[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1

[MHxGH-ServiceAccount]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Allocation of Resources Without Limits or Throttling SNYK-JS-QS-14724253	170

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

---

Note

Dependency upgrade

• Bumps lerna in package.json from ^3.0.0-rc.0 to ^6.4.1

^{Written by Cursor Bugbot for commit dbf93e9. This will update automatically on new commits. Configure here.}

[MHxGH-ServiceAccount]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[MHxGH-ServiceAccount]

This is a significant major version upgrade that introduces fundamental changes to Lerna's core workflow and task execution engine.

Breaking Changes:

• Legacy Commands Removed: The lerna bootstrap, lerna add, and lerna link commands have been removed. You must now use your package manager's native workspaces (e.g., npm install, yarn, pnpm install) for dependency management. [1, 16]
• Nx Task Runner by Default: Lerna v6 uses Nx as the default task runner, which makes lerna run flags like --parallel and --sort obsolete. Task pipelines and caching are now configured in a nx.json file. [7, 9, 12]

Source: Lerna Changelog
Recommendation: Before merging, developers must replace lerna bootstrap with their package manager's install command and configure caching via a new nx.json file. The lerna repair command can help migrate existing lerna.json configurations. [3, 7]

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[cursor]

Major version upgrade breaks existing release scripts

Upgrading lerna from 3.x to 6.x introduces breaking changes that will cause the release-canary script to fail. The script uses --cd-version=prerelease and --npm-tag=canary options which were deprecated in lerna 4.x. In lerna 6.x, --cd-version is replaced with a positional bump argument (e.g., lerna publish prerelease) and --npm-tag was renamed to --dist-tag. The release workflow will break when someone attempts to publish canary releases.