fix(cli): Bump @xhmikosr/bin-wrapper to v14 to resolve CVE-2026-31808 #124

Merged
kdy1 merged 3 commits into swc-project:main from charpeni:bump-bin-wrapper
Mar 18, 2026

Conversation

@charpeni charpeni (Contributor) commented Mar 16, 2026

Summary

Resolves #123

Bumps @xhmikosr/bin-wrapper from ^13.0.5 to ^14.0.0, which pulls in @xhmikosr/downloader@16 → file-type@21.3.3, fixing CVE-2026-31808 (GHSA-5v7r-6r5c-r473) — an infinite loop DoS in file-type's ASF parser.

Before:

@swc/cli → @xhmikosr/bin-wrapper@13 → @xhmikosr/downloader@15 → file-type@19.6.0 (vulnerable)

After:

@swc/cli → @xhmikosr/bin-wrapper@14 → @xhmikosr/downloader@16 → file-type@21.3.3 (patched)

Changes

  • packages/cli/package.json — Bump @xhmikosr/bin-wrapper from ^13.0.5 to ^14.0.0
  • packages/cli/src/swcx/index.ts — Adapt to two breaking changes in v14:
    • export default class BinWrapper instead of a named export, so the require changes from { BinWrapper } to { default: BinWrapper } (works via require(esm), supported unflagged since Node 20.19.0 — our minimum engine version)
    • .path() is now a method instead of a property
  • packages/cli/src/swcx/bin-wrapper.d.ts — Add local type declarations since v14 doesn't ship TypeScript types (follows existing pattern used for chokidar)

changeset-bot bot commented Mar 16, 2026

🦋 Changeset detected

Latest commit: b29f873

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name      Type
@swc/cli  Patch

socket-security bot commented Mar 16, 2026

Review the following changes in direct dependencies.

Diff   Package                       Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  @xhmikosr/bin-wrapper@14.2.2  100                    100            100      93           100

@charpeni charpeni marked this pull request as ready for review March 16, 2026 20:02
@kdy1 kdy1 enabled auto-merge (squash) March 18, 2026 12:34
@kdy1 kdy1 merged commit 10cb286 into swc-project:main Mar 18, 2026
14 checks passed
Development

Successfully merging this pull request may close these issues:

@swc/cli ships vulnerable file-type via pinned @xhmikosr/bin-wrapper@^13

2 participants