
fix: resolve security alerts via consolidated dependency update#149

Merged
stid merged 1 commit into
masterfrom
fix/security-and-dep-updates
May 23, 2026

Conversation

@stid

@stid stid commented May 23, 2026


What

Consolidated dependency update that clears the open Dependabot security alerts (1 critical / 10 high / 4 medium) in a single branch, rather than merging 12 separate Dependabot PRs that would serialize-rebase against each other under the tests strict-status ruleset.

Security alerts → fixed here

| Severity | Package | Resolved to |
| --- | --- | --- |
| 🔴 critical | happy-dom | 20.9.0 |
| 🟠 high | vite | 7.3.2 / 7.3.3 |
| 🟠 high | fast-uri | 3.1.2 |
| 🟠 high | flatted | 3.4.2 |
| 🟠 high | svgo | 4.0.1 |
| 🟠 high | rollup | 4.60.4 |
| 🟠 high | minimatch | 10.2.5 / 3.1.5 |
| 🟠 high | glob | no longer resolved |
| 🟡 medium | postcss | 8.5.15 |
| 🟡 medium | picomatch | 2.3.2 / 4.0.4 |
| 🟡 med/low | vite (multi) | covered by 7.3.x |

Plus the in-range caret dev-tooling minors (eslint 9.39, typescript-eslint 8.59, typescript 5.9, prettier 3.8, terser, autoprefixer, cssnano, …).

Supersedes

Dependabot PRs #140-#148 — Dependabot will auto-close them once this merges.

Residuals (intentionally out of scope)

  • js-yaml 4.1.0 (medium) — pinned by markdownlint-cli2, a dev-only Markdown linter with no untrusted-input path. Clears when markdownlint-cli2 is bumped (separate major 0.18→0.22).
  • wee_alloc (critical, Rust) — no patched version exists; the fix is dropping the custom #[global_allocator] in wasm-cpu. That's a code change, handled on its own branch.

Verification

  • yarn test:ci: 685 passed / 18 skipped, lint + type-check clean
  • No Rust changes → WASM build unaffected
  • Notable majors validated by the suite: happy-dom 18→20, svgo 3→4

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Updated development dependencies for build tools
  • Version

    • Application version updated to 4.42.3


Bumps dependencies to clear open Dependabot security alerts (1 critical,
10 high, 4 medium) in one branch instead of merging 12 individual PRs.

Explicit manifest bumps (security-driven, exact/major):
- vite 7.0.4 -> 7.3.2 (high+med+low: dev-server/CVE fixes)
- happy-dom ^18.0.1 -> ^20.9.0 (critical: test-env DOM)

Swept via `yarn upgrade` (caret deps + transitive lockfile, all in-range):
- svgo -> 4.0.1, rollup -> 4.60.4, fast-uri -> 3.1.2, flatted -> 3.4.2,
  postcss -> 8.5.15, minimatch -> 10.2.5/3.1.5, picomatch -> 2.3.2/4.0.4
- glob (vulnerable range) no longer resolved at all
- plus caret dev-tooling minors: eslint 9.39, typescript-eslint 8.59,
  typescript 5.9, prettier 3.8, terser, autoprefixer, cssnano, etc.

Supersedes Dependabot PRs #140-#148 (Dependabot will auto-close them).

Residuals (intentionally out of scope):
- js-yaml 4.1.0 (medium) pinned by markdownlint-cli2, a dev-only .md
  linter; no untrusted-input path. Clears when markdownlint-cli2 is bumped.
- wee_alloc (critical, Rust) has no patched version; fix is to drop the
  custom global allocator in wasm-cpu -- a code change, separate branch.

Tests: 685 passed / 18 skipped. Lint + type-check clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
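The alert table and the commit message above state the floor each alert clears at, and note that a package such as minimatch resolves on several major lines (3.x and 10.x), each with its own patched version. The check a reviewer would run before trusting "resolved to" is to audit every resolved copy in `yarn.lock` against those per-major floors. The script below is an added example, not code from PR #149 or from the project: it parses a yarn classic (v1) lockfile, and the lockfile excerpt, the `POLICY` object (a reading of the table above, with `mustBeAbsent` standing in for "glob no longer resolved") and the registry URL are all constructed for the demonstration.

```javascript
// Added example, not code from PR #149 or the project it belongs to: audit a
// yarn classic (v1) lockfile against per-major patched floors, the check a
// reviewer would run to confirm a consolidated bump actually cleared each alert.

// Parse a yarn v1 lockfile into [{ name, version }] entries.
// Entry headers look like:  minimatch@^3.0.4, minimatch@^3.1.1:
// and may be quoted:         "@scope/pkg@^1.0.0":
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.trimEnd().endsWith(":")) {
      const firstSpec = line.trimEnd().slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      // Package name is everything before the last "@" (scoped names keep their leading "@").
      current = { name: firstSpec.slice(0, firstSpec.lastIndexOf("@")), version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version\s+"?([^"\s]+)"?\s*$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Minimal semver: major.minor.patch only; pre-release tags are ignored (assumption).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Patched floors taken from the PR's alert table. A package may legitimately
// resolve on several major lines (minimatch 3.x and 10.x), each with its own floor.
// `mustBeAbsent` encodes "glob no longer resolved" (a reading of the PR text, not a Dependabot field).
const POLICY = {
  floors: {
    "happy-dom": ["20.9.0"], vite: ["7.3.2"], "fast-uri": ["3.1.2"], flatted: ["3.4.2"],
    svgo: ["4.0.1"], rollup: ["4.60.4"], minimatch: ["3.1.5", "10.2.5"],
    postcss: ["8.5.15"], picomatch: ["2.3.2", "4.0.4"],
  },
  mustBeAbsent: ["glob"],
};

// Returns human-readable findings; an empty list means every alert is cleared.
function auditLock(lockText, policy) {
  const findings = [];
  for (const { name, version } of parseYarnLock(lockText)) {
    if (policy.mustBeAbsent.includes(name)) {
      findings.push(`${name}@${version}: still resolved, expected absent`);
      continue;
    }
    const floors = policy.floors[name];
    if (!floors || !version) continue;
    const major = parseSemver(version)[0];
    const floor = floors.find((f) => parseSemver(f)[0] === major);
    if (!floor) findings.push(`${name}@${version}: no patched floor known for major ${major}`);
    else if (compareSemver(version, floor) < 0) findings.push(`${name}@${version}: below patched ${floor}`);
  }
  return findings;
}

// Constructed lockfile excerpt: one minimatch copy is still below its 3.x floor
// and a vulnerable-range glob is still present, so the audit should report both.
const SAMPLE_LOCK_BEFORE = `# yarn lockfile v1

"@eslint/eslintrc@^3.3.1":
  version "3.3.1"
  resolved "https://registry.example.invalid/@eslint/eslintrc/-/eslintrc-3.3.1.tgz"

glob@^10.3.10:
  version "10.4.5"

happy-dom@^20.9.0:
  version "20.9.0"

minimatch@^10.0.0:
  version "10.2.5"

minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.2"

postcss@^8.4.0:
  version "8.5.15"
`;

// Same excerpt after the fix: glob gone, minimatch 3.x raised to its floor.
const SAMPLE_LOCK_AFTER = SAMPLE_LOCK_BEFORE
  .replace(/glob@\^10\.3\.10:\n  version "10\.4\.5"\n\n/, "")
  .replace('version "3.1.2"', 'version "3.1.5"');

if (typeof require !== "undefined" && require.main === module) {
  console.log("before:", auditLock(SAMPLE_LOCK_BEFORE, POLICY));
  console.log("after:", auditLock(SAMPLE_LOCK_AFTER, POLICY));
}
```

Run against the real `yarn.lock` by reading the file into `auditLock` in place of the constructed excerpt. The per-major floors matter: a naive "version >= 10.2.5" check would flag the legitimate minimatch 3.1.5 copy, and a naive "any version >= 3.1.5" check would accept an unpatched 10.0.x copy.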
@coderabbitai

coderabbitai Bot commented May 23, 2026


No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 1d9df20 and 442da27.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • package.json
  • src/version.ts

📝 Walkthrough

This patch release bumps the application version to 4.42.3 and updates two development dependencies: happy-dom to ^20.9.0 and vite to 7.3.2. No source code logic is modified.

Changes

Dependency and Version Updates

| Layer / File(s) | Summary |
| --- | --- |
| Dev dependency and app version updates (package.json, src/version.ts) | Development dependencies happy-dom and vite are updated to newer versions; the exported APP_VERSION constant is incremented to 4.42.3. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A version bump hops into view,
With happy-dom and vite shiny and new,
Four-four-two now becomes forty-three,
Patch by patch, we update merrily! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and accurately reflects the main change: a consolidated security dependency update that resolves Dependabot alerts. It clearly summarizes the primary objective of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
