fix: upgrade sqlite3 to v6.0.1

[TheLastCicada]

Summary

• Upgrade sqlite3 from ^5.1.7 to ^6.0.1 to reduce high-severity transitive risk in the sqlite3/node-gyp chain.
• Regenerate package-lock.json for the new sqlite3 dependency graph.
• Verify sqlite3 native binary path compatibility with existing pkg asset/prepare scripts (node_modules/sqlite3/build/Release/node_sqlite3.node still present).

Test plan

• npm run build
• npm run test:v2 (1364 passing, 1 pending)
• npm run test:v1 (known flaky simulator assertions observed on this branch and on baseline v2-rc2; no sqlite3-specific regression isolated)

---

Note

Medium Risk
Upgrading a native dependency (sqlite3) changes the node-gyp/prebuild toolchain and Node engine requirements, which can break installs or CI across environments. No application logic changes, but build/runtime compatibility for the native addon is the main risk.

Overview
Upgrades sqlite3 from ^5.1.7 to ^6.0.1 and regenerates package-lock.json, pulling in newer build/tooling dependencies (notably updated node-gyp and related fetch/cache packages).

Updates the GitHub Actions tests workflow to set npm_config_build_from_source=sqlite3, forcing source builds of the sqlite3 addon during CI installs.

^{Written by Cursor Bugbot for commit 2862d67. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	sqlite3@​5.1.7 ⏵ 6.0.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm cacache is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a straightforward content-cache retrieval and streaming utility. It reads from a cache using an index, supports digest-based access, and optionally memoizes results. There is no evidence of malicious behavior, data exfiltration, backdoors, or external network activity within this module. The security risk appears low, assuming the surrounding system properly manages cache integrity and does not expose untrusted cache contents without validation. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/sqlite3@6.0.1 → npm/cacache@20.0.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cacache@20.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm glob is 100.0% likely to have a medium risk anomaly Notes: The Glob utilities implement a conventional and well-structured filesystem glob-walking mechanism with robust control flow (abort signals, backpressure) and safe output semantics. There is no evidence of malicious behavior, backdoors, or data exfiltration within this fragment. Risks mainly relate to how downstream consumers may handle emitted paths, not to the library itself. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/sqlite3@6.0.1 → npm/glob@13.0.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@13.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm minipass-fetch is 100.0% likely to have a medium risk anomaly Notes: No evidence of malicious behavior or supply-chain sabotage within this code fragment. The code adheres to standard fetch-like behavior with conventional TLS/config handling. Potential security considerations include the ability to disable TLS verification via an environment variable (a known risk if misused) but this is typical for Node.js TLS configurations and not a deliberate backdoor. Overall risk is moderate due to TLS verification control but not due to malicious intent in this module. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/sqlite3@6.0.1 → npm/minipass-fetch@5.0.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@5.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm node-gyp is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate Windows registry query and filesystem readability utility, with no inherent malware or backdoors. Primary security concerns are data exposure through verbose logging and the potential misuse of reg.exe with untrusted inputs. Mitigations include restricting input sources, redacting sensitive outputs in logs, and ensuring callers handle registry data securely. Overall security risk is moderate due to sensitive operations and logging exposure, but no active malicious behavior detected. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/sqlite3@6.0.1 → npm/node-gyp@12.2.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-gyp@12.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report