fix(deps): resolve open critical/high Dependabot alerts #5

Open

rutvikchandla3 wants to merge 1 commit into master from fix/dependabot-critical-high-vulns
Conversation

@rutvikchandla3 commented Jun 10, 2026


Summary

Resolves all open critical and high severity Dependabot alerts on this repo — 2 critical + 8 high as Dependabot counts them (one alert record per manifest / per vulnerable version range). All affected packages are dev-scope only; the dependencies shipped with the published extension are unchanged.

The only directly-declared dependency flagged was vitest; everything else is transitive and was cleared by refreshing the lockfile (npm audit fix, non-breaking) plus one overrides pin.

Note on counts: "2 critical, 8 high" is Dependabot's per-record count. Grouped by package it's 1 critical advisory (vitest) + 6 high packages — vitest is flagged in 2 manifests (→ 2 critical records) and minimatch has 3 separate vulnerable version ranges (→ 3 of the 8 high records). They reconcile exactly.

Changes

package.json

  • vitest 3.0.8 → 3.2.6 and @vitest/browser 3.0.8 → 3.2.6 (stays within the 3.x major — no breaking jump)
  • Added `overrides: { "serialize-javascript": "7.0.5" }` (mocha/@vscode/test-cli pin it to a vulnerable range, so npm audit reports "no fix available" without forcing it)

package-lock.json — transitive dev deps refreshed to patched versions.

Alerts addressed (all 10 records: 2 critical + 8 high)

| # | Severity | Package | Manifest | Vulnerable range | Now | Advisory |
|---|----------|---------|----------|------------------|-----|----------|
| 38 | Critical | vitest | package.json | < 3.2.6 | 3.2.6 | GHSA-5xrq-8626-4rwp |
| 39 | Critical | vitest | package-lock.json | < 3.2.6 | 3.2.6 | GHSA-5xrq-8626-4rwp |
| 27 | High | vite | package-lock.json | 6.0.0 – 6.4.1 | 7.3.5 | GHSA-p9ff-h696-f583 |
| 14 | High | rollup | package-lock.json | < 4.59.0 | 4.61.1 | GHSA-mw96-cpmx-2vgc |
| 30 | High | lodash | package-lock.json | ≤ 4.17.23 | 4.18.1 | GHSA-r5fr-rjxr-66jc |
| 20 | High | minimatch | package-lock.json | < 3.1.3 | 3.1.5 | GHSA-7r86-cg39-jmmj |
| 15 | High | minimatch | package-lock.json | 5.0.0 – 5.1.7 | 5.1.9 | GHSA-7r86-cg39-jmmj |
| 18 | High | minimatch | package-lock.json | 9.0.0 – 9.0.6 | 9.0.9 | GHSA-7r86-cg39-jmmj |
| 4 | High | glob | package-lock.json | 10.2.0 – 10.4.x | 10.5.0 | GHSA-5j98-mcp5-4vw2 |
| 21 | High | serialize-javascript | package-lock.json | ≤ 7.0.2 | 7.0.5 (override) | GHSA-5c6j-r48x-rmvq |

Every copy of each package in the tree was checked (e.g. minimatch resolves to 3.1.5 / 5.1.9 / 9.0.9 across three majors — all above their respective patch lines; the remaining glob@7.1.6/glob@8.1.0 are outside the vulnerable 10.x range).

Verification

  • npm run compile (TypeScript build) passes.
  • npm audit afterwards: 0 critical, 0 high — only 3 low-severity advisories remain (the jsdom@16 → http-proxy-agent → @tootallnate/once chain), which require a breaking jsdom@29 bump and are out of scope for this critical/high fix.
  • npm run testFe could not be exercised in this environment due to a pre-existing esbuild sandbox issue (fails identically on the unmodified base branch), so it is not a regression from this change.

🤖 Generated with Claude Code

Bumps the only direct dev dependency flagged (vitest) to its patched
release and refreshes transitive dev dependencies in the lockfile to
clear all open critical and high severity Dependabot alerts.

Critical:
- vitest 3.0.8 -> 3.2.6 (GHSA-5xrq-8626-4rwp: arbitrary file
  read/exec via Vitest UI server). @vitest/browser bumped to match.

High (transitive, resolved via lockfile refresh):
- vite        -> 7.3.5   (GHSA-p9ff-h696-f583)
- rollup      -> 4.61.1  (GHSA-mw96-cpmx-2vgc)
- lodash      -> 4.18.1  (GHSA-r5fr-rjxr-66jc)
- minimatch   -> 3.1.5 / 5.1.9 / 9.0.9 (GHSA-7r86-cg39-jmmj)
- glob        -> 10.5.0  (GHSA-5j98-mcp5-4vw2)

serialize-javascript is pinned to a vulnerable range by mocha
(GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v), so it is forced to 7.0.5
via an npm "overrides" entry.

All changes are dev-scope only; the shipped extension dependencies are
unchanged. `npm run compile` passes; remaining 3 low-severity advisories
(jsdom@16 chain) require a breaking jsdom@29 bump and are out of scope.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread package.json
"dayjs": "1.11.13"
},
"overrides": {
"serialize-javascript": "7.0.5"
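Review bot: the override is an exact `"7.0.5"` pin, so a later 7.x security release of serialize-javascript will not be picked up by a lockfile refresh until this entry is edited again; consider `"^7.0.5"`, which still forces the cross-major jump that mocha's `^6.0.2` range blocks while letting patch releases flow, and since package.json cannot carry a comment, record the removal condition (drop the entry once mocha declares ^7 itself) in the repo docs or a tracking issue so the pin is not forgotten.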

Author


Why an overrides pin instead of just bumping mocha?

serialize-javascript is a transitive dep, reached only through mocha:

@vscode/test-cli@0.0.10 → mocha@10.8.2 → serialize-javascript
mocha@11.0.1            → serialize-javascript

Upgrading mocha does not fix it — every mocha release, including the latest (11.7.6), pins serialize-javascript@^6.0.2:

mocha@10.8.2  -> ^6.0.2
mocha@11.0.1  -> ^6.0.2
mocha@11.7.6  -> ^6.0.2   (latest)

But the advisories (GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v) are patched only in 7.x (7.0.3 / 7.0.5) — there is no fixed 6.x. mocha's ^6.0.2 range excludes that major, so normal semver resolution has nothing safe to pick. That's exactly why npm audit fix reports "No fix available" and Dependabot can't auto-resolve it.

overrides is npm's escape hatch for this case: it force-pins serialize-javascript to 7.0.5 everywhere in the tree, overriding mocha's ^6.

Trade-off / risk: this is a forced cross-major (6→7) bump on a dep mocha declared as ^6. It's acceptable here because (a) it's dev/test-scope only, (b) the serialize(obj, options) API is unchanged between 6 and 7 (the major was mostly dropping old Node support), and mocha only uses it to serialize data for parallel test workers. Caveat: the pin is sticky — if mocha later moves its range to ^7 natively, remove this entry so it doesn't silently mask a future advisory.
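The two checks this PR describes in prose, "every copy of each package in the tree was checked" and the sticky-pin caveat above, as an added example that is not the PR's or the project's code: a Node script over a constructed package-lock fragment. It assumes the lockfile v2/v3 `packages` layout, plain x.y.z versions, and parses only `^x.y.z` and exact dependency ranges (anything else is conservatively treated as not satisfying the pin).

```javascript
// Added example (not the PR's or project's code): check every installed copy in a
// package-lock v2/v3 "packages" map against vulnerable ranges; flag stale overrides.
// Numeric compare of plain "x.y.z" versions (assumption: no prerelease tags).
const cmp = (a, b) => {
  const [pa, pb] = [a, b].map(v => v.split('.').map(Number));
  const i = pa.findIndex((n, j) => n !== pb[j]);
  return i < 0 ? 0 : pa[i] - pb[i];
};
// A vulnerable range is [lowInclusive | null, high, highInclusive].
const inRange = (v, [lo, hi, hiIncl]) =>
  (!lo || cmp(v, lo) >= 0) && (hiIncl ? cmp(v, hi) <= 0 : cmp(v, hi) < 0);
// The segment after the last "node_modules/" is the package name (scopes kept).
const nameOf = path => path.split('node_modules/').pop();
// Every installed copy whose version lies in a vulnerable range, with its path.
function findVulnerable(lock, vuln) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (!path || !meta.version) continue; // "" is the root project entry
    const hit = (vuln[nameOf(path)] || []).find(r => inRange(meta.version, r));
    if (hit) hits.push({ path, version: meta.version, range: hit });
  }
  return hits;
}
// Does a dependant's declared range accept v on its own? Only "^x.y.z" and exact
// versions are parsed; any other syntax conservatively returns false.
function rangeAllows(range, v) {
  if (/^\d+\.\d+\.\d+$/.test(range)) return cmp(range, v) === 0;
  const m = /^\^(\d+\.\d+\.\d+)$/.exec(range);
  return !!m && cmp(v, m[1]) >= 0 && v.split('.')[0] === m[1].split('.')[0];
}
// An override is stale once every dependant's own range accepts the pinned version
// (or nothing depends on it): from then on it only masks new advisories.
function staleOverrides(lock, overrides) {
  return Object.entries(overrides).filter(([name, pinned]) =>
    Object.values(lock.packages).every(meta => {
      const declared = { ...meta.dependencies, ...meta.devDependencies }[name];
      return declared === undefined || rangeAllows(declared, pinned);
    })).map(([name]) => name);
}
// Constructed sample lockfile: minimatch across three majors (one nested copy still
// in range) and mocha declaring serialize-javascript@^6.0.2, as in the PR.
const LOCK = { lockfileVersion: 3, packages: {
  'node_modules/minimatch': { version: '3.1.5' },
  'node_modules/glob/node_modules/minimatch': { version: '9.0.9' },
  'node_modules/old-tool/node_modules/minimatch': { version: '5.1.7' },
  'node_modules/mocha': { version: '10.8.2', dependencies: { 'serialize-javascript': '^6.0.2' } },
  'node_modules/serialize-javascript': { version: '7.0.5' },
} };
// Vulnerable ranges as listed in the PR's alert table; override as in package.json.
const VULN = { minimatch: [[null, '3.1.3', false], ['5.0.0', '5.1.7', true], ['9.0.0', '9.0.6', true]],
  'serialize-javascript': [[null, '7.0.2', true]] };
const OVERRIDES = { 'serialize-javascript': '7.0.5' };
```

Against the sample, `findVulnerable` reports only the nested `old-tool` copy of minimatch, and `staleOverrides` stays empty until a dependant's own range moves to ^7.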
