Conversation

@axi92 commented Jul 18, 2025

Fixes: CVE-2025-25288, CVE-2025-25290, CVE-2025-25289

NPM Audit

Before:

7 vulnerabilities (1 low, 6 moderate)

After:

found 0 vulnerabilities

Trivy Audit

Before:

Report Summary

┌───────────────────┬──────┬─────────────────┬─────────┐
│      Target       │ Type │ Vulnerabilities │ Secrets │
├───────────────────┼──────┼─────────────────┼─────────┤
│ package-lock.json │ npm  │        3        │    -    │
└───────────────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
package-lock.json (npm)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/plugin-paginate-rest │ CVE-2025-25288 │ MEDIUM   │ fixed  │ 2.21.3            │ 11.4.1, 9.2.2 │ octokit/plugin-paginate-rest: @octokit/plugin-paginate-rest  │
│                               │                │          │        │                   │               │ has a Regular Expression in iterator that Leads to ReDoS...  │
│                               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-25288                   │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/request              │ CVE-2025-25290 │          │        │ 5.6.3             │ 9.2.1, 8.4.1  │ octokit/request: @octokit/request has a Regular Expression   │
│                               │                │          │        │                   │               │ in fetchWrapper that Leads to ReDoS...                       │
│                               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-25290                   │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/request-error        │ CVE-2025-25289 │          │        │ 2.1.0             │ 5.1.1, 6.1.7  │ @octokit/request-error: @octokit/request-error has a Regular │
│                               │                │          │        │                   │               │ Expression in index that Leads to ReDoS...                   │
│                               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-25289                   │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

After:

Report Summary

┌───────────────────┬──────┬─────────────────┬─────────┐
│      Target       │ Type │ Vulnerabilities │ Secrets │
├───────────────────┼──────┼─────────────────┼─────────┤
│ package-lock.json │ npm  │        0        │    -    │
└───────────────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Test Output

> step-security-harden-runner@2.7.0 test
> jest

 PASS  src/arc-runner.test.ts
 PASS  src/common.test.ts
 PASS  src/policy-utils.test.ts
  ● Console

    console.log
      Attempt: 1

      at src/policy-utils.ts:28:15

    console.log
      {
        owner: 'h0x0er',
        policyName: 'policy1',
        allowed_endpoints: [ 'github.com:443' ],
        egress_policy: 'audit',
        disable_telemetry: false,
        disable_sudo: false,
        disable_file_monitoring: false
      }

      at src/policy-utils.test.ts:24:11

 PASS  src/tls-inspect.test.ts
[!] Checking TLS_STATUS: h0x0er
[!] TLS_ENABLED: h0x0er
[!] Checking TLS_STATUS: step-security
[!] TLS_NOT_ENABLED: step-security

Test Suites: 4 passed, 4 total
Tests:       6 passed, 6 total
Snapshots:   0 total
Time:        3.184 s
Ran all test suites.
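The before/after numbers above are the PR author's scanner output. As an added example, not code from this PR or from the step-security/harden-runner project, the Python script below shows how those same two reports can be consumed as a CI gate: it parses the JSON that `npm audit --json` (npm 7+ report format) and `trivy --format json` emit, reproduces the one-line npm summary, and fails when any finding reaches a chosen severity. The embedded reports are constructed to mirror the counts and CVE identifiers shown in the PR description, not captured from a real run, and the function names are my own.

```python
"""CI gate over dependency-scanner output (added example, not project code).

Parses `npm audit --json` (npm 7+ report format) and Trivy JSON output,
summarises findings the way the PR description does, and fails when any
finding is at or above a chosen severity.
"""
import json

NPM_ORDER = ["info", "low", "moderate", "high", "critical"]
TRIVY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample: the `metadata.vulnerabilities` block of an npm audit
# report, with counts matching the PR's "before" (1 low, 6 moderate).
NPM_AUDIT_BEFORE = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {},
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 6,
                                     "high": 0, "critical": 0, "total": 7}},
})
NPM_AUDIT_AFTER = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {},
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0,
                                     "high": 0, "critical": 0, "total": 0}},
})

# Constructed sample: a trimmed Trivy JSON result listing the three CVEs
# from the PR's "before" table (titles omitted).
TRIVY_BEFORE = json.dumps({
    "Results": [{
        "Target": "package-lock.json",
        "Type": "npm",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2025-25288", "PkgName": "@octokit/plugin-paginate-rest",
             "InstalledVersion": "2.21.3", "FixedVersion": "11.4.1, 9.2.2", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2025-25290", "PkgName": "@octokit/request",
             "InstalledVersion": "5.6.3", "FixedVersion": "9.2.1, 8.4.1", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2025-25289", "PkgName": "@octokit/request-error",
             "InstalledVersion": "2.1.0", "FixedVersion": "5.1.1, 6.1.7", "Severity": "MEDIUM"},
        ],
    }]
})
TRIVY_AFTER = json.dumps({"Results": [{"Target": "package-lock.json", "Type": "npm",
                                       "Vulnerabilities": []}]})


def npm_counts(report_json):
    """Return {severity: count} from an npm audit report (npm 7+ format)."""
    meta = json.loads(report_json)["metadata"]["vulnerabilities"]
    return {sev: int(meta.get(sev, 0)) for sev in NPM_ORDER}


def npm_summary(report_json):
    """Render npm's one-line summary, e.g. '7 vulnerabilities (1 low, 6 moderate)'."""
    counts = npm_counts(report_json)
    total = sum(counts.values())
    if total == 0:
        return "found 0 vulnerabilities"
    parts = ", ".join(f"{n} {sev}" for sev, n in counts.items() if n)
    noun = "vulnerability" if total == 1 else "vulnerabilities"
    return f"{total} {noun} ({parts})"


def trivy_findings(report_json):
    """Flatten a Trivy JSON report into (target, cve, package, installed, fixed, severity)."""
    out = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null instead of [] for a clean target, hence the `or []`.
        for v in result.get("Vulnerabilities") or []:
            out.append((result["Target"], v["VulnerabilityID"], v["PkgName"],
                        v.get("InstalledVersion"), v.get("FixedVersion"), v["Severity"]))
    return out


def gate(npm_json, trivy_json, npm_fail_at="moderate", trivy_fail_at="MEDIUM"):
    """Return (ok, reasons); ok is False if any finding is at or above its threshold."""
    reasons = []
    npm_min = NPM_ORDER.index(npm_fail_at)
    for sev, n in npm_counts(npm_json).items():
        if n and NPM_ORDER.index(sev) >= npm_min:
            reasons.append(f"npm: {n} {sev}")
    trivy_min = TRIVY_ORDER.index(trivy_fail_at)
    for target, cve, pkg, installed, fixed, sev in trivy_findings(trivy_json):
        if TRIVY_ORDER.index(sev) >= trivy_min:
            reasons.append(f"trivy: {cve} {pkg} {installed} -> {fixed} ({sev}, {target})")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, npm_j, trivy_j in (("before", NPM_AUDIT_BEFORE, TRIVY_BEFORE),
                                  ("after", NPM_AUDIT_AFTER, TRIVY_AFTER)):
        ok, reasons = gate(npm_j, trivy_j)
        print(f"[{label}] npm: {npm_summary(npm_j)}; gate {'PASS' if ok else 'FAIL'}")
        for r in reasons:
            print("   ", r)
```

In a pipeline the two JSON strings would come from `npm audit --json > npm.json` and `trivy fs --format json -o trivy.json .`; the thresholds are separate because npm and Trivy use different severity vocabularies, and the "before" data trips the gate on the six moderate npm findings plus the three MEDIUM Trivy CVEs while the "after" data passes cleanly.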

@varunsh-coder (Member)

Thanks @axi92 for the PR. We will review soon.

@axi92 (Author) commented Jul 22, 2025

I have updated the branch, and it now includes changes for this as well: #568

@varunsh-coder (Member)

Hi @axi92, thanks a lot for contributing this! 🙏 I wanted to let you know that I’ve addressed the npm vulnerabilities in another PR, which also included some additional changes and an update to the dist folder. Because of that, we won’t be merging this one.

I really appreciate you taking the time to spot and fix these issues — contributions like this are super helpful for the project. Please do keep an eye out for other improvements you’d like to make.

In case some npm vulnerabilities were missed and are not in main, do let me know.
