chore: remediate postcss and ws CVEs

.github/dependabot.yml

@@ -1,11 +1,21 @@
-# Scheduled dependency version bumps (pull requests).
-# Security PRs for fixable CVEs come from Dependabot Security updates — enable those in GitHub under
-# Organization/repository Settings → Code security → "Dependabot security updates".
+# Dependabot version + security updates for npm.
+# Security PRs also require: Settings → Code security → Dependabot security updates.
 version: 2
 updates:
   - package-ecosystem: npm
     directory: "/"
     schedule:
       interval: weekly
-    open-pull-requests-limit: 15
+    open-pull-requests-limit: 2
     versioning-strategy: increase-if-necessary
+    groups:
+      # All CVE fixes in one PR (instead of one PR per package)
+      npm-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+      # All routine version bumps in one weekly PR
+      npm-dependencies:
+        applies-to: version-updates
+        patterns:
+          - "*"

package.json

@@ -87,7 +87,7 @@
     "vite-plugin-svgr": "4.3.0",
     "vite-tsconfig-paths": "5.1.4",
     "webextension-polyfill": "0.12.0",
-    "ws": "8.20.0"
+    "ws": "8.20.1"
   },
   "pnpm": {
     "overrides": {
@@ -100,6 +100,7 @@
       "minimatch": "9.0.9",
       "@eslint/eslintrc>minimatch": "3.1.5",
       "picomatch": "4.0.4",
+      "postcss": "8.5.10",
       "rollup": "4.60.1",
       "svgo": "3.3.3",
       "yaml": "1.10.3"