From 5bfd13153860c1eaa7ac8a87ed91dfe04ad50270 Mon Sep 17 00:00:00 2001
From: Gerard
Date: Thu, 21 May 2026 12:13:08 +0200
Subject: [PATCH] =?UTF-8?q?chore:=20npm=20audit=20fix=20=E2=80=94=20bump?=
 =?UTF-8?q?=20brace-expansion=20+=20ws=20transitive=20devDeps?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two moderate-severity advisories landed in the GitHub Advisory Database between 2026-05-18 and 2026-05-20, breaking `npm audit` on every PR that ran CI in that window (#87, #90, #91, #92, #94 plus dependabot).

Diagnosis: CI failures show on PRs with trivial diffs (e.g. #94 is a 1-line .gitignore) → failure is in the baseline, not the PR diffs.

- brace-expansion 5.0.5 → 5.0.6 — DoS in numeric range (GHSA-jxxr-4gwj-5jf2)
- ws 8.20.0 → 8.20.1 — uninitialized memory disclosure (GHSA-58qx-3vcg-4xpx)

Both are dev-only transitive deps. Patch-level bumps, no public-API ripple. `npm audit fix` produces the minimal lockfile delta.

Verified locally:
- npm audit: 0 vulnerabilities
- format:check, lint, build, typecheck, test:coverage all green
- lint:pkg still fails on publint sideEffects suggestion — distinct baseline issue addressed by PR #88 (queue #70)

Closes the npm-audit half of envelope #23.
---
 package-lock.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index c8b83f4..19560f0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4694,9 +4694,9 @@
 }
 },
 "node_modules/brace-expansion": {
- "version": "5.0.5",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
- "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
+ "version": "5.0.6",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+ "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
@@ -10092,9 +10092,9 @@
 }
 },
 "node_modules/ws": {
- "version": "8.20.0",
- "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
- "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
+ "version": "8.20.1",
+ "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
+ "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
 "dev": true,
 "license": "MIT",
 "engines": {