
Update ubuntu version and region#201

Merged
m-murasovs merged 1 commit intomasterfrom
update/close-action
Mar 3, 2021

Conversation

@m-murasovs
Contributor

No description provided.

@m-murasovs m-murasovs self-assigned this Mar 3, 2021
@m-murasovs m-murasovs added the debt Code quality improvement or decrease of technical debt. label Mar 3, 2021
@m-murasovs m-murasovs added this to the 8th Sprint - Platform team milestone Mar 3, 2021
@m-murasovs m-murasovs merged commit 66b6127 into master Mar 3, 2021
@m-murasovs m-murasovs deleted the update/close-action branch March 3, 2021 08:13
B4nan added a commit that referenced this pull request Apr 29, 2026
## Summary

Resolves 11 of 12 open Dependabot alerts. The 12th (uuid) was dismissed
separately as tolerable risk.

### Lockfile-only fixes (`npm audit fix`)
| Package | Before → After | Alert |
|---|---|---|
| `dompurify` | 3.3.3 → 3.4.1 | #200, #202, #203, #204 |
| `fast-xml-parser` | 5.5.11 → 5.7.2 | #206 |
| `follow-redirects` | 1.15.11 → 1.16.0 | #199 |
| `protobufjs` | 7.5.4 → 7.5.6 | #201 (critical) |

### Direct dep bump
- `styled-components`: `6.3.12` → `^6.4.1` (minor bump; 6.4.x dropped
its `postcss` dep entirely)

### Transitive overrides (added to existing `overrides` block)
- `"postcss": "^8.5.10"` — needed because `@redocly/cli` still pins
`styled-components@6.3.9` which carries old postcss. Resolves #207.
- `"yaml@1": "^1.10.3"` — scoped to v1 only (leaves yaml@2 alone).
Covers `cosmiconfig@7`, `openapi-to-postmanv2`, and `swagger2openapi`.
Resolves #176.
- `"lodash": "^4.18.0"` — covers nested 4.17.x copies in
`openapi-to-postmanv2` and `postman-collection`. Resolves #197, #198.

All overrides are patch/minor-level within the same major and pose
minimal compatibility risk.

### Dismissed (separately, in Dependabot UI)
- **#205 uuid** (GHSA-w5hq-g745-h8pq) — vulnerable code path is
`uuid.v3/v5/v6` with the `buf` parameter. Our consumers (sockjs,
postman-collection, mermaid) only call `uuid.v4` without `buf`, so the
path is not exercised. The patch (`uuid@14`) is ESM-only and would break
the affected CJS consumers; no backport exists.

## Test plan
- [x] `npm install` succeeds
- [x] `npm run lint:code` passes
- [x] `npm run openapi:bundle` passes
- [x] `npm run openapi:lint` passes (exercises spectral, which uses
overridden lodash)
- [x] `npm audit` shows zero root vulnerabilities
- [ ] `npm run build` (let CI run this)
- [ ] Verify Dependabot auto-closes the 11 alerts after merge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
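The overrides above only help if every nested copy of `postcss`, `yaml@1` and `lodash` in the lockfile actually ends up at or above the floor. The script below is an added example, not code from this PR or the project: it walks a constructed package-lock.json v2/v3 `packages` map and reports copies that fall under their override while respecting the major-scoping of `yaml@1`.

```javascript
// Added example (not part of the PR or the repository). Checks that every
// copy of an overridden package in a package-lock.json "packages" map meets
// the override's minimum version. No external modules; SAMPLE_LOCK is a
// constructed lockfile, not the project's real one.

// Floors mirror the overrides described in the commit message.
const OVERRIDES = {
  postcss: { min: '8.5.10', major: 8 },
  yaml:    { min: '1.10.3', major: 1 }, // scoped to yaml@1; yaml@2 is left alone
  lodash:  { min: '4.18.0', major: 4 },
};

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Numeric compare of two x.y.z strings: <0, 0, >0.
function cmp(a, b) {
  const [a1, a2, a3] = parseVersion(a);
  const [b1, b2, b3] = parseVersion(b);
  return (a1 - b1) || (a2 - b2) || (a3 - b3);
}

// Returns [{ path, version, min }] for lock entries below their override floor.
function findBelowOverride(lock, overrides) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue;               // '' is the root project
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // handles @scope/pkg
    const rule = overrides[name];
    if (!rule) continue;
    if (parseVersion(entry.version)[0] !== rule.major) continue; // override scoped by major
    if (cmp(entry.version, rule.min) < 0) {
      violations.push({ path, version: entry.version, min: rule.min });
    }
  }
  return violations;
}

// Constructed lockfile fragment: two nested copies sit below their floors,
// and the yaml@2 copy must be ignored by the yaml@1-scoped override.
const SAMPLE_LOCK = { packages: {
  '': { name: 'docs-site', version: '1.0.0' },
  'node_modules/lodash': { version: '4.18.0' },
  'node_modules/openapi-to-postmanv2/node_modules/lodash': { version: '4.17.21' },
  'node_modules/yaml': { version: '2.3.4' },
  'node_modules/cosmiconfig/node_modules/yaml': { version: '1.10.2' },
  'node_modules/postcss': { version: '8.5.10' },
}};

console.log(findBelowOverride(SAMPLE_LOCK, OVERRIDES));
```

Run it against the real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` after `npm install`; an empty result means the overrides took effect for every nested copy.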