fix: bump global-agent to 4.1.3 to drop deprecated boolean dep #6905

Draft: danskmt wants to merge 1 commit into main from fix/CLI-1417-update-global-agent-remove-boolean

danskmt (Contributor) commented Jun 15, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Bumps global-agent from 2.2.0/3.0.0 to 4.1.3 in both the root CLI and the ts-binary-wrapper, removing the deprecated boolean transitive dependency that triggered npm WARN deprecated boolean@3.2.0: Package no longer supported on npm i -g snyk. boolean (and roarr) were only fully dropped starting at global-agent@4.1.x, and 4.1.3 is the only 4.1.x with a working published dist.

Changes:

  • package.json: global-agent ^2.1.12 -> ^4.1.3, add @types/global-agent devDependency (v4.1.3's typings field points to a non-existent path).
  • ts-binary-wrapper/package.json: global-agent ^3.0.0 -> ^4.1.3, add @types/global-agent devDependency.
  • ts-binary-wrapper/src/common.ts: v4 removed the global-agent/bootstrap subpath, so swap import 'global-agent/bootstrap' for import { bootstrap } from 'global-agent' + an explicit bootstrap() call (proxy env vars are still set first).
  • Delete patches/global-agent+2.2.0.patch: the socketPath bypass it added is now upstream in 4.1.3 (keeping it fails patch-package due to the version mismatch).
  • Regenerate both package-lock.json files.

The process-wide proxy injection in src/lib/request and src/lib/plugins/sast is unchanged — same bootstrap({ environmentVariableNamespace: '' }) behavior, just on a boolean-free version.

Why bump instead of removing global-agent?

Removing global-agent entirely (the CLI-859 axios approach) was deliberately kept out of scope because of its impact:

  • global-agent.bootstrap() monkey-patches Node's global http/https, giving process-wide proxy coverage. Many components rely on this indirectly — needle API calls, @snyk/code-client (a third-party lib you cannot pass an agent to), Sentry, analytics, etc.
  • Replacing it per-call-site risks silently dropping proxy support for some of those paths, and a correct removal means swapping in another global mechanism plus full proxy regression testing (HTTP, HTTPS CONNECT tunneling, auth-in-URL, NO_PROXY, ignoreUnknownCA, Snyk Code, broker/LCE).
  • The original CLI-859 blocker (axios raising the min Node to 12.17.0) is now moot since the CLI requires Node ^22 || ^24, but the proxy-architecture risk above remains.

Bumping to 4.1.3 clears the deprecation warning with zero proxy-behavior change, and full removal can be tackled separately under CLI-859 with dedicated proxy testing.

Where should the reviewer start?

  • ts-binary-wrapper/src/common.ts - the v4 bootstrap import change
  • package.json / ts-binary-wrapper/package.json - version bumps + @types/global-agent
  • Deletion of patches/global-agent+2.2.0.patch (socketPath fix now upstream)

How should this be manually tested?

  1. Build and pack the npm artifact, then npm i -g ./snyk.tgz and confirm there is no boolean@3.x deprecation warning.
  2. npm ls boolean returns nothing in both the root and ts-binary-wrapper.
  3. Run the CLI behind an HTTP/HTTPS proxy (HTTPS_PROXY / NO_PROXY) and confirm requests + Snyk Code still route through the proxy.

Automated coverage (existing): test/tap/proxy.test.js (10/10 pass) exercises the request.ts global-agent path, and ts-binary-wrapper/test/unit/common.spec.ts (26/26 pass) covers the binary-download path after bootstrap().

What's the product update that needs to be communicated to CLI users?

None directly user-facing beyond removing the deprecation warning shown during npm i -g snyk.

Risk assessment (Low | Medium | High)?

Low. Dependency bump with an unchanged public proxy API; the custom socketPath patch is now upstream. Proxy and binary-download behavior verified by existing test suites.

Any background context you want to provide?

global-agent@3.0.0 still depends on boolean directly and via roarr; 4.0.0 still pulls boolean via roarr@7; 4.1.0-4.1.2 are broken publishes shipping no dist. 4.1.3 is the first installable release without boolean. Fully removing global-agent from the main CLI (CLI-859, axios-based) remains separate, larger follow-up work that needs full proxy regression testing.

What are the relevant tickets?

CLI-1417

Screenshots (if appropriate)

N/A
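
The `npm ls boolean` check from the manual test steps above, applied directly to a `package-lock.json`, as an added example that is not part of this PR or the CLI code base. The function names and both lockfiles are constructed for illustration (dependency lists are trimmed and the `roarr` version is a placeholder); the `packages` map is the lockfileVersion 2/3 layout.

```javascript
// Added example, not project code. Lockfile contents below are constructed.
const PREFIX = 'node_modules/';

// Resolve `name` as seen from the package at `fromPath`, the way Node does:
// nearest node_modules first, then each enclosing one up to the root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + PREFIX + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/' + PREFIX);
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Return every installed copy of `target` with the packages that require it.
function findInstalls(lock, target) {
  const packages = lock.packages || {};
  const hits = new Map();
  for (const [path, meta] of Object.entries(packages)) {
    if (path === PREFIX + target || path.endsWith('/' + PREFIX + target)) {
      hits.set(path, { path, version: meta.version,
        deprecated: meta.deprecated || null, requiredBy: [] });
    }
  }
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (!(target in deps)) continue;
    const hit = hits.get(resolveDep(packages, path, target));
    const name = path ? path.slice(path.lastIndexOf(PREFIX) + PREFIX.length)
                      : meta.name || '(root)';
    if (hit) hit.requiredBy.push(`${name}@${meta.version}`);
  }
  return [...hits.values()];
}

// Constructed lockfiles (lockfileVersion 3 shape), trimmed to relevant edges.
const before = { lockfileVersion: 3, packages: {
  '': { name: 'wrapper', version: '1.0.0', dependencies: { 'global-agent': '^3.0.0' } },
  'node_modules/global-agent': { version: '3.0.0',
    dependencies: { boolean: '^3.0.1', roarr: '^2.15.3' } },
  'node_modules/roarr': { version: '2.15.4', dependencies: { boolean: '^3.0.1' } },
  'node_modules/boolean': { version: '3.2.0', deprecated: 'Package no longer supported' },
} };
const after = { lockfileVersion: 3, packages: {
  '': { name: 'wrapper', version: '1.0.0', dependencies: { 'global-agent': '^4.1.3' } },
  'node_modules/global-agent': { version: '4.1.3' },
} };

console.log(JSON.stringify(findInstalls(before, 'boolean'), null, 2));
console.log(findInstalls(after, 'boolean').length === 0 ? 'boolean absent' : 'boolean present');
```

Run against both the root and `ts-binary-wrapper` lockfiles in CI, a non-empty result for `boolean` would flag a regression before the deprecation warning reaches users.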

snyk-io Bot commented Jun 15, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues
        Code Security         0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

github-actions Bot (Contributor) commented Jun 15, 2026

Warnings

⚠️ Since the CLI is unifying on a standard and improved tooling, we're starting to migrate old-style imports and exports to ES6 ones.
A file you've modified is using either module.exports or require(). If you can, please update them to ES6 import syntax and export syntax.
Files found:

  • ts-binary-wrapper/src/common.ts

Generated by 🚫 dangerJS against c843efb

danskmt force-pushed the fix/CLI-1417-update-global-agent-remove-boolean branch from 653e303 to c843efb on June 16, 2026 09:21