refactor(deps): replace mkdirp, uuid, tmp with node builtins

[parker-snyk]

• Ready for review
• Follows CONTRIBUTING rules
• Reviewed by Snyk internal team

What does this PR do?

Removes mkdirp, uuid, and tmp from dependencies and uses native Node built-ins (fs, crypto, os) instead. Since the minimum supported Node version is 20.19, we can safely use features like fs.mkdirSync(..., { recursive: true }) and crypto.randomUUID().

Where should the reviewer start?

lib/analyzer/image-inspector.ts and lib/image-save-path.ts have the main functional changes. test/system/docker.spec.ts has a minor test fix to clean up temporary mock tarballs properly.

How should this be manually tested?

npm run test:system and npm run test:unit.

Any background context you want to provide?

This was prompted by a desire to trim down the dependency tree. Moving off of tmp also forced us to be explicit about test cleanup, avoiding silent file leaks in /tmp during the test suite.

What are the relevant tickets?

CN-1003

Screenshots

N/A

Additional questions

None

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review ReferenceError in tests 🟠 [major] The variable crypto is used at line 175 to generate a random UUID, but it has not been imported into the file. Unlike process, the crypto module is not a global in Node.js and requires an explicit import * as crypto from 'crypto' or import { randomUUID } from 'crypto'. This will cause the test suite to crash with a ReferenceError: crypto is not defined. `snyk-docker-plugin-test-${crypto.randomUUID()}.tar`, Resource Leak in Tests 🟠 [major] In the tests starting at line 154 and 186, customPath is created as a temporary directory using fs.mkdtempSync, but the cleanup via fs.rmSync is placed at the end of the it block. If any expect() assertion fails earlier in the test, the cleanup line will be skipped, leading to persistent temporary directories left on the host system. This contradicts the PR goal of avoiding silent file leaks. These paths should be cleaned up in a try...finally block or handled via the afterEach hook. fs.rmSync(customPath, { recursive: true, force: true });

📚 Repository Context Analyzed This review considered 15 relevant code sections from 8 files (average relevance: 0.69) package-lock.json (7 segments, lines 13561-13762) lib/analyzer/static-analyzer.ts (lines 1-89) lib/docker.ts (lines 1-186) lib/analyzer/image-inspector.ts (2 segments, lines 1-283) lib/analyzer/applications/node-modules-utils.ts (lines 1-248) lib/image-save-path.ts (lines 1-13) package.json (lines 1-98) ... and 1 more file(s)