@joseharriaga
Collaborator

The vulnerability in the test-exclude package (which was pulling in the old glob version) has been resolved by updating c8 to the latest version and applying package overrides to ensure glob 11.1.0 is used throughout the dependency tree.

  1. Updated codegen/package.json:
  • Updated c8 from ^9.1.0 to ^10.1.3 (latest version)

  • Updated other dependencies too.

  2. Updated package.json:
  • Added an overrides section to force glob to version ^11.1.0

Verification:
npm audit now reports 0 vulnerabilities
glob has been updated from 7.2.3 (vulnerable) to 11.1.0 (secure)
✅ All transitive dependencies have been properly updated

@joseharriaga joseharriaga changed the title [Dependencies] Override glob version to fix vulnerability [Dependencies] Override glob version to fix dev dependency vulnerability Nov 18, 2025
@joseharriaga joseharriaga requested a review from Copilot November 18, 2025 04:09
Copilot finished reviewing on behalf of joseharriaga November 18, 2025 04:11
Copilot AI left a comment

Pull Request Overview

This PR addresses a security vulnerability by updating the glob package from version 7.2.3 to 11.1.0 through package overrides. The update involves major version bumps to multiple dev dependencies including c8 (9.1.0 → 10.1.3), vitest (1.4.0 → 4.0.10), and vite (5.4.21 → 7.2.2).

Key Changes

  • Added npm overrides to force glob to version ^11.1.0 throughout the dependency tree
  • Updated multiple dev dependencies to their latest major versions to support the glob override
  • Removed copyfiles dependency from codegen package

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File | Description
package.json | Added overrides section to force glob 11.1.0 across all dependencies
codegen/package.json | Updated c8, vitest, rimraf, and removed copyfiles; reordered dependencies alphabetically
package-lock.json | Reflects all dependency updates with glob now at 11.1.0 and major version bumps for vitest (1→4), vite (5→7), c8 (9→10), and rimraf (5→6)

Copilot AI (Contributor) commented Nov 18, 2025

@joseharriaga I've opened a new pull request, #842, to work on those changes. Once the pull request is ready, I'll request review from you.

@jsquire (Collaborator) left a comment

LGTM, but I'd appreciate a look from @JoshLove-msft, as the authoritative voice.

@JoshLove-msft (Collaborator)

Seems okay to me but just curious if npm audit fix wouldn't be sufficient here.

@joseharriaga (Collaborator, Author)

> Seems okay to me but just curious if npm audit fix wouldn't be sufficient here.

@JoshLove-msft : The problem was that c8 was pulling in test-exclude which was pulling in the problematic version of glob. The latest version of test-exclude still depends on a vulnerable version of glob, which is why npm audit fix wasn't able to fix it and why the manual override was needed.

@joseharriaga joseharriaga merged commit 8a69e1d into main Nov 19, 2025
8 checks passed
@joseharriaga joseharriaga deleted the joseharriaga/glob branch November 19, 2025 22:58