[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1

[MHxGH-ServiceAccount]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Inefficient Algorithmic Complexity SNYK-JS-MINIMATCH-15353389	170

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

---

Note

Medium Risk
Dependency upgrade of lerna across multiple major versions may introduce breaking changes in release/publish workflows, even though the code diff is minimal.

Overview
Upgrades the lerna dependency in package.json from ^3.0.0-rc.0 to ^6.4.1 to address a reported vulnerability in the dependency tree.

No other scripts or configuration were changed; reviewers should validate lerna publish/release workflows still behave as expected under the new major version.

^{Written by Cursor Bugbot for commit a782413. This will update automatically on new commits. Configure here.}

[MHxGH-ServiceAccount]

The upgrade from Lerna v3 to v6 is a major undertaking with significant breaking changes. Lerna's stewardship was transferred to Nrwl (the creators of Nx), and its core functionality has been fundamentally re-architected.

Key Breaking Changes:

• Removal of lerna bootstrap: The iconic lerna bootstrap, lerna add, and lerna link commands have been removed in favor of using your package manager's native workspaces (npm, yarn, or pnpm). All dependency installation and linking is now expected to be handled by your package manager's install command.
• Nx Task Runner by Default: Lerna v6 uses the Nx task runner by default (useNx: true). This changes the behavior of lerna run and enables powerful caching capabilities, but it also makes several flags like --sort, --parallel, and --include-dependencies obsolete as Nx manages the task graph.
• New Configuration: A new nx.json file is required to configure task caching and pipelines. A helper command, lerna repair, is available to help migrate your lerna.json file.
• Node.js Version Support: Support for older Node.js versions has been dropped. Lerna v5 dropped support for Node 10 and 12, and subsequent versions have continued to drop end-of-life (EOL) versions.

Recommendation:

This is a high-effort migration that will require significant changes to your repository's setup and CI/CD workflows.

1. Migrate to Package Manager Workspaces: Update your root package.json to define workspaces and remove all calls to lerna bootstrap from your scripts, replacing them with npm install, yarn install, or pnpm install.
2. Configure Nx: Run npx lerna add-caching to generate a nx.json file and configure task caching.
3. Update lerna.json: Run lerna repair to update your configuration and remove obsolete properties.
4. Review lerna run commands: Check your scripts for obsolete flags that are now ignored by the Nx task runner.

Source: Lerna GitHub Releases, Lerna Documentation

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[MHxGH-ServiceAccount]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Lerna 6 upgrade breaks release-canary script CLI flags

High Severity

Upgrading lerna to ^6.4.1 breaks the release-canary script, which uses --cd-version=prerelease and --npm-tag=canary. The --cd-version flag was removed in Lerna 3 stable (replaced by a positional argument like lerna publish prerelease), and --npm-tag was renamed to --dist-tag. These flags worked with 3.0.0-rc.0 but will fail silently or error out with Lerna 6.