[STUD-4406] Bump fsevents from 1.2.4 to 1.2.13#11

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/fsevents-1.2.13

Conversation

@dependabot dependabot Bot commented on behalf of github Oct 10, 2023

Summary

  • Bumps the fork's locked fsevents development dependency from 1.2.4 to 1.2.13 via package-lock.json.
  • Keeps the package on the fsevents 1.x line because the current build toolchain resolves it through chokidar@1.7.0, which declares fsevents:^1.0.0.
  • Removes the old node-pre-gyp subtree that was pulled by fsevents@1.2.4; fsevents@1.2.13 uses bindings + nan instead.

Why not fsevents 2.x here?

fsevents@2.3.3 is the npm latest release, but it is not a drop-in lockfile bump for this fork. The dependency path is:

webpack@1.15.0 -> watchpack@0.2.9 -> chokidar@1.7.0 -> fsevents:^1.0.0

Moving to fsevents@2.x cleanly would require updating the fork's legacy build/watch stack, especially webpack@1 / watchpack@0 / chokidar@1. That is a larger modernization than this security patch and carries more build risk.

Analysis: migrating off this fork

The consuming repo, Workiva/oc-builder, currently imports a fork-only named export:

import { MouseBackend } from 'react-dnd-mouse-backend'

The original npm package exposes a default backend factory instead:

import MouseBackend from 'react-dnd-mouse-backend'

So replacing the fork with upstream react-dnd-mouse-backend@1.0.0-rc.2 would require at least an import change in packages/onecloud-io/src/containers/DragDropProvider/DragDropProvider.js.

However, the fork is not only an export-shape change. It also carries behavior changes that may be relevant to Chain Builder drag/drop parity:

  • nested drag source and nested drop target fixes
  • native drag handling fixes
  • accidental drag threshold handling
  • right-click handling
  • escape-key drag cancellation
  • click propagation behavior, including Workiva's "Remove call to stop propagation" change
  • built lib/ output committed for the GitHub dependency path

Because of that, removing the fork should be treated as a follow-up migration rather than part of this dependency patch. A safe migration path would be:

  1. Add focused regression coverage in oc-builder around Chain Builder drag/drop behavior: drag start threshold, nested drop targets, escape cancel, right-click ignore, native/file-like drag handling if still supported, and click propagation around nodes/menus.
  2. Try swapping DragDropProvider to the upstream default export and run the regression suite plus manual Chain Builder smoke tests.
  3. If upstream behavior differs, prefer a small local adapter/backend wrapper in oc-builder over continuing to publish a separate fork. That would preserve behavioral parity where needed while making the dependency graph explicit in the consuming app.
  4. If the raw backend class remains required by react-dnd-multi-backend, evaluate whether the adapter can wrap the upstream default factory or whether updating the DnD stack is the better long-term path.

Validation

  • npm ci succeeds on this branch.
  • npm run build succeeds and rebuilds lib/ / UMD output without diffs.
  • npm run lint still fails on pre-existing style issues, mostly semi errors in source files and a few existing warnings. This branch only changes package-lock.json, so those lint failures are not introduced by this dependency bump.

Follow-up

After this PR merges, update oc-builder's pnpm-lock.yaml to point github:Workiva/react-dnd-mouse-backend at the merged fork commit.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [fsevents](https://github.com/fsevents/fsevents) from 1.2.4 to 1.2.13.
- [Release notes](https://github.com/fsevents/fsevents/releases)
- [Commits](fsevents/fsevents@v1.2.4...v1.2.13)

---
updated-dependencies:
- dependency-name: fsevents
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
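The dependency chain quoted in the description (webpack -> watchpack -> chokidar -> fsevents) can be checked mechanically against the lockfile instead of by hand. The script below is an added illustration, not code from this PR or from the react-dnd-mouse-backend repository. It walks a lockfileVersion 1 package-lock.json (the nested `dependencies` tree that npm 5/6 writes), resolves each `requires` entry the way npm does (innermost nested scope first, then outward to the root), and reports every chain that ends at a target package together with any chain whose resolved copy is below a minimum version. The lockfile object is constructed to mirror the chain named above; the `old-watcher` package and its nested fsevents@1.2.4 copy are hypothetical, included to show how a top-level bump can leave an older duplicate reachable deeper in the tree.

```javascript
// Added example: walk a lockfileVersion 1 package-lock.json and report every
// resolved dependency chain that ends at a target package, flagging chains whose
// resolved version is below a minimum. Not the repository's own tooling.

// Constructed lockfile fragment. Versions mirror the chain in the PR text;
// "old-watcher" and its nested fsevents@1.2.4 copy are hypothetical.
const sampleLock = {
  name: 'react-dnd-mouse-backend',
  lockfileVersion: 1,
  dependencies: {
    webpack:   { version: '1.15.0', dev: true, requires: { watchpack: '^0.2.9' } },
    watchpack: { version: '0.2.9',  dev: true, requires: { chokidar: '^1.0.0' } },
    chokidar:  { version: '1.7.0',  dev: true, optional: true, requires: { fsevents: '^1.0.0' } },
    // fsevents 1.2.13 depends on bindings + nan (ranges here are illustrative)
    fsevents:  { version: '1.2.13', dev: true, optional: true, requires: { bindings: '^1.5.0', nan: '^2.12.1' } },
    bindings:  { version: '1.5.0',  dev: true, optional: true },
    nan:       { version: '2.14.2', dev: true, optional: true },
    // hypothetical package carrying its own nested, older fsevents copy
    'old-watcher': {
      version: '0.1.0', dev: true, requires: { fsevents: '~1.2.0' },
      dependencies: { fsevents: { version: '1.2.4', dev: true, optional: true } },
    },
  },
};

// npm resolution order: the nearest nested "dependencies" scope wins, then each
// enclosing scope up to the lockfile root.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) return scopes[i][name];
  }
  return null;
}

// Returns every chain (as ["name@version", ...]) from a root-level package that
// nothing else requires down to the target package.
function findDependencyPaths(lock, target) {
  const root = lock.dependencies || {};
  const requiredBy = new Set();
  const collect = (deps) => {
    for (const node of Object.values(deps)) {
      for (const req of Object.keys(node.requires || {})) requiredBy.add(req);
      if (node.dependencies) collect(node.dependencies);
    }
  };
  collect(root);

  const results = [];
  const walk = (name, node, scopes, path) => {
    const label = `${name}@${node.version}`;
    if (path.includes(label)) return; // cycle guard
    const next = path.concat(label);
    if (name === target) { results.push(next); return; }
    // a node's own nested dependencies shadow outer scopes for its requires
    const childScopes = node.dependencies ? scopes.concat(node.dependencies) : scopes;
    for (const req of Object.keys(node.requires || {})) {
      const child = resolve(req, childScopes);
      if (child) walk(req, child, childScopes, next);
    }
  };
  for (const [name, node] of Object.entries(root)) {
    if (!requiredBy.has(name)) walk(name, node, [root], []);
  }
  return results;
}

// Minimal numeric semver comparison (prerelease suffixes are ignored).
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Reports all chains to `target` and those resolving below `minVersion`.
function checkMinVersion(lock, target, minVersion) {
  const paths = findDependencyPaths(lock, target);
  const violations = paths.filter((p) => {
    const version = p[p.length - 1].slice(target.length + 1);
    return compareVersions(version, minVersion) < 0;
  });
  return { paths, violations };
}

function formatReport(lock, target, minVersion) {
  const { paths, violations } = checkMinVersion(lock, target, minVersion);
  const lines = paths.map((p) => `  ${p.join(' -> ')}`);
  lines.push(`${violations.length} chain(s) resolve ${target} below ${minVersion}`);
  return lines.join('\n');
}

console.log(formatReport(sampleLock, 'fsevents', '1.2.13'));
```

Run with `node` against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty `violations` list means a nested copy still pins the old version and a top-level bump alone did not fix it. Lockfile versions 2 and 3 use a flat `packages` map keyed by path and need a different walker.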
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Oct 10, 2023
@aviary3-wk

Security Insights

No security relevant content was detected by automated scans.

Action Items

  • Review PR for security impact; comment "security review required" if needed or unsure
  • Verify aviary.yaml coverage of security relevant code

Questions or Comments? Reach out on Slack: #support-infosec.

@waynepaffhausen-wk waynepaffhausen-wk changed the title Bump fsevents from 1.2.4 to 1.2.13 [STUD-4406] Bump fsevents from 1.2.4 to 1.2.13 Oct 10, 2023
dependabot Bot commented on behalf of github Jun 24, 2026


OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@kevinbrock-wk kevinbrock-wk reopened this Jun 24, 2026
@kevinbrock-wk

Added notes on fork remediation and version bump to latest patch instead of 2.x. We likely still need this fork, but should at least move to fsevents v2. Putting it on a list of repos to better maintain.
