
WEBUI-2038: Fix remaining Dependabot vulnerabilities (round 2) [LTS-2023]#3167

Merged: madhurkulshrestha-hyland merged 1 commit into maintenance-3.1.x from task-webui-2038-fix-dependabot-vulns-round2-lts2023 on May 21, 2026

Conversation

madhurkulshrestha-hyland (Contributor) commented May 20, 2026

WEBUI-2038: Fix remaining Dependabot vulnerabilities (round 2)

JIRA: https://hyland.atlassian.net/browse/WEBUI-2038

Changes

Addresses remaining Dependabot alerts after the initial round of fixes (PRs #3162/#3163). Reduces total vulnerabilities from 59 → 9 (0 critical).

Dependency Removals (unused)

  • karma-sauce-launcher — Sauce Labs is disabled in CI (commented out in test.yaml); removes got, http-cache-semantics, semver-regex transitive vulns
  • webpack-log — replaced with inline console.warn wrapper (only 2 log calls); removes nanoid v2 transitive vuln
  • babel-preset-env (ftest) — unused; project uses @babel/preset-env
  • babel-register (ftest) — unused; project uses @babel/register
  • cucumber-junit (ftest) — no reporter configured; legacy leftover
  • fs-finder (ftest) — no imports found; project uses glob

Dependency Upgrades

  • workbox-cli 7.3.0 → 7.4.1 (removes got vuln via update-notifier)
  • http-server ^0.11.1 → ^14.1.1 (removes ecstatic vuln)

Overrides Added/Updated

  • ws 8.17.1 → 8.20.1 (uninitialized memory disclosure)
  • form-data ^2.5.4 (SSRF via crafted filename)
  • qs ^6.14.1 (arrayLimit bypass DoS)
  • cross-spawn ^7.0.6 (command injection)
  • minimatch ^3.1.4 (ReDoS)
  • tmp ^0.2.4 (insecure temp files)

Karma Config Cleanup

  • Removed dead Sauce Labs conditional code and config

Lockfiles

  • Regenerated package-lock.json and packages/nuxeo-web-ui-ftest/package-lock.json

Remaining 9 vulnerabilities (unfixable without major refactoring)

All from @open-wc/karma-esm — the unit test ESM framework. Its transitive es-dev-server → request chain pulls deprecated/vulnerable packages (@koa/cors, tough-cookie, useragent, request itself). No upgrade path exists without replacing the entire Karma ESM approach.

Testing

  • npm run lint passes
  • npm test (1882 unit tests) passes
  • npm start (webpack dev server) works
  • ✅ ftest package: 0 vulnerabilities
  • No production code changes — dev/test tooling only

madhurkulshrestha-hyland requested a review from a team as a code owner May 20, 2026 07:42
madhurkulshrestha-hyland requested review from Copilot, swarnadipa-dev and vaibhavagarwal4-lab and removed request for a team May 20, 2026 07:42
madhurkulshrestha-hyland changed the title from "WEBUI-2038: Fix remaining Dependabot vulnerabilities (round 2)" to "WEBUI-2038: Fix remaining Dependabot vulnerabilities (round 2) [LTS-2023]" May 20, 2026

Copilot AI left a comment

Contributor

Pull request overview

This PR continues the WEBUI-2038 effort by updating dependency overrides and dev tooling dependencies to address remaining Dependabot-reported vulnerabilities, with corresponding lockfile regeneration.

Changes:

  • Upgraded ws override to 8.20.1 in both root and ftest packages.
  • Added several root-level security overrides (tmp, cross-spawn, nanoid, minimatch) and upgraded http-server to ^14.1.1.
  • Regenerated package-lock.json and packages/nuxeo-web-ui-ftest/package-lock.json to reflect updated resolutions.

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

File / Description

  • package.json — Updates security overrides and bumps http-server to a non-vulnerable major line.
  • package-lock.json — Regenerated lockfile reflecting updated resolutions (but still contains an outdated tmp in the ftest subtree).
  • packages/nuxeo-web-ui-ftest/package.json — Bumps ws override for the functional test package.
  • packages/nuxeo-web-ui-ftest/package-lock.json — Regenerated ftest lockfile to pick up updated ws (and other dependency shifts).

Files not reviewed (1)
  • packages/nuxeo-web-ui-ftest/package-lock.json: Language not supported
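An added check, not code from this PR or from the Nuxeo Web UI project, that makes the review's "still contains an outdated tmp in the ftest subtree" observation mechanically verifiable: npm `overrides` only rewrite the install tree when the lockfile is regenerated, and a nested copy (a workspace's own node_modules) can stay on an old version while the root copy looks fixed. The script walks a lockfile-v2/v3 `packages` map, extracts the package name from each install path (including scoped packages), and flags every copy of an overridden package whose resolved version falls outside the override range. The lockfile object, the `packages/ftest` path and the stale `0.0.33` tmp entry are constructed sample data; the override ranges mirror the ones listed in this PR. Only the two range forms the PR uses (exact `X.Y.Z` and caret `^X.Y.Z`) are implemented, so a full semver library is not required.

```javascript
// Added example (not from the PR): flag copies of overridden packages in a
// package-lock.json whose resolved version does not satisfy the override range.

// Constructed sample lockfile fragment (lockfileVersion 2/3 "packages" map).
// The ftest tmp entry is deliberately stale to show what the check reports.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/ws': { version: '8.20.1' },
    'node_modules/tmp': { version: '0.2.4' },
    'node_modules/cross-spawn': { version: '7.0.6' },
    'node_modules/minimatch': { version: '3.1.4' },
    'node_modules/@koa/cors': { version: '3.4.3' }, // not overridden, ignored
    'packages/ftest/node_modules/tmp': { version: '0.0.33' }, // stale nested copy
  },
};

// Override ranges as declared in package.json "overrides" (values from the PR).
const sampleOverrides = {
  ws: '8.20.1',
  tmp: '^0.2.4',
  'cross-spawn': '^7.0.6',
  minimatch: '^3.1.4',
  nanoid: '^3.3.8',
};

// "1.2.3-beta" -> [1, 2, 3]; prerelease tags are ignored for this check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exact range: versions must match. Caret range: >= min and below the next
// increment of the left-most non-zero component (npm's caret rule, so
// ^0.2.4 allows 0.2.x only, while ^7.0.6 allows anything below 8.0.0).
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!range.startsWith('^')) return cmp(v, parseVersion(range)) === 0;
  const min = parseVersion(range.slice(1));
  if (cmp(v, min) < 0) return false;
  let upper;
  if (min[0] !== 0) upper = [min[0] + 1, 0, 0];
  else if (min[1] !== 0) upper = [0, min[1] + 1, 0];
  else upper = [0, 0, min[2] + 1];
  return cmp(v, upper) < 0;
}

// The package name is everything after the last "node_modules/" segment, which
// also handles scoped names ("node_modules/@koa/cors" -> "@koa/cors") and
// nested installs ("node_modules/a/node_modules/b" -> "b").
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one record per lockfile entry that violates its override.
function findStaleOverrides(lock, overrides) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || !(name in overrides) || !entry.version) continue;
    if (!satisfies(entry.version, overrides[name])) {
      stale.push({ path, name, version: entry.version, expected: overrides[name] });
    }
  }
  return stale;
}

// CLI: `node check-overrides.js package-lock.json package.json`; with no
// arguments it reports on the constructed sample (one stale entry).
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const [lockFile, pkgFile] = process.argv.slice(2);
  const usingFiles = Boolean(lockFile && pkgFile);
  const lock = usingFiles ? JSON.parse(fs.readFileSync(lockFile, 'utf8')) : sampleLock;
  const overrides = usingFiles
    ? JSON.parse(fs.readFileSync(pkgFile, 'utf8')).overrides || {}
    : sampleOverrides;
  const stale = findStaleOverrides(lock, overrides);
  for (const s of stale) {
    console.log(`${s.path}: ${s.name}@${s.version} does not satisfy override ${s.expected}`);
  }
  if (stale.length === 0) console.log('all overridden packages satisfy their ranges');
  if (usingFiles && stale.length > 0) process.exitCode = 1; // fail CI on real lockfiles
}
```

Run it against both lockfiles named in the PR (root and packages/nuxeo-web-ui-ftest) with the root package.json, since the ftest subtree is where a stale copy is most likely to survive a root-only `npm install`; a non-zero exit makes it usable as a CI gate alongside `npm audit`.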

madhurkulshrestha-hyland force-pushed the task-webui-2038-fix-dependabot-vulns-round2-lts2023 branch from 1a2d7b0 to 12aae9b May 20, 2026 07:51
- Upgrade ws override from 8.17.1 to 8.20.1 (fixes uninitialized memory disclosure)
- Add overrides: tmp (^0.2.4), cross-spawn (^7.0.6), nanoid (^3.3.8), minimatch (^3.1.4)
- Upgrade http-server from ^0.11.1 to ^14.1.1 (removes ecstatic vulnerability)
- Update ftest ws override to 8.20.1
- Regenerate lockfiles
madhurkulshrestha-hyland force-pushed the task-webui-2038-fix-dependabot-vulns-round2-lts2023 branch from 12aae9b to 784f639 May 20, 2026 08:54

@sonarqubecloud

madhurkulshrestha-hyland merged commit f8f2d64 into maintenance-3.1.x May 21, 2026
14 of 16 checks passed
madhurkulshrestha-hyland deleted the task-webui-2038-fix-dependabot-vulns-round2-lts2023 branch May 21, 2026 17:36