
fix(deps): reduce npm vulnerabilities via overrides #771

Merged
ErikBjare merged 1 commit into ActivityWatch:master from TimeToBuildBob:bob/fix-vulnerable-deps on Feb 27, 2026

Conversation

@TimeToBuildBob (Contributor) commented Feb 27, 2026

Summary

  • Add npm overrides to resolve transitive dependency vulnerabilities
  • Reduces total vulnerabilities from 37 to 32 (14% reduction)
  • All remaining vulnerabilities are rooted in the Vue 2 ecosystem and cannot be fixed without a Vue 3 migration

Changes

Added npm overrides for:

Remaining vulnerabilities (Vue 2 ecosystem)

These 32 vulnerabilities all trace back to Vue 2 (EOL) and its ecosystem:

  • vue@2.7.16 — ReDoS in parseHTML
  • vue-template-compiler — XSS vulnerability
  • postcss — via @vue/component-compiler-utils
  • d3-color — via vue-d3-sunburst (no fix available)
  • cross-spawn — via yorkie (unmaintained git hook manager)
  • html-minifier — via html-loader@0.5.5

These can only be resolved as part of a Vue 3 migration.

Follows up on #762 which fixed qs and babel vulnerabilities.

Refs: #581

Test plan

  • npm run build — passes
  • npm test — 34 tests pass, 9 suites
  • npm audit — 32 vulnerabilities (down from 37)

Important

Add npm overrides in package.json to reduce vulnerabilities from 37 to 32, with the remaining issues tied to the Vue 2 ecosystem.

  • Dependencies:
    • Add npm overrides in package.json for minimatch in editorconfig and filelist, and webpack-dev-server.
    • Reduces vulnerabilities from 37 to 32 (14% reduction).
  • Remaining Vulnerabilities:
    • 32 vulnerabilities remain, tied to the Vue 2 ecosystem and requiring a Vue 3 migration.

This description was created by Ellipsis for 0eb70c6.

Add npm overrides for transitive dependencies with known vulnerabilities:
- minimatch: override editorconfig's minimatch@9.0.1 to ^9.0.7 (ReDoS fix)
- minimatch: override filelist's minimatch to ^5.1.8 (ReDoS fix)
- webpack-dev-server: override to ^5.2.1 (source code theft fix)

This reduces vulnerabilities from 37 to 32 (14% reduction).
The remaining 32 are all rooted in the Vue 2 ecosystem (vue, vue-template-compiler,
postcss, d3-color via vue-d3-sunburst, cross-spawn via yorkie, html-minifier via
html-loader) and cannot be resolved without a Vue 3 migration.

Build and all 34 tests verified passing.

Refs: ActivityWatch#581
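The overrides above are easy to get subtly wrong: a nested key such as `"editorconfig": {"minimatch": "^9.0.7"}` governs only the copies of minimatch reachable from editorconfig, a hoisted copy used by someone else is untouched, and an override keyed on a name that never occurs in the tree does nothing and npm does not warn. The checker below is an added example, not code from this PR or from ActivityWatch. It takes a package.json override map and a lockfileVersion 3 package-lock.json, walks the lockfile with Node-style resolution, and reports every installed copy each rule governs together with whether that copy's version satisfies the override range. Both documents are constructed samples shaped like the PR's change (the filelist case is deliberately left resolving to a hoisted copy that is too old), and only exact pins and caret ranges are parsed; real ranges should go through the `semver` package.

```javascript
// Added example: verify that package.json "overrides" took effect in a
// lockfileVersion 3 package-lock.json. Not the PR's or ActivityWatch's code;
// both documents below are constructed samples.

// Constructed package.json fragment, same shape as the PR's overrides:
// a nested key scopes the rule to one dependent, a flat key applies tree-wide.
const pkg = {
  overrides: {
    editorconfig: { minimatch: "^9.0.7" },
    filelist: { minimatch: "^5.1.8" },
    "webpack-dev-server": "^5.2.1",
  },
};

// Constructed lockfile excerpt. Keys are install paths; "" is the project root.
// filelist -> minimatch resolves to a hoisted 5.1.2, which violates ^5.1.8.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { editorconfig: "^0.15.3", jake: "^10.8.5" },
          devDependencies: { "@vue/cli-service": "~5.0.8" } },
    "node_modules/editorconfig": { version: "0.15.3", dependencies: { minimatch: "9.0.1" } },
    "node_modules/editorconfig/node_modules/minimatch": { version: "9.0.7" },
    "node_modules/jake": { version: "10.8.5", dependencies: { filelist: "^1.0.4" } },
    "node_modules/filelist": { version: "1.0.4", dependencies: { minimatch: "^5.0.1" } },
    "node_modules/minimatch": { version: "5.1.2" },
    "node_modules/@vue/cli-service": { version: "5.0.8", dependencies: { "webpack-dev-server": "^4.7.3" } },
    "node_modules/webpack-dev-server": { version: "5.2.1" },
  },
};

// Package name of an install path (scoped names such as @vue/cli-service included).
function nameOf(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Node-style resolution inside the lockfile: the dependent's own node_modules,
// then each ancestor's, up to the root.
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// All install paths reachable from any copy of scopeName via "dependencies";
// a nested override applies to exactly this subtree.
function reachableFrom(packages, scopeName) {
  const seen = new Set();
  const stack = Object.keys(packages).filter((p) => p && nameOf(p) === scopeName);
  while (stack.length) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    for (const dep of Object.keys(packages[p].dependencies || {})) {
      const target = resolveDep(packages, p, dep);
      if (target) stack.push(target);
    }
  }
  return [...seen];
}

// Minimal semver: exact pins and caret ranges only (prerelease tags ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith("^")) {
    const lo = parseVersion(range.slice(1));
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : [0, lo[1] + 1, 0]; // 0.x caret stays in the minor
    return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
  }
  return compareVersions(v, parseVersion(range)) === 0;
}

// Expand the override map into rules and check every copy each rule governs.
// A rule that governs no installed copy is reported as a failure (likely a typo).
function checkOverrides(packages, overrides) {
  const findings = [];
  for (const [key, value] of Object.entries(overrides)) {
    const rules = typeof value === "string"
      ? [{ scope: null, name: key, range: value }]
      : Object.entries(value).map(([name, range]) => ({ scope: key, name, range }));
    for (const rule of rules) {
      const candidates = rule.scope ? reachableFrom(packages, rule.scope) : Object.keys(packages);
      let matched = 0;
      for (const p of candidates) {
        if (!p || nameOf(p) !== rule.name) continue;
        matched++;
        const version = packages[p].version;
        findings.push({ rule, path: p, version, ok: satisfies(version, rule.range) });
      }
      if (matched === 0) findings.push({ rule, path: null, version: null, ok: false });
    }
  }
  return findings;
}

function verify() {
  return checkOverrides(lock.packages, pkg.overrides);
}

for (const f of verify()) {
  const where = f.rule.scope ? `${f.rule.scope} > ${f.rule.name}` : f.rule.name;
  console.log(`${f.ok ? "ok  " : "FAIL"} ${where} ${f.rule.range}: ${f.path ?? "no match"} ${f.version ?? ""}`);
}
```

Run it after `npm ci` (for instance as a CI step reading the real files with `JSON.parse(fs.readFileSync(...))` in place of the inline samples) so a stale lockfile or a mistyped override key fails the build instead of silently leaving the old version installed. Note that npm rejects an override for a package the project depends on directly unless the override and the dependency declare the same spec; the webpack-dev-server rule in the sample works only because it is transitive via @vue/cli-service.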

@ellipsis-dev ellipsis-dev bot left a comment


Important

Looks good to me! 👍

Reviewed everything up to 0eb70c6 in 7 seconds. Click for details.
  • Reviewed 19 lines of code in 1 file
  • Skipped 1 file when reviewing.
  • Skipped posting 0 draft comments. View those below.

Workflow ID: wflow_PPOyVmH8BEjdccrX


@codecov bot commented Feb 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 25.71%. Comparing base (1c7802b) to head (0eb70c6).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #771   +/-   ##
=======================================
  Coverage   25.71%   25.71%           
=======================================
  Files          30       30           
  Lines        1750     1750           
  Branches      320      307   -13     
=======================================
  Hits          450      450           
- Misses       1234     1278   +44     
+ Partials       66       22   -44     


@greptile-apps (Contributor) bot commented Feb 27, 2026

Greptile Summary

This PR adds npm dependency overrides to address security vulnerabilities in transitive dependencies, reducing the total count from 37 to 32 (a 14% reduction).

Changes made:

  • Overrides minimatch to ^9.0.7 for editorconfig - fixes ReDoS vulnerabilities
  • Overrides minimatch to ^5.1.8 for filelist - fixes ReDoS vulnerabilities
  • Overrides webpack-dev-server to ^5.2.1 - fixes source code theft vulnerabilities

Key points:

  • webpack-dev-server upgrade from 4.x to 5.x is a major version change, but the existing devServer configuration in vue.config.js is compatible
  • CI uses Node.js 20, which meets webpack-dev-server 5.x's requirement of >= 18.12.0
  • Tests and build pass according to the PR description
  • Remaining 32 vulnerabilities are tied to the Vue 2 ecosystem and cannot be resolved without migrating to Vue 3

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes are straightforward dependency overrides to fix known vulnerabilities. The webpack-dev-server configuration is compatible with version 5.x, CI uses a compatible Node.js version (20), and tests pass. No code logic changes.
  • No files require special attention

Important Files Changed

  • package.json: Adds npm overrides for minimatch (via editorconfig and filelist) and webpack-dev-server to fix security vulnerabilities
  • package-lock.json: Updates the dependency tree to reflect the npm overrides, resolving transitive dependencies to patched versions

Last reviewed commit: 0eb70c6
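The statement repeated in the PR description and in the Greptile summary, that every leftover finding traces back to Vue 2, can be checked from `npm audit --json` instead of by reading the text report. The script below is an added example, not part of the PR or of ActivityWatch: it reads an auditReportVersion 2 report, pulls the advisory objects out of each entry's `via` list, follows `effects` edges (the dependents) up to the direct dependencies they reach, and splits the advisories into those whose roots all belong to a caller-supplied set of ecosystem packages and those that can be fixed on their own. The report is a constructed sample using this PR's package names; its titles, ranges and fix data are illustrative, not the real advisories, and the Vue 2 root list is an assumption made for the sample.

```javascript
// Added example: attribute advisories in an `npm audit --json` report
// (auditReportVersion 2) to the direct dependencies they reach. Not code from
// the PR or from ActivityWatch; the report is a constructed sample.

const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    // Advisory objects sit in "via"; a string entry in "via" is an edge to the
    // vulnerable dependency. "effects" lists the packages that depend on this one.
    vue: {
      name: "vue", isDirect: true, effects: [], fixAvailable: false,
      via: [{ name: "vue", title: "ReDoS in parseHTML (constructed)", range: "<=2.7.16" }],
    },
    "vue-template-compiler": {
      name: "vue-template-compiler", isDirect: true, effects: [], fixAvailable: false,
      via: [{ name: "vue-template-compiler", title: "XSS (constructed)", range: "<=2.7.16" }],
    },
    "d3-color": {
      name: "d3-color", isDirect: false, effects: ["vue-d3-sunburst"], fixAvailable: false,
      via: [{ name: "d3-color", title: "d3-color advisory (constructed)", range: "<3.1.0" }],
    },
    "vue-d3-sunburst": {
      name: "vue-d3-sunburst", isDirect: true, effects: [], fixAvailable: false, via: ["d3-color"],
    },
    minimatch: {
      name: "minimatch", isDirect: false, effects: ["editorconfig"],
      fixAvailable: { name: "minimatch", version: "9.0.7", isSemVerMajor: false },
      via: [{ name: "minimatch", title: "minimatch ReDoS (constructed)", range: "<9.0.7" }],
    },
    editorconfig: {
      name: "editorconfig", isDirect: true, effects: [], fixAvailable: true, via: ["minimatch"],
    },
  },
};

// Advisory objects only; string "via" entries are edges, not findings.
function advisories(vulns) {
  const out = [];
  for (const [pkgName, v] of Object.entries(vulns)) {
    for (const via of v.via) {
      if (typeof via === "object") {
        out.push({ package: pkgName, title: via.title, range: via.range, fixAvailable: v.fixAvailable });
      }
    }
  }
  return out;
}

// Follow "effects" upward until a direct dependency (or a package with no
// dependents). Cycles are cut per path, so a diamond still reports every root.
function rootsOf(vulns, pkgName, path = new Set()) {
  if (path.has(pkgName)) return [];
  const v = vulns[pkgName];
  if (!v || v.isDirect || v.effects.length === 0) return [pkgName];
  const next = new Set(path).add(pkgName);
  return [...new Set(v.effects.flatMap((dep) => rootsOf(vulns, dep, next)))];
}

// Split advisories by whether every root lies inside the named ecosystem.
function triage(vulns, ecosystemRoots) {
  const eco = new Set(ecosystemRoots);
  const blockedByEcosystem = [];
  const actionable = [];
  for (const adv of advisories(vulns)) {
    const roots = rootsOf(vulns, adv.package);
    (roots.every((r) => eco.has(r)) ? blockedByEcosystem : actionable).push({ ...adv, roots });
  }
  return { blockedByEcosystem, actionable };
}

// Assumed Vue 2 ecosystem roots for the sample, taken from the names the PR lists.
const VUE2_ROOTS = ["vue", "vue-template-compiler", "vue-d3-sunburst", "yorkie", "html-loader"];

const result = triage(report.vulnerabilities, VUE2_ROOTS);
for (const [bucket, entries] of Object.entries(result)) {
  console.log(bucket);
  for (const e of entries) {
    const fix = e.fixAvailable === false ? "no fix"
      : typeof e.fixAvailable === "object" ? `fix: ${e.fixAvailable.name}@${e.fixAvailable.version}`
      : "fix available";
    console.log(`  ${e.package} <- ${e.roots.join(", ")}: ${e.title} [${fix}]`);
  }
}
```

On the sample this yields one actionable advisory (minimatch, rooted at editorconfig, which is what the PR's override addressed) and three blocked by Vue 2 roots; running it on real `npm audit --json` output before and after a change like this one gives the same split the description states by hand, and `fixAvailable.isSemVerMajor` flags the cases, such as webpack-dev-server 4 to 5, where the fix is a major bump that needs a compatibility check.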

@greptile-apps greptile-apps bot left a comment


2 files reviewed, no comments


@ErikBjare ErikBjare merged commit 1db85aa into ActivityWatch:master Feb 27, 2026
8 checks passed