[Snyk] Fix for 11 vulnerabilities

[saurabharch]

Snyk has created this PR to fix 11 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• scripts/bench/package.json
• scripts/bench/yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Denial of Service (DoS) SNYK-JS-JPEGJS-2859218	696
	Prototype Poisoning SNYK-JS-QS-3153490	696
	Denial of Service (DoS) SNYK-JS-WS-7266574	696
	Arbitrary File Write SNYK-JS-TAR-1579147	639
	Arbitrary File Write SNYK-JS-TAR-1579152	639
	Arbitrary File Write SNYK-JS-TAR-1579155	639
	Arbitrary File Overwrite SNYK-JS-TAR-1536528	624
	Arbitrary File Overwrite SNYK-JS-TAR-1536531	624
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	586
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	436
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	410

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Poisoning
🦉 Arbitrary File Overwrite

[gemini-code-assist]

Summary of Changes

Hello @saurabharch, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically created by Snyk, focuses on enhancing the project's security by upgrading outdated yarn dependencies within the scripts/bench directory. The changes aim to resolve 11 identified vulnerabilities, thereby improving the overall security posture of the project's development environment.

Highlights

• Security Vulnerability Remediation: This pull request addresses and fixes 11 identified security vulnerabilities within the yarn dependencies of the scripts/bench module. These vulnerabilities range in severity from high to low and include issues such as Denial of Service (DoS), Prototype Poisoning, Arbitrary File Write/Overwrite, and Regular Expression Denial of Service (ReDoS).
• Dependency Upgrades: To mitigate the reported vulnerabilities, several key development dependencies in scripts/bench/package.json have been upgraded to their latest stable and patched versions. Specifically, http-server, lighthouse, nodegit, and rimraf have received significant version bumps.
• Automated Pull Request: This pull request was automatically generated by Snyk, indicating an automated security scanning and remediation process in place for the repository's dependencies.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request, automatically generated by Snyk, upgrades several development dependencies to fix security vulnerabilities. While these security updates are important, I've identified two major version bumps that introduce critical breaking changes:

1. The lighthouse upgrade from v3 to v8 will break the benchmark scripts due to significant API changes and removed metrics.
2. The rimraf upgrade from v2 to v4 will break the build script because the new version is an ESM-only module, which is incompatible with the project's CommonJS setup.

These issues will prevent the benchmark and build scripts from running correctly and must be addressed before this pull request can be merged.

[gemini-code-assist]

This major version upgrade of lighthouse from ^3.2.1 to ^8.1.0 introduces significant breaking changes that will cause the benchmark scripts to fail.

Here are some of the issues I've identified by looking at the usage in scripts/bench/benchmark.js:

• API changes: The programmatic API has changed. For example, require('lighthouse') now returns a function lighthouse instead of a class Lighthouse.
• Removed metrics: The first-meaningful-paint metric, which is used in scripts/bench/benchmark.js, has been removed in newer versions of Lighthouse. This will cause a runtime error.
• Configuration path: The path to the performance config, lighthouse/lighthouse-core/config/perf-config, has likely changed.

To resolve this, the benchmark scripts (e.g., scripts/bench/benchmark.js) need to be updated to be compatible with the Lighthouse v8 API. Without these changes, the benchmarks will be broken.

[gemini-code-assist]

This major version upgrade of rimraf from ^2.6.1 to ^4.3.1 introduces breaking changes.

1. ESM Module: rimraf v4 and later are ESM-only packages. The benchmark scripts use CommonJS (require), which cannot import ESM modules directly. This will cause the script scripts/bench/build.js to fail with an ERR_REQUIRE_ESM error.
2. API Change: rimraf v3 changed its API to be promise-based, removing support for callbacks. The cleanDir function in scripts/build.js uses the old callback-style API, which will not work with rimraf v3+.

I suggest downgrading to rimraf@^3.0.2. This version is still CommonJS compatible, which resolves the first issue. The code in scripts/build.js will still need to be updated to use promises (async/await) instead of callbacks to fix the second issue.

    "rimraf": "^3.0.2",