chore(deps): resolve safe Dependabot advisories via overrides + triage doc

[mmcky]

Summary

Reviews the open Dependabot security alerts and resolves the ones that can be fixed without a breaking/major bump, then documents the rest. Scope was deliberately kept conservative to preserve the hard-won Remix v1.17 stability (#61–#65).

Key context

• npm audit fix is a no-op on this tree — every remaining advisory needs either a --force major bump or a manual overrides entry.
• The repo is intentionally pinned to Remix v1.17 (.npmrc + fix: pin @remix-run/* to ~1.17.0 to stop the hydration reload loop #63). Most Remix advisories are patched only in v2, which re-introduces the hydration reload loop. Those are deferred, not fixed.

What this PR changes

Three backward-compatible transitive deps pulled forward via overrides in package.json:

Package	→	Advisory
uuid	^11.1.1	GHSA-w5hq-g745-h8pq
ajv	^8.18.0	GHSA-2g4f-4pwh-qvx6
cookie	^0.7.0	GHSA-pxg6-pf52-xh8x (used by Remix's cookie session storage)

Net effect: npm audit 48 → 39. The package-lock.json change is +12/−88 — almost entirely deduplication onto the overridden versions.

Plus a new SECURITY.md documenting the dependency posture and triaging every remaining alert.

Triage of the deferred alerts (in SECURITY.md)

• Remix v1 (critical/high) — patched only in v2; deferred with the deliberate pin. The critical @remix-run/node alert (GHSA-9583, path traversal in file session storage) is not applicable — the theme uses createCookieSessionStorage, not file sessions.
• ip (high) — unmaintained, no patched release exists; dev/transitive only.
• Major bumps in the MyST/Thebe build chain (markdown-it 13→14, nanoid 4→5, ws 7→8, tar 6→7, vite 5→6, esbuild, estree-util-value-to-estree, yaml) — high regression risk for low real exposure (dev/build-time or bundled static assets); deferred to upstream.

Testing

• npm install — clean (with the repo's legacy-peer-deps)
• npm run compile (tsc) — passes
• npm run prod:build — builds clean
• uuid/ajv/cookie confirmed deduped to the patched versions across the tree and no longer flagged by npm audit

⚠️ Reviewer note: cookie 0.4→0.7 sits under Remix v1's cookie session signing. The build passes and usage is a simple theme-preference cookie, but a quick check that light/dark theme persistence still round-trips on the deployed app is worth doing before merge.

A changeset (patch) is included.

🤖 Generated with Claude Code

[Copilot]

Pull request overview

This PR reduces actionable Dependabot/npm-audit security alerts without migrating off the intentionally pinned Remix v1.17 line by adding npm overrides for selected transitive dependencies, and documents the remaining deferred alerts/decisions in a new SECURITY.md.

Changes:

• Add npm overrides for uuid, ajv, and cookie to pull in patched transitive versions without major bumps.
• Update package-lock.json to reflect deduplication/resolution onto the overridden versions.
• Add SECURITY.md capturing the dependency security posture and triage of remaining alerts, plus a changeset entry.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File	Description
SECURITY.md	New security policy/posture & alert triage documentation (including rationale for deferred advisories).
package.json	Adds overrides entries for uuid, ajv, and cookie.
package-lock.json	Lockfile update reflecting dependency resolution/deduplication under the new overrides.
.changeset/security-deps-overrides.md	Release note describing the security override changes and new documentation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.