
chore(deps): patch 30 high-severity Dependabot CVEs #988

Merged: sdreyer merged 1 commit into main from sterling/amazing-bouman-fe8958 on May 30, 2026

Conversation

sdreyer (Collaborator) commented May 30, 2026

Summary

Closes 30 open Dependabot alerts across 15 packages via pnpm.overrides (and one direct devDep bump for @anthropic-ai/sdk). pnpm build is clean and all 601 Vitest tests pass.

Patched packages

| Package | Now resolved to | Cleared alerts |
|---|---|---|
| @xmldom/xmldom | 0.9.10 | 115, 137, 138, 139, 140 |
| lodash-es | 4.18.1 | 74, 116, 117 |
| vite | 7.3.3 | 122, 123, 124 |
| picomatch | 2.3.2 + 4.0.4 | 113, 114 |
| immutable | 3.8.3 | 97 |
| rollup | 4.60.4 (already patched in-tree) | 89 |
| axios | 1.16.1 | 188 |
| protobufjs | 7.6.2 | 187 |
| uuid | 11.1.1 | 186 |
| qs | 6.15.2 | 185 |
| brace-expansion | 5.0.6 | 184 |
| mermaid | 11.15.0 | 146, 147, 148, 149 |
| @anthropic-ai/sdk | 0.91.1 (direct devDep bump) | 143, 144 |
| postcss | 8.5.10 (unified; vulnerable 8.4.31 transitive removed) | 142 |
| follow-redirects | 1.16.0 | 129 |

Notes for reviewers

  • Why vite is now a direct devDependency, not just an override. It comes in as an auto-installed peer of vitest, and pnpm overrides don't reach that resolution path cleanly. Pinning it explicitly fixes the resolution.
  • Targeted @major overrides. picomatch@2 and brace-expansion@5 use major-scoped overrides so the patch only applies to the vulnerable line and leaves the parallel non-vulnerable majors untouched (picomatch@4.0.4 is already patched and stays put).
  • protobufjs. Existing override was a hard pin at 7.5.6; bumped to a range >=7.5.8 <8 (resolved to 7.6.2) to clear CVE-2026-45740 while staying on the 7.x line.

Not fixed in this PR — 14 next alerts

126, 127, 150-175. Every patched version is in the Next.js 16.2.x line, which currently breaks Nextra 4.6.1's build with "attempting to export metadata from a component marked with use client" on every MDX page. Tracked upstream at shuding/nextra#5003 — no released Nextra version supports 16.2.x yet. Practical risk on this static docs site is low (no Server Actions; the DoS and similar Next 16.2 fixes target App Router server endpoints we don't use). Recommend dismissing those alerts as "No fix available" until Nextra ships 16.2 support, then revisiting.

Test plan

  • pnpm install — clean, lockfile updated, all overrides honored
  • pnpm build — production build succeeds
  • pnpm test — 51/51 files, 601/601 tests pass
  • CI green
  • Manual spot-check that math rendering still works (touches @xmldom/xmldom via speech-rule-engine) and Mermaid diagrams render (touches mermaid)

🤖 Generated with Claude Code


Note (Medium Risk)
Large transitive dependency churn (Mermaid, XML, HTTP clients) can affect docs rendering and tests; no application logic changes, but manual checks on Mermaid and math/XML paths are warranted.

Overview
This PR addresses 30 high-severity Dependabot alerts by tightening the dependency graph in package.json and refreshing pnpm-lock.yaml.

pnpm.overrides now force patched minimum versions for transitive packages including @xmldom/xmldom, lodash-es, axios, protobufjs (range >=7.5.8 <8 instead of a hard pin), immutable, uuid, qs, mermaid, postcss, follow-redirects, and major-scoped fixes for picomatch@2 and brace-expansion@5. @anthropic-ai/sdk is bumped directly to 0.91.1.

vite@7.3.3 is added as an explicit devDependency so Vitest’s peer resolution picks up the patched build toolchain (overrides alone were insufficient). The lockfile reflects cascading upgrades (e.g. esbuild, rollup, mermaid parser stack, removal of vulnerable postcss@8.4.31 from Next’s tree).

Next.js CVEs called out in the PR description are intentionally not upgraded here (blocked on Nextra 4.6.1 vs Next 16.2.x).

Reviewed by Cursor Bugbot for commit 3bafc50.

Fixes 30 open Dependabot alerts across 15 packages via pnpm overrides
and one direct devDependency bump. Build and all 601 Vitest tests pass.

Packages patched (with cleared alert numbers):
- @xmldom/xmldom 0.9.10  (115, 137, 138, 139, 140)
- lodash-es 4.18.1       (74, 116, 117)
- vite 7.3.3             (122, 123, 124)
- picomatch 2.3.2+4.0.4  (113, 114)
- immutable 3.8.3        (97)
- rollup 4.60.4          (89, already patched in-tree)
- axios 1.16.1           (188)
- protobufjs 7.6.2       (187)
- uuid 11.1.1            (186)
- qs 6.15.2              (185)
- brace-expansion 5.0.6  (184)
- mermaid 11.15.0        (146, 147, 148, 149)
- @anthropic-ai/sdk 0.91.1 (143, 144)
- postcss 8.5.10 unified (142)
- follow-redirects 1.16.0 (129)

Vite is added as an explicit devDependency since pnpm.overrides does
not reach vitest's auto-installed peer dep. Picomatch and
brace-expansion use targeted "@major" overrides to leave non-vulnerable
parallel majors untouched.

Not fixed: 14 `next` alerts (126, 127, 150-175). All require Next
>= 16.2.3, which currently breaks the Nextra 4.6.1 MDX build with
"attempting to export metadata from a component marked with use client"
on every page. Tracked upstream at shuding/nextra#5003. Practical risk
is low on this static docs site (no Server Actions). Recommend
dismissing as "No fix available" until Nextra ships 16.2 support.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
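Added example covering the override notes in the PR description and in the commit message above; it is my own code, not pnpm's and not part of this PR. It audits a set of pnpm-style overrides against resolved package versions, so a major-scoped key such as picomatch@2 leaves picomatch@4.0.4 alone while a lingering copy below a patched minimum (constructed here as @xmldom/xmldom 0.8.10) is reported. Matching a major-scoped key on the resolved version's major, and supporting only the ">=x.y.z <M" comparator form used in this PR, are assumptions, not pnpm's exact rules.

```javascript
// Added example, not pnpm's code and not from this PR: audit pnpm-style overrides
// against resolved package versions. Assumed simplification: "picomatch@2" applies to
// resolved copies whose major is 2; ranges use the ">=7.5.8 <8" comparator form only.
const overrides = {                       // constructed, modelled on the PR's override table
  "protobufjs": ">=7.5.8 <8",
  "picomatch@2": ">=2.3.2",
  "brace-expansion@5": ">=5.0.6",
  "@xmldom/xmldom": ">=0.9.10",
};
const resolved = [                        // constructed, as a lockfile walk would list them
  { name: "protobufjs", version: "7.6.2" },
  { name: "picomatch", version: "2.3.2" },
  { name: "picomatch", version: "4.0.4" },        // parallel major, outside picomatch@2
  { name: "brace-expansion", version: "1.1.11" }, // parallel major, outside brace-expansion@5
  { name: "@xmldom/xmldom", version: "0.8.10" },  // leftover copy below the patched minimum
];
// "7.6.2" -> [7, 6, 2]; a prerelease suffix is dropped. Missing parts compare as 0.
const parseVersion = (v) => v.split("-")[0].split(".").map(Number);
function cmpVersions(a, b) {
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  return 0;
}
// True when every space-separated comparator holds ("<8" means "<8.0.0").
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})$/.exec(c);
    if (!m) throw new Error("unsupported comparator: " + c);
    const d = cmpVersions(v, parseVersion(m[2])), op = m[1] || "=";
    return op === ">=" ? d >= 0 : op === "<=" ? d <= 0 : op === ">" ? d > 0 : op === "<" ? d < 0 : d === 0;
  });
}
// "picomatch@2" -> { name: "picomatch", major: 2 }; a leading "@" is a scope, not a selector.
function splitKey(key) {
  const at = key.lastIndexOf("@");
  return at > 0 ? { name: key.slice(0, at), major: Number(key.slice(at + 1)) } : { name: key, major: null };
}
// One finding per resolved copy that an override covers but that is still below its range.
function findUnpatched(overrides, resolved) {
  const findings = [];
  for (const [key, range] of Object.entries(overrides)) {
    const { name, major } = splitKey(key);
    for (const r of resolved) {
      if (r.name !== name || (major !== null && parseVersion(r.version)[0] !== major)) continue;
      if (!satisfies(r.version, range)) findings.push(`${key}: ${r.name}@${r.version} does not satisfy ${range}`);
    }
  }
  return findings;
}
```

Running `findUnpatched(overrides, resolved)` on the constructed input reports only the @xmldom/xmldom 0.8.10 copy; the out-of-scope picomatch 4.0.4 and brace-expansion 1.1.11 entries are skipped, which is the point of the major-scoped keys.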
vercel (Bot) commented May 30, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| docs | Ready | Preview, Comment | May 30, 2026 11:12pm |


@sdreyer sdreyer requested review from sdserranog and teallarson May 30, 2026 23:10
@sdreyer sdreyer marked this pull request as ready for review May 30, 2026 23:15
sdserranog (Contributor) left a comment


LGTM!

@sdreyer sdreyer merged commit 432a5a4 into main May 30, 2026
6 checks passed