
fix: remediate Dependabot security alerts (2026-06-03)#363

Merged
robgruen merged 1 commit into main from automated/fix-dependabot-alerts-20260603-5 on Jun 3, 2026

Conversation


@typeagent-bot typeagent-bot Bot commented Jun 3, 2026

Automated Dependabot Alert Remediation

This PR was generated by the fix-dependabot-alerts workflow.
Each fix was applied individually and verified against npm ci, npm run build, and npm test before inclusion.

Summary

  • **Applied (1):** minimatch
  • Applied via root overrides: (none)
  • Rolled back (0): (none)
  • **Unfixable via lockfile bump / overrides (3):** qs, @tootallnate/once, tar
  • Skipped (recent rollback cooldown, 0): (none)

Packages marked Unfixable require a parent-package upgrade — the advisory's safe version is outside every direct parent's declared semver range, and a root overrides entry was either silently ignored by npm or would force an incompatible version. Triage manually.

Packages added under overrides are tracked technical debt — npm will hold them at the pinned version until the entry is removed, which may mask future upstream regressions. Remove the override once a parent has shipped a compatible release.

How this works

  1. Reads open Dependabot alerts via the REST API.
  2. For each alert, attempts in order: npm update <pkg> --package-lock-only, then root overrides entry.
  3. Verifies every resolved instance in package-lock.json is ≥ the advisory's first_patched_version.
  4. Runs npm ci, npm run build, and npm test; rolls back on failure and records a 7-day cooldown.
  5. Only fixes that pass all phases land in this PR.

Review checklist

  • Verify no unrelated lockfile churn
  • Investigate any newly-rolled-back packages separately
  • If overrides were added, confirm the pinned version is acceptable policy

Automated by fix-dependabot-alerts workflow.
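The verification in step 3 of the workflow description above, written out as an added example; this is not the workflow's own code, and the lockfile, the nested parent package `some-parent` and the version numbers in it are constructed for illustration, not taken from the minimatch advisory. It walks every `packages` entry of a v2/v3 `package-lock.json`, including nested copies under another package's `node_modules`, and reports the ones still below the advisory's `first_patched_version`.

```python
import json
import re

# Constructed sample lockfile (lockfileVersion 3 layout) with two copies of
# minimatch: a hoisted one at the root and an older one nested under the
# hypothetical parent package "some-parent".
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/minimatch": {"version": "9.0.5"},
        "node_modules/some-parent": {"version": "2.1.0"},
        "node_modules/some-parent/node_modules/minimatch": {"version": "3.0.4"},
        "node_modules/minimatch-extra": {"version": "1.0.0"},
    },
})

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")

def parse_version(v):
    """Return a comparable tuple for a semver string.

    Pre-releases sort below the matching release; pre-release tags are
    compared as plain strings, which is a simplification of full semver.
    """
    m = _VER.match(v)
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")

def lock_instances(lock, pkg):
    """Yield (install path, version) for every resolved copy of pkg, nested ones included."""
    for path, entry in lock.get("packages", {}).items():
        # The package name is everything after the last "node_modules/" segment,
        # so "@scope/name" and nested paths are handled; the root entry "" never matches.
        if path.rsplit("node_modules/", 1)[-1] == pkg and "version" in entry:
            yield path, entry["version"]

def unpatched_instances(lock_json, pkg, first_patched):
    """Return the copies of pkg whose version is below the advisory's first_patched_version."""
    lock = json.loads(lock_json)
    floor = parse_version(first_patched)
    return [(p, v) for p, v in lock_instances(lock, pkg) if parse_version(v) < floor]

if __name__ == "__main__":
    for path, ver in unpatched_instances(SAMPLE_LOCK, "minimatch", "3.0.5"):
        print(f"still below first_patched_version: {path} @ {ver}")
```

A fix only counts as applied when this list is empty, which is why a hoisted bump alone can leave a nested copy vulnerable and force the overrides path.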

Applied: minimatch
Rolled back:
Unfixable: 3 package(s)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@robgruen robgruen merged commit d493376 into main Jun 3, 2026
12 checks passed