fix(deps): Address npm security advisories (#327)

diff (GHSA-73rr-hh4g-fpgx) - Fixed via overrides:
- Override diff to 5.2.2 under mocha and sinon (patch bump, ^5.x range)
- Override diff to 4.0.4 under tslint (patch bump, ^4.x range)
- Removes the .nsprc exception since the vulnerability is now resolved

eslint RuleTester (GHSA-p5wg-g6qr-c7cg) - Removed:
- Advisory was withdrawn in Feb 2026, exception no longer needed

tar (GHSA-83g3-92jg-28cx) - Fixed via override bump:
- Bump tar override from 7.5.7 to 7.5.8 (patch fix)

elliptic (GHSA-848j-6mx2-7j84) - Exception retained:
- No fix available, dev-only transitive dep, not used for signing
- Extended expiry to 2026-08-15

undici (GHSA-g9mf-h72j-4rw9) - Exception retained:
- Fix requires major version jump (5.x -> 7.x) breaking @actions/http-client
- Extended expiry to 2026-08-15

ajv (GHSA-2g4f-4pwh-qvx6) - New exception:
- Fix requires ajv@8.x but consumers (@jupyterlab/settingregistry, table) are on 6.x
- Dev-only, not bundled in extension

minimatch (GHSA-3ppc-4f35-3m26) - New exception:
- Fix requires minimatch@10.x but consumers (mocha, glob) are on 3.x-5.x
- Dev-only, not bundled in extension

Author: Artmann

.github/workflows/ci.yml

@@ -213,7 +213,8 @@ jobs:
         run: npm ci --prefer-offline --no-audit
 
       - name: Run audit for production dependencies
-        run: npm audit --production
+        # Uses better-npm-audit with .nsprc exceptions file
+        run: npx better-npm-audit audit --production
 
   audit-all:
     name: Audit - All

.nsprc

@@ -1,18 +1,18 @@
 {
-    "GHSA-73rr-hh4g-fpgx": {
-        "notes": "diff DoS via infinite loop when parsing patches with special line break characters. Accepted risk: dev-only dependency (mocha, sinon, tslint), only affects development/CI, not bundled in extension.",
-        "expiry": "2026-04-15"
+    "GHSA-2g4f-4pwh-qvx6": {
+        "notes": "ajv ReDoS when using $data option. Accepted risk: dev-only transitive dependency (@jupyterlab/settingregistry, table), fix requires ajv@8.18.0 but consumers are on 6.x, not bundled in extension.",
+        "expiry": "2026-08-15"
+    },
+    "GHSA-3ppc-4f35-3m26": {
+        "notes": "minimatch ReDoS via repeated wildcards. Accepted risk: dev-only transitive dependency (mocha, glob, @vscode/test-cli), fix requires minimatch@10.2.1 but consumers are on 3.x-5.x, not bundled in extension.",
+        "expiry": "2026-08-15"
     },
     "GHSA-848j-6mx2-7j84": {
         "notes": "CVE-2025-14505: elliptic ECDSA signature corruption can lead to private key recovery if attacker obtains both faulty and correct signatures for identical inputs. Accepted risk: dev-only transitive dependency (node-stdlib-browser -> crypto-browserify -> browserify-sign), not used for signing in this project, no fix available.",
-        "expiry": "2026-04-08"
+        "expiry": "2026-08-15"
     },
     "GHSA-g9mf-h72j-4rw9": {
-        "notes": "undici DoS via unbounded decompression chain. Accepted risk: dev-only transitive dependency (@actions/core, @actions/github), only affects CI/CD workflows, not bundled in extension.",
-        "expiry": "2026-04-15"
-    },
-    "GHSA-p5wg-g6qr-c7cg": {
-        "notes": "CVE-2025-50537: eslint Stack Overflow in RuleTester.run() when serializing objects with circular references. Accepted risk: dev-only dependency, requires local access and user interaction, only affects test authoring, not bundled in extension.",
-        "expiry": "2026-04-15"
+        "notes": "undici DoS via unbounded decompression chain. Accepted risk: dev-only transitive dependency (@actions/core, @actions/github), only affects CI/CD workflows, not bundled in extension. Fix requires major version jump (5.x -> 6.x/7.x) breaking @actions/http-client constraint.",
+        "expiry": "2026-08-15"
     }
 }

package-lock.json

@@ -2933,7 +2933,16 @@
         "d3-color": "3.1.0",
         "vega-embed": "^7.1.0",
         "@mermaid-js/layout-elk": "npm:empty-pkg@1.0.0",
-        "tar": "7.5.7",
+        "tar": "7.5.8",
+        "mocha": {
+            "diff": "5.2.2"
+        },
+        "sinon": {
+            "diff": "5.2.2"
+        },
+        "tslint": {
+            "diff": "4.0.4"
+        },
         "lodash-es": "^4.17.23"
     }
 }