
fix(build): pin uuid and postcss via overrides to resolve Dependabot alerts#1491

Merged: bindsi merged 1 commit into main from fix/dependabot-uuid-postcss-overrides on Apr 30, 2026

Conversation

@WilliamBerryiii (Member)

Description

Resolves Dependabot vulnerability alerts by pinning transitive dependencies through npm overrides in both the root and docs/docusaurus workspaces:

  • Pin uuid to 14.0.0 (root and docs/docusaurus) — replaces vulnerable uuid@8.3.2 reachable via dev tooling.
  • Pin postcss to >=8.5.10 (docs/docusaurus) — replaces vulnerable postcss@8.5.6.
  • Lockfiles regenerated; npm audit reports 0 vulnerabilities in both manifests.

No runtime code or AI artifacts were modified — the change is limited to dependency manifests and lockfiles.

Related Issue(s)

Resolves #1490

Addresses Dependabot alerts #75, #76, #77.

Type of Change

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)

Infrastructure & Configuration:

  • Dependency update

Testing

  • npm audit at repository root: 0 vulnerabilities (545 packages).
  • npm audit in docs/docusaurus: 0 vulnerabilities (1723 packages).
  • Lockfiles regenerated cleanly with no peer-dependency conflicts.

Checklist

Required Checks

  • Documentation is updated (if applicable) — N/A
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (if applicable) — N/A

Required Automated Checks

The following validation commands are not impacted by this change (no markdown, frontmatter, skill, PowerShell, or plugin source modified):

  • Markdown linting: npm run lint:md — N/A (no markdown changes)
  • Spell checking: npm run spell-check — N/A
  • Frontmatter validation: npm run lint:frontmatter — N/A
  • Skill structure validation: npm run validate:skills — N/A
  • Link validation: npm run lint:md-links — N/A
  • PowerShell analysis: npm run lint:ps — N/A (no PowerShell changes)
  • Plugin freshness: npm run plugin:generate — N/A (no collection changes)
  • Docusaurus tests: npm run docs:test — dependency-only override; lockfile regenerated cleanly

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

Additional Notes

Override approach was chosen instead of direct upgrades because the vulnerable versions are pulled in transitively by build/dev tooling. Pinning via overrides enforces the secure version across the entire dependency graph without requiring upstream releases.

🔒 - Generated by Copilot

…alerts

- pin uuid to 14.0.0 in root and docs/docusaurus

- pin postcss to >=8.5.10 in docs/docusaurus

- regenerate lockfiles; npm audit clean in both manifests

- refs #1490; resolves Dependabot alerts #75, #76, #77

🔒 - Generated by Copilot
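The override mechanism the PR relies on, as an added example that is not the project's code: a small Node script that merges the two pins into a package.json object and then checks a package-lock.json (lockfileVersion 3) for every installed copy of the pinned packages. Nested copies (`node_modules/<dep>/node_modules/uuid`) are where an old version normally survives when a dependent's declared range excludes the hoisted one, so the check walks every lockfile path rather than only the top-level entry. npm honours `overrides` only from the root package.json of an install, and docs/docusaurus carries its own lockfile, which is why the PR pins in both manifests. All manifests and lockfiles below are constructed; `example-root` and `build-tool` are invented names, and the version comparison deliberately handles only the exact and `>=` forms the PR uses.

```javascript
// Added example, not code from the PR or the repository. Shows how npm
// "overrides" pin a transitive dependency and how to confirm, from the
// regenerated package-lock.json, that no installed copy escaped the pin.
// All manifests and lockfiles here are constructed; "example-root" and
// "build-tool" are invented names.

// The pins the PR describes: root pins uuid exactly; docs/docusaurus pins
// uuid exactly and postcss with a floor.
const ROOT_OVERRIDES = { uuid: "14.0.0" };
const DOCS_OVERRIDES = { uuid: "14.0.0", postcss: ">=8.5.10" };

// Return a copy of a package.json object with the pins merged into its
// "overrides" map. npm honours overrides only in the root manifest of an
// install, and docs/docusaurus has its own lockfile, hence two manifests.
function withOverrides(pkg, overrides) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), ...overrides } };
}

// Constructed lockfile (lockfileVersion 3) before the override: the build tool
// declares uuid ^8.3.0, so npm keeps a private nested copy at 8.3.2, and
// postcss sits at the vulnerable 8.5.6.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root", dependencies: { "build-tool": "^2.0.0" } },
    "node_modules/build-tool": {
      version: "2.1.0",
      dependencies: { uuid: "^8.3.0", postcss: "^8.4.0" },
    },
    "node_modules/build-tool/node_modules/uuid": { version: "8.3.2" },
    "node_modules/postcss": { version: "8.5.6" },
  },
};

// Constructed lockfile after `npm install` with the overrides in place: npm
// installs the forced version once, hoisted, and the nested copy is gone.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root", dependencies: { "build-tool": "^2.0.0" } },
    "node_modules/build-tool": {
      version: "2.1.0",
      dependencies: { uuid: "^8.3.0", postcss: "^8.4.0" },
    },
    "node_modules/postcss": { version: "8.5.12" },
    "node_modules/uuid": { version: "14.0.0" },
  },
};

// Every installed copy of `name`, keyed by its node_modules path. Matching on
// the last path segment after "node_modules/" also handles scoped packages.
function installedVersions(lock, name) {
  const out = {};
  const marker = "node_modules/";
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    const idx = p.lastIndexOf(marker);
    if (idx === -1) continue;
    if (p.slice(idx + marker.length) === name) out[p] = entry.version;
  }
  return out;
}

// Minimal version compare: x.y.z numerically, pre-release tags ignored.
function compareVersions(a, b) {
  const parse = (v) => {
    const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
    if (!m) throw new Error(`unparseable version: ${v}`);
    return m.slice(1).map(Number);
  };
  const [x, y] = [parse(a), parse(b)];
  return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
}

// The only two override forms the PR uses: an exact version or ">=floor".
function satisfiesPin(version, spec) {
  if (spec.startsWith(">=")) return compareVersions(version, spec.slice(2)) >= 0;
  return compareVersions(version, spec) === 0;
}

// Every installed copy that does not satisfy its override. An empty result is
// the property that "npm audit: 0 vulnerabilities" is standing in for.
function unpinnedCopies(lock, overrides) {
  const bad = [];
  for (const [name, spec] of Object.entries(overrides)) {
    for (const [p, version] of Object.entries(installedVersions(lock, name))) {
      if (!satisfiesPin(version, spec)) bad.push({ path: p, name, version, spec });
    }
  }
  return bad;
}

// Stand-alone run: two stale copies before the override, none after.
console.log("root overrides:", JSON.stringify(withOverrides({ name: "root" }, ROOT_OVERRIDES).overrides));
console.log("docs overrides:", JSON.stringify(withOverrides({ name: "docs" }, DOCS_OVERRIDES).overrides));
console.log("before:", unpinnedCopies(LOCK_BEFORE, DOCS_OVERRIDES));
console.log("after:", unpinnedCopies(LOCK_AFTER, DOCS_OVERRIDES));
```

To run it against a real tree, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` for each of the two lockfiles and feed the matching overrides map; anything `unpinnedCopies` returns is a copy the override did not reach.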
WilliamBerryiii requested a review from a team as a code owner, April 30, 2026 03:42
@github-actions (Contributor)

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package        Version   Score
npm/uuid       14.0.0    🟢 6.1
npm/postcss    8.5.12    🟢 6

(The report lists npm/uuid 14.0.0 a second time with identical check results; the repeat is omitted here.)

Details: npm/uuid 14.0.0

Check                 Score    Reason
Code-Review           ⚠️ 2     Found 8/28 approved changesets -- score normalized to 2
Maintained            🟢 10    9 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Security-Policy       🟢 3     security policy file detected
Dangerous-Workflow    🟢 10    no dangerous workflow patterns detected
Binary-Artifacts      🟢 10    no binaries found in the repo
Token-Permissions     ⚠️ 0     detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies   🟢 6     dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices    ⚠️ 0     no effort to earn an OpenSSF best practices badge detected
Fuzzing               ⚠️ 0     project is not fuzzed
License               🟢 10    license file detected
Signed-Releases       ⚠️ -1    no releases found
Branch-Protection     ⚠️ -1    internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Packaging             🟢 10    packaging workflow detected
SAST                  🟢 8     SAST tool is not run on all commits -- score normalized to 8

Details: npm/postcss 8.5.12

Check                 Score    Reason
Code-Review           ⚠️ 0     Found 2/30 approved changesets -- score normalized to 0
Security-Policy       🟢 10    security policy file detected
Maintained            🟢 10    30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Packaging             ⚠️ -1    packaging workflow not detected
Dangerous-Workflow    🟢 10    no dangerous workflow patterns detected
Binary-Artifacts      🟢 10    no binaries found in the repo
Token-Permissions     ⚠️ 0     detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies   🟢 10    all dependencies are pinned
CII-Best-Practices    ⚠️ 0     no effort to earn an OpenSSF best practices badge detected
Fuzzing               ⚠️ 0     project is not fuzzed
License               🟢 10    license file detected
Branch-Protection     🟢 3     branch protection is not maximal on development and all release branches
Signed-Releases       ⚠️ -1    no releases found
SAST                  🟢 7     SAST tool is not run on all commits -- score normalized to 7

Scanned Files

  • docs/docusaurus/package-lock.json
  • package-lock.json

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.63%. Comparing base (2b6dca7) to head (b0b03cb).

Additional details and impacted files


@@            Coverage Diff             @@
##             main    #1491      +/-   ##
==========================================
- Coverage   87.64%   87.63%   -0.01%     
==========================================
  Files          66       66              
  Lines       10240    10240              
==========================================
- Hits         8975     8974       -1     
- Misses       1265     1266       +1     
Flag      Coverage Δ
pester    85.05% <ø> (-0.02%) ⬇️

1 file with indirect coverage changes.

@github-actions Bot (Contributor) left a comment

Advisory review, this PR is from a maintainer. Findings are informational only.


Review Summary

✅ This PR meets all initial quality standards. No issues found.


Issue Alignment

  • Linked issue: #1490 — all three Dependabot alerts (#75 uuid root, #76 uuid docs/docusaurus, #77 postcss docs/docusaurus) are addressed.
  • The changes precisely match the approach described in the issue (npm overrides pinning, no direct dependency changes).
  • No scope creep detected.

PR Template Compliance

  • Description is clear and specific.
  • Related issues properly linked (Resolves #1490, Dependabot alerts #75/#76/#77).
  • Type of Change correctly reflects both Bug fix and Dependency update.
  • Testing section documents npm audit results (0 vulnerabilities) for both workspaces.
  • Automated checks all marked N/A with appropriate justification — no markdown, skill, plugin, or PowerShell changes.
  • Security Considerations fully completed.

Coding Standards

  • Changes are limited to package.json overrides sections and regenerated lockfiles — no instruction files apply.
  • Override pin style is consistent with the existing pattern in each workspace:
    • Root package.json: exact version ("uuid": "14.0.0") — matches existing exact-pin pattern.
    • docs/docusaurus/package.json: range specifiers (">=8.5.10", ">=14.0.0") — matches existing range pattern.

Code Quality and Security

  • postcss 8.5.6 → 8.5.12 resolves GHSA-qx2v-qp2m-jg93 (XSS via unescaped < in CSS Stringify Output).
  • uuid 8.3.2 → 14.0.0 resolves GHSA-w5hq-g745-h8pq (missing buffer bounds check in v3/v5/v6). The major version jump is intentional and safe: uuid is a transitive dev/build dependency in both workspaces with no runtime surface in this repository.
  • Lockfiles are regenerated and reflect the resolved versions.
  • No secrets, sensitive data, or unsafe patterns introduced.

Generated by PR Review for issue #1491
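A check the review above does not run, as an added example that is not the project's code: an override changes what npm installs, not the range each dependent declared. After a major jump like uuid 8.3.2 to 14.0.0, a dependent that declared `^8.3.0` still gets 14.0.0 and only fails if it uses an API that changed, at build time rather than install time. The script walks a constructed lockfile and lists the dependents whose declared range does not admit the pinned version, which tells a reviewer which build tools to exercise before accepting "no runtime surface" as the whole answer. `legacy-loader`, `fresh-plugin` and `toolbox` are invented names; the range matcher covers caret, tilde, comparator and `||` forms only, not the full semver grammar.

```javascript
// Added example, not code from the PR or the repository. An npm override
// changes the version npm installs, not the range each dependent declared.
// After the uuid 8.3.2 -> 14.0.0 jump, a dependent that declared "^8.3.0"
// still gets 14.0.0 and only breaks if it touches an API that changed. This
// lists such dependents from a constructed lockfile so a reviewer knows which
// build tools to exercise. "legacy-loader", "fresh-plugin" and "toolbox" are
// invented; the range matcher covers common forms, not all of semver.

// x.y.z parsed numerically; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
}

// One comparator: ^1.2.3, ~1.2.3, >=1.2.3, >1.2.3, <1.2.3, <=1.2.3, =1.2.3 or
// a bare 1.2.3. Caret follows npm: below 1.0.0 the minor (or, below 0.1.0,
// the patch) is the breaking component.
function satisfiesComparator(version, comp) {
  const m = /^(\^|~|>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)$/.exec(comp.trim());
  if (!m) throw new Error(`unsupported range syntax: ${comp}`);
  const op = m[1] || "=";
  const base = m[2];
  const v = parseVersion(version);
  const b = parseVersion(base);
  const c = compareVersions(version, base);
  switch (op) {
    case "=": return c === 0;
    case ">": return c > 0;
    case ">=": return c >= 0;
    case "<": return c < 0;
    case "<=": return c <= 0;
    case "~": return c >= 0 && v[0] === b[0] && v[1] === b[1];
    case "^":
      if (b[0] > 0) return c >= 0 && v[0] === b[0];
      if (b[1] > 0) return c >= 0 && v[0] === 0 && v[1] === b[1];
      return c === 0;
    default: throw new Error(`unknown operator: ${op}`);
  }
}

// A range is comparators joined by whitespace (all must hold) or by "||"
// (any alternative may hold). "*" or an empty range accepts anything.
function satisfiesRange(version, range) {
  const r = range.trim();
  if (r === "" || r === "*") return true;
  return r.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((comp) => satisfiesComparator(version, comp)));
}

// Constructed lockfile (lockfileVersion 3) after the override was applied:
// one hoisted uuid@14.0.0 and three dependents with different declared ranges.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs" },
    "node_modules/uuid": { version: "14.0.0" },
    "node_modules/legacy-loader": { version: "1.4.0", dependencies: { uuid: "^8.3.0" } },
    "node_modules/fresh-plugin": { version: "3.0.0", dependencies: { uuid: ">=13.0.0" } },
    "node_modules/toolbox": { version: "0.9.0", dependencies: { uuid: "^9.0.0 || ^14.0.0" } },
  },
};

// Every package that declares `name` in any dependency field, with the range
// it declared and whether the pinned version satisfies that range.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
function dependentsOf(lock, name, pinned) {
  const out = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    for (const field of DEP_FIELDS) {
      const range = entry[field] && entry[field][name];
      if (range === undefined) continue;
      out.push({
        dependent: p === "" ? "(root)" : p,
        field,
        range,
        accepted: satisfiesRange(pinned, range),
      });
    }
  }
  return out;
}

// Dependents that never declared compatibility with the pinned version: the
// ones whose build-time behaviour the override silently changed.
function rangeViolations(lock, name, pinned) {
  return dependentsOf(lock, name, pinned).filter((d) => !d.accepted);
}

// Stand-alone run: only legacy-loader (^8.3.0) is outside the pin.
console.log(rangeViolations(LOCK, "uuid", "14.0.0"));
```

The list this produces is not a vulnerability finding; it is the set of packages whose tests did not cover the version they now run against, so those are the ones to exercise in the docs build before treating the major-version override as risk-free.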

@bindsi bindsi merged commit af1f9ca into main Apr 30, 2026
58 checks passed


Development

Successfully merging this pull request may close these issues.

fix(build): resolve Dependabot alerts for uuid and postcss via npm overrides

4 participants