
CODEBASE: Update node-forge & js-yaml packages due to vulnerabilities #2405

Merged: d0sboots merged 1 commit into bitburner-official:dev from mctylr-gh:nodeForge on Nov 28, 2025

Conversation

@mctylr-gh (Contributor)
of the node-forge and js-yaml packages.

```
npm ci
npm warn deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm warn deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm warn deprecated @material-ui/styles@4.11.5: Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
npm warn deprecated @material-ui/core@4.12.4: Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.

> bitburner@3.0.0 preinstall
> node ./tools/engines-check/engines-check.js

added 1425 packages, and audited 1426 packages in 10s

3 vulnerabilities (2 moderate, 1 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
```

node-forge was vulnerable to

 * https://github.com/digitalbazaar/forge
 * [CVE-2025-66031](GHSA-554w-wpv2-vw27) - node-forge ASN.1 Unbounded Recursion (High severity)
 * [CVE-2025-12816](GHSA-5gfm-wpxj-wjgq) - node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization (High severity)
 * [CVE-2025-66030](GHSA-65ch-62r8-g69g) - node-forge is vulnerable to ASN.1 OID Integer Truncation (Moderate severity)

node-forge (or Forge) is "A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps" and is a dependency of `webpack-dev-server` in BitBurner.

ASN.1 is a horribly complex interface description language, and has been a rich source of cryptography related security bugs for decades.

js-yaml was vulnerable to

 * [CVE-2025-64718](GHSA-mh29-5h37-fv8m) - js-yaml has prototype pollution in merge (<<) (Moderate severity)
 * https://github.com/nodeca/js-yaml

js-yaml is used by Jest, Babel, ESLint, and api-documenter.

Ran `npm test`, `npm run build:dev`, `npm run electron`, `npm run format:report` and `npm run lint:report`.

My system has been updated to [npm 11.6.4](https://docs.npmjs.com/cli/v11/using-npm/changelog), which seems to have changed its behaviour about `peer` dependencies, so several automatically added peer dependencies have been removed from `package-lock.json`. This behaviour may not be seen if you use a different `npm` version.
@mctylr-gh changed the title from "CODEBASE: Update packages-lock.json to not use vulnerable versions" to "CODEBASE: Update node-forge & js-yaml packages due to vulnerabilities" on Nov 28, 2025
@d0sboots (Collaborator)

Note to self/future: npm/cli#8671 (the release notes for npm 11.6.3) contains the following:

> Considering v11.6.2 changes every lock file out there by shuffling around bunch of "peer": true, and this release includes npm/cli#8645, which reverts that behavior, shouldn't this be released with more haste?

This tells me that we shouldn't commit any new changes with 11.6.2, but only either earlier or (preferably) later versions.
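The `"peer": true` churn described in this comment and in the PR description makes a lock-file diff noisy to review. The following is an added example, not code from the PR or the bitburner project: it compares two `package-lock.json` documents and reports only version bumps, added or removed packages, and an integrity hash that changed for an unchanged version; the package names, versions and hashes in the sample data are constructed placeholders.

```javascript
// Added example, not code from the PR or the bitburner project. Compares two
// package-lock.json documents (lockfileVersion 2 or 3, "packages" keyed by
// install path) and reports only substantive changes: version bumps, added or
// removed packages, and an integrity hash that changed for an unchanged version.
// Flag churn such as "peer": true appearing or vanishing is ignored on purpose.

function collectPackages(lock) {
  const out = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    out.set(path, { version: entry.version, integrity: entry.integrity });
  }
  return out;
}

function diffLockfiles(oldLock, newLock) {
  const before = collectPackages(oldLock);
  const after = collectPackages(newLock);
  const changes = [];
  for (const [path, b] of before) {
    const a = after.get(path);
    if (!a) {
      changes.push({ path, kind: "removed", from: b.version });
    } else if (a.version !== b.version) {
      changes.push({ path, kind: "updated", from: b.version, to: a.version });
    } else if (a.integrity !== b.integrity) {
      // Same version, different tarball hash: worth a close look in review.
      changes.push({ path, kind: "integrity-changed", from: b.version });
    }
  }
  for (const [path, a] of after) {
    if (!before.has(path)) changes.push({ path, kind: "added", to: a.version });
  }
  return changes.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed sample lock files; versions and hashes are placeholders.
const OLD_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-app" },
  "node_modules/node-forge": { version: "1.0.0", integrity: "sha512-OLDFORGE" },
  "node_modules/js-yaml": { version: "4.0.0", integrity: "sha512-YAML", peer: true },
  "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-LEFTPAD" },
} };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-app" },
  "node_modules/node-forge": { version: "1.0.1", integrity: "sha512-NEWFORGE" },
  "node_modules/js-yaml": { version: "4.0.0", integrity: "sha512-YAML" },
  "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-TAMPERED" },
} };
console.log(diffLockfiles(OLD_LOCK, NEW_LOCK));
```

On the sample data this reports two entries, the node-forge bump and the left-pad integrity change, while the dropped `peer` flag on js-yaml is not reported.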

@d0sboots merged commit 47b7a6f into bitburner-official:dev on Nov 28, 2025 (7 checks passed)
@d0sboots (Collaborator)

Also of note: This updates api-documenter. But, if no changes are seen by the doc check, that should be fine.

@mctylr-gh mctylr-gh deleted the nodeForge branch November 29, 2025 00:38
antoinedube pushed a commit to antoinedube/bitburner-source that referenced this pull request Dec 2, 2025