fix: [Snyk] Upgrade @snyk/dep-graph from 2.9.1 to 2.10.0#737

Merged
ividalATSnyk merged 1 commit into main from snyk-upgrade-0259e509309e9c9e95beec3e7237200c
Dec 17, 2025

@denis-snyk
Contributor

Snyk has created this PR to upgrade @snyk/dep-graph from 2.9.1 to 2.10.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 1 version ahead of your current version.

  • The recommended version was released a month ago.

Release notes
Package name: @snyk/dep-graph from @snyk/dep-graph GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@denis-snyk requested a review from a team as a code owner on December 16, 2025 20:51
@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Missing Lockfile Update

The diff shows a version bump for @snyk/dep-graph in package.json, but the corresponding update to package-lock.json is not present in the provided diff. Ensure package-lock.json is updated and committed to keep the dependency tree consistent and reproducible.

"@snyk/dep-graph": "^2.10.0",

Regression Testing

The upgraded version 2.10.0 of @snyk/dep-graph includes optimizations to countPathsToRoot. Since this is a core dependency for dependency graph operations, verify that this change does not introduce regressions or incorrect graph traversals in the plugin's logic.

"@snyk/dep-graph": "^2.10.0",

📚 Repository Context Analyzed

This review considered 14 relevant code sections from 4 files (average relevance: 0.77)
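
The lockfile concern raised in the review above can be checked mechanically. The following is an added example, not part of the PR or of the project's code: it compares `package.json` ranges with the `packages` map of a `lockfileVersion` 2/3 `package-lock.json`. The function names and sample manifests are assumptions constructed for illustration, and only `^X.Y.Z` and exact ranges are handled.

```javascript
// Added example; sample manifests are constructed. Prerelease tags are ignored.
const parse = (v) => v.split('.').map(Number);

function satisfiesRange(version, range) {
  const exact = !range.startsWith('^');
  const [M, m, p] = parse(exact ? range : range.slice(1));
  const [vM, vm, vp] = parse(version);
  if (exact) return vM === M && vm === m && vp === p;
  // Lower bound: version >= base of the range.
  const atLeast = vM > M || (vM === M && (vm > m || (vm === m && vp >= p)));
  // Upper bound: the left-most non-zero component of the base may not change.
  const pinned = M > 0 ? vM === M
    : m > 0 ? vM === 0 && vm === m
    : vM === 0 && vm === 0 && vp === p;
  return atLeast && pinned;
}

// Compare package.json ranges with a lockfileVersion 2/3 "packages" map.
function checkLockSync(manifest, lock) {
  const problems = [];
  const packages = lock.packages || {};
  const root = packages[''] || {};
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      const recorded = (root[field] || {})[name];
      const entry = packages[`node_modules/${name}`];
      if (recorded !== range) {
        problems.push(`${name}: package.json has ${range}, lockfile root has ${recorded}`);
      } else if (!entry) {
        problems.push(`${name}: no resolved entry in lockfile`);
      } else if (!satisfiesRange(entry.version, range)) {
        problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
      }
    }
  }
  return problems;
}

// Constructed inputs: manifest bumped to ^2.10.0; one stale and one fresh lockfile.
const makeLock = (range, version) => ({ lockfileVersion: 3, packages: {
  '': { dependencies: { '@snyk/dep-graph': range } },
  'node_modules/@snyk/dep-graph': { version },
} });
const manifest = { dependencies: { '@snyk/dep-graph': '^2.10.0' } };
const staleLock = makeLock('^2.9.1', '2.9.1');
const freshLock = makeLock('^2.10.0', '2.10.0');
console.log(checkLockSync(manifest, staleLock));
console.log(checkLockSync(manifest, freshLock));
```

In CI, `npm ci` is the authoritative form of this check: it refuses to install when `package.json` and `package-lock.json` disagree.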

@ividalATSnyk changed the title from "[Snyk] Upgrade @snyk/dep-graph from 2.9.1 to 2.10.0" to "chore: [Snyk] Upgrade @snyk/dep-graph from 2.9.1 to 2.10.0" on Dec 16, 2025
@ividalATSnyk changed the title from "chore: [Snyk] Upgrade @snyk/dep-graph from 2.9.1 to 2.10.0" to "fix: [Snyk] Upgrade @snyk/dep-graph from 2.9.1 to 2.10.0" on Dec 16, 2025
@ividalATSnyk
Contributor

All tests passing in CircleCI.

Ran relevant test for safety and everything seems to be working as expected.

 PASS  test/system/plugin.spec.ts (113 MB heap size)
  plugin
    ✓ image pulled by tag has version set (1260 ms)
    ✓ static scan for Identifier type image (nginx:1.19.0) (1317 ms)
    image is scanned when no image type is specified
      ✓ docker image.tar is scanned successfully when image type is not specified (40 ms)
      ✓ kaniko image.tar is scanned successfully when image type is not specified (3 ms)
      ✓ oci image.tar is scanned successfully when image type is not specified (19 ms)
      ✓ fails to extract the archive when the archive type is not supported (8 ms)
    docker-archive image type throws on bad files
      ✓ throws when a file does not exists
      ✓ throws when the provided path is a directory (1 ms)
    when scanning a locally loaded image
      ✓ should successfully scan a local image loaded from a tar archive (1292 ms)

Test Suites: 1 passed, 1 total
Tests:       9 passed, 9 total
Snapshots:   0 total
Time:        4.654 s, estimated 36 s

Ran via cli as well and everything worked as expected.

This looks good to me!

Contributor

@ividalATSnyk left a comment

Update is sound. Passed all CircleCI tests, and standard behavior is maintained. Change is present on both package.json and package-lock.json.

For more info see dep-graph 2.10.0 diff here.

@ividalATSnyk merged commit 135810e into main on Dec 17, 2025
14 of 15 checks passed
@ividalATSnyk deleted the snyk-upgrade-0259e509309e9c9e95beec3e7237200c branch on December 17, 2025 13:49
@snyksec

snyksec commented Dec 17, 2025

🎉 This PR is included in version 8.14.2 🎉

The release is available on:

Your semantic-release bot 📦🚀
