
chore(SEC-10670): upgrade basic-ftp to 5.3.1 #40

Draft
phantom-autopilot[bot] wants to merge 1 commit into dev from autopilot2/sec-10670_high-upgrade-basic-ftp-in-github-com-phantom-synpress-to-5-3

Conversation

@phantom-autopilot phantom-autopilot Bot commented May 6, 2026

Summary

Upgrades the transitive basic-ftp dependency to 5.3.1 to address GHSA-rpmf-866q-6p89 / CVE-2026-44240.

basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering. The fix is in 5.3.1.

Implementation

  • basic-ftp is pulled in transitively by get-uri@^6.0.1 (via the proxy / Cypress dependency chain) with range ^5.0.2. 5.3.1 satisfies that range.
  • Pinned via resolutions (yarn — used by CI) and overrides (pnpm — used by some local scripts) so any downgrade to a vulnerable version is blocked.
  • yarn.lock regenerated so installs resolve to the safe version.
  • pnpm-lock.yaml not regenerated to avoid a large unrelated diff caused by a newer pnpm rewriting the file format. The overrides entry in package.json ensures any future pnpm install resolves to 5.3.1.

Verification

  • yarn why basic-ftp: basic-ftp@npm:5.3.1 (via npm:5.3.1)
  • yarn install succeeds.
  • Existing prettier/eslint failures (in helpers.js, plugins/index.js, support/index.js) pre-date this change and are out of scope per the ticket.

Linear

SEC-10670

Test plan

  • Yarn install resolves basic-ftp to 5.3.1
  • CI passes (no new failures introduced by this change)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated dependency resolution configurations to enhance project stability and compatibility across environments.
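The PR pins the package in two places but only regenerates one lockfile, so the practical check is whether package.json and the lockfile agree on a fixed release. The following Node.js script is an added example, not code from this PR or the Synpress project: it verifies that both the resolutions and overrides blocks carry an exact version at or above 5.3.1 and that every basic-ftp entry in a yarn lockfile (v1 or berry style; the format handling is an assumption) resolves at or above that version. All inputs are constructed.

```javascript
// Added example (not from the PR): CI guard for the basic-ftp pin described above.
const PACKAGE = 'basic-ftp';
const MIN_FIXED = '5.3.1'; // first release carrying the fix, per the advisory cited in the PR

// Numeric compare of dotted versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Both "resolutions" (yarn) and "overrides" (pnpm) must pin an exact version >= MIN_FIXED.
function checkPins(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const problems = [];
  for (const block of ['resolutions', 'overrides']) {
    const pin = (pkg[block] || {})[PACKAGE];
    if (!pin) problems.push(`${block}: no pin for ${PACKAGE}`);
    else if (!/^\d+\.\d+\.\d+$/.test(pin)) problems.push(`${block}: ${PACKAGE} pin "${pin}" is not an exact version`);
    else if (compareVersions(pin, MIN_FIXED) < 0) problems.push(`${block}: ${PACKAGE}@${pin} is below ${MIN_FIXED}`);
  }
  return problems;
}

// Resolved versions of PACKAGE in a yarn lockfile. An entry header looks like
// basic-ftp@^5.0.2:  (yarn v1) or "basic-ftp@npm:^5.0.2":  (yarn berry), followed by an
// indented block holding  version "5.3.1"  or  version: 5.3.1  (assumed formats).
function resolvedVersions(lockText) {
  const lines = lockText.split('\n');
  const header = new RegExp(`^"?${PACKAGE}@`);
  const versionLine = /^\s+version:?\s+"?(\d+\.\d+\.\d+)"?/;
  const found = [];
  for (let i = 0; i < lines.length; i++) {
    if (!header.test(lines[i])) continue;
    for (let j = i + 1; j < lines.length && lines[j].trim() !== ''; j++) {
      const m = lines[j].match(versionLine);
      if (m) { found.push(m[1]); break; }
    }
  }
  return found;
}

// Full audit: empty array when package.json and the lockfile both agree on a fixed release.
function auditLock(pkgJsonText, lockText) {
  const problems = checkPins(pkgJsonText);
  const versions = resolvedVersions(lockText);
  if (versions.length === 0) problems.push(`lockfile: ${PACKAGE} not found`);
  for (const v of versions) if (compareVersions(v, MIN_FIXED) < 0) problems.push(`lockfile: ${PACKAGE}@${v} is below ${MIN_FIXED}`);
  return problems;
}

// Constructed inputs (not the project's real files): pinned package.json, a regenerated
// lockfile resolving to 5.3.1, and a stale berry-style lockfile still resolving to 5.0.5.
const PKG = JSON.stringify({ resolutions: { 'basic-ftp': '5.3.1' }, overrides: { 'basic-ftp': '5.3.1' } });
const LOCK_OK = 'basic-ftp@^5.0.2:\n  version "5.3.1"\n  resolved "https://registry.example/basic-ftp-5.3.1.tgz"\n';
const LOCK_STALE = '"basic-ftp@npm:^5.0.2":\n  version: 5.0.5\n  resolution: "basic-ftp@npm:5.0.5"\n';
```

Run it against the real package.json and yarn.lock in CI and fail the job when auditLock returns anything; the stale sample shows what an un-regenerated lockfile reports.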

Pin basic-ftp to 5.3.1 via resolutions (yarn) and overrides (pnpm) to
mitigate GHSA-rpmf-866q-6p89 (CVE-2026-44240). The package is pulled in
transitively through get-uri@^6.0.1 with range ^5.0.2; 5.3.1 satisfies
that range and contains the fix for the unbounded multiline control
response buffering DoS.
@phantom-autopilot
Author

PR opened by agent

#40

@phantom-autopilot phantom-autopilot Bot added the dep-upgrade-success Dependency upgrade automation completed successfully label May 6, 2026
coderabbitai Bot commented May 6, 2026

No actionable comments were generated in the recent review. 🎉

Commits

Reviewing files that changed from the base of the PR and between ff82e55 and e6cdbb9.

Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock

Files selected for processing (1)
  • package.json

Walkthrough

This PR adds a new dependency resolution for basic-ftp (version 5.3.1) to both the resolutions and overrides sections of package.json, ensuring a consistent version is used across the project's dependency tree.

Changes

Dependency Resolution Configuration

  • Layer: Dependency Resolution
  • File(s): package.json
  • Summary: Added "basic-ftp" version "5.3.1" to both the resolutions and overrides blocks. This enforces the specified version across the dependency tree (4 lines added, 2 removed).

Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and specifically summarizes the main change: upgrading basic-ftp to version 5.3.1 to address a security vulnerability (SEC-10670).
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
