fix(security): resolve Dependabot alerts via npm overrides and lockfile refresh

[ZappoMan]

Summary

Addresses reported Dependabot / npm audit findings with minimal surface area: root overrides in the npm workspaces monorepo plus a regenerated package-lock.json so nested resolutions honor those overrides—no Expo SDK, React Native, or other major dependency upgrades.

Changes

• package.json overrides (security-patched transitive versions):
  • @babel/plugin-transform-modules-systemjs → 7.29.4 (GHSA-fv7c-fp4j-7gwp)
  • fast-uri → ^3.1.2 (GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc)
  • fast-xml-builder → ^1.1.7 (GHSA-5wm8-gmm8-39j9, GHSA-45c6-75p6-83cc)
  • postcss → ^8.5.10 (GHSA-qx2v-qp2m-jg93; includes the copy pulled under @expo/metro-config)
• package-lock.json regenerated from the repo root so the lockfile matches the override graph (avoids stale nested pins that ignored overrides).

Verification

• npm audit → 0 vulnerabilities at the monorepo root
• npm run test:unit:shared
• npm run test:unit:mobile

Type of change

• Feature
• Bug fix (supply-chain / security)
• Documentation
• Refactoring
• Other

Merge strategy reminder

⚠️ This PR targets develop: use Squash and merge.

Squash merging to main can cause conflicts when merging develop → main later.

Checklist

• Code follows the project's style guidelines
• Self-review completed
• Comments added for complex code (not needed—dependency pins only)
• Documentation updated (not needed)
• No new warnings generated (targeted dep resolution)
• Tests added/updated (not needed—existing suites cover regressions)
• Tests pass locally (test:unit:shared, test:unit:mobile)

[github-actions]

🌐 Web preview: https://deploy.beakerstack.com/pr-41/
📱 Mobile preview: Channel pr-41

📱 Mobile Preview (OTA Updates)

No native code changes detected - using OTA updates only.

⚠️ Note: This app requires a Development Build (Expo Go will not work due to native Google OAuth).

Step 1: Install Development Build (one-time setup)

1. Build: npm run mobile:build:dev:ios (or mobile:build:dev:android)
2. Download from Expo dashboard
3. Install: EAS_BUILD_PATH=~/Downloads/BeakerStack.ipa npm run mobile:install:dev:ios (iOS) or EAS_BUILD_PATH=~/Downloads/BeakerStack.apk npm run mobile:install:dev:android (Android)

Step 2: Load PR Preview Update

1. Open the development build on your device/simulator
2. Shake device (or Cmd+D on iOS / Cmd+M on Android) → "Enter URL manually"
3. Paste the update URL: https://u.expo.dev/23c5e522-5341-4342-85f5-f2e46dd6087f?channel-name=pr-41
4. The app will reload with the JavaScript bundle from channel pr-41

Note: You must use the full URL format - just entering the channel name (pr-41) will not work.

Alternative: For local development, use: cd apps/mobile && npx expo start --dev-client, then press 'i' for iOS simulator.

📖 See Mobile Build Testing Guide for detailed instructions.

---

Updated at: May 9, 2026 at 6:05 PM PDT

[Copilot]

Pull request overview

Updates the repository’s root npm overrides to address Dependabot-reported dependency issues by forcing patched versions across the workspace install graph.

Changes:

• Added an override for @babel/plugin-transform-modules-systemjs to ensure a fixed version is used.
• Added/updated overrides for postcss, fast-uri, and fast-xml-builder to enforce newer, presumably non-vulnerable versions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

CI Coverage & Test Summary

Metric	Coverage	Covered / Total
Statements	96.81%	10487 / 10832
Branches	81.08%	1804 / 2225
Functions	89.74%	315 / 351
Lines	86.59%	9379 / 10832

Suites: 37 passed, 0 failed (37 total) · Tests: 407 passed, 0 failed (425 total)

✅ All reported test suites passed.

Coverage artifacts: coverage-summary, coverage-packages.

---

Updated at: May 9, 2026 at 6:08 PM PDT