security: remediate 31 CVE findings via dependency upgrades#8

Open
gabehamilton wants to merge 1 commit into
mainfrom
vulnops/cve-remediation

Conversation

@gabehamilton

Contributor

Security: dependency remediation (Vuln Ops Grade F)

This PR remediates CVE findings surfaced by the Vuln Ops pipeline's live Trivy scan of difflabai/protocols@main (scan 2026-06-26, run 919d9a1f).

31 findings addressed by upgrading the affected (mostly transitive) dependencies to their fixed releases: 1 critical, 13 high, 16 medium, 1 low.

| Severity | Package | Installed | Fixed | Advisory |
|---|---|---|---|---|
| critical | shell-quote | 1.8.3 | 1.8.4 | CVE-2026-9277 |
| high | @babel/plugin-transform-modules-systemjs | 7.29.0 | 7.29.4 | CVE-2026-44728 |
| high | fast-uri | 3.1.0 | 3.1.1 | CVE-2026-6321 |
| high | fast-uri | 3.1.0 | 3.1.2 | CVE-2026-6322 |
| high | lodash | 4.17.23 | 4.18.0 | CVE-2026-4800 |
| high | minimatch | 3.1.2 | 3.1.3 | CVE-2026-26996 |
| high | minimatch | 3.1.2 | 3.1.3 | CVE-2026-27903 |
| high | minimatch | 3.1.2 | 3.1.4 | CVE-2026-27904 |
| high | path-to-regexp | 0.1.12 | 0.1.13 | CVE-2026-4867 |
| high | picomatch | 2.3.1 | 2.3.2 | CVE-2026-33671 |
| high | serialize-javascript | 6.0.2 | 7.0.3 | GHSA-5c6j-r48x-rmvq |
| high | svgo | 3.3.2 | 3.3.3 | CVE-2026-29074 |
| high | ws | 7.5.10 | 7.5.11 | CVE-2026-48779 |
| high | ws | 8.19.0 | 8.21.0 | CVE-2026-48779 |
| medium | brace-expansion | 1.1.12 | 1.1.13 | CVE-2026-33750 |
| medium | follow-redirects | 1.15.11 | 1.16.0 | GHSA-r4q5-vmmm-2653 |
| medium | http-proxy-middleware | 2.0.9 | 2.0.10 | CVE-2026-55602 |
| medium | joi | 17.13.3 | 17.13.4 | CVE-2026-48038 |
| medium | js-yaml | 3.14.2 | 4.2.0 | CVE-2026-53550 |
| medium | js-yaml | 4.1.1 | 4.2.0 | CVE-2026-53550 |
| medium | launch-editor | 2.13.0 | 2.14.1 | CVE-2026-53632 |
| medium | lodash | 4.17.23 | 4.18.0 | CVE-2026-2950 |
| medium | picomatch | 2.3.1 | 2.3.2 | CVE-2026-33672 |
| medium | postcss | 8.5.6 | 8.5.10 | CVE-2026-41305 |
| medium | qs | 6.14.2 | 6.15.2 | CVE-2026-8723 |
| medium | serialize-javascript | 6.0.2 | 7.0.5 | CVE-2026-34043 |
| medium | uuid | 8.3.2 | 13.0.1 | CVE-2026-41907 |
| medium | webpack-dev-server | 5.2.3 | 5.2.4 | CVE-2026-6402 |
| medium | webpack-dev-server | 5.2.3 | 5.2.5 | CVE-2026-9595 |
| medium | ws | 8.19.0 | 8.20.1 | CVE-2026-45736 |
| low | @babel/core | 7.29.0 | 7.29.6 | CVE-2026-49356 |

How

Dependencies were bumped to the scan's fixed versions using the ecosystem's native resolver (lockfile regeneration), scoped to the flagged advisories. No application source was changed.

Mechanism details for this repo (Docusaurus 3.9.2 site, single root package-lock.json):

  • npm audit fix --package-lock-only (no --force) bumped the transitive deps that had in-range fixes — covering 27 of 31 findings.
  • 4 findings across 3 packages needed a major-version bump that audit fix will not perform automatically (they sit behind caret ranges in parent packages). These were forced via minimal overrides in package.json, then npm install --package-lock-only:
    • serialize-javascript 6.0.2 → 7.0.5 (pulled by copy-webpack-plugin / css-minimizer-webpack-plugin)
    • uuid 8.3.2 → 13.0.1 (pulled by sockjs under webpack-dev-server)
    • js-yaml 3.14.2 → 4.2.0 (pulled by gray-matter)

npm audit --package-lock-only now reports 0 vulnerabilities. Only package.json (a 5-line overrides block) and package-lock.json were changed; no application source and no node_modules/.

Not remediated

None — all 31 findings reached their fixed versions in the lockfile.

🤖 Generated with Claude Code

Bumped vulnerable npm deps to fixed versions via 'npm audit fix
--package-lock-only'; added minimal package.json overrides to force
serialize-javascript@7.0.5, uuid@13.0.1, and js-yaml@4.2.0 (transitive
deps requiring major bumps). npm audit now reports 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces global dependency overrides in package.json for serialize-javascript, uuid, and js-yaml, resulting in numerous package updates in package-lock.json. The feedback points out that applying global overrides for major version upgrades (such as js-yaml and uuid) is highly risky because breaking changes can cause runtime crashes in transitive dependencies. It is recommended to scope these overrides to specific parent packages to ensure stability.


Comment thread package.json
Comment on lines +29 to +33
"overrides": {
"serialize-javascript": "7.0.5",
"uuid": "13.0.1",
"js-yaml": "4.2.0"
},
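Review bot: these overrides pin exact versions globally, and the description reports only `npm audit --package-lock-only` reaching 0, with no build or test run. Because js-yaml 3.14.2 → 4.2.0 and uuid 8.3.2 → 13.0.1 are major bumps forced past the caret ranges of their parents (gray-matter and sockjs, per the description), a clean audit does not show that the Docusaurus site still builds; run `npm run build` and record the result in the description before merging. Scoping each pin to the parent that needs it, e.g. `"gray-matter": { "js-yaml": "4.2.0" }`, would also keep the root-level js-yaml (4.1.1 → 4.2.0 via `audit fix`) and any other consumer of these libraries from being retargeted by a global override.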


high

Applying global overrides for major version upgrades (such as js-yaml v3 to v4, and uuid v8 to v13) is highly risky. Major version bumps often introduce breaking changes (for example, js-yaml v4 completely removed safeLoad(), which is heavily used by packages expecting v3 like older versions of gray-matter). Forcing these upgrades globally can cause unexpected runtime crashes in other transitive dependencies that also use these libraries.

To minimize the blast radius and ensure runtime stability, it is highly recommended to scope the overrides to the specific parent packages that require them.

  "overrides": {
    "copy-webpack-plugin": {
      "serialize-javascript": "7.0.5"
    },
    "css-minimizer-webpack-plugin": {
      "serialize-javascript": "7.0.5"
    },
    "gray-matter": {
      "js-yaml": "4.2.0"
    },
    "sockjs": {
      "uuid": "13.0.1"
    }
  },
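Both the PR's "Not remediated" check (every flagged copy reached its fixed version in the lockfile) and the reviewer's suggestion to scope overrides to parent packages can be checked mechanically against `package-lock.json`. The script below is an added example, not code from the PR, the Vuln Ops pipeline or either review bot. It reads the lockfileVersion 3 `packages` map, flags any installed copy still below an advisory's fixed version (nested duplicates such as two copies of ws are checked individually), and lists the parent packages that depend on a library so an overrides block can be scoped to them. The lockfile, findings and package names are constructed sample data modelled on the PR's table, not the real difflabai/protocols lockfile, and the same-major heuristic used to match a finding to an installed copy is an assumption of this example; a real advisory carries its own vulnerable range.

```javascript
// Added example (not part of the PR): audit a package-lock.json against a list
// of advisory findings and derive parent-scoped overrides for forced bumps.
// All data below is constructed sample data, not the real project's lockfile.

// Compare two dotted version strings numerically (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function major(v) {
  return Number(v.split('.')[0]);
}

// Package name from a lockfile "packages" key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? p : p.slice(idx + 'node_modules/'.length);
}

// Return each finding for which at least one installed copy of the package is
// still below the fixed version, together with the offending lockfile paths.
function findUnremediated(lock, findings) {
  const out = [];
  for (const f of findings) {
    const bad = [];
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || nameFromPath(path) !== f.package) continue;
      // Assumption: a copy is in scope for this finding when it sits on the
      // same major line the scanner reported and is still below the fix.
      if (major(entry.version) === major(f.installed) &&
          compareVersions(entry.version, f.fixed) < 0) {
        bad.push(`${path}@${entry.version}`);
      }
    }
    if (bad.length) out.push({ ...f, paths: bad });
  }
  return out;
}

// Parent packages (excluding the root project) that declare a dependency on
// `name`; these are the keys a scoped "overrides" block should use.
function parentsOf(lock, name) {
  const parents = new Set();
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (name in deps) parents.add(nameFromPath(path));
  }
  return [...parents].sort();
}

// Build an overrides object scoped to parents instead of a global pin.
function scopedOverrides(lock, pins) {
  const overrides = {};
  for (const [name, version] of Object.entries(pins)) {
    for (const parent of parentsOf(lock, name)) {
      overrides[parent] = { ...(overrides[parent] || {}), [name]: version };
    }
  }
  return overrides;
}

// Constructed sample lockfile (lockfileVersion 3 layout) after `npm audit fix`
// but before any overrides: both ws copies are fixed, the nested js-yaml and
// uuid copies are not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'site', dependencies: { 'gray-matter': '^4.0.3', ws: '^8.19.0' } },
    'node_modules/ws': { version: '8.21.0' },
    'node_modules/gray-matter': { version: '4.0.3', dependencies: { 'js-yaml': '^3.13.1' } },
    'node_modules/gray-matter/node_modules/js-yaml': { version: '3.14.2' },
    'node_modules/js-yaml': { version: '4.2.0' },
    'node_modules/sockjs': { version: '0.3.24', dependencies: { uuid: '^8.3.2' } },
    'node_modules/sockjs/node_modules/uuid': { version: '8.3.2' },
    'node_modules/old-client': { version: '1.0.0', dependencies: { ws: '^7.5.0' } },
    'node_modules/old-client/node_modules/ws': { version: '7.5.11' },
  },
};

// Constructed findings in the shape of the PR table (installed -> fixed).
const sampleFindings = [
  { package: 'ws', installed: '7.5.10', fixed: '7.5.11', advisory: 'CVE-2026-48779' },
  { package: 'ws', installed: '8.19.0', fixed: '8.21.0', advisory: 'CVE-2026-48779' },
  { package: 'js-yaml', installed: '3.14.2', fixed: '4.2.0', advisory: 'CVE-2026-53550' },
  { package: 'uuid', installed: '8.3.2', fixed: '13.0.1', advisory: 'CVE-2026-41907' },
];

console.log(JSON.stringify(findUnremediated(sampleLock, sampleFindings), null, 2));
console.log(JSON.stringify(scopedOverrides(sampleLock, { 'js-yaml': '4.2.0', uuid: '13.0.1' }), null, 2));
```

Run with `node` against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))` and `sampleFindings` with the scanner's rows; an empty result from `findUnremediated` is the lockfile-level equivalent of the PR's "None" under "Not remediated", and `scopedOverrides` produces the per-parent block the reviewer asked for. Neither replaces a build of the site, which is what actually exercises a forced major bump at runtime.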
