fix: resolve SOC2 security vulnerabilities in dependencies

[JungMinu]

Summary

Resolves all npm audit vulnerabilities (26 on default branch → 0) to satisfy SOC2 compliance requirements.

Production Vulnerabilities Fixed

Package	From	To	Severity	Advisory
semver	^5.5.1	^5.7.2	High	CVE-2022-25883 ReDoS
graphql-request	^1.8.2	^3.7.0	High	GHSA-r683-j2x4-v87g node-fetch forwards secure headers to untrusted sites
node-fetch (transitive)	≤2.6.6	fixed via above	High	GHSA-w7rc-rwvf-8q5r size option ignored after redirect
minimatch (transitive)	≤3.1.3	fixed via above	High	GHSA-f8q6-p94x-37v3 ReDoS
hosted-git-info (transitive)	<2.8.9	fixed via above	Moderate	GHSA-43f8-2h32-f4cj ReDoS
brace-expansion (transitive)	≤1.1.12	fixed via above	Moderate	GHSA-v6h2-p8h4-qcjw ReDoS

npm audit --omit=dev → 0 vulnerabilities ✅

Dev Dependency Updates

• standard: ^11.0.1 → ^17.1.2 — fixes transitive vulns in ajv, acorn, braces, ansi-regex
• dependency-check: ^3.2.1 → ^4.1.0 — fixes transitive vulns in braces/micromatch/globby

npm audit (all deps) → 0 vulnerabilities ✅

Code Changes

Minor fixes required by standard v17's stricter rules (auto-fixed via standard --fix):

• index.js: remove unnecessary destructuring renames (no-useless-rename)
• index.js: let data → const data (prefer-const)
• package.json: update test:deps script — dependency-check v4 removed --quiet, requires explicit --missing flag

Backwards Compatibility

graphql-request v3 maintains the same GraphQLClient constructor and client.request() API as v1 — no changes to lib/graphql.js required.

Summary by CodeRabbit

• Chores
  • Updated development and runtime dependencies for improved stability and compatibility.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0f7bd523-d6fe-4673-a325-21cfdb58e9aa

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The analyze function's parameters now use property shorthand with default values instead of redundant syntax. The internal data variable is changed from reassignable to const. Package dependencies are updated: dependency-check, standard, graphql-request, and semver versions are bumped, with the test:deps script flag modified.

Changes

Cohort / File(s)	Summary
Code Syntax Optimization index.js	Updated analyze function's destructured parameters to use property shorthand with default values; changed internal data variable from let to const.
Dependency Updates package.json	Bumped dependency-check (^3.2.1 → ^4.1.0), standard (^11.0.1 → ^17.1.2), graphql-request (^1.8.2 → ^3.7.0), and semver (^5.5.1 → ^5.7.2); updated test:deps script to use --missing flag.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 With cleaner syntax, our code now shines,
Dependencies refreshed, all in their lines,
From shorthand to const, we hop along,
Each version bump keeps our project strong! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main objective of the PR: resolving SOC2 security vulnerabilities in dependencies through version upgrades and code fixes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/soc2-dependency-vulnerabilities

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

package.json (1)

12-17: Declare engines.node with a minimum Node version floor.

The package.json has no engines field despite upgrading dependencies with Node requirements. The upgraded standard@17.1.2 requires node ^12.22.0 || ^14.17.0 || >=16.0.0, which will cause install/runtime failures on older Node versions. Add an engines field (e.g., "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" }) to declare the minimum supported runtime.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 12 - 17, Add an "engines" field to package.json to
declare the minimum supported Node version so installs won't fail with newer
dependencies (e.g., add "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
}); update the package.json JSON object (next to "dependencies" /
"devDependencies") to include this "engines" key and ensure the version string
matches the requirements of standard@17.1.2.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@index.js`:
- Around line 11-14: Validate and clamp/guard the caller-provided pageSize and
concurrency before they’re used for batching: ensure pageSize is a positive
integer within a safe upper bound (e.g., 1..1000) and concurrency is a positive
integer within a safe upper bound (e.g., 1..50); if values are invalid, fallback
to the default constants (pageSize = 50, concurrency = 5) or throw a clear
error. Apply this validation in the same scope where pageSize and concurrency
are read (before any batching/looping or calls to fetchData or spawn workers),
so downstream code like the batching logic and fetchData calls never receive
non-positive or excessively large values. Use Number.isInteger checks and clamp
or replace values rather than trusting raw inputs.

---

Nitpick comments:
In `@package.json`:
- Around line 12-17: Add an "engines" field to package.json to declare the
minimum supported Node version so installs won't fail with newer dependencies
(e.g., add "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" }); update
the package.json JSON object (next to "dependencies" / "devDependencies") to
include this "engines" key and ensure the version string matches the
requirements of standard@17.1.2.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 442931fc-17fc-47c5-ad2e-8af3c6627013

📥 Commits

Reviewing files that changed from the base of the PR and between 1f10036 and e573273.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• index.js
• package.json

[jdaison]

LGTM

[jdaison]

LGTM but
I checked this branch against master, and there are two separate issues in npm test.

master already fails later because example.js points to https://api.nodesource.com/ncm2/api/v2/graphql, which currently returns 404. That looks like an existing issue, not something introduced here.

This PR does introduce a new earlier failure, though: the updated package-lock.json uses lockfile v3, and universal-module-tree@2.2.0 still expects the older lockfile structure. As a result, npm run test:deps now fails with:

TypeError: Cannot read properties of undefined (reading 'graphql-request')

So I think the dependency update needs one more adjustment before this can be considered safe to merge.

[JungMinu]

Fixed in d530580. I regenerated package-lock.json as npm lockfile v2 so universal-module-tree@2.2.0 can read it again. Verified that npm run test:deps now passes. I also re-checked the separate example.js failure and it remains an existing endpoint/network issue, not part of this change.

[jdaison]

LGTM