lsh-framework 3.2.5 → 3.5.1

package/dist/lib/secrets-manager.js

@@ -3,6 +3,7 @@
  * Sync .env files across machines using encrypted Supabase storage
  */
 import * as fs from 'fs';
+import * as os from 'os';
 import * as path from 'path';
 import * as crypto from 'crypto';
 import { createLogger, LogLevel } from './logger.js';
@@ -10,7 +11,53 @@ import { getGitRepoInfo, hasEnvExample, ensureEnvInGitignore } from './git-utils
 import { IPFSSyncLogger } from './ipfs-sync-logger.js';
 import { IPFSSecretsStorage } from './ipfs-secrets-storage.js';
 import { ENV_VARS } from '../constants/index.js';
+import { extractErrorMessage } from './lsh-error.js';
+import { SyncKeyStore } from './sync-key-store.js';
 const logger = createLogger('SecretsManager');
+/**
+ * Read LSH_SECRETS_KEY from a .env file without loading the entire file into process.env
+ */
+function readKeyFromEnvFile(envPath) {
+    try {
+        if (fs.existsSync(envPath)) {
+            const content = fs.readFileSync(envPath, 'utf8');
+            const match = content.match(/^LSH_SECRETS_KEY=['"]?([^'"\n]+)['"]?/m);
+            if (match)
+                return match[1];
+        }
+    }
+    catch {
+        // Ignore read errors
+    }
+    return null;
+}
+/**
+ * Find LSH_SECRETS_KEY from environment, local .env, global ~/.env,
+ * or the persistent SyncKeyStore at $LSH_HOME/sync_key.json.
+ * Returns null if no explicit key is found (does not generate a fallback).
+ */
+export function findEncryptionKey() {
+    // 1. Check environment variable
+    const envKey = process.env[ENV_VARS.LSH_SECRETS_KEY];
+    if (envKey)
+        return envKey;
+    // 2. Check local .env
+    const localKey = readKeyFromEnvFile(path.join(process.cwd(), '.env'));
+    if (localKey)
+        return localKey;
+    // 3. Check global ~/.env
+    const home = process.env[ENV_VARS.HOME] || process.env[ENV_VARS.USERPROFILE] || '';
+    if (home) {
+        const globalKey = readKeyFromEnvFile(path.join(home, '.env'));
+        if (globalKey)
+            return globalKey;
+    }
+    // 4. Check persistent sync key store ($LSH_HOME/sync_key.json)
+    const stored = new SyncKeyStore().get();
+    if (stored)
+        return stored;
+    return null;
+}
 export class SecretsManager {
     storage;
     encryptionKey;
@@ -73,57 +120,85 @@ export class SecretsManager {
      * Get default encryption key from environment or machine
      */
     getDefaultEncryptionKey() {
-        // Check for explicit key
-        const envKey = process.env[ENV_VARS.LSH_SECRETS_KEY];
-        if (envKey) {
-            return envKey;
-        }
-        // Generate from machine ID and user
-        const machineId = process.env[ENV_VARS.HOSTNAME] || 'localhost';
-        const user = process.env[ENV_VARS.USER] || 'unknown';
-        const seed = `${machineId}-${user}-lsh-secrets`;
+        // Check environment, local .env, and global ~/.env
+        const explicitKey = findEncryptionKey();
+        if (explicitKey)
+            return explicitKey;
+        logger.warn('No explicit LSH_SECRETS_KEY found. Generating machine-derived fallback key.');
+        logger.warn('Set LSH_SECRETS_KEY in your environment for portable, secure encryption.');
+        // Generate from multiple machine-specific entropy sources
+        const hostname = os.hostname();
+        const uid = String(os.userInfo().uid);
+        const homedir = os.homedir();
+        // Try to read /etc/machine-id (Linux) for additional entropy
+        let machineSpecific;
+        try {
+            machineSpecific = fs.readFileSync('/etc/machine-id', 'utf8').trim();
+        }
+        catch {
+            // Fallback to CPU model on macOS / systems without machine-id
+            machineSpecific = os.cpus()[0]?.model || 'no-cpu-info';
+        }
+        const seed = `${hostname}-${uid}-${homedir}-${machineSpecific}-lsh-secrets`;
         // Create deterministic key
         return crypto.createHash('sha256').update(seed).digest('hex');
     }
     /**
-     * Encrypt a value
+     * Encrypt a value using AES-256-GCM with authentication tag
      */
     encrypt(text) {
-        const iv = crypto.randomBytes(16);
+        const iv = crypto.randomBytes(12); // 96-bit IV recommended for GCM
         const key = Buffer.from(this.encryptionKey, 'hex');
-        const cipher = crypto.createCipheriv('aes-256-cbc', key.slice(0, 32), iv);
+        const cipher = crypto.createCipheriv('aes-256-gcm', key.slice(0, 32), iv);
         let encrypted = cipher.update(text, 'utf8', 'hex');
         encrypted += cipher.final('hex');
-        return iv.toString('hex') + ':' + encrypted;
+        const authTag = cipher.getAuthTag();
+        // Format: iv:authTag:encrypted (3-part GCM format)
+        return iv.toString('hex') + ':' + authTag.toString('hex') + ':' + encrypted;
     }
     /**
-     * Decrypt a value
+     * Decrypt a value (supports both AES-256-GCM and legacy AES-256-CBC)
      */
     decrypt(text) {
         try {
             const parts = text.split(':');
-            if (parts.length !== 2) {
+            const key = Buffer.from(this.encryptionKey, 'hex');
+            if (parts.length === 3) {
+                // AES-256-GCM format: iv:authTag:encrypted
+                const iv = Buffer.from(parts[0], 'hex');
+                const authTag = Buffer.from(parts[1], 'hex');
+                const encryptedText = parts[2];
+                const decipher = crypto.createDecipheriv('aes-256-gcm', key.slice(0, 32), iv);
+                decipher.setAuthTag(authTag);
+                let decrypted = decipher.update(encryptedText, 'hex', 'utf8');
+                decrypted += decipher.final('utf8');
+                return decrypted;
+            }
+            else if (parts.length === 2) {
+                // Legacy AES-256-CBC format: iv:encrypted
+                const iv = Buffer.from(parts[0], 'hex');
+                const encryptedText = parts[1];
+                const decipher = crypto.createDecipheriv('aes-256-cbc', key.slice(0, 32), iv);
+                let decrypted = decipher.update(encryptedText, 'hex', 'utf8');
+                decrypted += decipher.final('utf8');
+                return decrypted;
+            }
+            else {
                 throw new Error('Invalid encrypted format');
             }
-            const iv = Buffer.from(parts[0], 'hex');
-            const encryptedText = parts[1];
-            const key = Buffer.from(this.encryptionKey, 'hex');
-            const decipher = crypto.createDecipheriv('aes-256-cbc', key.slice(0, 32), iv);
-            let decrypted = decipher.update(encryptedText, 'hex', 'utf8');
-            decrypted += decipher.final('utf8');
-            return decrypted;
         }
         catch (error) {
-            const err = error;
-            if (err.message.includes('bad decrypt') || err.message.includes('wrong final block length')) {
+            const msg = extractErrorMessage(error);
+            if (msg.includes('bad decrypt') || msg.includes('wrong final block length') ||
+                msg.includes('Unsupported state') || msg.includes('unable to authenticate')) {
                 throw new Error('Decryption failed. This usually means:\n' +
                     '  1. You need to set LSH_SECRETS_KEY environment variable\n' +
                     '  2. The key must match the one used during encryption\n' +
                     '  3. Generate a shared key with: lsh secrets key\n' +
                     '  4. Add it to your .env: LSH_SECRETS_KEY=<key>\n' +
-                    '\nOriginal error: ' + err.message);
+                    '\nOriginal error: ' + msg, { cause: error });
             }
-            throw err;
+            throw error;
         }
     }
     /**
@@ -243,8 +318,8 @@ export class SecretsManager {
         }
         // Get the effective environment name (repo-aware)
         const effectiveEnv = this.getRepoAwareEnvironment(environment);
-        // Warn if using default key
-        if (!process.env[ENV_VARS.LSH_SECRETS_KEY]) {
+        // Warn if using machine-derived fallback key (no explicit key found anywhere)
+        if (!findEncryptionKey()) {
             logger.warn('⚠️  Warning: No LSH_SECRETS_KEY set. Using machine-specific key.');
             logger.warn('   To share secrets across machines, generate a key with: lsh key');
             logger.warn('   Then add LSH_SECRETS_KEY=<key> to your .env on all machines');
@@ -277,10 +352,9 @@ export class SecretsManager {
                 }
             }
             catch (error) {
-                const err = error;
                 // Re-throw destructive change errors
-                if (err.message.includes('Destructive change')) {
-                    throw err;
+                if (extractErrorMessage(error).includes('Destructive change')) {
+                    throw error;
                 }
                 // Ignore other errors (like missing secrets) and proceed
             }
@@ -357,8 +431,8 @@ export class SecretsManager {
         const finalEnv = { ...pulledEnv, ...localLshKeys };
         // Convert to .env format
         const envContent = this.formatEnvFile(finalEnv);
-        // Write new .env
-        fs.writeFileSync(envFilePath, envContent, 'utf8');
+        // Write new .env with restrictive permissions (owner read/write only)
+        fs.writeFileSync(envFilePath, envContent, { encoding: 'utf8', mode: 0o600 });
         logger.info(`✅ Pulled ${secrets.length} secrets from IPFS`);
         // Get metadata for CID display
         const metadata = this.storage.getMetadata(environment, this.gitInfo?.repoName);
@@ -430,7 +504,7 @@ export class SecretsManager {
             cloudExists: false,
             cloudKeys: 0,
             cloudModified: undefined,
-            keySet: !!process.env[ENV_VARS.LSH_SECRETS_KEY],
+            keySet: !!findEncryptionKey(),
             keyMatches: undefined,
             suggestions: [],
         };
@@ -518,7 +592,7 @@ export class SecretsManager {
      * Generate encryption key if not set
      */
     async ensureEncryptionKey() {
-        if (process.env[ENV_VARS.LSH_SECRETS_KEY]) {
+        if (findEncryptionKey()) {
             return true; // Key already set
         }
         logger.warn('⚠️  No encryption key found. Generating a new key...');
@@ -540,7 +614,7 @@ export class SecretsManager {
             else {
                 content += `\n# LSH Secrets Encryption Key (do not commit!)\nLSH_SECRETS_KEY=${key}\n`;
             }
-            fs.writeFileSync(envPath, content, 'utf8');
+            fs.writeFileSync(envPath, content, { encoding: 'utf8', mode: 0o600 });
             // Set in current process
             process.env[ENV_VARS.LSH_SECRETS_KEY] = key;
             this.encryptionKey = key;
@@ -549,8 +623,7 @@ export class SecretsManager {
             return true;
         }
         catch (error) {
-            const _err = error;
-            logger.error(`Failed to save encryption key: ${_err.message}`);
+            logger.error(`Failed to save encryption key: ${extractErrorMessage(error)}`);
             logger.info('Please set it manually:');
             logger.info(`export LSH_SECRETS_KEY=${key}`);
             return false;
@@ -581,13 +654,12 @@ LSH_SECRETS_KEY=${this.encryptionKey}
 # Add your environment variables below
 `;
             try {
-                fs.writeFileSync(envFilePath, template, 'utf8');
+                fs.writeFileSync(envFilePath, template, { encoding: 'utf8', mode: 0o600 });
                 logger.info(`✅ Created ${envFilePath} from template`);
                 return true;
             }
             catch (error) {
-                const _err = error;
-                logger.error(`Failed to create ${envFilePath}: ${_err.message}`);
+                logger.error(`Failed to create ${envFilePath}: ${extractErrorMessage(error)}`);
                 return false;
             }
         }
@@ -599,13 +671,12 @@ LSH_SECRETS_KEY=${this.encryptionKey}
             if (!content.includes('LSH_SECRETS_KEY')) {
                 newContent += `\n# LSH Secrets Encryption Key (auto-generated)\nLSH_SECRETS_KEY=${this.encryptionKey}\n`;
             }
-            fs.writeFileSync(envFilePath, newContent, 'utf8');
+            fs.writeFileSync(envFilePath, newContent, { encoding: 'utf8', mode: 0o600 });
             logger.info(`✅ Created ${envFilePath} from ${path.basename(examplePath)}`);
             return true;
         }
         catch (error) {
-            const _err = error;
-            logger.error(`Failed to create ${envFilePath}: ${_err.message}`);
+            logger.error(`Failed to create ${envFilePath}: ${extractErrorMessage(error)}`);
             return false;
         }
     }
@@ -679,7 +750,7 @@ LSH_SECRETS_KEY=${this.encryptionKey}
                 out();
             }
             // Step 1: Ensure encryption key exists
-            if (!process.env[ENV_VARS.LSH_SECRETS_KEY]) {
+            if (!findEncryptionKey()) {
                 logger.info('🔑 No encryption key found...');
                 await this.ensureEncryptionKey();
                 out();
@@ -982,8 +1053,7 @@ LSH_SECRETS_KEY=${this.encryptionKey}
         }
         catch (error) {
             // Don't fail operation if IPFS logging fails
-            const err = error;
-            logger.warn(`⚠️  Could not log to IPFS: ${err.message}`);
+            logger.warn(`⚠️  Could not log to IPFS: ${extractErrorMessage(error)}`);
         }
     }
 }

package/dist/lib/sync-key-store.js

@@ -0,0 +1,87 @@
+/**
+ * Persistent storage for the LSH sync secret.
+ *
+ * Mirrors the design of mcli's `mcli sync key` store: a single 64-char
+ * hex value kept in ``$LSH_HOME/sync_key.json`` (default
+ * ``~/.config/lsh/sync_key.json``) with mode 0600. The
+ * ``LSH_SECRETS_KEY`` environment variable still wins when set; the
+ * store is only consulted as a fallback so users do not have to re-paste
+ * their secret on every shell.
+ */
+import * as crypto from 'crypto';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+export const HEX64_REGEX = /^[0-9a-fA-F]{64}$/;
+const FILENAME = 'sync_key.json';
+/** Resolve the directory where lsh stores its config (`$LSH_HOME` or `~/.config/lsh`). */
+export function getLshHome() {
+    const overridden = process.env.LSH_HOME;
+    if (overridden && overridden.trim().length > 0)
+        return overridden;
+    return path.join(os.homedir(), '.config', 'lsh');
+}
+/** Return a freshly-generated 64-char hex secret without persisting it. */
+export function generateKey() {
+    return crypto.randomBytes(32).toString('hex');
+}
+/**
+ * Persistent on-disk store for the LSH sync secret.
+ */
+export class SyncKeyStore {
+    /** Absolute path to the on-disk key file. */
+    get path() {
+        return path.join(getLshHome(), FILENAME);
+    }
+    /** Read the persisted key, or `null` if none is configured / file is malformed. */
+    get() {
+        const file = this.path;
+        if (!fs.existsSync(file))
+            return null;
+        try {
+            const raw = fs.readFileSync(file, 'utf-8');
+            const parsed = JSON.parse(raw);
+            if (typeof parsed.key === 'string' && HEX64_REGEX.test(parsed.key)) {
+                return parsed.key;
+            }
+        }
+        catch {
+            // fall through to null
+        }
+        return null;
+    }
+    /** Validate and persist a key. Throws on invalid input. */
+    set(key) {
+        if (typeof key !== 'string' || !HEX64_REGEX.test(key)) {
+            throw new Error('sync key must be a 64-char hex string');
+        }
+        this.write(key);
+    }
+    /** Generate a new key and persist it. Refuses to overwrite unless `force=true`. */
+    generate(force = false) {
+        if (fs.existsSync(this.path) && !force) {
+            throw new Error(`sync key already exists at ${this.path}; use force=true to overwrite`);
+        }
+        const key = generateKey();
+        this.write(key);
+        return key;
+    }
+    /** Delete the persisted key, if any. No-op when the file is absent. */
+    clear() {
+        try {
+            fs.unlinkSync(this.path);
+        }
+        catch (err) {
+            const e = err;
+            if (e.code !== 'ENOENT')
+                throw err;
+        }
+    }
+    write(key) {
+        const dir = path.dirname(this.path);
+        fs.mkdirSync(dir, { recursive: true });
+        // Write first, then chmod, so the secret is never world-readable.
+        fs.writeFileSync(this.path, JSON.stringify({ key }));
+        fs.chmodSync(this.path, 0o600);
+    }
+}

package/dist/services/secrets/secrets.js

@@ -2,53 +2,25 @@
  * Secrets Management Commands
  * Sync .env files across development environments
  */
-import SecretsManager from '../../lib/secrets-manager.js';
+import SecretsManager, { findEncryptionKey } from '../../lib/secrets-manager.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import * as readline from 'readline';
 import { getGitRepoInfo } from '../../lib/git-utils.js';
 import { ENV_VARS } from '../../constants/index.js';
 import { IPFSClientManager } from '../../lib/ipfs-client-manager.js';
+import { SyncKeyStore } from '../../lib/sync-key-store.js';
+function maskKey(key) {
+    if (key.length <= 12)
+        return '*'.repeat(key.length);
+    return `${key.slice(0, 4)}...${key.slice(-4)}`;
+}
 /**
  * Type guard to check if a string is a valid OutputFormat.
  */
 function isOutputFormat(value) {
     return ['env', 'json', 'yaml', 'toml', 'export'].includes(value);
 }
-/**
- * Find existing LSH_SECRETS_KEY from environment, local .env, or global ~/.env
- */
-function findExistingKey() {
-    // 1. Check environment variable
-    const envKey = process.env[ENV_VARS.LSH_SECRETS_KEY];
-    if (envKey)
-        return envKey;
-    // 2. Check local .env
-    const localEnvPath = path.join(process.cwd(), '.env');
-    const localKey = readKeyFromEnvFile(localEnvPath);
-    if (localKey)
-        return localKey;
-    // 3. Check global ~/.env
-    const globalEnvPath = path.join(process.env.HOME || '~', '.env');
-    const globalKey = readKeyFromEnvFile(globalEnvPath);
-    if (globalKey)
-        return globalKey;
-    return null;
-}
-function readKeyFromEnvFile(envPath) {
-    try {
-        if (fs.existsSync(envPath)) {
-            const content = fs.readFileSync(envPath, 'utf-8');
-            const match = content.match(/^LSH_SECRETS_KEY=['"]?([^'"\n]+)['"]?/m);
-            if (match)
-                return match[1];
-        }
-    }
-    catch {
-        // Ignore read errors
-    }
-    return null;
-}
 export async function init_secrets(program) {
     // Push secrets to cloud
     program
@@ -305,7 +277,7 @@ export async function init_secrets(program) {
     // Default action: show existing key or prompt to generate
     keyCmd
         .action(async () => {
-        const existingKey = findExistingKey();
+        const existingKey = findEncryptionKey();
         if (existingKey) {
             const masked = existingKey.slice(0, 8) + '...' + existingKey.slice(-4);
             console.log(`\n🔑 LSH_SECRETS_KEY=${masked}\n`);
@@ -326,7 +298,7 @@ export async function init_secrets(program) {
         .option('--no-mask', 'Show the full key (default: masked)')
         .option('--export', 'Output in export format for shell evaluation')
         .action(async (options) => {
-        const existingKey = findExistingKey();
+        const existingKey = findEncryptionKey();
         if (!existingKey) {
             console.error('❌ No encryption key found. Run: lsh key generate');
             process.exit(1);
@@ -350,7 +322,7 @@ export async function init_secrets(program) {
         .option('--force', 'Overwrite existing key')
         .option('--export', 'Output in export format for shell evaluation')
         .action(async (options) => {
-        const existingKey = findExistingKey();
+        const existingKey = findEncryptionKey();
         if (existingKey && !options.force) {
             console.error('❌ An encryption key already exists. Use --force to overwrite.');
             console.error('⚠️  Warning: existing secrets will NOT be decryptable with a new key.\n');
@@ -400,7 +372,7 @@ export async function init_secrets(program) {
             process.exit(1);
         }
         // Check for existing key
-        const existingKey = findExistingKey();
+        const existingKey = findEncryptionKey();
         if (existingKey) {
             if (existingKey === keyValue) {
                 console.log('\n✅ This key is already configured.\n');
@@ -447,6 +419,72 @@ export async function init_secrets(program) {
             process.exit(1);
         }
     });
+    // lsh key gen — generate + persist to ~/.config/lsh/sync_key.json
+    keyCmd
+        .command('gen')
+        .description('Generate a new key and persist it to the LSH sync key store')
+        .option('-f, --force', 'Overwrite an existing stored key')
+        .option('--show', 'Print the full key (default masks it)')
+        .action((options) => {
+        const store = new SyncKeyStore();
+        let key;
+        try {
+            key = store.generate(options.force === true);
+        }
+        catch (err) {
+            const e = err;
+            console.error(`❌ ${e.message}`);
+            console.error("💡 Use --force to overwrite, or run 'lsh key show' to view the existing key.");
+            process.exit(1);
+            return; // for the type-checker
+        }
+        console.log(`✅ Generated sync key at ${store.path}`);
+        if (options.show) {
+            console.log(`🔑 ${key}`);
+        }
+        else {
+            console.log(`🔑 ${maskKey(key)}  (use --show to print full)`);
+        }
+        console.log("💡 Share this key with teammates / your other hosts. Then run `lsh key set <key>` on each peer.");
+    });
+    // lsh key set — paste a 64-char hex key from another host into the store
+    keyCmd
+        .command('set <key>')
+        .description('Persist an existing 64-char hex key to the LSH sync key store')
+        .action((keyValue) => {
+        const store = new SyncKeyStore();
+        try {
+            store.set(keyValue.trim());
+        }
+        catch (err) {
+            const e = err;
+            console.error(`❌ ${e.message}`);
+            process.exit(1);
+        }
+        console.log('✅ Sync key stored.');
+    });
+    // lsh key clear — delete the persisted key (env var, if set, is untouched)
+    keyCmd
+        .command('clear')
+        .description('Delete the persisted LSH sync key (env var is untouched)')
+        .option('-y, --yes', 'Skip confirmation prompt')
+        .action(async (options) => {
+        if (!options.yes) {
+            const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+            const answer = await new Promise((resolve) => {
+                rl.question('Remove the stored sync key? [y/N] ', (ans) => {
+                    rl.close();
+                    resolve(ans.trim().toLowerCase());
+                });
+            });
+            if (answer !== 'y' && answer !== 'yes') {
+                console.log('Aborted.');
+                return;
+            }
+        }
+        new SyncKeyStore().clear();
+        console.log('✅ Stored sync key removed.');
+    });
     // Create .env file
     program
         .command('create')

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "lsh-framework",
-  "version": "3.2.5",
+  "version": "3.5.1",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync, IPFS audit logs, and multi-environment support. Just run lsh sync and start managing your secrets.",
-  "main": "dist/app.js",
+  "main": "dist/cli.js",
   "bin": {
     "lsh": "./dist/cli.js"
   },
@@ -64,39 +64,39 @@
   ],
   "dependencies": {
     "@supabase/supabase-js": "^2.57.4",
-    "@types/proper-lockfile": "^4.1.4",
     "bcrypt": "^6.0.0",
     "chalk": "^5.3.0",
     "chokidar": "^5.0.0",
-    "commander": "^14.0.2",
+    "commander": "^15.0.0",
     "cors": "^2.8.5",
     "dotenv": "^17.2.3",
-    "express": "^4.22.1",
+    "express": "^5.2.1",
     "express-rate-limit": "^8.2.1",
     "glob": "^13.0.0",
-    "inquirer": "^9.2.12",
+    "inquirer": "^14.0.1",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.2",
     "node-cron": "^4.2.1",
     "ora": "^9.0.0",
     "pg": "^8.16.3",
     "proper-lockfile": "^4.1.2",
-    "smol-toml": "^1.3.1",
-    "uuid": "^13.0.0"
+    "smol-toml": "^1.3.1"
   },
   "devDependencies": {
-    "@types/bcrypt": "^5.0.2",
+    "@eslint/js": "^10.0.1",
+    "@types/bcrypt": "^6.0.0",
     "@types/cors": "^2.8.17",
-    "@types/express": "^4.17.21",
+    "@types/express": "^5.0.6",
     "@types/jest": "^30.0.0",
     "@types/js-yaml": "^4.0.9",
     "@types/jsonwebtoken": "^9.0.5",
-    "@types/node": "^20.19.27",
-    "@typescript-eslint/eslint-plugin": "^8.44.1",
-    "@typescript-eslint/parser": "^8.44.1",
-    "eslint": "^9.36.0",
-    "jest": "^29.7.0",
+    "@types/node": "^25.9.1",
+    "@types/proper-lockfile": "^4.1.4",
+    "@typescript-eslint/eslint-plugin": "^8.60.0",
+    "@typescript-eslint/parser": "^8.60.0",
+    "eslint": "^10.4.1",
+    "jest": "^30.4.2",
     "ts-jest": "^29.2.5",
-    "typescript": "^5.4.5"
+    "typescript": "^6.0.3"
   }
 }