Dependency security: viem's pinned transitive dependency ws@8.20.1 (below the ≥8.21.0 patch) was causing npm audit to flag the whole ws → viem → @x402/evm → @blockrun/clawrouter → @blockrun/llm chain (5 high). An overrides entry forces viem's ws to 8.21.0, clearing all of them (npm audit 15 → 11). The override ships in package.json, so every npx install gets the patched ws.
Remaining advisories are out of this repo's control: the Solana web3.js-v1 tree (no upstream fix for bigint-buffer; npm's only "fix" is a breaking downgrade), the intentional rpc-websockets@9.3.0 pin (bumping re-introduces the Node <20.19 ESM break), and a dev-only esbuild.
Also fixed at the source in @blockrun/llm@3.5.1 (pnpm overrides for ws+form-data, dev-tool bump — 0 critical, runtime highs cleared). No source changes; 84 tests + build + live wallet smoke green.
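One way to confirm that an override like the one described above took effect, as an added example that is not this project's code: it scans the `packages` map of a package-lock.json for every installed copy of ws and reports any below the 8.21.0 floor. The lockfile contents, the `some-other-dep` and `@example/ws` names, the override shape in the comment, and the function names are assumptions made for illustration.

```javascript
// Patched floor, taken from the release note above.
const WS_FLOOR = "8.21.0";

// Constructed lockfile (v3 shape), not this repo's real package-lock.json.
// Assumed override shape in package.json: "overrides": { "viem": { "ws": "8.21.0" } }
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/viem": { version: "0.0.0-sample" },
    "node_modules/viem/node_modules/ws": { version: "8.21.0" }, // overridden copy
    "node_modules/some-other-dep/node_modules/ws": { version: "8.20.1" }, // not covered
    "node_modules/@example/ws": { version: "1.0.0" }, // scoped name, a different package
    "node_modules/linked-workspace": { link: true }, // link entries carry no version
  },
};

// Split "8.21.0-rc.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const [core, pre] = String(v).split("-", 2);
  const nums = core.split(".").map(Number);
  if (nums.length !== 3 || nums.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return { nums, pre: pre !== undefined };
}

// Numeric comparison per component, so 8.3.0 < 8.21.0 (a string compare gets this wrong).
function isBelow(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre; // 8.21.0-rc.1 sorts before 8.21.0
}

// Return every installed copy of `name`, at any nesting depth, that is below `floor`.
function findUnpatched(lock, name, floor) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && isBelow(meta.version, floor))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

console.log(findUnpatched(SAMPLE_LOCK, "ws", WS_FLOOR));
```

An empty result means every resolved copy of ws is at or above the floor; a non-empty one names the dependency path that still needs its own override.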