fix(deps): resolve 4 moderate npm-audit GHSAs (TIM-14)#150

Merged: timoa merged 2 commits into main from fix/npm-audit-4-ghsa on Jun 15, 2026

Conversation

timoa (Owner) commented Jun 15, 2026

Summary

Resolves the 4 moderate advisories listed in the audit issue (TIM-14) by tightening two existing pnpm overrides and adding two new top-level ones. No source-code changes.

| GHSA                | Package         | Old    | New    | Mechanism                                 |
|---------------------|-----------------|--------|--------|-------------------------------------------|
| GHSA-jxxr-4gwj-5jf2 | brace-expansion | 5.0.5  | 5.0.6  | bump minimatch>brace-expansion to >=5.0.6 |
| GHSA-q8mj-m7cp-5q26 | qs              | 6.15.0 | 6.15.2 | bump qs to >=6.15.2                       |
| GHSA-qx2v-qp2m-jg93 | postcss         | 8.5.9  | 8.5.15 | new postcss override >=8.5.10             |
| GHSA-w5hq-g745-h8pq | uuid            | 8.3.2  | 14.0.0 | new uuid override >=11.1.1                |

Why pnpm overrides

All four advisories are in transitive dependencies (vsce>glob>minimatch>brace-expansion, vsce>typed-rest-client>qs, @tailwindcss/postcss>postcss, vsce>@azure/identity>@azure/msal-node>uuid), so the only safe path is to force the patched range from the workspace. Direct version bumps in the lockfile are reverted by pnpm install.

uuid@>=11.1.1 is the only major-version jump. The consumer is @azure/msal-node, a transitive of @vscode/vsce (build/publish tool only, not bundled in the extension runtime). msal uses uuid v4; v4's public API is unchanged between uuid 8 and 14, and v14 is dual CJS/ESM, so the upgrade is API-compatible.

Verification

  • pnpm audit: the four target GHSAs are gone. Total advisories 11 -> 7. The remaining 7 (vite, esbuild, js-yaml, @babel/core, form-data, etc.) are not in scope for this issue.
  • pnpm test: 201/201 pass (15 files, fast-check property-based fuzz included).
  • pnpm lint: clean.
  • pnpm run compile: tsc clean.
  • pnpm run webpack: production bundle builds successfully.

Out of scope (7 remaining advisories)

vite (high, GHSA-fx2h-pf6j-xcff; moderate, GHSA-v6wh-96g9-6wx3), esbuild (low, GHSA-g7r4-m6w7-qqqr; high, GHSA-gv7w-rqvm-qjhr), js-yaml (moderate, GHSA-h67p-54hq-rp68), @babel/core (low, GHSA-4x5r-pxfx-6jf8), form-data (high, GHSA-hmw2-7cc7-3qxx). Each needs a separate audit/issue — they involve direct dep bumps (e.g. vite ^7.3.2 -> ^7.3.5) and were not in the scope of TIM-14.

Closes TIM-14.

Summary by CodeRabbit

  • Chores
    • Updated dependency version pins for several packages including qs, minimatch, postcss, and uuid to ensure compatibility and stability.

Bump existing overrides and add two new ones to clear the four
moderate advisories reported by the audit issue (TIM-14):

- GHSA-jxxr-4gwj-5jf2 — brace-expansion ReDoS via numeric range.
  Bump 'minimatch>brace-expansion' from >=5.0.5 to >=5.0.6.
  (juliangruber/brace-expansion 5.0.5 -> 5.0.6)
- GHSA-q8mj-m7cp-5q26 — qs.stringify DoS on null/undefined entries
  with arrayFormat:'comma' and encodeValuesOnly:true.
  Bump 'qs' from >=6.14.2 to >=6.15.2.
  (ljharb/qs 6.15.0 -> 6.15.2)
- GHSA-qx2v-qp2m-jg93 — PostCSS XSS via unescaped </style> in
  stringified CSS. Add a top-level 'postcss' override >=8.5.10.
  (postcss 8.5.9 -> 8.5.15; direct dep already at 8.5.15, this
  pulls every transitive postcss-modules-* / @tailwindcss/postcss
  instance above the patched floor)
- GHSA-w5hq-g745-h8pq — uuid v3/v5/v6 silent out-of-bounds write
  when a caller-supplied buffer is too small. Add a top-level
  'uuid' override >=11.1.1. (uuid 8.3.2 -> 14.0.0; the consumer
  is @azure/msal-node, a transitive of the @vscode/vsce build tool
  which only runs at publish time and uses uuid v4, API-compatible
  with the override)

Pattern mirrors the previous npm-audit fix in PR #144 (migrate
overrides into pnpm-workspace.yaml, leave package.json untouched,
regenerate the lockfile).

Verification:
- pnpm audit: the four target GHSAs are gone (11 -> 7 advisories;
  the remaining 7 are out of scope for this issue).
- pnpm test: 201/201 pass (15 files, fast-check fuzz included).
- pnpm lint: clean.
- pnpm run compile: tsc clean.
- pnpm run webpack: production bundle builds successfully.
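The "Why pnpm overrides" section relies on the overrides in pnpm-workspace.yaml actually rewriting what the lockfile resolves for the transitive packages. A check that confirms this after `pnpm install` is shown below. It is an added example, not code from the PR or the workflow-editor project: it parses the `packages:` section of a pnpm lockfile (assumed to be in the v9 key layout, e.g. `uuid@8.3.2:` or `'@azure/msal-node@2.16.2':`), maps each override selector to its leaf package, and reports every resolved version that sits below the `>=` floor. The two lockfile excerpts are constructed from the before/after versions the PR reports; the `@azure/msal-node` version and the integrity strings are placeholders.

```javascript
// Floors taken from the PR's pnpm-workspace.yaml overrides. pnpm's "parent>child"
// selector scopes an override to one dependency path; the leaf name is what shows
// up as a package key in pnpm-lock.yaml, so that is what we check.
const OVERRIDES = {
  'minimatch>brace-expansion': '>=5.0.6',
  qs: '>=6.15.2',
  postcss: '>=8.5.10',
  uuid: '>=11.1.1',
};

// Compare two dotted versions numerically (so 8.5.9 < 8.5.10). Pre-release and build
// suffixes are ignored, which is enough for release floors like the ones above.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every resolved version of every package from the lockfile's `packages:`
// section (assumed v9 layout). Keys look like `uuid@8.3.2:`, `'@azure/msal-node@2.16.2':`
// or `postcss-modules@6.0.1(postcss@8.5.15):`; the peer suffix in parentheses is ignored.
function parseLockfilePackages(lockText) {
  const versions = new Map(); // package name -> Set of resolved versions
  const keyRe = /^  ['"]?((?:@[^/'"\s]+\/)?[^@'"\s]+)@([0-9][^'"\s(:]*)/;
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level section
    if (!inPackages) continue;
    const m = keyRe.exec(line);
    if (!m) continue;
    if (!versions.has(m[1])) versions.set(m[1], new Set());
    versions.get(m[1]).add(m[2]);
  }
  return versions;
}

// Return one record per resolved version that sits below its override floor.
// A package absent from the lockfile yields nothing: the override has nothing to act on.
function checkOverrides(lockText, overrides) {
  const versions = parseLockfilePackages(lockText);
  const violations = [];
  for (const [selector, range] of Object.entries(overrides)) {
    const floor = range.replace(/^>=\s*/, '');
    const pkg = selector.split('>').pop();
    for (const version of [...(versions.get(pkg) || [])].sort(compareVersions)) {
      if (compareVersions(version, floor) < 0) violations.push({ selector, pkg, floor, version });
    }
  }
  return violations;
}

// Constructed before/after lockfile excerpts using the versions the PR reports.
// Not the project's real pnpm-lock.yaml; msal-node version and integrity values are placeholders.
const LOCK_BEFORE = `
lockfileVersion: '9.0'

overrides:
  minimatch>brace-expansion: '>=5.0.5'
  qs: '>=6.14.2'

packages:

  '@azure/msal-node@2.16.2':
    resolution: {integrity: sha512-PLACEHOLDER}

  brace-expansion@5.0.5:
    resolution: {integrity: sha512-PLACEHOLDER}

  postcss@8.5.9:
    resolution: {integrity: sha512-PLACEHOLDER}

  postcss@8.5.15:
    resolution: {integrity: sha512-PLACEHOLDER}

  postcss-modules@6.0.1(postcss@8.5.9):
    resolution: {integrity: sha512-PLACEHOLDER}

  qs@6.15.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  uuid@8.3.2:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  uuid@8.3.2: {}
`;

const LOCK_AFTER = LOCK_BEFORE
  .replace("brace-expansion@5.0.5", "brace-expansion@5.0.6")
  .replace("postcss@8.5.9:\n    resolution: {integrity: sha512-PLACEHOLDER}\n\n", "")
  .replace("(postcss@8.5.9)", "(postcss@8.5.15)")
  .replace("qs@6.15.0", "qs@6.15.2")
  .replace(/uuid@8\.3\.2/g, "uuid@14.0.0");

console.log('before:', checkOverrides(LOCK_BEFORE, OVERRIDES)); // four entries below the floors
console.log('after:', checkOverrides(LOCK_AFTER, OVERRIDES));   // []
```

Run it against the real lockfile by replacing the constructed excerpt with `fs.readFileSync('pnpm-lock.yaml', 'utf8')`; a non-empty result means an override did not reach some resolution path and `pnpm audit` will still report the advisory.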
coderabbitai Bot commented Jun 15, 2026

Important: review skipped due to path filters.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a6372785-1558-46aa-b0a7-466db6464332

📝 Walkthrough

Four package version floors in pnpm-workspace.yaml overrides are bumped: qs to >=6.15.2, minimatch>brace-expansion to >=5.0.6, postcss to >=8.5.10, and uuid to >=11.1.1.

Changes

Dependency Override Bumps

| Layer / File(s)                                  | Summary |
|--------------------------------------------------|---------|
| Version constraint updates (pnpm-workspace.yaml) | Raises minimum version floors for qs (6.14.2→6.15.2), minimatch>brace-expansion (5.0.5→5.0.6), postcss (8.5.0→8.5.10), and uuid (→11.1.1) in the overrides section. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • timoa/workflow-editor#144: Both PRs modify pnpm-workspace.yaml pnpm.overrides version pinning, including the minimatch/brace-expansion override.

Suggested labels

released

Poem

🐰 A hop, a skip, a version bump,
Four packages cleared the dependency hump!
qs and postcss got a little raise,
uuid and brace-expansion join the craze.
The lockfile's tidy, the rabbit's pleased —
Fresher pins keep the warren at ease! 🌿

🚥 Pre-merge checks: 5 passed

| Check name                   | Status    | Explanation |
|------------------------------|-----------|-------------|
| Title check                  | ✅ Passed | The title directly and clearly describes the main change: resolving npm-audit GHSAs through dependency updates, with a specific issue reference (TIM-14). |
| Description check            | ✅ Passed | The description provides comprehensive context including a summary table, detailed rationale for using pnpm overrides, verification results, and scope clarification, exceeding template requirements. |
| Docstring Coverage           | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check          | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check   | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

github-actions Bot commented Jun 15, 2026

No React Doctor issues found. 🎉

Reviewed by React Doctor for commit 1a06e1b.

codecov Bot commented Jun 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.13%. Comparing base (f585982) to head (1a06e1b).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #150   +/-   ##
=======================================
  Coverage   94.13%   94.13%           
=======================================
  Files          10       10           
  Lines         290      290           
  Branches      105      105           
=======================================
  Hits          273      273           
  Misses          1        1           
  Partials       16       16           

@timoa timoa merged commit 21d2b67 into main Jun 15, 2026
9 of 10 checks passed
@timoa timoa deleted the fix/npm-audit-4-ghsa branch June 15, 2026 20:28
timoa-bot Bot commented Jun 16, 2026

🎉 This PR is included in version 1.2.46 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@timoa-bot timoa-bot Bot added the released label Jun 16, 2026