fix(deps): override vulnerable transitive dependencies #2786

Merged
davydkov merged 1 commit into main from fix/dependabot-security-overrides, Mar 20, 2026

Conversation

@davydkov

@davydkov davydkov commented Mar 20, 2026

Member

Summary

  • Add pnpm overrides for all open Dependabot security alerts (flatted, h3, undici, devalue, svgo, express-rate-limit, rollup, minimatch)
  • Uses scoped overrides for minimatch to stay within respective major versions (3.x, 5.x, 9.x)
  • Build verified locally — 25/25 tasks pass

Test plan

  • pnpm install resolves without errors
  • pnpm build passes (25/25 tasks)
  • CI passes

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated and pinned multiple package dependency versions to improve overall project stability and ensure consistent compatibility across the dependency tree.

Add pnpm overrides for Dependabot security alerts:
- flatted >=3.4.2 (prototype pollution)
- h3 >=1.15.6 (SSE injection, path traversal)
- undici >=7.24.0 (WebSocket DoS, CRLF injection, smuggling)
- devalue >=5.6.4 (prototype pollution)
- svgo >=4.0.1 (billion laughs DoS)
- express-rate-limit >=8.2.2 (IPv4-mapped IPv6 bypass)
- rollup >=4.59.0 (path traversal)
- minimatch scoped overrides for 3.x/5.x/9.x (ReDoS)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@changeset-bot

changeset-bot Bot commented Mar 20, 2026


⚠️ No Changeset found

Latest commit: baab87d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai

coderabbitai Bot commented Mar 20, 2026

Contributor
Walkthrough

Added explicit version constraints to pnpm.overrides for transitive dependencies including flatted, h3, undici, devalue, svgo, express-rate-limit, and rollup, plus scoped minimatch overrides across @microsoft/api-extractor, vscode-languageclient, @ts-morph/common, and @vue/language-core.

Changes

Cohort / File(s) / Summary

  • Dependency version overrides (package.json): Added 7 new transitive dependency overrides and 4 scoped minimatch overrides to pnpm.overrides to enforce specific versions and prevent version conflicts. Existing mnemonist override retained.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Hops through the packages with care,
Pinning down versions here and there,
No more floating, no more doubt,
Dependencies locked—hop, hop, about!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. The description provides a clear summary of the changes and test verification, but does not follow the required template with the checklist items. Resolution: consider using the provided template by including the checklist section to ensure consistency with repository contribution guidelines.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The title accurately and concisely summarizes the main change: adding pnpm overrides for vulnerable transitive dependencies.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (1)
package.json (1)

87-93: Use caret ranges (^) instead of unbounded >= for security overrides.

Using >= allows future major versions during re-resolution, increasing break risk. Major-bounded ranges like ^7.24.0 are the recommended pattern per official pnpm audit documentation and limit to the current major version while allowing patches and minor updates.

Suggested change
-      "flatted": ">=3.4.2",
-      "h3": ">=1.15.6",
-      "undici": ">=7.24.0",
-      "devalue": ">=5.6.4",
-      "svgo": ">=4.0.1",
-      "express-rate-limit": ">=8.2.2",
-      "rollup": ">=4.59.0",
+      "flatted": "^3.4.2",
+      "h3": "^1.15.6",
+      "undici": "^7.24.0",
+      "devalue": "^5.6.4",
+      "svgo": "^4.0.1",
+      "express-rate-limit": "^8.2.2",
+      "rollup": "^4.59.0",
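Review bot: Switching lines 87-93 to caret ranges caps each override at its current major, but neither form shows whether the override actually took effect, because pnpm-lock.yaml is excluded from this review by the path filter and the install-time resolution is what pins the version. Before merging, confirm the resolved versions against the floors in the description with `pnpm why undici` (and the other six) or a post-install `pnpm audit`, since an override whose range no published version satisfies, or one that pnpm could not apply, leaves the alert open while the range looks fixed. The four scoped minimatch overrides are outside this hunk and are already major-bound (3.x/5.x/9.x per the description), so they need no change here.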
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 87 - 93, The dependency ranges in package.json use
unbounded ">=" (e.g., entries for "flatted", "h3", "undici", "devalue", "svgo",
"express-rate-limit", "rollup"), which allows automatic upgrades to future major
versions; change each of those entries to caret ranges (e.g., "^3.4.2",
"^1.15.6", "^7.24.0", "^5.6.4", "^4.0.1", "^8.2.2", "^4.59.0") so updates remain
bounded to the current major while still allowing minor/patch updates per pnpm
guidance.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d1143f1f-a97b-474a-9946-0f99641819d3

📥 Commits

Reviewing files that changed from the base of the PR and between 16386c5 and baab87d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json
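The PR description lists a minimum version per package, plus scoped minimatch overrides, and the review above argues for caret ranges over unbounded `>=`. The following is an added example, written for this page and not code from the likec4 project or from CodeRabbit: it mirrors the `pnpm.overrides` map (the seven floors are the ones quoted in the description; the four scoped minimatch ranges are assumptions, since the PR only says 3.x/5.x/9.x), checks each override against a constructed set of resolved versions standing in for pnpm-lock.yaml, and flags which overrides would admit a future major. The `auditOverrides` and `tightenOverrides` helpers, the sample `resolved` map, and the deliberately stale rollup entry are all invented for illustration.

```javascript
// Added example, not the likec4 project's code: audit a pnpm.overrides map
// against the versions the lockfile actually resolved, and flag unbounded
// ">=x.y.z" ranges. Supports only "x.y.z" versions and the two range shapes
// used on this page (">=x.y.z" and "^x.y.z"); no semver library is needed.

// Mirrors the "pnpm.overrides" field of package.json. Floors are the ones
// quoted in the PR description. Keys of the form "parent>child" are pnpm's
// selector for overriding a dependency only where that parent requires it;
// the four minimatch ranges below are assumed (the PR says only 3.x/5.x/9.x).
const overrides = {
  flatted: '>=3.4.2',
  h3: '>=1.15.6',
  undici: '>=7.24.0',
  devalue: '>=5.6.4',
  svgo: '>=4.0.1',
  'express-rate-limit': '>=8.2.2',
  rollup: '>=4.59.0',
  '@microsoft/api-extractor>minimatch': '^3.1.3', // assumed range
  'vscode-languageclient>minimatch': '^5.1.7',    // assumed range
  '@ts-morph/common>minimatch': '^9.0.6',         // assumed range
  '@vue/language-core>minimatch': '^9.0.6',       // assumed range
};

// Constructed sample of what pnpm-lock.yaml resolved for each selector (in
// practice you would read this from the lockfile or `pnpm why <pkg>`).
// rollup is deliberately one minor behind its floor to show a miss.
const resolved = {
  flatted: '3.4.2',
  h3: '1.15.6',
  undici: '7.24.0',
  devalue: '5.6.4',
  svgo: '4.0.1',
  'express-rate-limit': '8.2.2',
  rollup: '4.58.0', // stale: below the >=4.59.0 floor
  '@microsoft/api-extractor>minimatch': '3.1.3',
  'vscode-languageclient>minimatch': '5.1.7',
  '@ts-morph/common>minimatch': '9.0.6',
  '@vue/language-core>minimatch': '9.0.6',
};

// "x.y.z" -> [x, y, z] as numbers; anything else is rejected loudly.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Only the two shapes on this page: ">=x.y.z" (unbounded) and "^x.y.z" (caret).
function parseRange(range) {
  const m = /^(>=|\^)(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return { op: m[1], floor: m[2] };
}

function satisfies(version, range) {
  const { op, floor } = parseRange(range);
  if (compare(version, floor) < 0) return false; // below the security floor
  if (op === '>=') return true;                  // nothing bounds it above
  // Caret: same major for floors >= 1.0.0; for 0.x the first non-zero
  // component locks (^0.2.3 is >=0.2.3 <0.3.0, ^0.0.3 is exactly 0.0.3).
  const [fMaj, fMin, fPat] = parseVersion(floor);
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (fMaj > 0) return vMaj === fMaj;
  if (fMin > 0) return vMaj === 0 && vMin === fMin;
  return vMaj === 0 && vMin === 0 && vPat === fPat;
}

// Returns findings: 'unresolved' (override never applied), 'below-floor'
// (lockfile still carries a vulnerable version), 'unbounded' (a future
// re-resolution could cross a major boundary).
function auditOverrides(overridesMap, resolvedMap) {
  const findings = [];
  for (const [selector, range] of Object.entries(overridesMap)) {
    const version = resolvedMap[selector];
    if (version === undefined) {
      findings.push({ selector, kind: 'unresolved', range });
      continue;
    }
    if (!satisfies(version, range)) {
      findings.push({ selector, kind: 'below-floor', range, version });
    }
    const { op, floor } = parseRange(range);
    if (op === '>=') {
      findings.push({ selector, kind: 'unbounded', range, suggested: `^${floor}` });
    }
  }
  return findings;
}

// Rewrite unbounded ">=" floors as caret ranges, as the review suggested.
function tightenOverrides(overridesMap) {
  return Object.fromEntries(Object.entries(overridesMap).map(([k, r]) => {
    const { op, floor } = parseRange(r);
    return [k, op === '>=' ? `^${floor}` : r];
  }));
}

const report = auditOverrides(overrides, resolved);
console.log(JSON.stringify(report, null, 2));
const tightened = tightenOverrides(overrides);
console.log(JSON.stringify(auditOverrides(tightened, resolved), null, 2));
```

The audit reports rollup as below its floor in the constructed lockfile and all seven unscoped overrides as unbounded; after `tightenOverrides` the unbounded findings disappear but the rollup miss remains, which is the point: the range shape controls what a future re-resolution may pull in, while only the lockfile says what is installed now.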

@davydkov davydkov enabled auto-merge (squash) March 20, 2026 11:03
@davydkov davydkov disabled auto-merge March 20, 2026 11:05
@davydkov davydkov merged commit ea73aff into main Mar 20, 2026
17 checks passed
@davydkov davydkov deleted the fix/dependabot-security-overrides branch March 20, 2026 11:05