fix(deps): bump ws to 8.21.0 to resolve GHSA-58qx-3vcg-4xpx

[kanywst]

Summary

• Bump transitive dep ws from 8.20.0 to 8.21.0 (pulled in via happy-dom) to resolve GHSA-58qx-3vcg-4xpx — moderate, uninitialized memory disclosure.
• Lockfile-only change. No package.json updates.

Why

CI's npm run audit step (npm audit --audit-level=moderate) is currently failing on main and on every open Dependabot PR (#16, #17, #18, #19) because of this advisory. Those PRs are blocked despite touching unrelated dependencies. Fixing on main unblocks all of them on the next rebase.

Test plan

• npm run lint — passes (only the pre-existing biome schema-version info)
• npm run typecheck — 0 errors
• npm run test — 4/4 passed
• npm run audit — 0 vulnerabilities
• npm run build — completes

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d5d36957-462e-4d17-8b83-65de5af5f08d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/audit-ws-bump

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the ws dependency to version 8.21.0 in package-lock.json. The review feedback suggests managing this transitive dependency via the overrides section in package.json to ensure the security fix remains persistent and consistent with existing project practices.

[gemini-code-assist]

Consider adding ws to the overrides section in package.json to make this security fix persistent and consistent with how other transitive dependencies (like yaml and vite on lines 45-48) are managed in this project. Relying solely on a lockfile update for a transitive dependency can be fragile, as the fix might be lost if the lockfile is regenerated or if the parent package's requirements change.