
Conversation

Contributor

Copilot AI commented Oct 17, 2025

Overview

This PR addresses all 20 dependabot security alerts in the repository by updating vulnerable dependencies to their patched versions.

Changes Made

Automatic Fixes (npm audit fix)

Updated the following vulnerable packages automatically:

  • @babel/helpers to v7.26.10 - Fixes ReDoS vulnerability (GHSA-968p-4wvh-cqc8)
  • @eslint/plugin-kit to v0.3.4 - Fixes ReDoS vulnerability (GHSA-xffm-g5w8-qvg7)
  • form-data to v4.0.4 - Fixes critical vulnerability with unsafe random function (GHSA-fjxv-7rqg-78g4)
  • lerna to v8.1.9+ - Resolves @octokit vulnerabilities
  • eslint to v9.27.0 - Addresses plugin-kit dependency issue
  • Various transitive dependencies updated automatically

Manual Updates

Updated @inquirer/prompts from v5.4.0 to v7.9.0 across all package.json files:

  • Root package.json (devDependencies)
  • packages/core/package.json (dependencies)
  • packages/cli/package.json (dependencies)

This major version update was necessary to resolve the tmp package vulnerability (GHSA-52f5-9888-hmc6) that allows arbitrary file/directory writes via symbolic links. The update is backwards compatible with our usage patterns.

Security Impact

Before: 20 vulnerabilities

  • 8 low severity
  • 9 moderate severity
  • 1 high severity
  • 2 critical severity

After: 0 vulnerabilities ✅

Testing

  • ✅ All builds pass successfully
  • ✅ Linting passes with no new warnings
  • ✅ Test suite passes (306 of 308 specs - same pre-existing failures)
  • npm audit reports 0 vulnerabilities
  • ✅ CodeQL security scan completed with no issues

Breaking Changes

None. The @inquirer/prompts update from v5 to v7 maintains API compatibility for our usage of input, select, checkbox, and Separator.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • www.google-analytics.com
    • Triggering command: Ignite UI CLI (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

chore: address dependabot alerts

Dependabot alerts for the repo are listed here: https://github.com/IgniteUI/igniteui-cli/security/dependabot

If possible to be addressed in one PR.



Copilot AI and others added 2 commits October 17, 2025 06:24
Co-authored-by: Lipata <2621802+Lipata@users.noreply.github.com>
Co-authored-by: Lipata <2621802+Lipata@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix dependabot alerts for security issues" to "chore: address dependabot security alerts" Oct 17, 2025
Copilot AI requested a review from Lipata October 17, 2025 06:30
Copilot finished work on behalf of Lipata October 17, 2025 06:30
@Lipata Lipata marked this pull request as ready for review October 17, 2025 06:30
@coveralls

coveralls commented Oct 17, 2025

Coverage Status

coverage: 70.252%, remained the same when pulling 3e2165d on copilot/fix-dependabot-alerts into fa917cd on master.

@Lipata Lipata requested a review from Copilot October 30, 2025 07:55

Copilot AI left a comment


Pull Request Overview

This PR updates the @inquirer/prompts and @inquirer/type dependencies to newer major versions across the monorepo. The upgrade affects both production dependencies and devDependencies.

  • Updated @inquirer/prompts from ~5.4.0/^5.4.0 to ^7.9.0 across all packages
  • Updated @inquirer/type from ^1.5.3 to ^3.0.0 in the core package
  • Changes maintain consistency across the workspace for the inquirer dependencies

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File                         Description
packages/core/package.json   Updated both @inquirer/prompts to 7.9.0 and @inquirer/type to 3.0.0
packages/cli/package.json    Updated @inquirer/prompts dependency to 7.9.0
package.json                 Updated @inquirer/prompts devDependency to 7.9.0 in the root workspace


@Lipata Lipata merged commit a23b067 into master Oct 30, 2025
4 checks passed
@Lipata Lipata deleted the copilot/fix-dependabot-alerts branch October 30, 2025 10:25

3 participants