
[Snyk] Fix for 1 vulnerabilities#93

Open
rubybrowncoat wants to merge 1 commit into master from snyk-fix-bdbc929b7c86713ae0f225c0193fe8ea

Conversation

@rubybrowncoat (Owner)


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                        Severity   Score
Directory Traversal (SNYK-JS-TAR-15032660)   medium     693

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15032660
Copilot AI review requested due to automatic review settings, January 28, 2026 13:56

Copilot AI left a comment


Pull request overview

This PR attempts to fix a directory traversal vulnerability (SNYK-JS-TAR-15032660) in the tar package by upgrading npm from 6.14.18 to 7.21.0 and Nuxt from 2.18.1 to 3.0.0.

Changes:

  • Upgrade npm from ^6.11.3 to ^7.21.0
  • Upgrade nuxt from ^2.9.2 to ^3.0.0
Comment suppressed due to low confidence (1), on package.json:58:

  • Several dependencies in package.json are likely incompatible with Nuxt 3. Specifically:
      • nuxt-clipboard2 and nuxt-fontawesome are Nuxt 2 modules that have different equivalents for Nuxt 3
      • vue-router ^3.1.3 and vuex ^3.1.1 are for Vue 2, while Nuxt 3 uses Vue 3, which requires vue-router 4+ and vuex 4+ (or Pinia)
      • @nuxtjs/axios, @nuxtjs/dotenv, and other @nuxtjs/* modules need to be checked for Nuxt 3 compatibility

These incompatibilities will cause the application to fail at runtime or build time.

    "nuxt-clipboard2": "^0.2.1",
    "nuxt-fontawesome": "^0.4.0",
    "snyk": "^1.103.1",
    "vue-router": "^3.1.3",
    "vuex": "^3.1.1",
    "vuex-persist": "^2.1.0"


"npm": "^6.11.3",
"nuxt": "^2.9.2",
"npm": "^7.21.0",
"nuxt": "^3.0.0",
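Review bot: replacing `"nuxt": "^2.9.2"` with `"nuxt": "^3.0.0"` in this hunk is a major-version jump taken to fix a transitive tar dependency, and nothing in the hunk pins which tar version will actually be installed; both new entries are caret ranges and the lock file is not part of the change (Snyk lists package.json as the only file touched). Regenerate yarn.lock, then confirm with `yarn why tar` which dependency paths still pull in a tar below the fixed version. If tar only reaches the project through the `"npm": "^7.21.0"` entry, the nuxt bump is unnecessary for this fix; if it comes through nuxt 2.x, look for a 2.x release that already resolves to a fixed tar before taking 3.0.0.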

Copilot AI Jan 28, 2026


Upgrading from Nuxt 2 to Nuxt 3 is a major breaking change that requires extensive code refactoring. The existing nuxt.config.js uses Nuxt 2 syntax (e.g., "mode: 'spa'", modules configuration), which is incompatible with Nuxt 3. Nuxt 3 uses a completely different configuration system (nuxt.config.ts), different directory structures, Composition API by default, and different module loading patterns. This upgrade would require:

  1. Rewriting nuxt.config.js to use Nuxt 3's configuration format
  2. Migrating all Vue components to use Composition API or compatible Options API patterns
  3. Updating all Nuxt module imports and usage
  4. Potentially updating or replacing incompatible modules like nuxt-fontawesome and nuxt-clipboard2

Consider finding an alternative fix for the tar vulnerability that doesn't require a major framework upgrade, such as using npm audit fix or upgrading only the tar dependency indirectly through a minor version bump of nuxt 2.x.

Suggested change
"nuxt": "^3.0.0",
"nuxt": "^2.17.0",

"lodash-es": "^4.17.15",
"npm": "^6.11.3",
"nuxt": "^2.9.2",
"npm": "^7.21.0",

Copilot AI Jan 28, 2026


The npm package should not be listed as a runtime dependency in package.json. npm is a package manager that should be installed globally on the system, not as a project dependency. Including it here can cause conflicts with the system's npm installation and creates unnecessary bloat in node_modules. If the tar vulnerability is the concern, it should be resolved by upgrading packages that transitively depend on tar, not by adding npm as a dependency.

Suggested change
"npm": "^7.21.0",

"npm": "^6.11.3",
"nuxt": "^2.9.2",
"npm": "^7.21.0",
"nuxt": "^3.0.0",

Copilot AI Jan 28, 2026


The yarn.lock file is out of sync with these package.json changes. The lock file still references nuxt@^2.9.2, but package.json now specifies nuxt ^3.0.0. This mismatch will cause inconsistent dependency resolution. After updating package.json, yarn.lock must be regenerated by running yarn install to ensure all dependencies and their transitive dependencies are correctly resolved for the new versions.

Suggested change
"nuxt": "^3.0.0",
"nuxt": "^2.9.2",
