
fix(security): CodeQL findings and zx 8.8.5 resolution#41

Merged
sraphaz merged 1 commit into main from fix/security-codeql-deps-summary on Apr 2, 2026

Conversation

sraphaz commented Apr 2, 2026

Owner

Goal

Clear remaining CodeQL and Dependabot (zx) findings on this fork, using the same conventions as upstream (likec4/likec4): focused scope, conventional commits, and copy-paste-ready review notes so a later PR to the base repo stays straightforward.

Changes

  • Dependabot / zx (GHSA-w87r-vg9q-crqm): @likec4/vscode now depends on zx via the workspace catalog (full 8.8.5) instead of lite (8.8.5-lite), which did not match the patched release line. Root pnpm.overrides pins zx to 8.8.5; pnpm-lock.yaml no longer references zx@8.8.5-lite.
  • CodeQL (js/incomplete-multi-character-sanitization): packages/core/.../to-html.spec.ts uses a small stripHtmlTags helper that reapplies tag removal until stable (avoids single-pass regex pitfalls in tests).
  • CodeQL (prototype pollution): packages/language-server/src/module.ts — Langium-style _merge skips __proto__, prototype, and constructor before assigning into the target module object.
  • CodeQL (js/bad-code-sanitization): packages/vite-plugin/.../icons.ts — inline codeql[js/bad-code-sanitization] justification for generated import(...) specifiers (allowlisted project ids + JSON.stringify + hardenJsonStringLiteralForEmbeddedScript).

Notes

  • elliptic (CVE-2025-14505): No patched elliptic release on npm at this time; dependency is transitive (e.g. via browserify-sign). If Dependabot still reports it, dismiss or document accepted risk until upstream ships a fix.

Verification

  • vitest run to-html.spec.ts, hardenJsonStringLiteralForEmbeddedScript.spec.ts
  • turbo run typecheck: @likec4/core, @likec4/language-server, @likec4/vite-plugin
  • Fork CI green after push
  • Re-run Code scanning / Dependabot after merge (or Actions → codeql → Run workflow on this fork)

Summary by CodeRabbit

  • Chores

    • Updated zx package version pinning and dependency resolution strategy across all projects for improved consistency
  • Bug Fixes

    • Fixed critical security vulnerability in module property merging
  • Refactor

    • Improved icon registry generation performance with optimized single-pass processing
  • Tests

    • Enhanced test utilities and coverage for markdown HTML rendering validation

- Use full zx@8.8.5 (catalog + override) instead of lite variant for GHSA-w87r-vg9q-crqm

- to-html.spec: stable HTML tag strip for incomplete sanitization query

- language-server _merge: skip prototype-pollution keys

- vite-plugin icons: codeql[js/bad-code-sanitization] justification for hardened import specifiers

Made-with: Cursor
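The prototype-pollution fix in the Changes list above, shown as a stand-alone example. This is added illustration, not the likec4 module.ts code: a generic recursive "merge options into a module" routine in its vulnerable form next to the same routine with the forbidden-key check the PR describes. The payload, the helper names and the Dict type are constructed for the example.

```typescript
// Added example, not likec4's module.ts: a recursive merge shown first in its
// vulnerable form, then with the MERGE_FORBIDDEN_KEYS check the PR describes.
type Dict = Record<string, unknown>;

function isPlainObject(v: unknown): v is Dict {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// BEFORE: every own key of `source` is merged into `target`, recursing into
// nested objects. For the key "__proto__", `target[key]` resolves to
// Object.prototype, so a payload like {"__proto__": {"polluted": true}}
// writes into the prototype shared by every object in the process.
export function mergeUnsafe(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    const value = source[key];
    const existing = target[key]; // reads Object.prototype when key === "__proto__"
    if (isPlainObject(value)) {
      target[key] = mergeUnsafe(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// AFTER: skip the three keys through which a plain-object merge can reach a
// prototype, and only treat a key as "existing" when target owns it directly.
const MERGE_FORBIDDEN_KEYS: ReadonlySet<string> = new Set(['__proto__', 'prototype', 'constructor']);

export function mergeSafe(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    if (MERGE_FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(value)) {
      target[key] = mergeSafe(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload. JSON.parse creates an *own* "__proto__"
// property (it does not invoke the setter), so Object.keys() lists it and a
// naive merge walks into it.
const PAYLOAD = '{"__proto__": {"polluted": true}, "name": "svc", "nested": {"a": 1}}';

// Runs the vulnerable merge, reports whether an unrelated fresh object now sees
// `polluted`, and undoes the damage so the rest of the process stays clean.
export function demoUnsafe(): boolean {
  try {
    mergeUnsafe({}, JSON.parse(PAYLOAD) as Dict);
    return ({} as Dict)['polluted'] === true;
  } finally {
    delete (Object.prototype as unknown as Dict)['polluted'];
  }
}

// Same payload through the hardened merge: the forbidden key is dropped, the
// legitimate keys are merged, and Object.prototype is untouched.
export function demoSafe(): { polluted: boolean; merged: string } {
  const merged = mergeSafe({ nested: { b: 2 } }, JSON.parse(PAYLOAD) as Dict);
  return { polluted: ({} as Dict)['polluted'] === true, merged: JSON.stringify(merged) };
}
```

The `hasOwnProperty` check matters as well as the key allowlist: without it, `target[key]` for an inherited name silently returns a prototype property, which is exactly the path the denylist is there to cut.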
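The js/incomplete-multi-character-sanitization item above, worked through. This is an added example rather than the helper in likec4's to-html.spec.ts: a single-pass tag strip beside one that reapplies the same regex until the output stops changing. The regex and the spliced-tag input are constructed for the example.

```typescript
// Added example, not likec4's to-html.spec.ts. Hypothetical tag regex: an
// opening or closing tag whose name begins with a letter.
const TAG_RE = /<\/?[a-z][a-z0-9-]*\b[^>]*>/gi;

// Single pass, the shape CodeQL's js/incomplete-multi-character-sanitization
// query flags: deleting one tag can splice the characters around it into a
// brand-new tag, so the "sanitized" output can still contain markup.
export function stripTagsOnce(html: string): string {
  return html.replace(TAG_RE, '');
}

// Reapply until a pass removes nothing. Every productive pass strictly shortens
// the string, so the loop terminates after at most length(html) rounds.
export function stripHtmlTags(html: string): string {
  let current = html;
  for (;;) {
    const next = current.replace(TAG_RE, '');
    if (next === current) return next;
    current = next;
  }
}

// Constructed input: removing the inner "<b>" in "<<b>b>" leaves "<b>", and
// removing the inner "<b>" in "</<b>b>" leaves "</b>".
export const SPLICED = '<<b>b>hi</<b>b>';

// Returns both results side by side so the difference is visible in one call.
export function compareStrips(html: string = SPLICED): { once: string; stable: string } {
  return { once: stripTagsOnce(html), stable: stripHtmlTags(html) };
}
```

In a spec file the stable version is what makes an assertion such as "the rendered HTML, with tags stripped, equals the source text" trustworthy. For sanitizing untrusted HTML in production code, rather than in a test helper, a parser-based sanitizer is the right tool; regex stripping, iterated or not, is a test convenience.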
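The js/bad-code-sanitization item above, as an added example. This is not likec4's vite-plugin icons.ts: it builds a small virtual module that dynamically imports one icon bundle per project, first with raw string interpolation and then with the hardening the PR lists (allowlisted project ids, JSON.stringify, and an escape step for embedding in a script). The `virtual:icons/` path, the project ids and the body of the escaping function are assumptions; the real `hardenJsonStringLiteralForEmbeddedScript` in the repository may behave differently.

```typescript
// Added example, not likec4's vite-plugin code. Module path and ids are constructed.

// Assumed implementation of the escaping step. JSON.stringify already yields a
// valid JS string literal, but if the generated module is ever inlined into
// HTML, "</script>" or "<!--" inside the literal would terminate the script
// element, and U+2028/U+2029 are raw line terminators for older JS parsers even
// though JSON permits them. \uXXXX escapes are behaviour-preserving inside a
// JS string literal, so decoding the literal still gives the original text.
export function hardenJsonStringLiteralForEmbeddedScript(json: string): string {
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function jsStringLiteral(value: string): string {
  return hardenJsonStringLiteralForEmbeddedScript(JSON.stringify(value));
}

// BEFORE: the project id lands inside a string literal unescaped, so an id
// containing a quote closes the literal and the rest is emitted as code.
export function renderIconsModuleUnsafe(projectIds: string[]): string {
  const entries = projectIds.map(id => `  '${id}': () => import('virtual:icons/${id}'),`);
  return `export default {\n${entries.join('\n')}\n};\n`;
}

// AFTER: reject ids that are not known projects (the real control), and emit
// every key and specifier through jsStringLiteral() so that even an odd but
// legitimate id cannot change the structure of the generated code (the
// defence-in-depth a static analyser can verify without knowing the allowlist).
export function renderIconsModule(projectIds: string[], knownProjects: ReadonlySet<string>): string {
  const entries = projectIds.map(id => {
    if (!knownProjects.has(id)) {
      throw new Error(`unknown project id ${JSON.stringify(id)}`);
    }
    return `  ${jsStringLiteral(id)}: () => import(${jsStringLiteral(`virtual:icons/${id}`)}),`;
  });
  return `export default {\n${entries.join('\n')}\n};\n`;
}

// Constructed attacker-controlled id: the quote ends the literal and the text
// after it is copied verbatim into the module source.
export const INJECTED_ID = "x'); globalThis.pwned = 1; ('";

export function unsafeOutputHasInjection(): boolean {
  return renderIconsModuleUnsafe([INJECTED_ID]).includes('globalThis.pwned = 1;');
}

export function safeRejectsUnknownId(): boolean {
  try {
    renderIconsModule([INJECTED_ID], new Set(['default']));
    return false;
  } catch {
    return true;
  }
}

// Round trip: the hardened literal contains no "<" yet still evaluates to the
// original string when parsed as JavaScript.
export function literalRoundTrips(value: string): boolean {
  const lit = jsStringLiteral(value);
  return !lit.includes('<') && (new Function(`return ${lit};`)() as string) === value;
}
```

The order of defences is deliberate: the allowlist stops untrusted ids from reaching the generator at all, and the literal encoding is what keeps the code-generation step safe by construction, which is the property the `codeql[js/bad-code-sanitization]` justification has to argue for.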
coderabbitai (bot) commented Apr 2, 2026


No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between a52773c and 8a4d467.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
  • package.json
  • packages/core/src/utils/markdown/to-html.spec.ts
  • packages/language-server/src/module.ts
  • packages/vite-plugin/src/virtuals/icons.ts
  • packages/vscode/package.json

Walkthrough

Updates dependency constraints for zx across packages, adds prototype pollution safeguards to the module merge function, refactors icon registry generation to reduce intermediate objects, and enhances test utilities for HTML tag stripping.

Changes

  • Dependency Management (package.json, packages/vscode/package.json): Added zx override pinned to 8.8.5 in root pnpm config; updated VSCode package to use catalog reference for zx dependency.
  • Security Enhancement (packages/language-server/src/module.ts): Introduced MERGE_FORBIDDEN_KEYS set (__proto__, prototype, constructor) to prevent prototype pollution during object merging.
  • Test Utilities (packages/core/src/utils/markdown/to-html.spec.ts): Added stripHtmlTags() helper function using iterative regex matching to reliably remove nested HTML tags in test assertions.
  • Code Generation Refactor (packages/vite-plugin/src/virtuals/icons.ts): Simplified icon registry generation by combining object mapping and string building into a single chained operation, eliminating intermediate object creation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 With whiskers twitched and nose held high,
We locked down zx, no more awry,
Prototype shields now guard our code,
Refactored paths on safer roads,
A test helper hops through tags with glee! 🏃‍♂️✨

🚥 Pre-merge checks: 3 passed
  • Title check: Passed. The title accurately summarizes the main changes: addressing CodeQL security findings and resolving the zx dependency to version 8.8.5, which are the primary concerns of this PR.
  • Description check: Passed. The description includes most required template sections: author attests to following contribution guidelines, rebasing, and conventional commits through the title and content. Verification of tests is checked; however, the description does not follow the exact checklist template format.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@sraphaz sraphaz merged commit 48b9418 into main Apr 2, 2026
7 checks passed