fix(deps): reduce security audit exposure#97

Open
one-ea wants to merge 2 commits into main from fix/security-alerts

Conversation

one-ea (Owner) commented Jun 16, 2026

Summary

  • update security-focused npm overrides for DOMPurify, Babel, esbuild, shell-quote, brace-expansion, and ws
  • bump server Wrangler dependency to the latest 4.101.x line via ^4.100.0
  • refresh package-lock.json from npm

Verification

  • npm ci
  • npm run lint
  • npm run check
  • npm run build
  • npm audit --audit-level=critical

Notes

  • Critical findings are cleared locally.
  • npm audit still reports 4 high findings from the latest wrangler/miniflare dependency chain: wrangler@4.101.0 pins esbuild@0.27.3 and miniflare@4.20260616.0 pins ws@8.20.1. The npm suggested fix is a breaking downgrade to wrangler@3.6.0, so this PR keeps the current major line and leaves those as upstream pending.
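Overrides only help if the refreshed lockfile actually resolved every copy of the overridden packages, nested copies under a transitive dependency included. The script below is an added example, not part of this PR or the project's code: it compares each installed copy recorded in package-lock.json against the string-valued overrides declared in package.json and reports any copy that falls outside the override. It handles the two spec forms this PR uses (exact pins and caret ranges); the package.json and lockfile data embedded here are constructed samples, and checkProject is a hypothetical helper for pointing it at a real project directory.

```javascript
// Added example, not part of the PR or the project: check that every copy of
// an overridden package in package-lock.json satisfies the override declared
// in package.json. Sample inputs below are constructed for illustration.

// Constructed stand-in for the root package.json "overrides" block.
const SAMPLE_PACKAGE_JSON = {
  overrides: {
    dompurify: "3.4.10",            // exact pin
    esbuild: "^0.28.1",             // caret range
    "serialize-javascript": "7.0.5",
    ws: "8.20.1",
  },
};

// Constructed stand-in for the lockfile "packages" map (lockfileVersion 2/3).
// The two nested copies are deliberately stale so the check has something to report.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "example-root" },
    "node_modules/dompurify": { version: "3.4.10" },
    "node_modules/esbuild": { version: "0.28.1" },
    "node_modules/serialize-javascript": { version: "7.0.5" },
    "node_modules/ws": { version: "8.20.1" },
    "node_modules/some-tool/node_modules/ws": { version: "8.17.0" },
    "node_modules/some-tool/node_modules/esbuild": { version: "0.26.0" },
  },
};

// Parse "major.minor.patch"; pre-release and build suffixes are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Supports the two spec forms used in this PR: exact "x.y.z" and caret "^x.y.z".
// Caret follows npm semantics: the leftmost non-zero component of the base
// version is fixed, everything to its right may move forward.
function satisfies(version, spec) {
  const v = parseVersion(version);
  if (spec.startsWith("^")) {
    const base = parseVersion(spec.slice(1));
    if (compareVersions(v, base) < 0) return false;
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  return compareVersions(v, parseVersion(spec)) === 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root entry.
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx < 0 ? null : lockPath.slice(idx + marker.length);
}

// One entry per installed copy that violates a string-valued override.
// Nested override objects (e.g. { "wrangler": { "esbuild": "..." } }) are skipped.
function checkOverrides(pkg, lock) {
  const overrides = pkg.overrides || {};
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockPath(lockPath);
    if (name === null) continue;
    const spec = overrides[name];
    if (typeof spec !== "string" || !entry.version) continue;
    if (!satisfies(entry.version, spec)) {
      violations.push({ path: lockPath, name, version: entry.version, spec });
    }
  }
  return violations;
}

// Hypothetical helper for real use: read both files from a project directory.
function checkProject(dir) {
  const fs = require("node:fs");
  const path = require("node:path");
  const read = (f) => JSON.parse(fs.readFileSync(path.join(dir, f), "utf8"));
  return checkOverrides(read("package.json"), read("package-lock.json"));
}

const report = checkOverrides(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
for (const v of report) {
  console.log(`${v.path}: installed ${v.version}, override requires ${v.spec}`);
}
console.log(report.length === 0 ? "overrides satisfied" : `${report.length} violation(s)`);
```

Run against the constructed sample it reports the two nested copies; against a real project, call checkProject(".") after `npm ci` and fail the pipeline on a non-empty result, which catches a lockfile that was not refreshed after the overrides changed.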

coderabbitai (Bot) commented Jun 16, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: de088e56-1b1a-4937-82c2-0f7918a9f830

📥 Commits

Reviewing files that changed from the base of the PR and between 9928cab and 7f2e971.

📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json
📜 Recent review details
⏰ Context from checks skipped due to timeout of 120000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: ESLint security scan
  • GitHub Check: Typecheck
  • GitHub Check: Build
  • GitHub Check: Lint
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (actions)

📝 Walkthrough

Summary by CodeRabbit

  • Chores (maintenance)
    • Update root project dependency versions: bump dompurify, esbuild and serialize-javascript, and add or adjust several override entries to improve compatibility and security
    • Update the server development tool wrangler to pick up the latest features and fixes
    • Tidy the dependency override configuration while keeping the existing overrides unchanged

Walkthrough

In package.json, the overrides block gains four new entries: @babel/core, brace-expansion, shell-quote and ws; dompurify, esbuild and serialize-javascript are upgraded; in server/package.json, the wrangler devDependency is upgraded to ^4.100.0.

Changes

Dependency version updates

Layer: Override entries and wrangler version update
File(s): package.json, server/package.json
Summary: overrides gains four entries (@babel/core, brace-expansion, shell-quote, ws); dompurify 3.4.3 → 3.4.10; esbuild ^0.25.0 → ^0.28.1; serialize-javascript ^7.0.5 → 7.0.5; wrangler devDependency ^4.85.0 → ^4.100.0

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • one-ea/Monolith#31: that PR established the baseline for version locking in the root package.json overrides block; this PR adds and upgrades several override entries on top of it.
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The PR title fully conforms to the Conventional Commits format, using the correct form 'fix(deps): reduce security audit exposure'.
Description check ✅ Passed The PR description clearly relates to the changes: updating security-related dependency overrides, upgrading the Wrangler version and refreshing the lock file, and it details the verification steps and known limitations.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


coderabbitai (Bot) added the labels "bug" (Something isn't working) and "backend" (changes related to the backend, Hono Workers) on Jun 16, 2026

coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Around line 39-46: The dependencies esbuild and serialize-javascript are
currently using range versions (with the ^ prefix) instead of exact versions. To
ensure reproducibility and stability in CI/CD pipelines, update esbuild from
^0.28.1 to 0.28.1 and serialize-javascript from ^7.0.5 to 7.0.5 by removing the
caret (^) prefix from both entries. The ws dependency is already correctly
pinned to an exact version and requires no changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b198f9ea-953e-4ed2-b555-5efc3ddc41c2

📥 Commits

Reviewing files that changed from the base of the PR and between b0eb3da and 9928cab.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • server/package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 120000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Lint
🔇 Additional comments (1)
server/package.json (1)

34-34: Add a command-level smoke test after the wrangler version upgrade.

Line 34 upgrades the wrangler version; the places in scripts/deploy-cloudflare.mjs that depend on CLI output need to be verified:

  • shouldCreatePagesProject() relies on matching the error output against "not found", "does not exist" and "404" (after toLowerCase); a version change may alter the error text that pages project create emits when the project does not exist
  • wrangler d1 migrations apply auto-confirms the interactive prompt by writing "y\n" to stdin; confirm that the new version's prompt text has not changed
  • the execution flow and output format of wrangler secret put should also be covered by the tests

It is recommended to run the full deployment flow once, or execute the above commands in a test environment, to confirm that the output format and interaction details still match what the script expects.

