[Snyk] Fix for 1 vulnerabilities

[rubybrowncoat]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Directory Traversal SNYK-JS-TAR-15127355	596

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal

[Copilot]

Pull request overview

This PR addresses a directory traversal vulnerability (SNYK-JS-TAR-15127355) in the tar package by upgrading npm and Nuxt dependencies. However, the proposed changes include major version upgrades that introduce significant breaking changes incompatible with the current codebase.

Changes:

• Upgrades npm from ^6.11.3 to ^7.21.0 (major version change)
• Upgrades nuxt from ^2.9.2 to ^3.0.0 (major version change with extensive breaking changes)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The upgrade from Nuxt 2.9.2 to Nuxt 3.0.0 is a major version change with extensive breaking changes that will break the application. The codebase uses Nuxt 2-specific features that are incompatible with Nuxt 3:

1. The nuxt.config.js uses mode: 'spa' (line 13), which has been removed in Nuxt 3 and replaced with ssr: false
2. Pages use the asyncData method (pages/artefact/_magic.vue:77, pages/commune/_url.vue:173), which has a different API in Nuxt 3
3. Lifecycle hooks beforeDestroy are used, which have been renamed to beforeUnmount in Nuxt 3
4. The transition property syntax has changed in Nuxt 3
5. Dependencies like nuxt-clipboard2, nuxt-fontawesome, and @nuxtjs/dotenv may not be compatible with Nuxt 3

This upgrade requires a complete migration of the application code, not just a dependency version bump. Consider upgrading to a Nuxt 2.x version that addresses the tar vulnerability instead, such as Nuxt 2.18.1 (the latest 2.x version), which should include updated dependencies without requiring code changes.

Suggested change

	"nuxt": "^3.0.0",
	"nuxt": "^2.18.1",

[Copilot]

The upgrade from npm 6.11.3 to 7.21.0 is unnecessary and problematic. Having npm as a production dependency is unusual - npm is typically a tool used to install dependencies, not a dependency itself.

Additionally, npm 7.x introduced breaking changes including:

• Different handling of peer dependencies (automatically installed)
• Changes to package-lock.json format
• Different behavior for npm install

If npm is truly needed as a dependency for this project, consider whether the tar vulnerability can be addressed through updating transitive dependencies without requiring a major version upgrade of npm itself. If npm is not actually used in the application code, it should be removed from dependencies entirely.

Suggested change

"npm": "^7.21.0",