
Fix npm security vulnerabilities: lodash, minimatch overrides + sass update#5205

Open
stweil wants to merge 1 commit into
vufind-org:devfrom
stweil:security_fixes

Conversation

@stweil
Contributor

@stweil stweil commented Apr 11, 2026

No description provided.

…update

Signed-off-by: Stefan Weil <sw@weilnetz.de>
@stweil
Contributor Author

stweil commented Apr 11, 2026

This fix was created by Claude Sonnet 4.6. Here is its summary:

Summary of Changes

Files Modified

  1. package.json - Two changes:

  2. package-lock.json - Regenerated to reflect updated dependency versions

Vulnerabilities Fixed

| Package | Old Version | New Version | CVEs Fixed |
|---|---|---|---|
| lodash | 4.17.23 | 4.18.1 | GHSA-r5fr-rjxr-66jc (HIGH), GHSA-f23m-r3pf-42rh (MEDIUM) |
| minimatch | 3.0.8 (nested) | 3.1.5 | GHSA-3ppc-4f35-3m26 (HIGH), GHSA-7r86-cg39-jmmj (HIGH), GHSA-23c5-xmqv-rm74 (HIGH) |
| sass | 1.72.0 | 1.99.0 | General security maintenance update |

Status

  • npm audit: 0 vulnerabilities (down from 10 HIGH severity)
  • composer audit --locked: No security vulnerabilities (all PHP packages confirmed safe)
  • themes/bootstrap5 npm: 0 vulnerabilities (already clean)

Notes

  • The npm overrides mechanism forces all transitive uses of lodash and minimatch to use the patched versions, even when the declaring packages use ~4.17.x or ~3.0.x constraints
  • All PHP composer packages (mpdf/mpdf, guzzlehttp/guzzle, stripe/stripe-php, symfony/*, etc.) were verified to have no known security vulnerabilities in their current versions
  • The themes/bootstrap5/package.json and its lock file were already clean and didn't need changes
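As an added example (not code from this PR or from VuFind), a check that the `overrides` described above actually took effect: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and flags any copy of lodash or minimatch, including nested `node_modules` copies, that is still below the patched versions from the table above. The sample lock is constructed.

```javascript
// Floors taken from the PR's "Vulnerabilities Fixed" table.
const MIN_VERSIONS = { lodash: '4.18.1', minimatch: '3.1.5' };

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Assumes plain X.Y.Z releases; pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return { path, name, version, min } for every installed copy below its floor.
// An entry in the result means the override did not reach that dependency tree.
function findUnpatched(lock, minVersions = MIN_VERSIONS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    // Package name is whatever follows the last "node_modules/" (scoped names included).
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const min = minVersions[name];
    if (min && entry.version && compareVersions(entry.version, min) < 0) {
      findings.push({ path, name, version: entry.version, min });
    }
  }
  return findings;
}

// Constructed sample lock: top-level copies are patched, but a nested minimatch
// under a hypothetical tooling dependency is still the vulnerable 3.0.8.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-project' },
    'node_modules/lodash': { version: '4.18.1' },
    'node_modules/minimatch': { version: '3.1.5' },
    'node_modules/some-tool': { version: '1.0.0' },
    'node_modules/some-tool/node_modules/minimatch': { version: '3.0.8' },
  },
};

console.log(JSON.stringify(findUnpatched(SAMPLE_LOCK), null, 2));
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means every copy meets the floor.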

@stweil
Contributor Author

stweil commented Apr 11, 2026

It looks like the newer sass release adds several hundred deprecation warnings for npm run build:scss. These warnings should be addressed separately. They are caused by a small number of issues:

DEPRECATION WARNING [color-functions]: adjust-hue() is deprecated. Suggestion:
DEPRECATION WARNING [color-functions]: darken() is deprecated. Suggestions:
DEPRECATION WARNING [color-functions]: lighten() is deprecated. Suggestions:
DEPRECATION WARNING [global-builtin]: Global built-in functions are deprecated and will be removed in Dart Sass 3.0.0.
DEPRECATION WARNING [if-function]: The Sass if() syntax is deprecated in favor of the modern CSS syntax.
DEPRECATION WARNING [import]: Sass @import rules are deprecated and will be removed in Dart Sass 3.0.0.
DEPRECATION WARNING [legacy-js-api]: The legacy JS API is deprecated and will be removed in Dart Sass 2.0.0.

@demiankatz
Member

@stweil, I believe that some of the SASS deprecations may be related to the third-party cookie consent implementation; if I'm remembering correctly, #5163 may fix that part by entirely reimplementing cookie consent. This one should be merged soon -- I just need to find time for a final review, though that may take another couple of weeks due to the size of my backlog. I believe the remaining issues are related to Grunt, which will be removed when #4591 is finished. There hasn't been progress on #4591 in some time, but now that @crhallberg is back from leave, I expect we'll see activity there again soon. I would prefer to complete these two efforts rather than force non-standard dependencies, since I think that will result in a cleaner solution.

Since the impacted libraries are only used for command line tooling and not for anything web accessible, I do not believe these security issues are of real concern, so I think it is safe to wait. I'll leave this open in case it still proves to be necessary, but I don't want to merge it right away, since I'd rather finish those other two PRs first and see what challenges remain.

@EreMaijala
Contributor

Depending on the case we also have the option to suppress specific deprecation warnings. That's of course not a long-term solution, but would suffice for the time being.

@stweil
Contributor Author

stweil commented Apr 19, 2026

Some of the warnings are fixed in pull request #5220, and some more can be fixed by upgrading font-awesome (a pull request will follow once #5219 has been merged). The current bootstrap release also produces deprecation warnings, but this is already known, so we have to wait for a newer release which fixes them. Replacing @import with @use in VuFind's scss files is another task, but it needs more than a simple search+replace.
