
chore(deps): bump vulnerable transitive dependencies #1092

Merged
brendan-kellam merged 2 commits into main from brendan/bump-vulnerable-transitive-deps
Apr 3, 2026

Conversation

@brendan-kellam (Contributor) commented Apr 3, 2026

Summary

  • Add yarn resolution for path-to-regexp to ^8.4.0 (resolved to 8.4.2)
  • Add yarn resolution for picomatch@^4 to ^4.0.4 (scoped to v4 consumers only, v2 consumers unaffected)
  • Bump @aws-sdk/credential-providers from ^3.1000.0 to ^3.1023.0, which pulls in a patched fast-xml-parser@5.5.8 via the natural dependency chain

Test plan

  • Verify yarn install succeeds
  • Verify application builds and starts correctly

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated and resolved package dependencies to enhance build stability, compatibility, and security; added additional dependency resolutions to ensure consistent installs across environments.
    • Bumped an AWS SDK dependency used by the web package to a newer patch release to incorporate reliability and compatibility fixes.

Add yarn resolutions to upgrade path-to-regexp (^8.4.0), picomatch v4
(^4.0.4), and fast-xml-parser (^5.5.6) to patched versions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
github-actions bot commented Apr 3, 2026

@brendan-kellam your pull request is missing a changelog!

coderabbitai bot commented Apr 3, 2026

Walkthrough

Updated dependency constraints: added Yarn resolutions entries for path-to-regexp and picomatch in the root package.json, and bumped @aws-sdk/credential-providers in packages/web/package.json from ^3.1000.0 to ^3.1023.0.

Changes

Cohort / File(s)                                  Summary
Root package.json (resolutions)                   Added Yarn resolutions entries: path-to-regexp@^8.4.0 and picomatch@^4.0.4; existing @opentelemetry/resources@2.5.1 remains unchanged.
  package.json
Web package dependency                            Bumped @aws-sdk/credential-providers from ^3.1000.0 to ^3.1023.0.
  packages/web/package.json

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Check name           Status      Explanation
Docstring Coverage   ✅ Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check          ✅ Passed   The title accurately describes the main purpose of the PR: bumping vulnerable transitive dependencies through yarn resolutions and SDK upgrades.
Description Check    ✅ Passed   Check skipped - CodeRabbit’s high-level summary is enabled.


coderabbitai bot left a review comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 41-43: Replace the caret ranges in the resolutions entry with exact pinned versions to ensure deterministic builds: remove the leading ^ from the version strings for "path-to-regexp", "picomatch@^4" and "fast-xml-parser" so they read as exact versions (e.g., 8.4.0, 4.x.y, 5.5.6 matching the resolved versions in the PR), updating the values in package.json's resolutions block accordingly.
- Line 41: The resolutions entry forcing "path-to-regexp": "^8.4.0" conflicts with express@4.21.2 (which requires path-to-regexp@0.1.12) and will break routing; fix by removing or changing that resolution in package.json (the "path-to-regexp": "^8.4.0" line) or alternatively upgrade express to a version that officially supports path-to-regexp v8+, then run install and test routes to ensure no runtime failures.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 47346901-c359-4dc9-853d-6e076373ff28

📥 Commits

Reviewing files that changed from the base of the PR and between 14143e2 and c488280.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json
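The PR description above adds Yarn resolutions that force transitive versions, and the review comment flags the risk of an unscoped key coercing a consumer that asked for a different major line; the lockfile itself was excluded from the automated review. The script below is an added example, not code from this PR or its repository, of the two checks a practitioner would run against the lockfile afterwards: every resolved version of a watched package meets the patched floor for its major line, and every consumer whose declared range is not satisfied by the forced version is surfaced for a deliberate decision. It assumes a Yarn Berry style lockfile layout (an entry key listing the requesting descriptors as `name@npm:range, ...` followed by an indented `version:` line); the sample lockfile, the `FLOORS` table and the function names are constructed for the example.

```javascript
// Added example (not the project's code): audit a Yarn lockfile after adding
// "resolutions". Assumes Berry-style entries:
//   "name@npm:range, name@npm:range2":
//     version: x.y.z
// Constructed sample, not the real yarn.lock of this repository. The
// path-to-regexp entry models the reviewer's concern: a consumer that asked
// for 0.1.12 has been forced onto 8.4.2 by a bare "path-to-regexp" key.
const SAMPLE_LOCK = `
"fast-xml-parser@npm:5.5.8":
  version: 5.5.8
  resolution: "fast-xml-parser@npm:5.5.8"

"fast-xml-parser@npm:^5.5.0":
  version: 5.5.3
  resolution: "fast-xml-parser@npm:5.5.3"

"path-to-regexp@npm:0.1.12, path-to-regexp@npm:^8.4.0":
  version: 8.4.2
  resolution: "path-to-regexp@npm:8.4.2"

"picomatch@npm:^2.3.1":
  version: 2.3.1
  resolution: "picomatch@npm:2.3.1"

"picomatch@npm:^4.0.2, picomatch@npm:^4.0.4":
  version: 4.0.4
  resolution: "picomatch@npm:4.0.4"
`;

// Patched floors per major line (assumed values mirroring the PR text).
// A major line that is not listed, picomatch 2.x here, is deliberately
// left alone, matching the PR's "v2 consumers unaffected".
const FLOORS = {
  'path-to-regexp': { 8: '8.4.0' },
  'picomatch': { 4: '4.0.4' },
  'fast-xml-parser': { 5: '5.5.8' },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major.minor.patch comparison (no prerelease handling needed here).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal range check for the forms in the sample: exact "x.y.z" and caret
// "^x.y.z" (same major, or same minor when major is 0, and >= the base).
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const [bMaj, bMin] = parseVersion(base);
    const [vMaj, vMin] = parseVersion(version);
    if (compareVersions(version, base) < 0) return false;
    return bMaj === 0 ? vMaj === 0 && vMin === bMin : vMaj === bMaj;
  }
  return compareVersions(version, range) === 0;
}

// Parse lockfile entries into { descriptors: [{ name, range }], version }.
function parseLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const keyMatch = /^"(.+)":$/.exec(raw);
    if (keyMatch) {
      current = { descriptors: [], version: null };
      for (const d of keyMatch[1].split(',')) {
        const m = /^(@?[^@]+)@npm:(.+)$/.exec(d.trim());
        if (m) current.descriptors.push({ name: m[1], range: m[2] });
      }
      entries.push(current);
      continue;
    }
    const verMatch = /^\s+version:\s*(\S+)/.exec(raw);
    if (verMatch && current) current.version = verMatch[1];
  }
  return entries.filter((e) => e.version);
}

// Two findings kinds: a watched package still below its patched floor, and a
// consumer whose declared range the installed version does not satisfy (a
// forced override that crosses a range boundary and must be reviewed).
function auditLock(text, floors = FLOORS) {
  const findings = [];
  for (const entry of parseLock(text)) {
    const name = entry.descriptors.length ? entry.descriptors[0].name : null;
    if (!name || !(name in floors)) continue;
    const major = parseVersion(entry.version)[0];
    const floor = floors[name][major];
    if (floor && compareVersions(entry.version, floor) < 0) {
      findings.push({ kind: 'below-floor', name, version: entry.version, floor });
    }
    for (const d of entry.descriptors) {
      if (!satisfies(entry.version, d.range)) {
        findings.push({ kind: 'range-violated', name, version: entry.version, range: d.range });
      }
    }
  }
  return findings;
}

function formatFinding(f) {
  return f.kind === 'below-floor'
    ? `${f.name}@${f.version} is below patched floor ${f.floor}`
    : `${f.name}@${f.version} was forced onto a consumer that declared ${f.range}; confirm this override is intended`;
}

for (const f of auditLock(SAMPLE_LOCK)) console.log(formatFinding(f));
```

On the constructed sample this reports two lines: the stale fast-xml-parser 5.5.3 entry below the 5.5.8 floor, and path-to-regexp 8.4.2 forced onto a consumer that declared 0.1.12. The second is not automatically a bug, since forcing versions outside declared ranges is what resolutions are for, but a coercion across a major boundary is exactly the case the review comment asks to be checked against the consumer's routing tests before merge. Replace `SAMPLE_LOCK` with the contents of the repository's yarn.lock to run it for real.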

… resolution

Bump @aws-sdk/credential-providers from ^3.1000.0 to ^3.1023.0, which
pulls in @aws-sdk/xml-builder@3.972.16 with fast-xml-parser@5.5.8
(patched). This removes the need for a fast-xml-parser resolution override.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
github-actions bot commented Apr 3, 2026

License Audit

⚠️ Status: PASS

Metric                    Count
Total packages            2122
Resolved (non-standard)   11
Unresolved                0
Strong copyleft           0
Weak copyleft             27

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
dompurify 3.3.1 (MPL-2.0 OR Apache-2.0)

Resolved Packages (11)
Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo aidenybai/react-grab (MIT License confirmed via GitHub API)
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab (MIT License confirmed via GitHub API)
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo aidenybai/react-grab (MIT License confirmed via GitHub API)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 GitHub repo livebook-dev/codemirror-lang-elixir (Apache-2.0 confirmed via GitHub API)
element-source 0.0.3 UNKNOWN MIT GitHub repo aidenybai/element-source (MIT License confirmed via GitHub API)
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 GitHub repo livebook-dev/lezer-elixir (Apache-2.0 confirmed via GitHub API)
map-stream 0.1.0 UNKNOWN MIT GitHub repo dominictarr/map-stream (MIT License confirmed via GitHub API)
memorystream 0.3.1 UNKNOWN MIT npm registry — licenses array contains {"type":"MIT","url":"http://github.com/JSBizon/node-memorystream/raw/master/LICENSE"}; extracted type field
pause-stream 0.0.11 ["MIT","Apache2"] MIT AND Apache-2.0 npm registry — license field is an array ["MIT","Apache2"]; dual-licensed under both permissive licenses
posthog-js 1.345.5 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo PostHog/posthog-js — LICENSE file confirms Apache License 2.0
valid-url 1.0.9 UNKNOWN MIT GitHub repo ogt/valid-url — LICENSE file confirms MIT license

brendan-kellam changed the title from "chore(deps): bump vulnerable transitive dependencies via resolutions" to "chore(deps): bump vulnerable transitive dependencies" Apr 3, 2026
brendan-kellam merged commit 0bb84e7 into main Apr 3, 2026
9 checks passed
brendan-kellam deleted the brendan/bump-vulnerable-transitive-deps branch April 3, 2026 00:49