chore(deps): update dependency through2 to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
through2	^4.0.2 → ^5.0.0

---

Release Notes

rvagg/through2 (through2)

v5.0.1

Compare Source

Bug Fixes

• add CJS support for Node.js 22.12+ (#​120) (eef0aa0)

v5.0.0

Compare Source

⚠ BREAKING CHANGES

• ESM rewrite, named exports, async + async-generator transforms, /web subpath (#​118)

Features

• ESM rewrite, named exports, async + async-generator transforms, /web subpath (#​118) (dd40259)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cursor]

Stale comment

Security review — no findings

Scope: through2 ^4.0.2 → ^5.0.0 (5.0.1 resolved) in web/package.json / web/package-lock.json only.

Assessment: No medium, high, or critical vulnerabilities identified in this change.

Reviewed attack surface:

• through2 is a devDependency used only by the build-time Gulp plugin web/gulp-gpt-translate.js (through.obj stream for i18n translation). It is not part of the production runtime bundle.
• Inputs to the transform are local source files and developer/CI-controlled OPENAI_API_KEY — not attacker-controlled production input.
• No known CVEs reported for through2@5.0.1 or its new transitive dependency readable-stream@4.7.0.
• npm audit reports no issues involving through2 or readable-stream.
• Package integrity hashes are present for the resolved tarball.

Prior threads: No earlier automation security-review threads on this PR.

Note (non-security): through2 v5 is ESM-first; existing require('through2') call sites may need .default on older Node versions. That is a build-compatibility concern, not an exploitable security issue.

  

_{Sent by Cursor Automation: Find vulnerabilities}

[cursor]

Security review — no findings

Scope: through2 ^4.0.2 → ^5.0.0 (5.0.1 resolved) in web/package.json / web/package-lock.json only.

Assessment: No medium, high, or critical vulnerabilities identified in this change.

Reviewed attack surface:

• through2 is a devDependency used only by the build-time Gulp plugin web/gulp-gpt-translate.js (through.obj stream transform for i18n translation). It is not part of the production runtime bundle.
• Inputs to the transform are local source files (src/lang/en.js) and developer/CI-controlled OPENAI_API_KEY — not attacker-controlled production input.
• No known CVEs reported for through2@5.0.1 or its new transitive dependency readable-stream@4.7.0.
• npm audit reports no issues involving through2 or readable-stream.
• Package integrity hashes are present for the resolved tarball.

Prior threads: No unresolved automation security-review threads on this PR.

Note (non-security): through2 v5 is ESM-first; existing require('through2') call sites may need .default on older Node versions. That is a build-compatibility concern, not an exploitable security issue.

  

_{Sent by Cursor Automation: Find vulnerabilities}