chore: resolve Dependabot security alerts

[karlwaldman]

Resolves all 10 open Dependabot alerts (1 critical, 4 high, 5 moderate) in the Node SDK.

Summary

Every vulnerable package is a development or transitive dependency. The only production dependency, ws, is unaffected. All fixes were applied via npm audit fix (non---force) and land entirely in package-lock.json — package.json is unchanged, so there is zero risk of a breaking change to the published SDK API.

Alerts addressed

Package	Severity	Scope	Vulnerable range	Patched	GHSA	Action
vitest	critical	dev (direct)	>=4.0.0 <4.1.0	4.1.0	GHSA-5xrq-8626-4rwp	Bumped (lockfile → 4.1.9)
vite	high	dev (transitive)	>=7.0.0 <=7.3.4	7.3.5	GHSA-fx2h-pf6j-xcff	Bumped (lockfile → 8.0.16)
vite	high	dev (transitive)	>=7.1.0 <=7.3.1	7.3.2	GHSA-v2wj-q39q-566r	Bumped (lockfile → 8.0.16)
vite	high	dev (transitive)	>=7.0.0 <=7.3.1	7.3.2	GHSA-p9ff-h696-f583	Bumped (lockfile → 8.0.16)
rollup	high	dev (transitive)	>=4.0.0 <4.59.0	4.59.0	GHSA-mw96-cpmx-2vgc	Bumped (lockfile)
vite (launch-editor)	moderate	dev (transitive)	>=7.0.0 <=7.3.4	7.3.5	GHSA-v6wh-96g9-6wx3	Bumped (lockfile → 8.0.16)
js-yaml	moderate	dev (transitive)	<=4.1.1	4.2.0	GHSA-h67p-54hq-rp68	Bumped (lockfile → 4.2.0)
postcss	moderate	dev (transitive)	<8.5.10	8.5.10	GHSA-qx2v-qp2m-jg93	Bumped (lockfile → 8.5.15)
vite	moderate	dev (transitive)	>=7.0.0 <=7.3.1	7.3.2	GHSA-4w7w-66w2-5vf9	Bumped (lockfile → 8.0.16)
picomatch	moderate	dev (transitive)	>=4.0.0 <4.0.4	4.0.4	GHSA-3v7f-55p6-f55p	Bumped (lockfile → 4.0.4)

(picomatch also carried a second ReDoS advisory, GHSA-c2c7-rcm5-vvqj, resolved by the same 4.0.4 bump. brace-expansion was bumped to 5.0.6 as part of the transitive update.)

Deferred for human review: none. No major-version bump of a direct dependency was required — vitest ^4.0.16 already permitted the patched 4.1.x line, and all other bumps were transitive.

Verification gate (all green)

• npx tsc --noEmit — clean
• npm test — 400 passed, 1 skipped (26 files)
• npm run build — clean (ESM + CJS)
• npm run lint — 0 errors (12 pre-existing no-explicit-any warnings, unrelated)

Final npm audit

found 0 vulnerabilities

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: de804f0b-10a3-480f-ad79-c7cf4933aa02

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/security-deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}