fix(deps): resolve 8 Dependabot security alerts via overrides

[one-ea]

Summary

• Added overrides in root package.json to force safe versions across all transitive dependencies
• Fixed 8 open Dependabot alerts:
  • dompurify → ^3.4.0 (5 medium alerts: feat(v1.2): 流量统计、后台重构、Pages Functions 代理、Bug 修复、文档更新 #4, feat(seo): SEO 全面增强 — 爬虫预渲染 + JSON-LD + 面包屑 + 404 页面 #6, feat(v2.0): 完整版本更新、批量处理、版本历史与各类安全修复 #7, chore(ci): bump github/codeql-action from 3 to 4 #8, chore(ci): bump actions/setup-node from 4 to 6 #9)
  • serialize-javascript → ^7.0.5 (1 high fix(ui): dashboard mobile layout v2 #3 + 1 medium docs+chore: README 更新 + CodeRabbit AI 审查配置 #5)
  • esbuild → ^0.25.0 (1 medium fix(ui): mobile responsive layout #2)
• npm audit now reports 0 vulnerabilities
• Build passes successfully

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 21c7c926-814d-4d28-a9ec-7eaaa3b72f1f

📥 Commits

Reviewing files that changed from the base of the PR and between 8de9b00 and abc3bda.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json

📒 Files selected for processing (1)

• package.json

📜 Recent review details

⏰ Context from checks skipped due to timeout of 120000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: ESLint 安全扫描
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (actions)
• GitHub Check: ESLint 安全扫描

🔇 Additional comments (2)

package.json (2)

24-24: 此处改动无实际风险。

仅是结构性改动，对行为无影响。

---

25-28: 根工作区 overrides 策略有效，三个依赖版本解析正确。

验证确认：

• dompurify ^3.4.0 → 解析为 3.4.0 ✓
• serialize-javascript ^7.0.5 → 解析为 7.0.5 ✓
• esbuild ^0.25.0 → 解析为 0.25.12 ✓

所有覆盖版本在 lockfile 中已正确生效，包括直接依赖（dompurify）和传递依赖（另两个）。工作区内无残留旧版本，安全修复目标已达成。

---

📝 Walkthrough

Summary by CodeRabbit

发布说明

• 维护
  • 更新了依赖版本配置以确保使用特定版本的关键库，增强了应用的稳定性和安全性。

走查

在 package.json 中添加 npm overrides 配置，强制指定 dompurify、serialize-javascript 和 esbuild 的特定版本，未修改其他脚本或配置项。

更改

内聚集合 / 文件	摘要
依赖版本锁定 package.json	添加 overrides 字段，强制指定三个关键依赖的版本：dompurify (^3.4.0)、serialize-javascript (^7.0.5)、esbuild (^0.25.0)，以确保依赖版本一致性和安全性。

估算代码审查工作量

🎯 1 (Trivial) | ⏱️ ~2 minutes

建议标签

bug

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	PR标题完全遵循Conventional Commits格式(type(scope): description)，type为fix，scope为deps，描述清晰准确地反映了核心改动：通过overrides解决8个Dependabot安全告警。
Description check	✅ Passed	PR描述与改动集完全相关，详细列举了8个安全告警的具体修复内容（dompurify、serialize-javascript、esbuild的版本升级），并验证了修复结果（npm audit 0漏洞、构建通过）。

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}