
Multiple security vulnerabilities in transitive dependencies #18

@charlieforward9

Description

Summary

@vis.gl/dev-tools@1.0.1 has multiple high and critical severity vulnerabilities in its transitive dependency tree. These affect all downstream consumers (including deck.gl-community).

Vulnerabilities

| Package | Severity | Advisory | Via |
|---|---|---|---|
| form-data < 2.5.4 | critical | GHSA-fjxv-7rqg-78g4 | coveralls -> request |
| axios <= 1.13.4 | high | GHSA-43fc-jf86-j433 | lerna -> nx |
| tar <= 7.5.2 (3 CVEs) | high | GHSA-4r9x-wfcq-p4qr, GHSA-9pj4-f7r4-9m3v, GHSA-jppv-jxq6-24cw | lerna |
| qs < 6.14.1 | high | GHSA-hx3m-959f-v3r5 | coveralls -> request |
| trim < 0.0.3 | high | GHSA-w5p7-h5w8-2hfq | tap-spec -> tap-out |
| glob 10.x/11.x (2 CVEs) | high | GHSA-rsm9-g255-8vv4 | lerna -> @npmcli |
| cross-spawn < 6.0.6 | high | GHSA-3xgq-45jj-v275 | various |
| esbuild <= 0.24.2 | moderate | GHSA-67mh-4wv8-2f99 | direct dep (^0.16.7) |
| eslint 8.x | moderate | deprecated | direct dep |

Root cause dependencies in dev-tools

These are the direct dependencies that pull in the vulnerable packages:

  • coveralls: ^3.0.3 -- pulls in request which pulls in form-data, qs, etc.
  • lerna: ^8.1.0 -- pulls in nx (axios), tar, glob
  • tap-spec: ^5.0.0 -- pulls in tap-out -> trim
  • esbuild: ^0.16.7 -- outdated, current is 0.25.x
  • eslint: ^8.52.0 -- deprecated, current is 9.x
  • vite: ^4.5.0 -- outdated, current is 7.x
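To confirm "via" chains like these against an actual lockfile instead of by hand, here is an added example (not code from the issue or from the vis.gl project) that walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and lists every dependency path from the root to a flagged package. The lock fragment embedded below is constructed for illustration; to run it on a real tree, replace `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`.

```javascript
// Constructed lockfileVersion 3 fragment mirroring the chains in the issue.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { coveralls: "^3.0.3", lerna: "^8.1.0", "tap-spec": "^5.0.0" } },
    "node_modules/coveralls": { version: "3.1.1", dependencies: { request: "^2.88.2" } },
    "node_modules/request": { version: "2.88.2", dependencies: { "form-data": "~2.3.2", qs: "~6.5.2" } },
    "node_modules/form-data": { version: "2.3.3" },
    "node_modules/qs": { version: "6.5.3" },
    "node_modules/lerna": { version: "8.1.0", dependencies: { nx: ">=17.1.2", tar: "6.2.1" } },
    "node_modules/nx": { version: "17.2.0", dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/tar": { version: "6.2.1" },
    "node_modules/tap-spec": { version: "5.0.0", dependencies: { "tap-out": "^2.1.0" } },
    "node_modules/tap-out": { version: "2.1.0", dependencies: { trim: "0.0.1" } },
    "node_modules/trim": { version: "0.0.1" },
  },
};

// Node-style resolution: try <from>/node_modules/<name>, then walk up one
// node_modules level at a time until the hoisted top-level node_modules/<name>.
function resolve(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Depth-first search from the root package; returns every chain ending in `target`
// as "a -> b -> target". `seen` guards against dependency cycles.
function chainsTo(lockfile, target) {
  const packages = lockfile.packages;
  const found = [];
  const walk = (path, names, seen) => {
    const deps = packages[path]?.dependencies ?? {};
    for (const dep of Object.keys(deps)) {
      const loc = resolve(packages, path, dep);
      if (!loc || seen.has(loc)) continue;
      const chain = [...names, dep];
      if (dep === target) { found.push(chain.join(" -> ")); continue; }
      walk(loc, chain, new Set([...seen, loc]));
    }
  };
  walk("", [], new Set());
  return found;
}

for (const pkg of ["form-data", "qs", "axios", "tar", "trim"]) console.log(pkg, chainsTo(lock, pkg));
```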

Suggested fixes

  1. Drop coveralls -- it depends on the abandoned request package. Modern alternatives: codecov or GitHub Actions coverage reporting
  2. Bump lerna to latest or consider replacing with turbo/nx directly
  3. Drop tap-spec -- replace with vitest or another modern test reporter
  4. Bump esbuild to ^0.25.0
  5. Bump eslint to 9.x with flat config
  6. Bump vite to ^7.3.1

Context

Found during a security audit of visgl/deck.gl-community. The 1.0.0-alpha.21 and 1.0.1 releases have identical dependency trees, so bumping dev-tools alone does not resolve these.
