
fix: upgrade shelljs to 0.9.0 and tmp to 0.2.3 to fix vulnerabilities #282

Open

xufulin1994 wants to merge 3 commits into master from fix-1-vulnerabilities

Conversation


@xufulin1994 xufulin1994 commented Feb 24, 2026

  • Upgrade shelljs from ^0.8.5 to ^0.9.0
  • Upgrade tmp from ^0.1.0 to ^0.2.3
  • Update Node.js requirement from >=12.1.0 to >=18.0.0
  • Update .nvmrc from v12.1.0 to v18
  • Update Dockerfile base image from mhart/alpine-node:16 to node:18-alpine

Summary by CodeRabbit

  • Chores
    • Raised minimum Node.js runtime to 18.0.0.
    • Updated container base to Node.js 18-alpine and configured the container to run as a non-root user.
    • Upgraded dependencies and related type packages (notably shelljs, tmp, and their type definitions).

@xufulin1994 xufulin1994 requested a review from a team as a code owner February 24, 2026 03:18
@xufulin1994 xufulin1994 added the change/standard Trivial / minor changes that are low-impact, low risk label Feb 24, 2026

coderabbitai bot commented Feb 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 65c3157 and 8edcfe0.

📒 Files selected for processing (1)
  • Dockerfile

Walkthrough

Updated Node runtime target to Node 18 across config and container; Dockerfile now uses node:18-alpine and runs as a non‑root user; package.json engine and several dependency versions were bumped to align with Node 18.

Changes

Cohort / File(s) | Summary

Node runtime & container
/.nvmrc, Dockerfile
.nvmrc node version changed from v12.1.0 → v18. Dockerfile base changed from mhart/alpine-node:16 → node:18-alpine; adds non‑root group/user creation, adjusts ownership (chown) and switches to USER appuser; installs deps under correct ownership.

Package manifest & deps
package.json
engines.node updated from >=12.1.0 → >=18.0.0. Bumped dependencies: shelljs ^0.8.5 → ^0.9.0, tmp ^0.1.0 → ^0.2.3; bumped dev/type packages (e.g., @types/shelljs, @types/tmp).
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main objective of the PR: fixing vulnerabilities by upgrading shelljs and tmp. However, it omits other significant changes like Node.js version bump and Dockerfile base image update.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
Dockerfile (1)

1-10: ⚠️ Potential issue | 🟠 Major

Container runs as root — add a non-root USER directive.

No USER instruction is present, so the process inside the container runs as root. This is a security risk confirmed by Trivy (DS-0002): if the container is ever compromised, the attacker has full root access to the container's filesystem.

🔒 Proposed fix
 RUN yarn install --frozen-lockfile --non-interactive
+
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+USER appuser

 ENTRYPOINT ["./reslang"]
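Review bot: the proposed hunk creates appuser after `RUN yarn install` but never changes ownership of WORKDIR /app/reslang, so the copied files and node_modules stay root-owned and anything `./reslang` writes under that directory will fail once `USER appuser` is active; the accompanying prompt already calls for a chown before the switch, so fold it into the same RUN, for example `RUN addgroup -S appgroup && adduser -S appuser -G appgroup && chown -R appuser:appgroup /app/reslang`, and keep `USER appuser` after it so only the runtime, not the install, is unprivileged.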
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 1 - 10, The container currently runs as root because
there is no USER directive; create a non-root user and group (e.g., appuser) and
set ownership of the WORKDIR and application files before switching to that
user, then add USER appuser (or the chosen name) so ENTRYPOINT ["./reslang"]
runs unprivileged; update Dockerfile around WORKDIR /app/reslang, COPY, and RUN
yarn install to chown the files and switch to the new user after installation
and file ownership are set.
package.json (1)

16-16: ⚠️ Potential issue | 🟠 Major

Update @types/tmp and @types/shelljs to match upgraded runtime packages — TypeScript compilation will fail otherwise.

  • @types/tmp at ^0.1.0 is incompatible with tmp upgraded to ^0.2.3. Version 0.2.2+ introduced API changes with incompatible type shapes. Update to ^0.2.6.
  • @types/shelljs at ^0.8.5 is incompatible with shelljs at ^0.9.0. Update to ^0.10.0.
Proposed fix
-        "@types/shelljs": "^0.8.5",
+        "@types/shelljs": "^0.10.0",
-        "@types/tmp": "^0.1.0",
+        "@types/tmp": "^0.2.6",
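Review bot: the ranges in this hunk are asserted rather than shown to be compatible: `@types/shelljs` moves to ^0.10.0 while shelljs itself lands on ^0.9.0, so this is not a simple version match; verify by running the TypeScript build against the upgraded packages, and commit the regenerated yarn.lock alongside, since it is excluded from this review by the `!**/yarn.lock` path filter and the resolved versions cannot be checked here.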
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 16, The devDependency type packages are out of sync
with upgraded runtime packages causing TypeScript compile errors; update
package.json so `@types/tmp` is bumped to ^0.2.6 (to match tmp ^0.2.3) and
`@types/shelljs` is bumped to ^0.10.0 (to match shelljs ^0.9.0), then reinstall
(npm/yarn) and commit the updated lockfile so TS compilation uses the correct
type shapes for tmp and shelljs.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1eb89a1 and 041d819.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (3)
  • .nvmrc
  • Dockerfile
  • package.json
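The root-user finding above (Trivy DS-0002) can be checked from the Dockerfile text before an image is built. The following POSIX shell script is an added example, not part of this PR or of CodeRabbit's output: it derives the effective user of a Dockerfile's final stage and runs the check against two constructed Dockerfiles modelled on the one this PR changes (the WORKDIR and ENTRYPOINT come from the review text; everything else is assumed).

```shell
#!/bin/sh
# Added example, not the project's own Dockerfile or tooling.
# Report the effective user of a Dockerfile's final stage, which is the
# condition Trivy DS-0002 flags. Dockerfile text is read from stdin.

effective_user() {
    # The last USER instruction wins; "user:group" keeps only the user part.
    # Each FROM starts a new stage and resets the effective user to root.
    awk '
        toupper($1) == "FROM" { user = "root" }
        toupper($1) == "USER" { user = $2; sub(/:.*/, "", user) }
        END { if (user == "") user = "root"; print user }
    '
}

# Returns 0 when the final stage runs unprivileged, 1 when it runs as root.
check_dockerfile() {
    user=$(effective_user)
    case "$user" in
        root|0) printf 'FAIL: final stage runs as %s (DS-0002)\n' "$user"; return 1 ;;
        *)      printf 'OK: final stage runs as %s\n' "$user"; return 0 ;;
    esac
}

# Constructed sample: the shape of the Dockerfile before the PR's fix.
BEFORE='FROM node:18-alpine
WORKDIR /app/reslang
COPY . .
RUN yarn install --frozen-lockfile --non-interactive
ENTRYPOINT ["./reslang"]'

# Constructed sample: non-root user created and ownership fixed before USER.
AFTER='FROM node:18-alpine
WORKDIR /app/reslang
COPY . .
RUN yarn install --frozen-lockfile --non-interactive \
 && addgroup -S appgroup && adduser -S appuser -G appgroup \
 && chown -R appuser:appgroup /app/reslang
USER appuser
ENTRYPOINT ["./reslang"]'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$BEFORE" | check_dockerfile
    printf '%s\n' "$AFTER" | check_dockerfile
fi
```

Run with `--demo` to see the before/after verdicts, or pipe any Dockerfile into `check_dockerfile` to use it as a pre-commit gate.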

- Add non-root user (appuser) to Dockerfile for security (DS-0002)
- Update @types/shelljs from ^0.8.5 to ^0.10.0 (match shelljs ^0.9.0)
- Update @types/tmp from ^0.1.0 to ^0.2.6 (match tmp ^0.2.3)

Combine RUN commands using && to reduce image layers per Sonar recommendation