
chore: bump @vllnt/ui postcss security range #360

Open
bntvllnt wants to merge 9 commits into main from chore/355-postcss-security

Conversation

@bntvllnt
Collaborator

@bntvllnt bntvllnt commented May 15, 2026

Summary

  • Bump packages/ui PostCSS devDependency from ^8.5.6 to ^8.5.10.
  • Bump the registry workspace's direct PostCSS floor from ^8.5 to ^8.5.10 so pnpm no longer keeps an older PostCSS peer slice in the shared lockfile.
  • Add a root pnpm.overrides.postcss >=8.5.10 entry so transitive consumers, including next@16.2.6, resolve to the patched PostCSS release instead of vulnerable postcss@8.4.31.
  • Update pnpm-lock.yaml so @vllnt/ui autoprefixer, Tailwind/PostCSS peer snapshots, tsup, shadcn, and Next resolve through postcss@8.5.10 without taking the broad Dependabot batch or unrelated shadcn canary drift.
  • fix: upgrade registry Next.js for GHSA-c4j6-fc7j-m34r #356 / registry Next.js scope was already completed separately by fix(registry): upgrade Next.js to 16.2.6 #357.

Scope / dependency-security routing

Dependency evidence

  • Current PR head: 048ba54776a001d1e1be219319d2f2e3be1d42c5.
  • Diff vs origin/main: 4 files changed, 44 insertions(+), 51 deletions(-): apps/registry/package.json, package.json, packages/ui/package.json, pnpm-lock.yaml.
  • Pre-fix audit identified PostCSS advisory 1117015 (postcss <8.5.10) with installed postcss@8.4.31 coming through the next@16.2.6 lockfile snapshot.
  • pnpm-lock.yaml has zero postcss@8.4.31 / postcss: 8.4.31 / version: 8.4.31 refs.
  • pnpm-lock.yaml now resolves the Next snapshot and PostCSS peer snapshots through postcss@8.5.10.
  • The previous broad lockfile drift was removed: no shadcn@4.2.0-canary.0, validate-npm-package-name@7.0.2, or wsl-utils@0.3.1 entries were added by this PR.

Test Plan

  • pnpm install --frozen-lockfile --lockfile-only
  • git diff --check
  • grep -nE 'postcss@8\.4\.31|postcss: 8\.4\.31|version: 8\.4\.31' pnpm-lock.yaml || true (no matches)
  • grep -nE '^ validate-npm-package-name@7\.0\.2:|^ wsl-utils@0\.3\.1:|^ shadcn@4\.2\.0-canary\.0:' pnpm-lock.yaml || true (no matches)
  • pnpm -F @vllnt/ui lint
  • pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json
  • pnpm build
  • pnpm test:once (216 files / 1215 tests passed)

CI status

Head: 048ba54776a001d1e1be219319d2f2e3be1d42c5

Current-head checks:

  • Quality Gates
  • Analyze (actions)
  • Analyze (javascript-typescript)
  • CodeQL
  • Enforce issue-linked PRs
  • Scan codebase health
  • build · sign · scan · deploy — failed in deploy step because the vllnt deployer endpoint returned HTTP 000 / connection refused after three retries. Build/sign/scan reached the deploy action; failure appears infrastructure/deployer availability, not local validation.

@bntvllnt
Collaborator Author

REQUEST_CHANGES-equivalent (authenticated account owns this PR, so GitHub may not allow a formal request-changes review).

Blocking:

  • The PostCSS remediation is incomplete in the lockfile/package graph. PR chore: bump @vllnt/ui postcss security range #360 bumps packages/ui direct postcss to ^8.5.10, but pnpm-lock.yaml still retains postcss@8.5.6 and the @vllnt/ui autoprefixer@10.4.24(postcss@8.5.6) snapshot. In the PR worktree at head 4f10d5852bd480d4c6122176aa9d28e5f8b0fbc4, pnpm -F @vllnt/ui why postcss reports autoprefixer 10.4.24 -> postcss 8.5.6 peer, and resolving from the autoprefixer realpath points to .pnpm/postcss@8.5.6. That means the intended chore: replace stale Next/PostCSS security bump PR from current main #355 PostCSS slice is not fully replaced yet.

Verified clean:

Follow-up created on the board: t_f34921ad to fix the incomplete PostCSS lockfile remediation before this is safe for review/merge.

@bntvllnt
Collaborator Author

PostCSS remediation follow-up is ready for re-review at 4058b9f554ba0b48b32cf60b4f8323dcc68fef34.

Evidence refreshed:

  • Lockfile now has zero postcss@8.5.6 / postcss: 8.5.6 / version: 8.5.6 refs.
  • pnpm -F @vllnt/ui why postcss reports autoprefixer 10.4.24 -> postcss 8.5.10 peer.
  • Package-level resolution from packages/ui resolves autoprefixer@10.4.24_postcss@8.5.10 and postcss@8.5.10.
  • Scope remains narrow: apps/registry/package.json, packages/ui/package.json, pnpm-lock.yaml only; no unrelated chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates #359 batch updates.
  • Local gates passed: install frozen lockfile, lint, tsc, build, pnpm test:once (216 files / 1215 tests).
  • GitHub checks are green at this head except the known external Vercel ui.vllnt.ai cancellation documented in the PR body.

@bntvllnt
Collaborator Author

Review outcome for head 4058b9f554ba0b48b32cf60b4f8323dcc68fef34: manual approval recommended, with the existing external preview caveat.

BLOCKING

  • None in the code/dependency diff.

WARN

  • External preview gate remains non-green: Vercel – ui.vllnt.ai is still FAILURE with description Canceled from the Vercel Dashboard. I do not see this as caused by the dependency diff, but it still means the PR is not fully merge-green until the required preview/status policy is resolved or intentionally accepted.

VERIFIED CLEAN

VALIDATION

  • Live PR metadata fetched with GitHub API at current head 4058b9f554ba0b48b32cf60b4f8323dcc68fef34.
  • Read-only diff/context review completed for all 3 changed files.
  • Ran grep -nE 'postcss@8\.5\.6|postcss: 8\.5\.6|version: 8\.5\.6' pnpm-lock.yaml; exit 1/no matches.
  • Inspected lockfile PostCSS entries and current package manifests.
  • Verified live check rollup: GitHub Actions quality/codebase/issue-link, CodeQL, Vercel Preview Comments, and Storybook are green; Vercel – ui.vllnt.ai remains canceled/failing externally.
  • I did not rerun the full install/lint/typecheck/build/test suite in this review pass; I treated the parent remediation task's preserved successful gate evidence plus live CI as validation context.

Note: because the authenticated GitHub account is also the PR author, I am recording this as a PR comment rather than submitting an autonomous approval.

Refreshes the PR head to replace the canceled Vercel ui.vllnt.ai preview gate without changing code.
@bntvllnt
Collaborator Author

External preview rerun attempted for the remaining non-code gate.

Action taken:

  • Pushed empty non-code commit 172b32b0f178b5da608d16ffafcf4301fd3f1394 to retrigger GitHub/Vercel preview creation without changing the dependency remediation diff.
  • GitHub Actions and storybook checks reached green again on the new head.
  • Vercel created a fresh ui.vllnt.ai deployment attempt: https://vercel.com/vllnt/ui.vllnt.ai/DrnZ2FT3iC6vcwCpegdFcApZE2Vz

Result:

  • Vercel – ui.vllnt.ai is still terminal failure with description Canceled from the Vercel Dashboard.
  • This confirms the remaining blocker is external/non-code and not resolved by a GitHub retrigger.

Needed decision/action:

@bntvllnt
Collaborator Author

Review — PR #360 current head 172b32b

Verdict: manual approval ready for the scoped PostCSS remediation, with one explicit merge/release caveat.

I reviewed the current head 172b32b0f178b5da608d16ffafcf4301fd3f1394 against main for the three changed files:

  • apps/registry/package.json
  • packages/ui/package.json
  • pnpm-lock.yaml

BLOCKING

None for the dependency/security diff itself.

WARN / CAVEAT

  • Vercel – ui.vllnt.ai is still failing/canceled on the current head (Canceled from the Vercel Dashboard), so this is clean for review handoff only, not a merge/release clearance. Resolve/rerun that external preview gate or get explicit human acceptance before merge/release.

VERIFIED CLEAN

LINE / HUNK COVERAGE LEDGER

  • apps/registry/package.json:45 — PASS. Reviewed the exact manifest hunk; scoped floor bump only.
  • packages/ui/package.json:177 — PASS. Reviewed the exact manifest hunk; scoped PostCSS devDependency bump only.
  • pnpm-lock.yaml:101,106-107,324,335-336,351,6138-6139,10549,10555,13941,13943,13948,13951,13953,13958,13961,13963,13984,14522,14886-14890,15007,15018,15028,15301,15315 — PASS. Reviewed every changed lockfile hunk; all changed references consistently move the 8.5.6 graph to 8.5.10 with no unrelated package-version drift observed.

RULE COVERAGE

VALIDATION

Evidence checked:

Not rerun locally:

  • Full pnpm -F @vllnt/ui lint, typecheck, build, and test suite. I relied on the current GitHub Quality Gates success plus PR body evidence for the expensive full-suite commands, and independently verified the dependency/lockfile remediation directly.

Manual approval is still reserved for bntvllnt; I am not submitting an autonomous APPROVE.

Collaborator Author

@bntvllnt bntvllnt left a comment


@bntvllnt REQUEST_CHANGES — one blocking dependency-audit finding remains.

Blocking:

  • PR #360 moves the direct workspace PostCSS peer slice to 8.5.10, but pnpm audit --audit-level moderate --json at head still reports the scoped PostCSS advisory (1117015, patched >=8.5.10) through next@16.2.6 -> postcss@8.4.31 in both apps/registry and packages/ui. Because this PR is the canonical PostCSS remediation for #355, the review cannot treat the PostCSS advisory as remediated until the residual finding is either fixed or explicitly documented/escalated as non-actionable.

Evidence checked at head 172b32b0f178b5da608d16ffafcf4301fd3f1394:

  • pnpm install --frozen-lockfile --ignore-scripts passed.
  • pnpm audit --audit-level moderate --json exited 1 and still contains module postcss advisory 1117015 via next@16.2.6 -> postcss@8.4.31.
  • PR body links Closes #355 and the diff is dependency-manifest/lockfile only.
  • GitHub checks are green for Quality Gates, CodeQL, health scan, issue-link, JS/TS analysis, actions analysis, preview comments, and Storybook; Vercel – ui.vllnt.ai remains failed/canceled externally.

Requested change:

  • Either eliminate the residual PostCSS audit finding, or update the PR/issue evidence with an explicit non-actionable residual-audit rationale for the next@16.2.6 -> postcss@8.4.31 path so the security claim matches HEAD.

"autoprefixer": "^10.4.20",
"eslint": "^9.39.1",
"postcss": "^8.5",
"postcss": "^8.5.10",
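Review bot: the floor bump from ^8.5 to ^8.5.10 on this manifest line only constrains apps/registry's direct postcss devDependency; it does not move transitive consumers such as next@16.2.6, whose lockfile snapshot pins postcss 8.4.31 independently of this range. Pair this hunk with the root pnpm.overrides.postcss >=8.5.10 entry and re-run pnpm audit --json at the new head, confirming no advisory 1117015 finding remains, before the PR body describes the advisory as remediated.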
Collaborator Author


Blocking: this direct PostCSS bump does not fully clear the PostCSS audit finding at HEAD. pnpm audit --audit-level moderate --json still reports advisory 1117015 through next@16.2.6 -> postcss@8.4.31, so the #355 remediation evidence needs either a fix or an explicit residual-audit/non-actionable rationale.

vllnt-pilot Bot had a problem deploying to Preview · pr-360-storybook (May 18, 2026 17:14): Failure

@vllnt-pilot

vllnt-pilot Bot commented May 18, 2026

Preview ready · pr-360-ui-registry

Service: ui-registry, Status: Ready, Preview: https://pr-360-ui-registry.preview.vllnt.ai
  • Deployed to vllnt-cluster from 48ccea3
  • Reply with /clean to destroy this preview now

Collaborator Author

@bntvllnt bntvllnt left a comment


@bntvllnt REQUEST_CHANGES — current-head review for PR #360 at 48ccea342d2c9811c83f98b99c4959da030fb927.

Review — 2 blocking findings, 0 warnings

BLOCKING

  • C1 — PostCSS advisory still remains in the current lockfile

    • Evidence: pnpm-lock.yaml still resolves next@16.2.6 with postcss: 8.4.31, and still contains postcss@8.4.31 package/snapshot entries. A current-head pnpm audit --json reports advisory 1117015 (PostCSS has XSS via Unescaped </style> in its CSS Stringify Output) with vulnerable_versions: <8.5.10, patched_versions: >=8.5.10, and finding version 8.4.31.
    • Why it matters: issue #355 is a security-remediation issue for the PostCSS <8.5.10 XSS advisory. This PR does bump the direct workspace PostCSS peer slices to 8.5.10, but the current lockfile still contains the vulnerable PostCSS version through the registry Next.js dependency graph, so closing #355 from this PR would leave the advisory unresolved in the dependency graph.
    • Fix: update the remediation so the lockfile no longer contains or audits postcss@8.4.31 / <8.5.10, or keep #355 open and narrow this PR/body so it does not claim the full PostCSS advisory is resolved.
  • C2 — PR body is stale for the current head

    • Evidence: the live head is 48ccea342d2c9811c83f98b99c4959da030fb927, but the PR body still says Current PR head: 172b32b0f178b5da608d16ffafcf4301fd3f1394 and its CI/status section describes a failed/canceled Vercel preview caveat. Live checks on the current head are now green/acceptable, including vllnt-pilot / preview deploy, build · sign · scan · deploy, CodeQL, Quality Gates, and issue-link enforcement.
    • Why it matters: repo rule R3 requires the PR body to match HEAD. Reviewers should not have to reconcile stale validation/head/preview claims against the live PR state during a security dependency merge.
    • Fix: rewrite the PR body for head 48ccea342d2c9811c83f98b99c4959da030fb927, with the current changed-file list, current dependency evidence, and current check status.

VERIFIED CLEAN

  • Scope is bounded to the three routed files: apps/registry/package.json, packages/ui/package.json, and pnpm-lock.yaml.
  • The direct workspace PostCSS devDependency floors in apps/registry/package.json and packages/ui/package.json now point to ^8.5.10.
  • The lockfile updates for those direct PostCSS peer slices are internally consistent: the registry and UI importer entries now resolve direct postcss to 8.5.10, and related autoprefixer / tsup peer snapshots moved to postcss@8.5.10.
  • PR metadata is linked to issue #355.

VALIDATION

  • Confirmed live PR state immediately before review: OPEN, non-draft, mergeStateStatus=CLEAN, mergeable=MERGEABLE, head 48ccea342d2c9811c83f98b99c4959da030fb927.
  • Inspected every changed file and surrounding manifest/lockfile context.
  • Marked all three changed files viewed in GitHub.
  • Checked live GitHub checks: 9 visible checks, all success/pass or acceptable neutral.
  • Ran pnpm audit --json against the current lockfile; it still reports the PostCSS <8.5.10 advisory through version 8.4.31.

Manual approval is not the next action yet; the PostCSS advisory and stale PR body need to be resolved first.

@vllnt vllnt deleted a comment from vllnt-pilot Bot May 18, 2026
@vllnt vllnt deleted a comment from vercel Bot May 18, 2026
@bntvllnt
Collaborator Author

@bntvllnt REQUEST_CHANGES — current-head review for PR #360 at 77a8f1d747f90b43e905e3234b8e2adbc5a1456f.

Review — 1 blocking finding, 0 warnings

BLOCKING

  • pnpm-lock.yaml:69-71 — FAIL [Rules/Dependency] The lockfile upgrades apps/registry's floating shadcn canary resolution from 3.5.1-canary.0 on origin/main to 4.2.0-canary.0 while the manifest remains "shadcn": "canary". The PR body says this PR intentionally targets the PostCSS advisory only and leaves the remaining Dependabot/dependency batch for separate triage. This unrelated canary jump also brings new transitive lock entries/deps in the shadcn snapshot (open, validate-npm-package-name, postcss-selector-parser, tailwind-merge, etc.) without a tradeoff/risk note, so the PR does not satisfy the no-drift-beyond-chore: replace stale Next/PostCSS security bump PR from current main #355 review focus.
    • Fix: regenerate the lockfile so the existing shadcn@3.5.1-canary.0 resolution is preserved while PostCSS resolves to 8.5.10, or explicitly expand the PR/issue scope and document the shadcn@4.2.0-canary.0 dependency tradeoff/security review.

VERIFIED CLEAN

  • Exact live head verified: 77a8f1d747f90b43e905e3234b8e2adbc5a1456f; PR is open, non-draft, mergeable/clean.
  • Changed-file coverage completed for all four files: apps/registry/package.json, root package.json, packages/ui/package.json, and pnpm-lock.yaml.
  • apps/registry/package.json:43-45 correctly raises the direct registry PostCSS devDependency floor to ^8.5.10.
  • package.json:35-48 correctly adds root pnpm.overrides.postcss: ">=8.5.10" without touching protected policy files or generated artifacts.
  • packages/ui/package.json:174-178 correctly raises @vllnt/ui's PostCSS devDependency floor to ^8.5.10.
  • PostCSS remediation itself is effective: the lockfile has postcss@8.5.10, no postcss@8.4.31 refs, and targeted audit parsing found no PostCSS advisories.
  • R3 PR body freshness: PASS — body head SHA and diff stat match the fetched PR head.
  • R5 linked issue policy: PASS — PR closes chore: replace stale Next/PostCSS security bump PR from current main #355 and the issue-link CI check is green.
  • R6 workspace gates at HEAD: PASS — 8/8 fetched GitHub checks are successful at this head.

VALIDATION

  • Ran: gh pr view 360 --repo vllnt/ui --json ... and gh pr checks 360 --repo vllnt/ui --json ....
  • Ran: detached review worktree checkout at /home/ubuntu/ui/.worktrees/pr-360-review, HEAD verified as 77a8f1d747f90b43e905e3234b8e2adbc5a1456f.
  • Ran: pnpm install --lockfile-only --frozen-lockfile --ignore-scripts --offline — passed.
  • Ran: pnpm audit --json plus targeted PostCSS advisory parsing — audit still exits nonzero for unrelated repo advisories, but postcss_advisories is empty.
  • Ran: regex check for postcss@8.4.31 / postcss: 8.4.31 / version: 8.4.31 — no matches.

Verdict: changes requested. Manual approval should wait until the unintended shadcn canary lockfile drift is removed or explicitly scoped and justified.
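The two residual checks this thread keeps coming back to (the Test Plan's grep for sub-patched postcss references in pnpm-lock.yaml, and the "targeted PostCSS advisory parsing" of pnpm audit --json that ignores unrelated backlog advisories) can be scripted so they are run the same way at every head. The following is an added example, not code from PR #360 or the vllnt/ui repository. It assumes the pnpm-lock.yaml layout (two-space-indented `name@version:` entry keys with `name: version` dependency lines beneath them) and the npm-audit-v1-style JSON shape pnpm emits (`advisories` keyed by id, each with `module_name`, `patched_versions` and `findings[{version, paths}]`); the sample lockfile excerpt and audit reports are constructed from the versions and advisory values quoted in the thread, with placeholder integrity hashes and an obviously fake unrelated advisory.

```javascript
// Added example (not part of PR #360 or the vllnt/ui project): residual
// checks for a single-package security bump in a pnpm workspace.
//   1. findVulnerableLockRefs: every reference to `pkg` in pnpm-lock.yaml
//      that resolves below `patched`, with the enclosing entry so the output
//      names the dependent that still pulls the vulnerable version.
//   2. advisoriesForModule: the `pnpm audit --json` advisories for one
//      module only, so unrelated backlog advisories neither mask nor fake
//      the result.
// Assumed formats: see the comments on each function.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// true when `a` is strictly below `b`, comparing numeric major.minor.patch only
function versionBelow(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return false;
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Assumed lockfile layout: two-space-indented `name@version:` entry keys,
// peer suffixes in parentheses ("(postcss@8.4.31)"), and `name: version`
// dependency lines indented beneath an entry.
function findVulnerableLockRefs(lockText, pkg, patched) {
  const refRe = new RegExp(`(?:^\\s*|\\()${escapeRe(pkg)}@(\\d+\\.\\d+\\.\\d+)`, "g");
  const depRe = new RegExp(`^\\s*${escapeRe(pkg)}:\\s*(\\d+\\.\\d+\\.\\d+\\S*)`);
  const hits = [];
  let context = null; // the entry key whose block we are currently inside
  lockText.split("\n").forEach((line, i) => {
    const entry = /^  (\S.*):\s*$/.exec(line);
    if (entry) context = entry[1];
    for (const m of line.matchAll(refRe)) {
      if (versionBelow(m[1], patched)) hits.push({ line: i + 1, version: m[1], context });
    }
    const d = depRe.exec(line);
    if (d && versionBelow(d[1], patched)) hits.push({ line: i + 1, version: d[1], context });
  });
  return hits;
}

// Assumed audit shape: report.advisories is an object keyed by advisory id,
// each with module_name, patched_versions and findings[{version, paths}].
function advisoriesForModule(report, moduleName) {
  return Object.values(report.advisories || {})
    .filter((a) => a.module_name === moduleName)
    .map((a) => ({
      id: a.id,
      patched: a.patched_versions,
      findings: (a.findings || []).map((f) => ({ version: f.version, paths: f.paths || [] })),
    }));
}

// The remediation counts as complete only when both checks are empty.
function remediationGate(lockText, report, pkg, patched) {
  const lockRefs = findVulnerableLockRefs(lockText, pkg, patched);
  const advisories = advisoriesForModule(report, pkg);
  return { pkg, patched, lockRefs, advisories, complete: lockRefs.length === 0 && advisories.length === 0 };
}

// Constructed lockfile excerpt modelled on the state the review found at
// head 48ccea3: the direct postcss slice is already 8.5.10, but the
// next@16.2.6 snapshot still pins 8.4.31 (integrity hashes are placeholders,
// and the next snapshot key is simplified to drop its peer suffix).
const LOCK_BEFORE = `
packages:

  postcss@8.4.31:
    resolution: {integrity: PLACEHOLDER}

  postcss@8.5.10:
    resolution: {integrity: PLACEHOLDER}

snapshots:

  autoprefixer@10.4.24(postcss@8.5.10):
    dependencies:
      postcss: 8.5.10

  next@16.2.6:
    dependencies:
      postcss: 8.4.31
`;

// The same excerpt after a root override moves next onto 8.5.10 and the
// stale package entry drops out of the lockfile.
const LOCK_AFTER = LOCK_BEFORE
  .replace(/  postcss@8\.4\.31:\n(?:    .*\n)*\n/, "")
  .replace("postcss: 8.4.31", "postcss: 8.5.10");

// Constructed audit excerpts. The postcss entry carries the values quoted in
// the thread (advisory 1117015, <8.5.10 / >=8.5.10, finding 8.4.31 via
// next@16.2.6; the path string is illustrative). The second entry is a
// placeholder standing in for the unrelated backlog advisories the audit
// also reports, which must not affect the postcss verdict.
const UNRELATED = { id: 9999999, module_name: "placeholder-unrelated-pkg",
  vulnerable_versions: "<2.0.0", patched_versions: ">=2.0.0",
  findings: [{ version: "1.0.0", paths: ["placeholder-path"] }] };
const AUDIT_BEFORE = { advisories: {
  "1117015": { id: 1117015, module_name: "postcss",
    title: "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
    vulnerable_versions: "<8.5.10", patched_versions: ">=8.5.10",
    findings: [{ version: "8.4.31", paths: ["apps/registry>next@16.2.6>postcss@8.4.31"] }] },
  "9999999": UNRELATED } };
const AUDIT_AFTER = { advisories: { "9999999": UNRELATED } };

for (const [label, lock, audit] of [["before override", LOCK_BEFORE, AUDIT_BEFORE],
                                    ["after override", LOCK_AFTER, AUDIT_AFTER]]) {
  const r = remediationGate(lock, audit, "postcss", "8.5.10");
  console.log(`${label}: ${r.complete ? "COMPLETE" : "INCOMPLETE"}`);
  r.lockRefs.forEach((h) => console.log(`  lock line ${h.line}: ${h.version} via ${h.context}`));
  r.advisories.forEach((a) => console.log(`  advisory ${a.id}: ${a.findings.map((f) => f.version).join(", ")}`));
}
```

Run against a real checkout by reading pnpm-lock.yaml with fs.readFileSync and parsing the stdout of pnpm audit --json with JSON.parse; because pnpm audit exits nonzero whenever any advisory remains, gate on the filtered advisory list rather than on the exit code, which is exactly the distinction the "unrelated repo advisories" note above draws.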

Collaborator Author

@bntvllnt bntvllnt left a comment


@bntvllnt COMMENT — current-head review for PR #360 at 048ba54776a001d1e1be219319d2f2e3be1d42c5.

Review — 0 blocking findings, 1 warning

BLOCKING

  • None.

WARN

  • W1 — Deploy check is still infra-red, not code-red
    • Evidence: current-head checks show build · sign · scan · deploy failed only at the deployer POST step. The job built and produced the deployment payload for this exact SHA, then curl failed to connect to the vllnt deployer endpoint after three retries and returned HTTP 000.
    • Why it matters: branch protection may still report the PR as UNSTABLE, but the observed failure is deployer availability, not a PostCSS/package diff regression.
    • Suggested next step: rerun/repair the deployer lane before merge if the protected check is required; do not treat it as a dependency-remediation blocker.

VERIFIED CLEAN

  • Reviewed all four changed files: apps/registry/package.json, root package.json, packages/ui/package.json, and pnpm-lock.yaml.
  • The manifest changes are scoped to the intended PostCSS remediation: registry PostCSS ^8.5.10, @vllnt/ui PostCSS ^8.5.10, and root pnpm.overrides.postcss >=8.5.10.
  • The lockfile is internally consistent for the intended remediation: postcss@8.5.10 is the only PostCSS package entry, next@16.2.6 now resolves postcss: 8.5.10, and the relevant autoprefixer/Tailwind/PostCSS/tsup peer snapshots point at postcss@8.5.10.
  • The previous broad lockfile drift called out in review is gone: no shadcn@4.2.0-canary.0, validate-npm-package-name@7.0.2, or wsl-utils@0.3.1 package entries remain in the PR diff/lockfile.
  • The PR body now matches the current head, accurately lists the 4-file diff and current SHA, includes Closes #355, and separates the remaining non-PostCSS audit backlog from this targeted PostCSS PR.

VALIDATION

  • Confirmed live PR state immediately before publication: OPEN, non-draft, head 048ba54776a001d1e1be219319d2f2e3be1d42c5, branch chore/355-postcss-security, mergeable=MERGEABLE, mergeStateStatus=UNSTABLE because of the deploy check.
  • Ran pnpm install --frozen-lockfile --lockfile-only at the reviewed head: passed.
  • Ran git diff --check origin/main...HEAD: passed.
  • Ran targeted residual checks: no 8.4.31 refs in the changed manifests/lockfile; no exact broad-drift package keys for shadcn@4.2.0-canary.0, validate-npm-package-name@7.0.2, or wsl-utils@0.3.1.
  • Ran pnpm audit --audit-level moderate --json: audit still exits 1 for unrelated backlog advisories, but it contains zero postcss advisories at this head.
  • Re-read current GitHub checks: 6 pass, 1 fail (build · sign · scan · deploy) with deployer HTTP 000 / connection refused evidence from the job log.

Approval is recommended from the code/dependency-review side, with final approval/merge still reserved for bntvllnt and the deployer-lane status to resolve per branch protection.


Development

Successfully merging this pull request may close these issues.

chore: replace stale Next/PostCSS security bump PR from current main

1 participant