
chore: resolve open dependabot security alerts #1432

Open

jonathannorris wants to merge 1 commit into main from chore/dependabot-alerts

chore: resolve open dependabot security alerts#1432
jonathannorris wants to merge 1 commit into
mainfrom
chore/dependabot-alerts

Conversation

@jonathannorris

Member

Summary

  • Resolved all 32 open Dependabot security alerts by bumping vulnerable dependencies to patched versions.
  • All affected packages are dev/build/test tooling (transitive). No published SDK production dependency was affected (published packages declare only tslib).
  • Fixes applied via direct devDependency bumps where the patched version was in range, and scoped/top-level overrides only where a vulnerable version was exact-pinned by an upstream package (@angular/build, @angular/compiler-cli, @nestjs/platform-express, @istanbuljs/load-nyc-config) with no fixed upstream release available.

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
| --- | --- | --- | --- |
| #190 #192 #197 | @angular/core | high/medium | Bumped angular devDeps to ^21.2.17 |
| #191 #193 #198 | @angular/common | high | Bumped angular devDeps to ^21.2.17 |
| #194 #195 | @angular/compiler | medium | Bumped angular devDeps to ^21.2.17 |
| #200 | @babel/core | low | Added @babel/core@^7.29.7 devDep + scoped overrides for @angular/build and @angular/compiler-cli |
| #187 | esbuild | low | overrides to ^0.28.1 |
| #205 | form-data | high | Lockfile bump to 4.0.6 (in range) |
| #206-#210 | hono | high/medium | Lockfile bump to 4.12.26 (in range) |
| #201 | js-yaml | medium | Lockfile bump (eslint copy) + scoped override on @istanbuljs/load-nyc-config to ^4.2.0 |
| #211 | multer | medium | overrides to ^2.2.0 |
| #213 | piscina | high | overrides to ^5.2.0 |
| #204 | tar | medium | Lockfile bump to 7.5.16 (in range) |
| #214-#218 #221-#224 | undici | high/medium/low | overrides to ^7.28.0 (6.x copy also resolved) |
| #179 | uuid | medium | Scoped overrides on @cucumber/messages and jest-cucumber to ^11.1.1 |
| #202 #203 | vite | high/medium | overrides to ^7.3.5 |

Notes

  • Added react-dom@^18.2.0 as an explicit root devDependency. It was previously an auto-installed peer dependency; pinning it keeps the lockfile resolvable with plain npm ci (as CI uses) after the full lockfile regeneration required to apply the overrides.
  • Overrides were necessary (not optional) because the patched versions fall outside every existing semver range and the pinning parents (@angular/build@21.2.16, @nestjs/platform-express) have no upstream release that bumps them. Scoped overrides were used where the affected version is local to one consumer.
  • Verified: npm run build, npm test (590 jest tests + 45 angular tests pass), and npm ci all succeed.

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
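The check a reviewer would want after a lockfile regeneration like this one is that no stale nested copy of an overridden package survives (the description itself calls out the 6.x undici copy and the eslint js-yaml copy). This added example, not code from the PR or the project, walks a constructed package-lock.json v3 `packages` map and reports every installed copy that sits below the patched floors quoted in the alert table; `some-tool` and the versions in the sample lockfile are constructed.

```javascript
// Added example (not from the PR or the project): audit a package-lock.json
// (lockfileVersion 2/3 "packages" map) so that every installed copy of an
// overridden package, hoisted or nested, meets its patched floor version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major.minor.patch comparison (pre-release tags are ignored).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Each key in lock.packages is an install path; the segment after its last
// "node_modules/" is the package name (scoped names keep their "@scope/").
function findStaleCopies(lock, minVersions) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the "" root entry has no node_modules path
    const name = path.slice(idx + "node_modules/".length);
    const floor = minVersions[name];
    if (!floor || !entry.version) continue;
    if (compareVersions(entry.version, floor) < 0) {
      stale.push({ name, path, version: entry.version, required: floor });
    }
  }
  return stale;
}

// Patched floors taken from the PR's alert table.
const MIN_VERSIONS = { undici: "7.28.0", esbuild: "0.28.1", vite: "7.3.5" };
// Constructed sample lockfile: the hoisted undici is patched, but a nested 6.x
// copy under a fictitious "some-tool" was not reached by the override.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root", version: "0.0.0" },
    "node_modules/undici": { version: "7.28.0" },
    "node_modules/esbuild": { version: "0.28.1" },
    "node_modules/some-tool": { version: "1.0.0" },
    "node_modules/some-tool/node_modules/undici": { version: "6.21.0" },
  },
};

function auditSample() { return findStaleCopies(SAMPLE_LOCK, MIN_VERSIONS); }
console.log(auditSample()); // one stale entry: the nested undici 6.21.0
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means every copy, nested or hoisted, is at or above its floor.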
@jonathannorris jonathannorris requested review from a team as code owners June 22, 2026 14:33
@jonathannorris jonathannorris marked this pull request as draft June 22, 2026 14:33
@coderabbitai

coderabbitai Bot commented Jun 22, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 197a362d-e070-4eda-9651-8f672562b4b9

📥 Commits

Reviewing files that changed from the base of the PR and between 3c01041 and 5deeebc.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • packages/angular/package.json

📝 Walkthrough

Walkthrough

The root package.json gains an overrides block forcing specific versions of transitive dependencies (esbuild, vite, undici, piscina, multer, UUID, Babel, js-yaml) and adds react-dom ^18.2.0 to devDependencies. The packages/angular/package.json bumps nine Angular framework packages from ^21.0.4 to ^21.2.17.

Changes

Dependency Configuration Updates

| Layer / File(s) | Summary |
| --- | --- |
| Root package.json overrides and react-dom addition: package.json | Adds a top-level overrides block pinning transitive dependency versions for esbuild, vite, undici, piscina, multer, and scoped overrides for @cucumber/messages/jest-cucumber UUID, Angular packages' @babel/core, and @istanbuljs/load-nyc-config's js-yaml; also adds react-dom ^18.2.0 to devDependencies. |
| Angular framework version bump: packages/angular/package.json | Upgrades @angular/animations, @angular/common, @angular/compiler, @angular/compiler-cli, @angular/core, @angular/forms, @angular/platform-browser, @angular/platform-browser-dynamic, and @angular/router from ^21.0.4 to ^21.2.17; @angular/build and @angular/cli remain at ^21.0.3. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • open-feature/js-sdk#1408: Touches dependency versions in package.json and Angular-related package files, including an esbuild bump that this PR now pins via overrides.

Suggested reviewers

  • beeme1mr
  • askpt
  • toddbaert
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately summarizes the main change: resolving Dependabot security alerts by updating dependencies to patched versions. |
| Description check | ✅ Passed | The description provides comprehensive details about the security alerts resolved, the affected packages, the fix strategies used, and verification steps taken. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Copilot AI left a comment


Pull request overview

This PR updates dev/build/test tooling dependency versions to address Dependabot security alerts, primarily via targeted overrides at the monorepo root and a patch-level Angular devDependency bump in the Angular workspace.

Changes:

  • Bumped Angular workspace devDependencies for core framework packages from ^21.0.4 to ^21.2.17.
  • Added root-level overrides to force patched transitive versions (e.g., esbuild, vite, undici, multer, piscina, uuid, plus scoped overrides for @angular/* and @istanbuljs/* cases).
  • Added explicit root devDependency react-dom@^18.2.0 and @babel/core@^7.29.7 to support the override/resolution strategy.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| packages/angular/package.json | Bumps Angular framework devDependencies to patched versions to address security alerts. |
| package.json | Adds root overrides for vulnerable transitive deps and pins additional devDependencies needed for stable resolution. |


@jonathannorris jonathannorris marked this pull request as ready for review June 22, 2026 14:41
@jonathannorris jonathannorris enabled auto-merge June 22, 2026 14:41