
fix(deps): patch Dependabot security blockers#812

Merged
ErikBjare merged 1 commit into ActivityWatch:master from TimeToBuildBob:fix/dependabot-security-ci
May 4, 2026

Conversation

@TimeToBuildBob
Contributor

Summary

  • bump dompurify to 3.4.2
  • bump copy-webpack-plugin to 14 and update the Webpack plugin config syntax
  • force patched postcss and serialize-javascript through npm overrides so Dependabot security jobs can resolve the legacy transitive ranges

Verification

  • npm ci
  • make build
  • make build-vite
  • make test
  • npm audit --json | jq '.vulnerabilities | with_entries(select(.key | test("postcss|serialize-javascript|dompurify|copy-webpack-plugin")))' -> {}
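The override step above only helps if no nested copy of the old package survives in the lockfile. The following is an added example (not code from the PR or the ActivityWatch project) that walks a lockfile v2/v3 `packages` map and reports any install of an overridden package below the floor its `overrides` range demands; the lockfile and project name are constructed to mimic the pre-override state the PR describes.

```javascript
// Added example, not code from the PR or the ActivityWatch project.
// Checks that npm "overrides" took effect: every install path of an overridden
// package in package-lock.json must be at or above the override's floor.

function parseVersion(v) {
  // Minimal major.minor.patch parse; pre-release/build suffixes are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function atLeast(version, floor) {
  const a = parseVersion(version), b = parseVersion(floor);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// overrides: the "overrides" object from package.json ({ name: "^x.y.z" }).
// Returns [{ path, version, floor }] for every install below its floor.
function findStaleInstalls(lock, overrides) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    // Package name is whatever follows the last "node_modules/" (scoped names kept).
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!(name in overrides)) continue;
    const floor = overrides[name].replace(/^[\^~>=\s]+/, ''); // "^8.5.10" -> "8.5.10"
    if (!atLeast(entry.version, floor)) stale.push({ path, version: entry.version, floor });
  }
  return stale;
}

// Constructed sample lockfile: one nested postcss 7 and one nested
// serialize-javascript 6 remain, the shape the overrides are meant to remove.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-project' },
    'node_modules/postcss': { version: '8.5.13' },
    'node_modules/@vue/component-compiler-utils/node_modules/postcss': { version: '7.0.39' },
    'node_modules/serialize-javascript': { version: '7.0.5' },
    'node_modules/copy-webpack-plugin/node_modules/serialize-javascript': { version: '6.0.2' },
  },
};
const sampleOverrides = { postcss: '^8.5.10', 'serialize-javascript': '^7.0.5' };

const staleReport = findStaleInstalls(sampleLock, sampleOverrides);
for (const s of staleReport) console.log(`${s.path}: ${s.version} < ${s.floor}`);
```

On a real checkout, read `package-lock.json` and the `overrides` block of `package.json` with `JSON.parse(fs.readFileSync(...))` in place of the constructed objects and fail CI when the report is non-empty.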

@codecov

codecov Bot commented May 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 30.76%. Comparing base (444ed4f) to head (6b87a7f).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #812   +/-   ##
=======================================
  Coverage   30.76%   30.76%           
=======================================
  Files          33       33           
  Lines        1973     1973           
  Branches      364      368    +4     
=======================================
  Hits          607      607           
  Misses       1288     1288           
  Partials       78       78           


@greptile-apps
Contributor

greptile-apps Bot commented May 4, 2026

Greptile Summary

This PR patches three Dependabot security findings: bumps dompurify to 3.4.2, upgrades copy-webpack-plugin from v5 to v14 (with the required patterns API migration in vue.config.js), and pins postcss and serialize-javascript via npm overrides to eliminate legacy vulnerable transitive versions. The global postcss override replaces the formerly nested postcss 7.x install used by @vue/component-compiler-utils, which the author confirmed still builds correctly.

Confidence Score: 4/5

Safe to merge — changes are build-time only, API migration is correct, and author verified with npm ci + make build + npm audit.

No runtime logic changes; all modifications are dev-dependency upgrades and a one-line webpack plugin config migration. The global postcss override carries a minor risk of breaking tools that expected postcss 7 (like @vue/component-compiler-utils), but the author's build verification covers this. Score kept at 4 rather than 5 due to the large version jump in copy-webpack-plugin (v5→v14) and the broad-scope postcss override warranting extra attention.

package.json — the global postcss and serialize-javascript overrides affect the entire dependency tree; confirm no other tooling in CI relies on the old postcss 7 nested install.

Important Files Changed

Filename Overview
vue.config.js Updated CopyWebpackPlugin instantiation from v5 array syntax to v14 patterns object — correct migration, no logic change.
package.json Bumps dompurify to 3.4.2, copy-webpack-plugin to ^14, and adds global npm overrides for postcss (^8.5.10) and serialize-javascript (^7.0.5); the global postcss override removes the postcss 7 nested install that @vue/component-compiler-utils previously relied on.
package-lock.json Lock file regenerated: ~30 legacy packages removed (cacache v12 chain, mississippi stream stack, randombytes, webpack-log, etc.) as expected from copy-webpack-plugin v5→v14 and serialize-javascript 4→7 upgrade; postcss updated to 8.5.13 and safe-buffer correctly downgraded to dev-only.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[npm install] --> B{overrides applied}
    B -->|postcss| C[postcss 8.5.13\nreplaces all 7.x nested installs]
    B -->|serialize-javascript| D[serialize-javascript 7.0.5\nreplaces all 6.0.2 nested installs]
    B -->|webpack-dev-server| E[webpack-dev-server ^5.2.1\npre-existing override]

    F[copy-webpack-plugin v5.1.1] -->|removed| G[copy-webpack-plugin v14.0.0]
    G --> D
    G --> H[tinyglobby replaces globby v7]
    G --> I[schema-utils v4 replaces v1]

    J[dompurify 3.3.2] -->|security patch| K[dompurify 3.4.2]

    G --> L[vue.config.js\nold array syntax]
    L -->|migrated to| M[vue.config.js\npatterns object syntax]

    style J fill:#f99,stroke:#c00
    style K fill:#9f9,stroke:#0c0
    style F fill:#f99,stroke:#c00
    style G fill:#9f9,stroke:#0c0

@ErikBjare ErikBjare merged commit f4b9379 into ActivityWatch:master May 4, 2026
8 checks passed