[Snyk] Security upgrade @pulumi/pulumi from 3.77.1 to 3.113.0#7696

Open
rubenfiszel wants to merge 1 commit into main from snyk-fix-d54a48a6f10844bc3cc19b75da646ace
Conversation

@rubenfiszel
Contributor

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • benchmarks/pulumi/package.json
  • benchmarks/pulumi/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                                                   Score
medium severity Regular Expression Denial of Service (ReDoS)            708
SNYK-JS-DIFF-14917201

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

…json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-DIFF-14917201
@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Jan 27, 2026

Deploying windmill with Cloudflare Pages

Latest commit: bc3ddf3
Status: ✅  Deploy successful!
Preview URL: https://b3417be7.windmill.pages.dev
Branch Preview URL: https://snyk-fix-d54a48a6f10844bc3cc.windmill.pages.dev
@claude
Contributor

claude bot commented Jan 27, 2026

Claude finished @rubenfiszel's task in 1m 43s

Reviewing PR #7696

  • Analyze PR changes and context
  • Review security upgrade changes
  • Check for any potential issues
  • Provide comprehensive feedback

Review Summary

This PR is an automated security fix from Snyk that upgrades @pulumi/pulumi from version 3.77.1 (locked from ^3.0.0) to version 3.113.0 in the benchmarks/pulumi directory.

Vulnerability Fixed: SNYK-JS-DIFF-14917201 - Regular Expression Denial of Service (ReDoS) in the diff package

Observations

Positive Aspects:

  1. Isolated Scope: The changes are confined to the benchmarks/pulumi directory, which is used for benchmarking and not part of the main application code
  2. Standard Upgrade Path: The version bump from ^3.0.0 to ^3.113.0 in package.json is straightforward
  3. Lock File Updated: The package-lock.json is properly regenerated with updated dependencies

Notable Changes:

  1. Dependency Tree: The vulnerable diff@3.5.0 package is now marked as "optional": true, "peer": true through ts-node@7.0.1, reducing its installation footprint
  2. Package Count: The lock file shows significant changes (+2596/-88 lines), typical for a major version upgrade with updated transitive dependencies

Considerations:

  1. No Runtime Impact: This is a benchmark directory, so even if there were breaking changes in Pulumi, it wouldn't affect production
  2. Bun Lockfile: There's also a bun.lockb file in the directory that was not updated - this could cause inconsistencies if someone uses Bun instead of npm to run the benchmarks

Recommendation

Approve - This is a low-risk security upgrade affecting only benchmarking code. The PR correctly addresses the ReDoS vulnerability.


Testing Instructions

This PR affects the benchmarks/pulumi directory which contains infrastructure benchmarking code using Pulumi. To verify:

Navigate to the benchmarks section (if exposed in the app) or manually inspect that the Pulumi benchmark scripts still execute correctly after the dependency upgrade. Since this is benchmarking code not exposed in the main application UI, no in-app testing is required. The changes can be verified by running npm install in the benchmarks/pulumi directory and confirming the dependencies resolve without errors.
