fix(security): supply-chain hygiene — mocha to devDeps, pin Semgrep image, add files allowlist [APS-19017]

INF-005: remove mocha from dependencies (kept in devDependencies); CLI loads mocha from user project via requireModule(), prod copy unnecessary. npm ls mocha --omit=dev now empty.

INF-007: pin Semgrep CI image returntocorp/semgrep -> @sha256:f4791a54c891eabe1188248135574e6e03dfc31dfd3f3b747c7bec7079bfed1b (latest as of 2026-06-15).

INF-008: add package.json files allowlist [bin/, README.md, LICENSE.md] so npm pack no longer ships .github/, CODEOWNERS, .nycrc.yml, test/. Verified via npm pack --dry-run.

NOT applied: CSL-003 md5->sha256 (constants.js) — behavioral change to upload-dedup hash; needs human sign-off.

Resolves: APS-19017

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: Rohan Nagariya

.github/workflows/Semgrep.yml

@@ -27,7 +27,9 @@ jobs:
 
     container:
       # A Docker image with Semgrep installed. Do not change this.
-      image: returntocorp/semgrep
+      # Pinned to a digest for supply-chain integrity (APS-19017 / INF-007).
+      # returntocorp/semgrep:latest as of 2026-06-15.
+      image: returntocorp/semgrep@sha256:f4791a54c891eabe1188248135574e6e03dfc31dfd3f3b747c7bec7079bfed1b
 
     # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')

package.json

@@ -3,6 +3,11 @@
   "version": "1.36.9",
   "description": "BrowserStack Cypress CLI for Cypress integration with BrowserStack's remote devices.",
   "main": "index.js",
+  "files": [
+    "bin/",
+    "README.md",
+    "LICENSE.md"
+  ],
   "scripts": {
     "test": "nyc mocha 'test/**/*.js' --recursive --timeout 60000 --exit"
   },
@@ -30,7 +35,6 @@
     "glob": "^7.2.0",
     "https-proxy-agent": "^5.0.1",
     "mkdirp": "1.0.4",
-    "mocha": "^10.2.0",
     "node-ipc": "9.1.1",
     "table": "5.4.6",
     "tsc-alias": "^1.8.16",