[Snyk] Fix for 3 vulnerabilities

[q1blue]

Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• www/build_common/package.json
• www/build_common/yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Improper Handling of Unicode Encoding SNYK-JS-TAR-15038581	210
	Use of a Cryptographic Primitive with a Risky Implementation SNYK-JS-ELLIPTIC-14908844	146
	Prototype Pollution SNYK-JS-LODASH-15053838	88

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

---

Important

Update html-webpack-plugin, webpack, and webpack-dev-server in package.json to fix vulnerabilities and note for zero-installs users.

• Dependencies Updated:
  • Upgrade html-webpack-plugin from ^3.2.0 to ^4.0.0 in package.json.
  • Upgrade webpack from ^4.30.0 to ^5.0.0 in package.json.
  • Upgrade webpack-dev-server from ^3.3.1 to ^4.0.0 in package.json.
• Vulnerabilities Fixed:
  • Fixes vulnerabilities: SNYK-JS-TAR-15038581, SNYK-JS-ELLIPTIC-14908844, SNYK-JS-LODASH-15053838.
• Zero-Installs Note:
  • Users of Yarn's zero-installs need to run yarn to update the cache directory.

^{This description was created by for eb6ca05. You can customize this summary. It will automatically update as commits are pushed.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
buildbot	Error		Jan 23, 2026 2:38am
csb-b6x6kw	Ready	Preview, Comment	Jan 23, 2026 2:38am

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[changeset-bot]

⚠️ No Changeset found

Latest commit: eb6ca05

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to eb6ca05 in 40 seconds. Click for details.

• Reviewed 25 lines of code in 1 files
• Skipped 1 files when reviewing.
• Skipped posting 3 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. www/build_common/package.json:15

• Draft comment:
  html-webpack-plugin upgraded to ^4.0.0. This major version bump may require changes in your webpack config.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is about a dependency change, specifically a major version upgrade of a plugin. It suggests that the upgrade may require changes in the webpack configuration, but it doesn't provide a specific suggestion or ask for confirmation of an intentional change. According to the rules, comments on dependency changes should be ignored unless they provide specific actionable feedback.

2. www/build_common/package.json:35

• Draft comment:
  Webpack upgraded to ^5.0.0. Ensure all webpack configs and related plugins/loaders are compatible with webpack 5.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is related to a dependency change, specifically the upgrade of Webpack to version 5. The comment advises ensuring compatibility with the new version, which falls under the rule of not asking the PR author to ensure compatibility or test changes. Therefore, this comment should be removed.

3. www/build_common/package.json:37

• Draft comment:
  webpack-dev-server upgraded to ^4.0.0. Verify that your devServer configuration matches the breaking changes in v4.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is related to a dependency change, specifically the upgrade of webpack-dev-server to version 4. The comment asks the PR author to verify their configuration against breaking changes, which is not allowed according to the rules. The comment does not provide a specific suggestion or point out a specific issue with the code.

Workflow ID: wflow_3W0f1NW8XcYFoRY4

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}