chore: prebuild-install@7.1.3 deprecated transitive dependency via better-sqlite3 #519

@sonukapoor

Summary

prebuild-install@7.1.3 is flagged as deprecated on npm:

No longer maintained. Please contact the author of the relevant native addon; alternatives are available.

This package is a transitive dependency — it is not a direct dependency of CVE Lite CLI. It is pulled in by better-sqlite3, which CVE Lite CLI uses for the local offline advisory database.

Why we are not fixing this now

The deprecation is in better-sqlite3, not in CVE Lite CLI. As of better-sqlite3@12.10.0 (the latest release), the package still depends on prebuild-install@^7.1.1. Upgrading our pin has no effect.

The alternatives require meaningful tradeoffs:

  • node:sqlite (Node.js built-in) — only available in Node 22.5+; our engine requirement is >=18, so this would be a breaking change for Node 18/20 users.
  • @sqlite.org/sqlite-wasm — async-only API; our local advisory DB layer uses synchronous calls and would require a rewrite.

The deprecation produces a warning during npm install but has no runtime impact and is not a security issue.

When this should be revisited

  • If better-sqlite3 releases a version that drops prebuild-install
  • If CVE Lite CLI bumps its minimum Node.js requirement to 22.5+, making node:sqlite viable
  • If prebuild-install introduces a security vulnerability
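
The first two revisit conditions above can be checked mechanically from `package-lock.json` and `package.json`. This is an added example, not code from the issue or from CVE Lite CLI; the function names and the sample lockfile and manifest are constructed, and the engines parser assumes a simple `>=X.Y` lower bound. The third condition needs an advisory lookup and is not covered here.

```javascript
// Added example (not project code). Inputs are parsed package-lock.json (v2/v3) and package.json.
const TARGET = "prebuild-install";

// Packages in the lockfile's "packages" map that declare `target` as a dependency.
function dependentsOf(lock, target = TARGET) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (target in deps) {
      // "" is the root project; otherwise take the name after the last node_modules/.
      const name = path === "" ? "(root)" : path.split("node_modules/").pop();
      out.push({ name, version: meta.version, range: deps[target] });
    }
  }
  return out;
}

// Assumption: engines.node is a plain lower bound such as ">=18" or ">=22.5".
function minNode(range) {
  const m = /^>=\s*(\d+)(?:\.(\d+))?/.exec(range || "");
  return m ? [Number(m[1]), Number(m[2] || 0)] : null;
}

// Evaluates the two lockfile/manifest-based revisit conditions.
function revisit(lock, pkg) {
  const dependents = dependentsOf(lock);
  const min = minNode(pkg.engines && pkg.engines.node);
  return {
    dependents,
    // True once better-sqlite3 no longer pulls in prebuild-install.
    droppedByBetterSqlite3: !dependents.some((d) => d.name === "better-sqlite3"),
    // True once the minimum supported Node is 22.5+, making node:sqlite viable.
    nodeSqliteViable: !!min && (min[0] > 22 || (min[0] === 22 && min[1] >= 5)),
  };
}

// Constructed sample data mirroring the versions named in the issue.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "example-cli", dependencies: { "better-sqlite3": "12.10.0" } },
  "node_modules/better-sqlite3": {
    version: "12.10.0", dependencies: { "prebuild-install": "^7.1.1" } },
  "node_modules/prebuild-install": { version: "7.1.3" },
} };
const samplePkg = { engines: { node: ">=18" } };

console.log(revisit(sampleLock, samplePkg));
```

Run in CI against the real lockfile, a change in either boolean signals that the issue should be reopened.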

Labels: wontfix (This will not be worked on)
