chore(deps): update dependency nyc to v18#3666

Open
renovate[bot] wants to merge 1 commit into develop from renovate/nyc-18.x

renovate Bot commented Feb 25, 2026

This PR contains the following updates:

Package | Change
nyc (source) | ^17.0.0 → ^18.0.0

Release Notes

istanbuljs/nyc (nyc)

v18.0.0

⚠ BREAKING CHANGES
  • deps: transitive dependencies now require node 20 || >=22.
Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/nyc-18.x branch 2 times, most recently from 364b19a to 968149c (March 8, 2026 17:10)
renovate Bot force-pushed the renovate/nyc-18.x branch from 968149c to c847129 (March 13, 2026 13:40)
renovate Bot force-pushed the renovate/nyc-18.x branch 2 times, most recently from 4903d6e to eb4bf28 (March 24, 2026 22:17)
renovate Bot force-pushed the renovate/nyc-18.x branch from eb4bf28 to 74fb337 (April 1, 2026 17:15)
@codacy-production

Up to standards ✅

🟢 Issues: 0 issues

Results: 0 new issues

🟢 Metrics: 0 duplication

Metric | Results
Duplication | 0

TIP: This summary will be updated as you push new changes.

renovate Bot force-pushed the renovate/nyc-18.x branch 4 times, most recently from 24fd4fc to 519b3a0 (April 12, 2026 12:24)

cursor Bot left a comment

Stale comment

Security Review: No Issues Found

This PR updates the nyc dev dependency from v17.1.0 to v18.0.0. Reviewed the dependency change and transitive dependency tree:

  • nyc is a devDependency only (code coverage tool) — not shipped in production builds.
  • 4 direct/transitive packages updated (nyc, istanbul-lib-processinfo, spawn-wrap, test-exclude); 31 new nested packages added (well-known ecosystem packages: glob, rimraf, minimatch, brace-expansion, etc.).
  • All resolved packages point to the official npm registry (registry.npmjs.org) with integrity hashes present.
  • No suspicious or non-standard registry sources detected.
  • Lockfile version is unchanged (v2).

No security concerns with this update.

Sent by Cursor Automation: Find vulnerabilities

renovate Bot force-pushed the renovate/nyc-18.x branch from 519b3a0 to c88cf7c (April 12, 2026 16:43)

cursor Bot left a comment

Stale comment

Security Review: No vulnerabilities detected

This PR upgrades the nyc devDependency from ^17.0.0 to ^18.0.0. No security concerns found:

  • nyc v18.0.0 has zero known direct vulnerabilities (Snyk).
  • This upgrade actually remediates the transitive prototype pollution in js-yaml (CVE-2025-64718) that was present in nyc v17.x via @istanbuljs/load-nyc-config.
  • nyc is a devDependency only — not included in production bundles.
  • The lockfile regeneration is consistent with a standard major version bump.

Sent by Cursor Automation: Find vulnerabilities

renovate Bot force-pushed the renovate/nyc-18.x branch from c88cf7c to ce8ce0c (April 13, 2026 15:16)

cursor Bot left a comment

Stale comment

Security Review: No issues found

This PR bumps nyc (a dev-only code coverage tool) from ^17.0.0 to ^18.0.0. Checked:

  • Supply-chain: All resolved URLs point to registry.npmjs.org; all integrity hashes use sha512. No anomalous registries or missing hashes.
  • Install scripts: No new preinstall/postinstall scripts introduced by added or updated transitive dependencies.
  • Scope: nyc is listed under devDependencies — it is not bundled into production artifacts.
  • Code changes: The diff is limited to web/package.json (version bump) and web/package-lock.json (lockfile regeneration). No application code is modified.

No medium, high, or critical findings.

Sent by Cursor Automation: Find vulnerabilities

renovate Bot force-pushed the renovate/nyc-18.x branch from ce8ce0c to 5a160f4 (April 13, 2026 15:27)

cursor Bot left a comment

Stale comment

Security Review: No Issues Found

This PR updates the nyc dev dependency from ^17.0.0 to ^18.0.0 along with the corresponding package-lock.json regeneration.

Analysis performed:

  • Registry integrity: All resolved URLs in the lockfile point to registry.npmjs.org with SHA-512 integrity hashes. No suspicious or non-standard registries detected.
  • Install scripts: No nyc-related packages declare hasInstallScript, eliminating postinstall supply-chain attack vectors.
  • Lockfile version: Remains at lockfileVersion: 2 (no downgrade that could weaken resolution guarantees).
  • Transitive dependency changes: Expected major bumps (glob 7→13, rimraf 3→6, spawn-wrap 2→3, istanbul-lib-processinfo 2→3, test-exclude 6→8) consistent with the upstream release notes about modernizing old transitive dependencies.
  • Scope: nyc is a devDependency only — it is not included in any production build or runtime artifact, limiting supply-chain blast radius to dev/CI environments.

No medium, high, or critical security findings.

Sent by Cursor Automation: Find vulnerabilities

renovate Bot force-pushed the renovate/nyc-18.x branch from 5a160f4 to 5bc4ce1 (April 14, 2026 18:37)

cursor Bot left a comment

Stale comment

Security Review: No vulnerabilities detected

This PR bumps the nyc dev dependency from ^17.0.0 to ^18.0.0 (code coverage tooling) along with the regenerated lockfile. Findings from the review:

  • Scope: Only web/package.json (1 line) and web/package-lock.json are changed. nyc is a devDependency — not included in production builds.
  • Registry integrity: All resolved URLs point to registry.npmjs.org. No non-standard registries detected.
  • Install scripts: The set of packages with install scripts is unchanged from the base branch (core-js, fsevents, nodent-runtime, yorkie). No new install scripts introduced.
  • Dependency delta: 4 packages updated (nyc 17→18, test-exclude 6→8, spawn-wrap 2→3, istanbul-lib-processinfo 2→3). 31 nested sub-dependencies added (well-known packages: glob, minimatch, rimraf, minipass, etc.). 0 packages removed.
  • Lockfile version: Remains at lockfileVersion: 2 — no downgrade or unexpected format change.

No supply-chain, injection, or other security concerns identified.

Sent by Cursor Automation: Find vulnerabilities

renovate Bot force-pushed the renovate/nyc-18.x branch from 5bc4ce1 to b21d9df (April 16, 2026 12:17)

cursor Bot left a comment

Stale comment

Security Review: No Issues Found

This PR updates the nyc dev dependency from ^17.0.0 to ^18.0.0. The change is limited to web/package.json (1 line) and the regenerated web/package-lock.json.

Checklist:

  • nyc is a devDependency (code coverage tool) — not included in production builds
  • All 31 new transitive dependencies resolve to registry.npmjs.org with integrity hashes verified
  • No new packages declare install scripts
  • No packages were removed; all additions are well-known Node.js ecosystem libraries (glob, minimatch, rimraf, lru-cache, etc.)
  • No non-registry (git, tarball, or suspicious) resolved URLs detected
  • Lockfile version unchanged (v2)

No security concerns with this dependency update.

Sent by Cursor Automation: Find vulnerabilities

renovate Bot force-pushed the renovate/nyc-18.x branch from b21d9df to 3eeea3b (April 16, 2026 15:26)

cursor Bot left a comment

Stale comment

Security Review: No Issues Found

This PR bumps nyc (code coverage tool) from v17 to v18 — a dev-only dependency that does not ship to production.

Checks performed:

  • All package resolutions point to registry.npmjs.org — no suspicious or third-party registries
  • No new hasInstallScript entries introduced in the lockfile
  • New transitive dependencies (glob@13, rimraf@6, minimatch@10, minipass@7, lru-cache@11, path-scurry@2) are well-known packages from the istanbuljs / isaacs ecosystem
  • No changes to application source code, build configuration, or runtime dependencies

Sent by Cursor Automation: Find vulnerabilities

renovate Bot force-pushed the renovate/nyc-18.x branch from 3eeea3b to 72731d8 (April 16, 2026 15:48)

cursor Bot left a comment

Security Review: No issues found

This PR bumps nyc from ^17.0.0 to ^18.0.0 — a devDependency-only code coverage tool. Reviewed the following:

  • Supply chain: All resolved URLs in package-lock.json point to https://registry.npmjs.org/. Integrity hashes are present. No unexpected registries or packages introduced.
  • Dependency changes: The transitive dependency updates (glob 7→13, rimraf 3→6, spawn-wrap 2→3, test-exclude 6→8, istanbul-lib-processinfo 2→3) are all well-known packages from the Istanbul ecosystem.
  • Attack surface: nyc is listed under devDependencies and is not shipped to production. No runtime code paths are affected.
  • Lockfile integrity: lockfileVersion remains at 2; no structural changes beyond the dependency tree updates.

No security findings.

Sent by Cursor Automation: Find vulnerabilities
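
The lockfile properties the review comments above list (registry-only resolved URLs, sha512 integrity, no new install scripts, no lockfileVersion downgrade) can be checked mechanically by comparing the base and PR lockfiles. The following is an added example, not code from this PR or from any of the bots; the function name `auditLockfile`, the sample lockfiles, the non-nyc versions and the placeholder integrity strings are constructed for illustration.

```javascript
// Added example, not the reviewing bot's code. Input is a parsed
// package-lock.json with a "packages" map (lockfileVersion 2 or 3).
const REGISTRY = 'https://registry.npmjs.org/'; // trailing slash blocks look-alike hosts

function auditLockfile(base, head) {
  const findings = [];
  if (head.lockfileVersion < base.lockfileVersion) {
    findings.push(`lockfileVersion downgraded: ${base.lockfileVersion} -> ${head.lockfileVersion}`);
  }
  const basePkgs = base.packages || {};
  for (const [path, pkg] of Object.entries(head.packages || {})) {
    // The root project, workspace links and bundled deps carry no tarball URL.
    if (path === '' || pkg.link || pkg.inBundle) continue;
    if (!pkg.resolved || !pkg.resolved.startsWith(REGISTRY)) {
      findings.push(`${path}: resolved outside ${REGISTRY} (${pkg.resolved || 'missing'})`);
    }
    if (!pkg.integrity || !pkg.integrity.startsWith('sha512-')) {
      findings.push(`${path}: integrity missing or not sha512`);
    }
    // Flag a script on a new package, a newly declared one, or a version change.
    const old = basePkgs[path];
    if (pkg.hasInstallScript &&
        !(old && old.hasInstallScript && old.version === pkg.version)) {
      findings.push(`${path}: install script added or changed`);
    }
  }
  return findings;
}

// Constructed sample data: placeholder integrity values, not real hashes.
const entry = (name, version, extra = {}) => ({ version, dev: true,
  resolved: `${REGISTRY}${name}/-/${name}-${version}.tgz`,
  integrity: 'sha512-CONSTRUCTED', ...extra });
const BASE = { lockfileVersion: 2, packages: {
  '': { name: 'web' },
  'node_modules/nyc': entry('nyc', '17.1.0'),
  'node_modules/core-js': entry('core-js', '3.0.0', { hasInstallScript: true }),
} };
const HEAD = { lockfileVersion: 2, packages: {
  ...BASE.packages,
  'node_modules/nyc': entry('nyc', '18.0.0'),
  'node_modules/nyc/node_modules/glob': entry('glob', '13.0.0'),
} };
const TAMPERED = { lockfileVersion: 2, packages: {
  ...HEAD.packages,
  'node_modules/constructed-pkg': { version: '1.0.0', hasInstallScript: true,
    resolved: 'https://registry.example.invalid/constructed-pkg-1.0.0.tgz',
    integrity: 'sha1-CONSTRUCTED' } } };
console.log(auditLockfile(BASE, TAMPERED));
```

Against a real repository, pass `JSON.parse` of the base-branch and PR-branch `package-lock.json` files; this checks what the lockfile declares and does not download or re-hash any tarball.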
