node-forge overrides are all correct. Two issues need to be resolved before this can merge, as they will break the release pipeline on the current Node 20 CI baseline.

Must fix before merge:

  • @semantic-release/github@12.0.6 requires Node ^22.14.0 || >= 24.10.0 — CI runs Node 20 and will fail. Downgrade to ^11.0.0.
  • undici override ^6.24.0 conflicts with @semantic-release/github@12.0.6 which requires undici ^7.0.0. This will silently break semantic-release at runtime. Update the override to ^7.0.0 (or pair with the downgrade above).

Nice to have:

  • Bump @types/node from ^16.18.119 to ^20.19.0 to match the actual Node 20 runtime.
  • Pin trivy-action to a commit SHA rather than the mutable @0.35.0 tag to eliminate supply chain risk.

@rohit-sourcefuse

Thanks for the updates — resolved the threads that are addressed. Two blocking issues still need to be fixed before this can merge:

1. @semantic-release/github@12.0.6 — Node engine incompatibility

This version requires node: "^22.14.0 || >= 24.10.0". The project's engines field is >=20 and CI runs Node 20, so semantic-release will fail on the next release run. Downgrade to ^11.0.0 which supports Node ^18.17.0 || >= 20.6.5:

"@semantic-release/github": "^11.0.0"

2. undici override ^6.24.0 conflicts with @semantic-release/github@12.0.6

@semantic-release/github@12.0.6 declares a peer requirement on undici ^7.0.0. The ^6.24.0 override will force the wrong major version onto it, breaking the release pipeline silently at runtime. Fix by updating the override — or pair with the downgrade above (in which case undici 6.x is fine):

"undici": "^7.0.0"

These two issues are linked — the simplest fix is downgrading @semantic-release/github to ^11.0.0 and dropping the undici override entirely (since v11 doesn't require it).
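Added example, not from the PR or the project: a minimal semver-range checker that reproduces both blocking findings in this thread, an `engines.node` range that excludes the CI Node version and an override whose floor cannot satisfy a consumer's peer range. It supports only the `^`, `>=`, exact and `||` syntax that appears in these fields, and it assumes the Node 20 CI runtime is represented as `20.19.0`.

```javascript
// Added example (not from the PR or project): a minimal semver-range checker
// for the two failure modes in this review: an `engines.node` range that
// excludes the CI Node version, and an `overrides` entry that can never land
// inside a consumer's peer range. Only the syntax used in those fields here
// (`^x.y.z`, `>=x.y.z`, exact versions, `||`) is supported; `~`, `x` ranges
// and the special `^0.y.z` rules are deliberately out of scope.
const parse = (v) => v.trim().replace(/^v/, "").split(".").map(Number);

// Compare two parsed versions: negative, zero or positive like a comparator.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// One comparator: `^1.2.3` (same major, not older), `>=1.2.3`, or exact.
function matchesComparator(version, comp) {
  const v = parse(version);
  if (comp.startsWith("^")) {
    const base = parse(comp.slice(1));
    return v[0] === base[0] && cmp(v, base) >= 0;
  }
  if (comp.startsWith(">=")) return cmp(v, parse(comp.slice(2))) >= 0;
  return cmp(v, parse(comp)) === 0;
}

// `||` joins alternatives; the version needs to match any one of them.
const satisfies = (version, range) =>
  range.split("||").some((c) => matchesComparator(version, c.trim()));

// The lowest version a comparator admits (its base), used as the override's floor.
const minVersion = (comp) => comp.trim().replace(/^(\^|>=)/, "").trim();

// engines check: will this package install and run on the CI runner's Node?
const engineOk = (enginesNode, ciNodeVersion) => satisfies(ciNodeVersion, enginesNode);

// override check: does the override's floor fall inside the peer range?
// Heuristic only: `>=6.0.0` vs peer `^7.0.0` is flagged although npm could
// still choose a 7.x, because the floor is what an `overrides` entry guarantees.
const overrideCompatible = (overrideRange, peerRange) => satisfies(minVersion(overrideRange), peerRange);

// Values quoted in the review thread; 20.19.0 stands in for the Node 20 CI runtime.
console.log(engineOk("^22.14.0 || >= 24.10.0", "20.19.0")); // false: github@12 on Node 20 CI
console.log(engineOk("^18.17.0 || >= 20.6.5", "20.19.0"));  // true: github@11 is fine
console.log(overrideCompatible("^6.24.0", "^7.0.0"));        // false: undici override vs peer
console.log(overrideCompatible("^7.0.0", "^7.0.0"));         // true
```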
