chore: address 36 open Dependabot security alerts #4781

@pomfrida

Summary

We have 36 open Dependabot alerts. Most are transitive dev/build dependencies and do not affect published packages. This issue documents the analysis and a plan forward.

Analysis

Fixable with pnpm.overrides (13 alerts, all dev-dependencies)

These are safe patch/minor bumps where the direct parent hasn't updated yet:

| Package | Installed | Patched | Severity | Source | Alerts |
|---|---|---|---|---|---|
| flatted | 3.3.3 | 3.4.2 | high | eslint 8 → flat-cache | #386 |
| undici | 7.22.0 | 7.24.0 | high/med | cheerio (docusaurus-search-local), @figma/code-connect | #364, #369 |
| yaml 2.x | 2.8.1 | 2.8.3 | medium | vite (peer dep) | #393 |
| picomatch | 2.3.1 | 2.3.2 | medium | jest → micromatch | #388 |
| brace-expansion 2.x | 2.0.2 | 2.0.3 | medium | eslint → minimatch | #405 |
| @isaacs/brace-expansion | 5.0.0 | 5.0.1 | high | vite-plugin-dts → api-extractor | #341 |
| diff | 4.0.2 | 4.0.4 | low | ts-node (jest peer) | #340 |
| js-yaml | 4.1.0 | 4.1.1 | medium | eslint 8 | #296 |

Blocked by upstream (19 alerts) — Docusaurus 3

All from apps/design-system-docs (private, not published):

| Package | Severity | Blocked by | Alerts |
|---|---|---|---|
| node-forge ×4 | high | Docusaurus → webpack-dev-server → selfsigned | #400, #403 |
| path-to-regexp | high | Docusaurus → react-router v5 | #408 |
| serialize-javascript ×2 | high/med | Docusaurus → webpack → terser-webpack-plugin | #360, #404 |
| qs ×2 | med/low | Docusaurus → express 4 | #319, #345 |
| webpack ×2 | low | Docusaurus uses webpack 5.101–5.103 | #342, #343 |
| yaml 1.x | medium | Transitive yaml v1, no safe upgrade path | #387 |

Resolution: Upgrade to Docusaurus 4 when available (uses Rspack, drops webpack/express).

Blocked by upstream — eslint 8 (4 alerts)

| Package | Severity | Alerts |
|---|---|---|
| ajv (6.x → 8.x) | medium | #348 |
| minimatch ×3 | high | #355, #352, various |

Resolution: Upgrade to eslint 9 + flat config. This also removes the need for flatted, js-yaml, and brace-expansion overrides.

Unfixable (3 alerts)

| Package | Severity | Reason | Alerts |
|---|---|---|---|
| lodash ×3 | high/med | Patched version 4.18.0 does not exist on npm | #328, #410, #411 |

Action plan

  • Add pnpm.overrides for the 8 safe overrides (13 alerts)
  • Upgrade eslint 8 → 9 (removes ~10 alerts including some overrides)
  • Upgrade Docusaurus when v4 is available (removes ~11 alerts)
  • Dismiss lodash alerts as false positive (patch version not published)
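Added example (not part of this issue or the project's code): after the pnpm.overrides from the first table are in place, a quick check that pnpm-lock.yaml actually resolved each package to the patched version. It runs against a constructed lockfile excerpt embedded below, not the repository's real lockfile, and only compares versions within the patched version's major, so the out-of-scope yaml 1.x copy from alert #387 is not mis-flagged.

```python
import re
# Patched versions from the 'Fixable with pnpm.overrides' table above.
OVERRIDES = {
    "flatted": "3.4.2", "undici": "7.24.0", "yaml": "2.8.3",
    "picomatch": "2.3.2", "brace-expansion": "2.0.3",
    "@isaacs/brace-expansion": "5.0.1", "diff": "4.0.4", "js-yaml": "4.1.1",
}
# Two-space-indented `packages:` keys: flatted@3.3.3: or '@scope/pkg@5.0.1':
PKG_RE = re.compile(r"^  '?(?P<name>@?[^@']+)@(?P<ver>[^'(:]+)'?:$")

# Constructed lockfile excerpt for the demo, not the repository's lockfile.
LOCK = """packages:
  '@isaacs/brace-expansion@5.0.1':
    resolution: {integrity: sha512-constructed}
  brace-expansion@2.0.3:
    resolution: {integrity: sha512-constructed}
  flatted@3.3.3:
    resolution: {integrity: sha512-constructed}
  yaml@1.10.2:
    resolution: {integrity: sha512-constructed}
  yaml@2.8.3:
    resolution: {integrity: sha512-constructed}
"""

def parse_versions(lock_text):
    """Return {package: {versions}} recorded in the `packages:` section."""
    found, in_packages = {}, False
    for line in lock_text.splitlines():
        if line and not line.startswith(" "):  # top-level key
            in_packages = line.startswith("packages:")
            continue
        m = PKG_RE.match(line) if in_packages else None
        if m:
            found.setdefault(m["name"], set()).add(m["ver"])
    return found

def vtuple(v):
    """'2.8.3' -> (2, 8, 3); a pre-release suffix is dropped."""
    return tuple(int(x) for x in v.split("-")[0].split("."))

def unpatched(lock_text, overrides=OVERRIDES):
    """(package, version) pairs below the patched version in its major.
    Overrides keyed on 'yaml@2' or 'brace-expansion@2' leave 1.x alone."""
    bad = []
    for name, versions in parse_versions(lock_text).items():
        if name in overrides:
            want = vtuple(overrides[name])
            bad += [(name, v) for v in sorted(versions, key=vtuple)
                    if vtuple(v)[0] == want[0] and vtuple(v) < want]
    return bad
```

Run `unpatched(open("pnpm-lock.yaml").read())` after `pnpm install` to confirm an empty list; in the constructed excerpt, flatted is still at 3.3.3 and is reported.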
