[Snyk] Fix for 3 vulnerabilities

[snyk-io]

Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Infinite loop SNYK-JS-BRACEEXPANSION-15789759	99
	Prototype Pollution SNYK-JS-HANDLEBARS-15789775	99
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-15789761	50

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)

[snyk-io]

This upgrade includes a major version update for the tap testing framework which introduces significant breaking changes. The other two packages, express and express-fileupload, have low-risk updates.

Top Impactful Changes

• tap (11.1.5 → 18.0.0) - High Risk

  This is a very large version jump across 7 major versions, including a complete rewrite of the library in v18. Expect significant effort to migrate.

  Key Breaking Changes:

  • Node.js Support: Support for Node.js versions below 10 was dropped in tap v15. [2]
  • Coverage Enforcement: Test coverage is now enabled by default, uses c8 instead of nyc, and enforces a 100% threshold. Missing coverage will cause tests to fail. [1, 18] The --cov, --check-coverage, and other nyc-related flags have been removed or replaced. [2]
  • Configuration: Test file matching via test-regex is removed in favor of include and exclude glob patterns in your .taprc file. [1]
  • API and Tooling: Many assertion aliases were removed in v18 (e.g., t.not()). [1] The t.beforeEach and t.afterEach methods no longer accept a callback and must return a promise for async operations. [7] The entire library was rewritten in TypeScript for v18. [11, 12]

  Recommendation: This upgrade will require significant changes to your testing configuration, CI scripts, and potentially test code. It is highly recommended to handle this migration in a separate, dedicated effort.
  Source: Upgrading to tap v18, Changelog

• express-fileupload (0.0.5 → 1.1.10) - Low Risk

  This upgrade crosses a major version, but the primary breaking change was reverted within the upgrade range. In version 1.0.0, the md5 property on the uploaded file object was changed from a checksum string to a function. However, this was reverted in version 1.1.1, and the property is once again a string value. [5] As the upgrade is to v1.1.10, there is no net breaking change.
  Source: Package documentation

• express (4.12.4 → 4.22.0) - Low Risk

  This is a minor version upgrade within the stable Express 4.x line. It contains bug fixes, security patches, and performance improvements without any documented breaking API changes. [3, 4]
  Source: Express Release History

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[snyk-io]

⛔ Snyk checks have failed. 4 issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (4)
⛔	Open Source Security	0	4	0	0	4 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.