[Snyk] Fix for 3 vulnerabilities

[philvarner-snyk]

Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Improper Check for Unusual or Exceptional Conditions SNYK-JS-HANDLEBARS-15807042	213
	Improper Encoding or Escaping of Output SNYK-JS-HANDLEBARS-15807040	210
	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-15810938	181

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Improper Encoding or Escaping of Output

[philvarner-snyk]

This update includes a major, high-risk upgrade for tap and a medium-risk patch upgrade for dompurify.

tap 11.1.5 → 18.0.0 (High Risk)

This is a significant upgrade across 7 major versions, including a full rewrite in v18. Expect substantial breaking changes requiring developer action.

Key Breaking Changes:

• Node.js Version: Support for Node.js versions below 14 has been dropped.
• ESM & TypeScript: The library was rewritten in TypeScript and now ships as a hybrid ESM/CJS package. Native ES Modules are now used instead of @std/esm.
• Coverage Enforcement: Test coverage is now enabled by default and fails if 100% coverage is not met. This can be configured but is a major behavioral change.
• Mocha-style Globals: The Mocha-like DSL (describe, it) has been moved to an optional plugin, @tapjs/mocha-globals. You must install and configure this plugin to continue using them.
• Assertion Synonyms: Deprecated assertion aliases have been moved to the @tapjs/synonyms plugin.
• Configuration: File matching has moved from test-regexp to include/exclude glob patterns. All temporary files are now stored in a single .tap directory.

Recommendation: This upgrade requires significant migration effort. Developers must review the official upgrade guide, update their Node.js version, install new plugins for previous functionality, and adjust test configurations.

dompurify 3.3.0 → 3.3.2 (Medium Risk)

Although a patch release with security fixes, version 3.3.2 introduced a strict requirement for Node.js >= 20. This is a breaking change for projects running on older but still common Node.js LTS versions (e.g., 16, 18) and may cause build failures.

Source: tap Changelog, tap v18 Upgrade Guide

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[philvarner-snyk]

⛔ Snyk checks have failed. 8 issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (8)
⛔	Open Source Security	0	4	4	0	8 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.