Build(deps): Bump commander from 14.0.2 to 14.0.3 in the npm-production group

[dependabot]

Bumps the npm-production group with 1 update: commander.

Updates commander from 14.0.2 to 14.0.3

Release notes

Sourced from commander's releases.

v14.0.3

Added

• Release Policy document (#2462)

Changes

• old major versions now supported for 12 months instead of just previous major version, to give predictable end-of-life date (#2462)
• clarify typing for deprecated callback parameter to .outputHelp() (#2427)
• simple readability improvements to README (#2465)

Changelog

Sourced from commander's changelog.

[14.0.3] (2026-01-31)

Added

• Release Policy document (#2462)

Changes

• old major versions now supported for 12 months instead of just previous major version, to give predictable end-of-life date (#2462)
• clarify typing for deprecated callback parameter to .outputHelp() (#2427)
• simple readability improvements to README (#2465)

Commits

• 8247364 14.0.3
• e281fe3 Update docs for 14.0.3 (#2474)
• 7357dda Separate out a more detailed release policy document (#2462)
• b6e2e3a Bump eslint from 9.39.1 to 9.39.2 (#2470)
• d6f63a7 Bump ts-jest from 29.4.5 to 29.4.6 (#2467)
• 2a9768a Bump prettier from 3.6.2 to 3.7.4 (#2466)
• 9211918 docs(README): Tweak formatting, punctuation for clarity (#2465)
• 4208a96 Bump typescript-eslint from 8.46.2 to 8.48.0 (#2458)
• 03308ce Bump eslint-plugin-jest from 29.0.1 to 29.2.1 (#2457)
• 4d2db1f Bump globals from 16.4.0 to 16.5.0 (#2456)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5		0	0	0.22s
✅ JAVASCRIPT	prettier	19		0	0	1.61s
✅ JSON	npm-package-json-lint	yes		no	no	1.1s
✅ JSON	prettier	29		0	0	4.34s
✅ MARKDOWN	markdownlint	10		0	0	1.07s
✅ REPOSITORY	checkov	yes		no	no	28.64s
✅ REPOSITORY	gitleaks	yes		no	no	2.2s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
❌ REPOSITORY	grype	yes		1	no	52.64s
✅ REPOSITORY	secretlint	yes		no	no	1.37s
✅ REPOSITORY	syft	yes		no	no	6.72s
❌ REPOSITORY	trivy	yes		1	no	14.62s
✅ REPOSITORY	trivy-sbom	yes		no	no	5.33s
✅ REPOSITORY	trufflehog	yes		no	no	33.22s
✅ TYPESCRIPT	prettier	109		0	0	4.59s
✅ YAML	prettier	25		0	0	0.69s
✅ YAML	yamllint	25		0	0	0.45s

Detailed Issues

❌ REPOSITORY / grype - 1 error

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME             INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
fast-xml-parser  5.3.3      5.3.4     npm   GHSA-37qj-frw5-hhjh  High      < 0.1% (22nd)  < 0.1
[0052] ERROR discovered vulnerabilities at or above the severity threshold

❌ REPOSITORY / trivy - 1 error

2026-02-01T11:46:07Z	INFO	[vulndb] Need to update DB
2026-02-01T11:46:07Z	INFO	[vulndb] Downloading vulnerability DB...
2026-02-01T11:46:07Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
30.42 MiB / 83.76 MiB [---------------------->______________________________________] 36.32% ? p/s ?61.66 MiB / 83.76 MiB [-------------------------------------------->________________] 73.61% ? p/s ?83.76 MiB / 83.76 MiB [----------------------------------------------------------->] 100.00% ? p/s ?83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 88.69 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 88.69 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 88.69 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 82.97 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 82.97 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 82.97 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 77.61 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 77.61 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 77.61 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 72.61 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 72.61 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 72.61 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 67.92 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 67.92 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 67.92 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 63.54 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 63.54 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 63.54 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 59.44 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 59.44 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 59.44 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 55.60 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 55.60 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [---------------------------------------------->] 100.00% 55.60 MiB p/s ETA 0s83.76 MiB / 83.76 MiB [-------------------------------------------------] 100.00% 16.08 MiB p/s 5.4s2026-02-01T11:46:13Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-02-01T11:46:13Z	INFO	[vuln] Vulnerability scanning is enabled
2026-02-01T11:46:13Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-02-01T11:46:13Z	INFO	[misconfig] Need to update the checks bundle
2026-02-01T11:46:13Z	INFO	[misconfig] Downloading the checks bundle...
165.46 KiB / 165.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2026-02-01T11:46:20Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-02-01T11:46:20Z	INFO	Number of language-specific files	num=1
2026-02-01T11:46:20Z	INFO	[npm] Detecting vulnerabilities...
2026-02-01T11:46:20Z	INFO	Detected config files	num=0

Report Summary

┌───────────────────┬──────┬─────────────────┬───────────────────┐
│      Target       │ Type │ Vulnerabilities │ Misconfigurations │
├───────────────────┼──────┼─────────────────┼───────────────────┤
│ package-lock.json │ npm  │        1        │         -         │
└───────────────────┴──────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.68/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├─────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ fast-xml-parser │ CVE-2026-25128 │ HIGH     │ fixed  │ 5.3.3             │ 5.3.4         │ fast-xml-parser: fast-xml-parser has RangeError DoS Numeric │
│                 │                │          │        │                   │               │ Entities Bug                                                │
│                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-25128                  │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

📣 Notices:
  - Version 0.69.0 of Trivy is now available, current version is 0.68.2

To suppress version checks, run Trivy scans with the --skip-version-check flag

See detailed reports in MegaLinter artifacts

[dependabot]

Looks like commander is updatable in another way, so this is no longer needed.