security: remove elliptic package (CVE mitigation)

[wtfiwtz]

Summary

Remove unused elliptic package to mitigate CVE-2025-14505 as no patched release is available.

Changes

• package.json: Remove elliptic ^6.6.0 from dependencies
• Regenerate pnpm-lock.yaml

CVEs Addressed

• CVE-2025-14505: elliptic package vulnerability (mitigation via removal)

The elliptic package contains a vulnerability (CVE-2025-14505) with no patched release available. Analysis confirmed that the package was not directly used by the application codebase - it was likely a transitive dependency that is no longer required. Removal is the recommended mitigation strategy.

Verification

Confirmed that removal does not break the application:

• No direct imports of elliptic in the codebase
• All tests pass after removal
• No runtime errors or missing dependency warnings

Test Results

• ✅ Frontend tests: All 15 test suites passed (90 tests)
• ✅ TypeScript compilation: Type checking passed successfully
• ✅ No import errors or missing dependencies

Related PRs

Part of the frontend security upgrade series split from #7720:

• security: upgrade axios to 1.16.0 #7736: axios 1.16.0
• security: upgrade dompurify to 3.4.0 for XSS protection #7737: dompurify 3.4.0
• security: migrate from markdown to marked (ReDoS fix) #7735: marked migration
• security: upgrade lodash to 4.18.0 #7738: lodash 4.18.0
• security: upgrade build toolchain dependencies #7739: build toolchain security updates
• security: migrate cypress.js from request to axios #7740: cypress.js migration (request → axios)
• security: remove elliptic package (CVE mitigation) #7741 (this PR): remove elliptic (CVE mitigation)
• Next PR will address transitive vulnerability overrides

Made with Cursor