fix: [Vulns #2,6,8] upgrade tap 11.x → 18.x to resolve 3 critical transitive dependency CVEs #23

Open: devin-ai-integration[bot] wants to merge 1 commit into main from devin/1780066162-fix-tap-transitive-deps

devin-ai-integration Bot commented May 29, 2026

Summary

Upgrades tap from ^11.1.3 to ^18.0.0 to resolve 3 critical transitive dependency CVEs:

| Vuln # | CVE | Package | Severity |
|--------|-----|---------|----------|
| #2 | CVE-2025-7783 | form-data@2.3.3 | CRITICAL |
| #6 | CVE-2025-9288 | sha.js@2.4.11 | CRITICAL |
| #8 | CVE-2023-45133 | babel-traverse@6.26.0 | CRITICAL |

All three packages were transitive dependencies pulled in through tap@11.x. After upgrading to tap@18.x:

  • form-data@2.3.3 — no longer in the dependency tree
  • babel-traverse@6.26.0 — no longer in the dependency tree
  • sha.js@2.4.11 — no longer pulled through tap (remaining instances come from browserify and typeorm)

Files changed: package.json, package-lock.json

Review & Testing Checklist for Human

Notes

  • tap is listed under dependencies rather than devDependencies in this repo. The upgrade is scoped only to the tap version — no application code changes were needed.
  • sha.js@2.4.11 still appears via browserify and typeorm — those are separate dependency paths unrelated to this fix.

Link to Devin session: https://app.devin.ai/sessions/d44b2a02e84f46e7874d5ac33659836c
Requested by: @jakejluo
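
One way to check the dependency-path claims in the description above against package-lock.json, as an added example that is not part of the PR or the repository. It assumes an npm lockfile in the v2/v3 format (a `packages` map); `resolve`, `rootsReaching` and `sampleLock` are hypothetical names, and the sample lockfile is constructed.

```javascript
'use strict';
// Added example: which root dependencies still reach name@version in an npm
// lockfile (v2/v3 "packages" map)? Edges are resolved the way Node does.

// Find where `dep` resolves for the package installed at `fromPath`:
// try its own node_modules first, then each enclosing node_modules.
function resolve(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed, e.g. a skipped optional dep
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Names of root-level dependencies whose subtree contains name@version.
function rootsReaching(lock, name, version) {
  const packages = lock.packages || {};
  const depsOf = (p) => Object.keys({
    ...packages[p].dependencies, ...packages[p].optionalDependencies,
    ...(p === '' ? packages[p].devDependencies : {}),
  });
  const isTarget = (p) =>
    p.endsWith('node_modules/' + name) && packages[p].version === version;
  return depsOf('').filter((root) => {
    const stack = [resolve(packages, '', root)];
    const seen = new Set();
    while (stack.length) {
      const p = stack.pop();
      if (!p || seen.has(p)) continue; // unresolved or already visited
      seen.add(p);
      if (isTarget(p)) return true;
      for (const d of depsOf(p)) stack.push(resolve(packages, p, d));
    }
    return false;
  }).sort();
}

// Constructed, simplified lockfile (intermediate packages omitted); it mirrors
// the tree the PR describes after the upgrade, not the repository's real lockfile.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { dependencies: { tap: '^18.0.0', browserify: '*', typeorm: '*' } },
  'node_modules/tap': { version: '18.0.0' },
  'node_modules/browserify': { version: '0.0.0-constructed', dependencies: { 'sha.js': '^2.4.0' } },
  'node_modules/typeorm': { version: '0.0.0-constructed', dependencies: { 'sha.js': '^2.4.0' } },
  'node_modules/sha.js': { version: '2.4.11' },
} };

console.log(rootsReaching(sampleLock, 'sha.js', '2.4.11'));
console.log(rootsReaching(sampleLock, 'form-data', '2.3.3'));
```

Run against the real lockfile by passing `JSON.parse` of its contents; an empty result for a flagged `name@version` means no root dependency reaches it any longer.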


…nsitive dependency CVEs

Co-Authored-By: Jake Luo <jake.luo@cognition.ai>
@devin-ai-integration

Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring
