
fix: resolve dependabot alerts #29

Merged
lscheffel-tbx merged 1 commit into main from SEC-75
Dec 9, 2025

Conversation

@lscheffel-tbx
Contributor

@lscheffel-tbx lscheffel-tbx commented Dec 9, 2025

What did I change:

  • Fixed dependabot alerts.

QA Notes:

https://linear.app/testbox/issue/SEC-75/browsersdk-resolve-browsersdk-dependabot-vulnerabilities

Related Tickets:

https://linear.app/testbox/issue/SEC-75/browsersdk-resolve-browsersdk-dependabot-vulnerabilities

Did you...

  • test the code locally?
  • run unit tests and update them to account for the changes?
  • lint the code?
  • format the code?
  • test the code on staging?

Summary by CodeRabbit

Chores

  • Updated semantic-release dependency from ^19.0.5 to ^24.2.9
  • Reorganized development dependencies including html-webpack-plugin and typescript
  • Internal build configuration and development environment adjustments
  • No changes to public APIs, exported entities, or user-facing functionality


@coderabbitai

coderabbitai bot commented Dec 9, 2025

Walkthrough

The package.json file was updated with semantic-release version bumped from ^19.0.5 to ^24.2.9. Minor reordering of devDependencies entries occurred. No exported signatures or public entity changes were introduced.

Changes

Cohort / File(s) | Summary
Dependency Version Updates: package.json | semantic-release upgraded to ^24.2.9; devDependencies entries (html-webpack-plugin, typescript) reordered

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Verify semantic-release ^24.2.9 addresses all intended security/functional goals per SEC-75 linked issue
  • Confirm whether additional transitive dependency updates (ip, ws, braces, body-parser, glob, node-forge) are reflected in package-lock.json but not visible in the summary
  • Check that dependency reordering does not affect resolution order or conflict resolution

Suggested reviewers

  • LeonardoL3
  • augustolgunsch
  • kalel-testbox
  • deyton

Poem

🐰 A hop, a skip, a version bump high,
semantic-release soars toward the sky!
Dependencies shuffled, reordered with care,
vulnerabilities vanquished, no more midnight scare! 🔐

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name | Status | Explanation | Resolution
Linked Issues check | ⚠️ Warning | The PR appears incomplete: semantic-release was upgraded but no evidence of ws, braces, body-parser, glob, or node-forge upgrades in the package.json summary provided. | Verify that all required dependency upgrades (ws 8.17.1+, braces 3.0.3+, body-parser 1.20.3+, glob 10.5.0+, node-forge 1.3.2+) are included in the package.json changes.
Out of Scope Changes check | ⚠️ Warning | The semantic-release upgrade and html-webpack-plugin/typescript repositioning appear unrelated to the six specific vulnerabilities listed in SEC-75. | Focus changes solely on addressing the six identified Dependabot vulnerabilities; explain any additional upgrades in the PR description.

✅ Passed checks (3 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title accurately describes the main change: resolving dependabot alerts through dependency updates.
Description check | ✅ Passed | The description covers the main change and includes QA notes and related tickets, though technical details about specific upgrades are minimal.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between 564052f and df01581.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json (1 hunks)
🔇 Additional comments (2)
package.json (2)

38-38: Verify semantic-release major version upgrade is compatible.

The upgrade from semantic-release ^19.0.5 to ^24.2.9 is a significant major-version bump (5 major versions). While this may have been necessary to resolve transitive dependency vulnerabilities, verify that:

  1. The upgrade was intentional and required for the security fixes
  2. No breaking changes in v24.2.9 impact the release automation workflow
  3. Your release configuration (if any) is compatible with v24

34-43: The review comment references non-existent PR objectives and SEC-75.

This is the initial project commit ("fix: resolve dependabot alerts" from Dec 9, 2025), not a security vulnerability response PR. The six packages referenced (ws, braces, body-parser, glob, node-forge, ip) are present in package-lock.json as transitive dependencies from dev tools (webpack, npm, commitlint, etc.) with appropriate versions—they don't appear in package.json because they're not direct dependencies. The assertion that none of the vulnerable packages appear is technically correct but irrelevant; transitive resolution through package-lock.json is the expected behavior.


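The review comments above ask whether the flagged transitive packages actually resolve to fixed versions in package-lock.json. The following is an added example, not code from the PR or the project: a small Node script that walks a lockfileVersion 2/3 lockfile and reports every copy of a listed package (nested copies included) that sits below the floors quoted in the Linked Issues check. The sample lockfile is constructed; the package floors are the ones stated in the review.

```javascript
// Added example (not from the PR): flag copies of a package in a lockfileVersion 2/3
// package-lock.json that sit below a required floor (floors from the CodeRabbit check).
const MIN_VERSIONS = {
  ws: '8.17.1',
  braces: '3.0.3',
  'body-parser': '1.20.3',
  glob: '10.5.0',
  'node-forge': '1.3.2',
};

// "major.minor.patch" -> [major, minor, patch]; prerelease/build tags ignored.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}
// Comparator: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map. Keys look like "node_modules/webpack/node_modules/glob"; the
// name is everything after the last "node_modules/", so nested copies are checked too.
function findOutdated(lock, minimums = MIN_VERSIONS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0) continue; // "" is the root project entry
    const name = path.slice(idx + 'node_modules/'.length);
    const floor = minimums[name];
    if (floor && meta.version && compareVersions(meta.version, floor) < 0) {
      findings.push({ path, version: meta.version, required: floor });
    }
  }
  return findings;
}
// Constructed sample lockfile: the top-level glob is fine, but webpack still pulls in
// its own nested glob 7.x, which bumping only the direct dependency would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'browsersdk' },
    'node_modules/ws': { version: '8.18.0' },
    'node_modules/glob': { version: '10.5.0' },
    'node_modules/webpack/node_modules/glob': { version: '7.2.3' },
  },
};
```

Against a real lockfile, call `findOutdated(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; a non-empty result means the alert is still live through a nested copy even if the top-level entry was bumped.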

@lscheffel-tbx lscheffel-tbx merged commit 3bb07fe into main Dec 9, 2025
6 checks passed
@lscheffel-tbx lscheffel-tbx deleted the SEC-75 branch December 9, 2025 17:34