
npm audit CI change, and minor version bumps #368

Merged: cmoesel merged 2 commits into master from dep-bump-and-npm-audit on Jun 22, 2026

Conversation

@dehall dehall commented Jun 22, 2026

Contributor

This PR addresses the npm audit failures noted in previous PRs, e.g.:

NOTE: The CI that runs npm audit currently fails, but the reported audit issues are currently not resolvable, so there's not much we can do.

There are 3 parts to this:

  1. Changes the CI workflow to run npm audit --omit=dev to ignore issues reported in devDependencies. Libraries used in devDependencies are only involved in the dev/build/test process but not included downstream, so software that depends on cql-execution will not be affected by issues in our devDependencies.
  2. Bumps a few versions based on running npm audit fix once
  3. Bumps a few additional versions in package.json by running npm-check-updates. Only patch and minor version updates were included here, not major versions. (For example, typescript 6.0.0 is now available, but that upgrade is not included here.)

cql4browsers changed as a result of the version bumps so is included here.

Pull requests into cql-execution require the following.
Submitter and reviewer should ✔ when done.
For items that are not-applicable, mark "N/A" and ✔.

Submitter:

  • This pull request describes why these changes were made
  • Code diff has been done and been reviewed (it does not contain: additional white space, not applicable code changes, debug statements, etc.)
  • [N/A] Tests are included and test edge cases
  • Tests have been run locally and pass
  • [N/A] Code coverage has not gone down and all code touched or added is covered.
  • [N/A] Code passes lint and prettier (hint: use npm run test:plus to run tests, lint, and prettier)
  • All dependent libraries are appropriately updated or have a corresponding PR related to this change
  • cql4browsers.js built with npm run build:browserify if source changed.

Reviewer:

Name:

  • Code is maintainable and reusable, reuses existing code and infrastructure where appropriate, and accomplishes the task’s purpose
  • The tests appropriately test the new code, including edge cases
  • You have tried to break the code
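The first item in the description rests on the distinction between the production dependency tree and packages that are only reachable through devDependencies. The following is an added example (not cql-execution code) that approximates what `npm audit --omit=dev` does: it joins the `nodes` paths of an `npm audit --json` advisory against the `dev: true` flags that package-lock.json v2/v3 records for dev-only packages, and keeps only advisories that reach the production tree. The lock fragment, the advisory entries and the package names are constructed sample data, not taken from this repository.

```javascript
// Added example (not cql-execution code): approximate `npm audit --omit=dev`
// by checking which installed instances of a vulnerable package are dev-only.
// Inputs are constructed samples shaped like package-lock.json v3 "packages"
// entries and the `vulnerabilities` map of `npm audit --json`.

// Constructed package-lock fragment. npm marks packages reachable only through
// devDependencies with `dev: true`; production packages carry no flag.
const SAMPLE_LOCK_PACKAGES = {
  'node_modules/prod-lib': { version: '1.2.0' },
  'node_modules/prod-lib/node_modules/deep-util': { version: '0.9.1' },
  'node_modules/build-tool': { version: '3.0.0', dev: true },
  'node_modules/build-tool/node_modules/deep-util': { version: '0.8.0', dev: true },
  'node_modules/test-helper': { version: '2.1.0', dev: true },
};

// Constructed `npm audit --json` vulnerabilities map (package names are placeholders).
const SAMPLE_AUDIT = {
  'deep-util': {
    name: 'deep-util', severity: 'high', isDirect: false,
    nodes: ['node_modules/prod-lib/node_modules/deep-util',
            'node_modules/build-tool/node_modules/deep-util'],
    range: '<1.0.0', fixAvailable: true,
  },
  'test-helper': {
    name: 'test-helper', severity: 'moderate', isDirect: true,
    nodes: ['node_modules/test-helper'], range: '<2.2.0', fixAvailable: true,
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Split each advisory's installed instances into production and dev-only nodes.
function partitionVulnerabilities(auditVulns, lockPackages) {
  const result = {};
  for (const [name, vuln] of Object.entries(auditVulns)) {
    const prodNodes = [];
    const devNodes = [];
    for (const node of vuln.nodes) {
      const entry = lockPackages[node];
      // A node missing from the lock is treated as production (fail closed)
      // rather than silently dropped.
      if (entry && entry.dev === true) devNodes.push(node);
      else prodNodes.push(node);
    }
    result[name] = {
      severity: vuln.severity,
      prodNodes,
      devNodes,
      devOnly: prodNodes.length === 0,
    };
  }
  return result;
}

// Names of advisories that survive once dev-only instances are omitted,
// i.e. what downstream consumers of the package actually inherit.
function omitDev(partitioned) {
  return Object.entries(partitioned)
    .filter(([, v]) => !v.devOnly)
    .map(([name]) => name);
}

// CI gate: fail only on advisories in the production tree at or above `level`.
function shouldFailCi(partitioned, level = 'moderate') {
  const threshold = SEVERITY_RANK[level];
  return Object.values(partitioned)
    .some(v => !v.devOnly && SEVERITY_RANK[v.severity] >= threshold);
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = partitionVulnerabilities(SAMPLE_AUDIT, SAMPLE_LOCK_PACKAGES);
  for (const [name, r] of Object.entries(report)) {
    console.log(`${name}: ${r.severity}, ${r.devOnly ? 'dev-only (omitted)' : 'in production tree'}`);
  }
  console.log('would fail CI:', shouldFailCi(report));
}
```

In the sample, `deep-util` is installed twice: once under a production package and once under a build tool. Only the production instance counts, so the advisory is kept, while `test-helper` is dropped because its only instance is dev-only. That is the same reasoning the description gives for running `npm audit --omit=dev` in CI: an advisory that exists only in the dev tree cannot reach software that depends on the published package.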

codecov-commenter commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.69%. Comparing base (1991335) to head (9ff5f15).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #368   +/-   ##
=======================================
  Coverage   87.69%   87.69%           
=======================================
  Files          52       52           
  Lines        4624     4624           
  Branches     1307     1307           
=======================================
  Hits         4055     4055           
  Misses        354      354           
  Partials      215      215           


cmoesel commented Jun 22, 2026

Member

This looks good. Maybe some things have been updated since you ran npm-check-updates, but when I run npm outdated, I'm still seeing a few dev dependencies that have minor updates available:

Package                           Current   Wanted  Latest  Location                                       Depended by
@types/node                       24.12.0  24.13.2  26.0.0  node_modules/@types/node                       dep-bump-and-npm-audit
@typescript-eslint/eslint-plugin   8.61.1   8.62.0  8.62.0  node_modules/@typescript-eslint/eslint-plugin  dep-bump-and-npm-audit
@typescript-eslint/parser          8.61.1   8.62.0  8.62.0  node_modules/@typescript-eslint/parser         dep-bump-and-npm-audit
globals                            17.6.0   17.7.0  17.7.0  node_modules/globals                           dep-bump-and-npm-audit
sinon                              21.0.3   21.1.2  22.0.0  node_modules/sinon                             dep-bump-and-npm-audit
typescript                          5.9.3    5.9.3   6.0.3  node_modules/typescript                        dep-bump-and-npm-audit

dehall commented Jun 22, 2026

Contributor Author

Oh, good catch. Some of those are things moving fast: globals 17.7.0 was released an hour ago and the two @typescript-eslint 8.62.0 releases were 20 minutes ago. But for @types/node and sinon, I ignored the major version bump, which also ignored any potential minor version bumps. I'll try again.

dehall commented Jun 22, 2026

Contributor Author

Updated with the latest. Unfortunately there didn't seem to be any way to use npm-check-updates to only update within a given major version. npm outdated should now show only the 3 deps with major updates available, but they should be on the latest minor version:

Package      Current   Wanted  Latest  Location                  Depended by
@types/node  24.13.2  24.13.2  26.0.0  node_modules/@types/node  cql-execution
sinon         21.1.2   21.1.2  22.0.0  node_modules/sinon        cql-execution
typescript     5.9.3    5.9.3   6.0.3  node_modules/typescript   cql-execution
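The two `npm outdated` tables in this thread illustrate the distinction the PR draws: an update that `npm update` would already take (Wanted above Current) versus one that needs a deliberate major bump (Latest in a new major). The following is an added example (not cql-execution code or an npm tool) that parses the default whitespace-aligned `npm outdated` table and classifies each row that way; the sample input is the table from the earlier review comment, and the column layout it assumes is the default one shown there.

```javascript
// Added example (not cql-execution code): classify `npm outdated` rows into
// "in-range update available" vs "only a new major available". The sample
// rows are copied from the review comment above; the parser assumes the
// default whitespace-aligned table with Package/Current/Wanted/Latest first.

const SAMPLE_OUTDATED = `
Package                           Current   Wanted  Latest  Location                                       Depended by
@types/node                       24.12.0  24.13.2  26.0.0  node_modules/@types/node                       dep-bump-and-npm-audit
@typescript-eslint/eslint-plugin   8.61.1   8.62.0  8.62.0  node_modules/@typescript-eslint/eslint-plugin  dep-bump-and-npm-audit
@typescript-eslint/parser          8.61.1   8.62.0  8.62.0  node_modules/@typescript-eslint/parser         dep-bump-and-npm-audit
globals                            17.6.0   17.7.0  17.7.0  node_modules/globals                           dep-bump-and-npm-audit
sinon                              21.0.3   21.1.2  22.0.0  node_modules/sinon                             dep-bump-and-npm-audit
typescript                          5.9.3    5.9.3   6.0.3  node_modules/typescript                        dep-bump-and-npm-audit
`;

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored) into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric comparison, component by component; returns <0, 0 or >0.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  return 0;
}

// Package names contain no spaces, so splitting on runs of whitespace is safe.
function parseOutdated(text) {
  return text.trim().split('\n').slice(1).map(line => {
    const [name, current, wanted, latest] = line.trim().split(/\s+/);
    return { name, current, wanted, latest };
  });
}

// inRangeUpdate: Wanted > Current, i.e. `npm update` would take it.
// majorUpdate:   Latest is in a newer major than Current (needs an explicit bump).
// onlyMajor:     nothing left to take within the current range; only a major remains.
function classifyOutdated(rows) {
  return rows.map(r => {
    const cur = parseSemver(r.current);
    const want = parseSemver(r.wanted);
    const lat = parseSemver(r.latest);
    const inRangeUpdate = compareSemver(want, cur) > 0;
    const majorUpdate = lat.major > cur.major;
    return { name: r.name, inRangeUpdate, majorUpdate, onlyMajor: majorUpdate && !inRangeUpdate };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of classifyOutdated(parseOutdated(SAMPLE_OUTDATED))) {
    console.log(`${c.name}: inRange=${c.inRangeUpdate} major=${c.majorUpdate} onlyMajor=${c.onlyMajor}`);
  }
}
```

Run against the earlier table, only typescript has nothing left within its current major; the other five rows still have an in-range minor or patch update, which is what the follow-up bump took, leaving the three major-only rows shown in the table just above.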

@cmoesel cmoesel left a comment

Member


Looks good and I will be glad not to tell people to ignore the CI failures anymore. Thanks, @dehall!

Given this is mainly just a dependency bump PR, I think one approval is sufficient -- so I will merge.

@cmoesel cmoesel merged commit 73bf45e into master Jun 22, 2026
14 checks passed
@cmoesel cmoesel deleted the dep-bump-and-npm-audit branch June 22, 2026 21:10