[Snyk] Fix for 2 vulnerabilities #484

Open

Robthreefold wants to merge 1 commit into snyk-fix-dp3pp4 from snyk-fix-730221b55eb31e0bcf5aae5a81068724

Conversation

@Robthreefold (Owner)

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json

Vulnerabilities that will be fixed with an upgrade:

Severity         Issue                                          Snyk ID                          Score
high             Infinite loop                                  SNYK-JS-BRACEEXPANSION-15789759  555
medium           Regular Expression Denial of Service (ReDoS)   SNYK-JS-PATHTOREGEXP-15789761    545

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@Robthreefold (Owner, Author)

Merge Risk: High

This release includes several major version upgrades with significant breaking changes. The upgrades for tap and express-fileupload are high-risk and require immediate developer attention and code modifications.

Top 3 Most Impactful Upgrades

  • tap (11.1.5 → 18.0.0): HIGH RISK
    This is a massive upgrade spanning seven major versions, including a complete rewrite of the library in TypeScript for v18. Numerous breaking changes will require significant migration effort.

    Key Breaking Changes:

    • Coverage Enforcement (v18): Test coverage is now enabled by default and enforced at 100%. Missing or incomplete coverage is treated as a test failure. This is a major change from previous versions where coverage was opt-in. Builds will likely fail until coverage is addressed or explicitly disabled.
    • API and CLI Changes (v18): The library was rewritten in TypeScript. The nyc coverage tool was replaced with c8. Many CLI options were removed or changed, such as --check-coverage and --no-cov.
    • Configuration (v18): test-regex for file matching has been replaced with include and exclude glob patterns.
    • Node.js Support: Support for Node.js versions below 12 has been dropped in tap v16 and older.
    • Assertion Synonyms (v18): Deprecated assertion aliases (e.g., t.notOk) have been removed and are now available only through the optional @tapjs/synonyms plugin.

    Recommendation: This upgrade will require a thorough review of your test suite, configuration files, and CI/CD pipeline. Allocate time for refactoring tests, updating configuration to the new glob-based format, and addressing the new default 100% coverage requirement.
    Source: Changelog, Upgrading Guide

  • express-fileupload (0.0.5 → 1.1.10): HIGH RISK
    This major version upgrade introduces a critical breaking change in how MD5 checksums are handled.

    Key Breaking Changes:

    • MD5 Property Change: In versions prior to 1.0.0, the req.files.foo.md5 property contained the MD5 checksum string of the uploaded file. In v1.0.0 and later, this property is now a function that must be called to compute the hash. Any code that directly accesses req.files.foo.md5 as a string will break.
    • Temporary Files: The useTempFiles option was introduced, which alters the default behavior of storing uploaded files in memory (req.files.foo.data buffer) to using temporary files on disk (req.files.foo.tempFilePath).

    Recommendation: Audit all usage of express-fileupload and update any code that uses the .md5 property to call it as a function (e.g., req.files.foo.md5()). Verify that your file handling logic is compatible with the useTempFiles option if you enable it.
    Source: NPM Page

  • express (4.16.0 → 4.22.0): LOW RISK
    This is a minor version upgrade within the same major series (v4). It contains bug fixes, performance improvements, and security patches without introducing any documented breaking API changes.

    Source: Package documentation

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@Robthreefold (Owner, Author)

Robthreefold commented Mar 28, 2026

Snyk checks have failed. 7 issues have been found so far.

Status   Scan Engine            Critical  High  Medium  Low  Total (7)
         Open Source Security   0         4     3       0    7 issues
         Licenses               0         0     0       0    0 issues
         Code Security          0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
