
Conversation

@adamenveil

licensee is currently using a very old version of @npmcli/arborist, which pulls in a vulnerable version of glob.

GHSA-5j98-mcp5-4vw2

Bumping arborist to the latest version, 9.1.7

@ericcornelissen
Contributor

To provide an update on this: GHSA-5j98-mcp5-4vw2 has been resolved for @npmcli/arborist with the release of glob@10.5.0 for some time now.

However, GHSA-8qq5-rm4j-mr97 re-introduces the need for this upgrade due to the transitive dependency on tar@6.2.1. It's unclear to me whether licensee is actually affected by the vulnerability though.

`-- licensee@11.1.1
  `-- @npmcli/arborist@7.5.4
    +-- @npmcli/run-script@8.1.0
    | `-- node-gyp@10.3.1
    |   `-- tar@6.2.1
    +-- cacache@18.0.4
    | `-- tar@6.2.1
    `-- pacote@18.0.6
      `-- tar@6.2.1

For the purposes of GHSA-8qq5-rm4j-mr97, @npmcli/arborist only has to be bumped to 9.1.5 or higher. Nevertheless, that needs "node": "^20.17.0 || >=22.9.0" whereas licensee has "node": "^18.12 || ^20.9 || >= 22.7", thus requiring a major version bump to resolve.

@kemitchell @ljharb it's unclear to me what justified bumping the supported engines last time (in #96) but I'd ask you to consider[1] bumping it again in order to upgrade @npmcli/arborist.

If not, that's fine by me and I'd just be happy to have the decision recorded publicly 🙂

Footnotes

  [1] with admittedly low expectations.
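The two checks the comment above does by hand, as an added example (not code from the licensee project, the PR, or either commenter): walk a dependency tree to list every path that reaches a `tar` below some fixed version, and compare two `engines` ranges to find the Node releases one side promises to support that the other would refuse. The tree is constructed from the `npm ls`-style output in the comment rather than read from a real package-lock.json, the `7.0.0` threshold and the list of Node releases are illustrative assumptions (the real fixed version comes from the advisory), and the range evaluator only understands the `^`, `>=` and `||` forms that actually appear in the two engines strings.

```javascript
"use strict";

// Constructed dependency tree mirroring the `npm ls` output quoted in the comment.
const TREE = {
  name: "licensee", version: "11.1.1", dependencies: [
    { name: "@npmcli/arborist", version: "7.5.4", dependencies: [
      { name: "@npmcli/run-script", version: "8.1.0", dependencies: [
        { name: "node-gyp", version: "10.3.1", dependencies: [
          { name: "tar", version: "6.2.1", dependencies: [] } ] } ] },
      { name: "cacache", version: "18.0.4", dependencies: [
        { name: "tar", version: "6.2.1", dependencies: [] } ] },
      { name: "pacote", version: "18.0.6", dependencies: [
        { name: "tar", version: "6.2.1", dependencies: [] } ] } ] } ] };

// Parse "major.minor.patch"; missing parts default to 0, so "22.7" means 22.7.0.
function parseVersion(v) {
  const [maj, min = 0, pat = 0] = v.trim().split(".").map(Number);
  return [maj, min, pat];
}

// Three-way numeric comparison of two version strings (no prerelease handling).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Every root-to-leaf path that ends in `pkg` at a version below `fixedIn`.
// Each path is an array of "name@version" strings, root first.
function findVulnerablePaths(tree, pkg, fixedIn) {
  const hits = [];
  (function walk(node, path) {
    const here = [...path, `${node.name}@${node.version}`];
    if (node.name === pkg && compareVersions(node.version, fixedIn) < 0) hits.push(here);
    for (const dep of node.dependencies) walk(dep, here);
  })(tree, []);
  return hits;
}

// Evaluate the subset of semver range syntax used in the two engines strings:
// "^x.y.z" (same major, at least x.y.z), ">=x.y" and "||" between clauses.
function satisfies(version, range) {
  return range.split("||").some((clause) => {
    const c = clause.trim();
    if (c.startsWith("^")) {
      const base = c.slice(1);
      return compareVersions(version, base) >= 0 &&
        parseVersion(version)[0] === parseVersion(base)[0];
    }
    if (c.startsWith(">=")) return compareVersions(version, c.slice(2)) >= 0;
    throw new Error(`unsupported range clause: ${c}`);
  });
}

// Node releases accepted by `supported` but rejected by `required`: these are the
// versions a project advertises support for that the upgraded dependency would refuse.
function enginesGap(supported, required, candidates) {
  return candidates.filter((v) => satisfies(v, supported) && !satisfies(v, required));
}

const LICENSEE_ENGINES = "^18.12 || ^20.9 || >= 22.7";   // from the comment
const ARBORIST_ENGINES = "^20.17.0 || >=22.9.0";         // from the comment
// Illustrative sample of Node releases, constructed for this example.
const NODE_RELEASES = ["18.12.0", "18.20.4", "20.9.0", "20.17.0", "22.7.0", "22.9.0"];
// Assumed threshold for illustration only; take the real fixed version from the advisory.
const ASSUMED_TAR_FIXED_IN = "7.0.0";

const VULNERABLE_PATHS = findVulnerablePaths(TREE, "tar", ASSUMED_TAR_FIXED_IN);
const ENGINES_GAP = enginesGap(LICENSEE_ENGINES, ARBORIST_ENGINES, NODE_RELEASES);

for (const p of VULNERABLE_PATHS) console.log(p.join(" -> "));
console.log("supported by licensee but refused by arborist 9.1.5+:", ENGINES_GAP.join(", "));
```

Run with `node`. The path listing shows all three routes to `tar@6.2.1`, which is what an `npm audit` signature or `npm ls tar` would report; whether any of those routes is actually reachable with attacker-controlled input is the separate question the comment leaves open. The engines comparison is the check worth automating before a major bump: a non-empty gap means the upgrade silently drops support for versions still listed in `package.json`.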
