[Snyk] Security upgrade rimraf from 3.0.2 to 6.1.1

[madisonmay]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-15309438	828

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

---

Note

Medium Risk
Dependency upgrade only, but rimraf@6 changes its dependency tree and declares a much newer Node engine, which could break installs or CI on older Node versions.

Overview
Upgrades the rimraf dependency from ^3.0.2 to ^6.1.1 in package.json.

Updates package-lock.json accordingly, introducing rimraf@6's new transitive dependencies (including glob@12/minimatch@10 and related packages) and adjusting nested rimraf@3 copies used by other dev dependencies.

^{Written by Cursor Bugbot for commit bbdbed4. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

rimraf v6 API breaks promisify-based production code

High Severity

Upgrading rimraf from v3 to v6 is a major breaking change. The v3 API was callback-based (rimraf(path, callback)), but v6 returns Promises and has no default export. In src/common/utils/utils.ts, promisify(rimraf) wraps a callback-style function — but rimraf v6 is no longer callback-style, so rimrafAsync will not work correctly. This breaks production code in LokiBlobMetadataStore, FSExtentStore, and LokiExtentMetadataStore that all call await rimrafAsync(...). Similarly, tests/testutils.ts calls rimraf(path, (err) => {...}) with a callback that will never be invoked, causing the Promise to hang.

Additional Locations (1)

• package-lock.json#L8778-L8795

 

[cursor]

rimraf v6 requires Node 20+, CI tests 16/18

High Severity

rimraf v6.1.1 declares "node": "20 || >=22" in its engine requirements, but package.json declares "node": ">=10.0.0" and the CI matrix in .github/workflows/PrValidation.yml runs tests on Node 16 and 18. This means npm ci or npm install will fail (or the package won't function) on those Node versions, breaking CI and any users on Node 16 or 18.

 

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bbdbed4815

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Downgrade rimraf to a Node-18-compatible release

rimraf was bumped to 6.1.1, but this lock entry now declares "node": "20 || >=22", which conflicts with the repository’s active Node 16/18 CI matrix (for example .github/workflows/PrValidation.yml runs npm ci and tests on both 16 and 18). That means this change makes supported environments depend on an unsupported runtime package, and those jobs/users can fail once rimraf code paths execute (cleanup scripts and persistence deletion paths use rimraf).

Useful? React with 👍 / 👎.