
fix(deps): patch utility parser advisories #364

Open

bntvllnt wants to merge 4 commits into main from chore/362-utility-parser-advisories

fix(deps): patch utility parser advisories#364
bntvllnt wants to merge 4 commits into
mainfrom
chore/362-utility-parser-advisories

Conversation

@bntvllnt
Collaborator

Summary

Closes #362

Type of change

  • feat — new component or API
  • fix — bug fix
  • docs — documentation only
  • chore — tooling / CI / deps
  • refactor — no behavior change

Screenshots / Visuals

No UI changes; dependency lockfile-only remediation.

Test plan

  • pnpm install --lockfile-only
  • pnpm install --frozen-lockfile
  • Scoped audit parse: lodash/flatted advisories are absent from pnpm audit --json --audit-level moderate output (utilityAdvisories: []; remaining 55 advisories are unrelated/out-of-scope)
  • pnpm -F @vllnt/ui lint
  • pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json
  • pnpm build (passes; existing Turbopack NFT-list warning observed)
  • pnpm test:once (216 files / 1215 tests passed)
  • pnpm -F @vllnt/ui test:visual (not run; no UI/component output changed)
  • Manual verification: lockfile resolves flatted@3.4.2 and lodash@4.18.1; generated apps/registry/registry.json timestamp from build was reverted so the PR only contains dependency files.

Breaking changes

None.

Checklist

  • Component(s) follow the conventions in AGENTS.md. (No component changes.)
  • New exports added to packages/ui/src/index.ts. (N/A, no exports changed.)
  • Tests added (unit + visual, as applicable). (N/A, dependency-only remediation.)
  • CHANGELOG note added under [Unreleased] for user-facing changes. (N/A, no user-facing API/component change.)
  • No any, as, @ts-ignore, or eslint-disable added.
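The "scoped audit parse" named in the test plan above, written out as an added example; it is not part of this PR or of the vllnt repository. The point it demonstrates is the gating problem the thread keeps coming back to: pnpm audit --json exits non-zero while any advisory remains, so a PR that only remediates lodash and flatted needs its own filter to prove that those two targets are gone while the remaining advisories are counted but not failed on. The script assumes the npm-v6-style report shape pnpm emits (an advisories object keyed by advisory id, each entry carrying module_name, severity, vulnerable_versions, patched_versions and findings); the two embedded reports, their advisory ids and the example-unrelated-pkg entry are constructed sample data, not real audit output.

```javascript
// scoped-audit.js (added example, not the repository's own tooling).
// pnpm audit --json exits non-zero while *any* advisory remains, so a PR that
// only remediates lodash/flatted needs a filter to prove its own targets are
// gone. Assumed report shape (npm-v6 style, as pnpm emits it):
//   { advisories: { "<id>": { module_name, severity, vulnerable_versions,
//                             patched_versions, findings: [{ version }] } } }

// Packages this PR is responsible for (the ones floored by pnpm.overrides).
const SCOPED_MODULES = ['lodash', 'flatted'];

// One entry per in-scope advisory, including the versions the audit actually
// saw, so a reviewer can compare them with the lockfile resolution.
function scopedAuditHits(report, scoped = SCOPED_MODULES) {
  const wanted = new Set(scoped);
  const advisories = (report && report.advisories) || {};
  const hits = [];
  for (const [id, adv] of Object.entries(advisories)) {
    if (!wanted.has(adv.module_name)) continue;
    hits.push({
      id: String(id),
      module: adv.module_name,
      severity: adv.severity,
      vulnerable: adv.vulnerable_versions,
      patched: adv.patched_versions,
      found: (adv.findings || []).map((f) => f.version),
    });
  }
  // Deterministic order so the output diffs cleanly between runs.
  return hits.sort((a, b) => a.module.localeCompare(b.module) || a.id.localeCompare(b.id));
}

// Advisories outside the scope: reported as a count only, so the summary can
// say "N remaining, unrelated to this PR" without re-listing them.
function unrelatedAdvisoryCount(report, scoped = SCOPED_MODULES) {
  const wanted = new Set(scoped);
  return Object.values((report && report.advisories) || {})
    .filter((adv) => !wanted.has(adv.module_name)).length;
}

// Gate: ok only when every in-scope advisory is gone. Unrelated advisories
// never fail the gate; they are surfaced for the PR body's "out of scope" note.
function scopedGate(report, scoped = SCOPED_MODULES) {
  const hits = scopedAuditHits(report, scoped);
  return { ok: hits.length === 0, hits, unrelated: unrelatedAdvisoryCount(report, scoped) };
}

// Constructed sample reports (no real advisory ids or URLs): BEFORE models the
// tree prior to the override floors, AFTER models the remediated lockfile.
const UNRELATED = {
  module_name: 'example-unrelated-pkg', severity: 'moderate',
  vulnerable_versions: '<2.0.0', patched_versions: '>=2.0.0',
  findings: [{ version: '1.4.0' }],
};
const BEFORE = {
  advisories: {
    '1001': { module_name: 'lodash', severity: 'high',
              vulnerable_versions: '<4.18.1', patched_versions: '>=4.18.1',
              findings: [{ version: '4.17.23' }] },
    '1002': { module_name: 'flatted', severity: 'moderate',
              vulnerable_versions: '<3.4.2', patched_versions: '>=3.4.2',
              findings: [{ version: '3.3.3' }] },
    '1003': UNRELATED,
  },
};
const AFTER = { advisories: { '1003': UNRELATED } };

function main(argv) {
  if (argv[2]) {
    // Real run: node scoped-audit.js audit.json (audit.json saved from pnpm audit --json).
    const text = require('node:fs').readFileSync(argv[2], 'utf8');
    const result = scopedGate(JSON.parse(text));
    console.log(JSON.stringify(result, null, 2));
    process.exitCode = result.ok ? 0 : 1; // only in-scope hits fail the gate
    return;
  }
  console.log('before overrides:', JSON.stringify(scopedGate(BEFORE)));
  console.log('after overrides :', JSON.stringify(scopedGate(AFTER)));
}

if (typeof require !== 'undefined' && require.main === module) main(process.argv);
```

Usage in the shape the test plan describes: save the report with `pnpm audit --json --audit-level moderate > audit.json || true` (the `|| true` is needed precisely because pnpm audit exits 1 for the unrelated advisories), then run `node scoped-audit.js audit.json`; the script's own exit status is the scoped gate, and the `unrelated` count is what the PR body reports as out of scope.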

@bntvllnt
Collaborator Author

CI monitoring reached terminal state for head 4a8d21195d27ed92d55f7eb767781311066f571a: GitHub checks passed (CI Quality Gates, CodeQL, PR issue link, react-doctor); Vercel storybook passed; Vercel ui.vllnt.ai is red because the deployment was canceled from the Vercel Dashboard, not from a repository build/test failure surfaced in GitHub. Local required gates also passed as listed in the PR body.

Comment thread pnpm-lock.yaml
version: 19.2.4(react@19.2.4)
react-markdown:
specifier: ^10.1.0
version: 10.1.0(@types/react@19.2.13)(react@19.2.4)
Collaborator Author


Blocking: this lockfile hunk bumps shadcn from 3.5.1-canary.0 to 4.2.0-canary.0, which pulls in a separate toolchain/transitive dependency graph. Issue #362 is scoped to the residual lodash/flatted utility/parser advisories and explicitly excludes broader tooling/PostCSS/#359 work unless unavoidable coupling is proved and documented. Please preserve the existing shadcn resolution while applying the overrides, or update the PR scope/body with evidence that this bump is inseparable from the lodash/flatted remediation.

@bntvllnt
Collaborator Author

Review — 1 finding (1 blocking, 0 warn)

BLOCKING

  • S1 — Lockfile drift includes an out-of-scope shadcn canary/toolchain bump
    • Evidence: pnpm-lock.yaml changes shadcn from 3.5.1-canary.0 to 4.2.0-canary.0 and adds/removes its transitive graph (open@11.0.0, validate-npm-package-name@7.0.2, postcss-selector-parser@7.1.1, removal of @antfu/ni, ansis, fzf, etc.).
    • Why it matters: issue #362 (chore: remediate residual utility parser advisories from superseded #359) explicitly limits this PR to the residual lodash/flatted utility/parser advisories and says Hono/Axios/runtime updates, Vite/glob/build-tool updates, PostCSS, and the superseded PR #359 (chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates) must stay out of scope unless package-manager coupling is unavoidable and documented. This shadcn canary jump is a separate tooling dependency change, and the PR body currently claims the final diff is narrow while leaving PostCSS/build-tool work out of scope.
    • Fix: regenerate the lockfile while preserving the existing shadcn@3.5.1-canary.0 resolution, or explicitly prove/document why the shadcn canary bump is inseparable from the lodash/flatted overrides and move that broader toolchain change into the PR scope.

VERIFIED CLEAN

VALIDATION

  • Reviewed live PR #364 (fix(deps): patch utility parser advisories) at head 4a8d21195d27ed92d55f7eb767781311066f571a.
  • Fetched PR metadata/body/files, issue #362 (chore: remediate residual utility parser advisories from superseded #359), full patch, and current check rollup.
  • GitHub checks are green for CodeQL, PR Issue Link, Quality Gates, react-doctor, Vercel Preview Comments, and Storybook Vercel; Vercel – ui.vllnt.ai is red from the current check rollup.
  • Local repo gates were not rerun in this review because the blocking finding is scope/lockfile drift visible in the diff; PR-body validation evidence claims pnpm install, scoped audit parse, pnpm -F @vllnt/ui lint, tsc, pnpm build, and pnpm test:once passed on this head.

Formal REQUEST_CHANGES could not be submitted from this authenticated account because it is the PR author account; treat this comment as the blocking review handoff for the current head.

@bntvllnt
Collaborator Author

Updated the lockfile remediation to stay scoped to lodash/flatted only.

Validation run locally:

  • pnpm audit --json scoped parse: lodash/flatted advisory hits = 0
  • pnpm -F @vllnt/ui lint: pass
  • pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json: pass
  • pnpm build: pass
  • pnpm test:once: pass (216 files / 1215 tests)

Diff check:

  • final PR diff vs origin/main is only package.json + pnpm-lock.yaml
  • shadcn remains pinned at 3.5.1-canary.0; no shadcn 4.2.0-canary.0 or related lockfile drift remains

CI note at time of update: GitHub analysis/code scanning checks are passing; Quality Gates was still pending; Vercel ui.vllnt.ai preview is marked failed because it was canceled from the Vercel dashboard.

Collaborator Author

@bntvllnt bntvllnt left a comment


Review — clean/manual-ready (approval reserved for bntvllnt)

Current head SHA: 42c8af3760fe7dfd61acc82526ef6793d243f280
Verdict: COMMENT — no blocking code/dependency findings found; final approval is reserved for bntvllnt.

BLOCKING

  • None.

WARN / GAPS

  • The Vercel – ui.vllnt.ai check is still reported as failing in GitHub checks while the code gates are green. I did not treat it as a dependency-diff blocker because the scoped local gates and GitHub Quality Gates pass, but do not ignore it if branch protection requires that deployment check.

VERIFIED CLEAN

  • Scope is now limited to package.json and pnpm-lock.yaml; no apps/registry/registry.json or broader generated-file churn remains.
  • The previous shadcn/transitive-graph blocker is resolved: shadcn remains 3.5.1-canary.0; no 4.2.0-canary.0 lockfile drift remains.
  • Root pnpm.overrides add only lodash >=4.18.1 and flatted >=3.4.2; the lockfile resolves lodash@4.18.1 and flatted@3.4.2, with the old lodash@4.17.23 / flatted@3.3.3 entries gone.
  • PR metadata still links Closes #362, and the body’s test-plan claims match the final head I reviewed.

VALIDATION

  • Ran pnpm install --frozen-lockfile — pass.
  • Ran scoped audit parse from pnpm audit --json --audit-level moderate: utility_advisory_hits: [] for lodash / flatted; remaining 55 advisories are unrelated to this scoped PR.
  • Ran pnpm -F @vllnt/ui lint — pass.
  • Ran pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json — pass.
  • Ran pnpm build — pass.
  • Ran pnpm test:once — pass, 216/216 files and 1215/1215 tests.
  • Reviewed files: package.json, pnpm-lock.yaml.
  • Viewed-state tracking: marked both changed files viewed.

safe_for_next_step: true for bntvllnt manual approval/review handoff, subject to the Vercel app check caveat above.

@bntvllnt
Collaborator Author

Status-gate classification for current head 42c8af3:

  • The only non-green live signal I see is the external Vercel – ui.vllnt.ai status, reported by GitHub as dashboard-canceled.
  • GitHub Actions gates, CodeQL, issue-link enforcement, health scan, preview comment, and Vercel – storybook are green.
  • The PR is still mergeable; I found no additional code/dependency blocker beyond the already-noted external preview noise.

Recommendation: safe for bntvllnt manual next step if he accepts the known external preview-status caveat. Approval/merge remains manual.

Collaborator Author

@bntvllnt bntvllnt left a comment


@bntvllnt APPROVE — dependency/security review clean for the scoped utility-parser remediation.

Evidence checked at head 42c8af3760fe7dfd61acc82526ef6793d243f280:

  • Diff is limited to package.json and pnpm-lock.yaml; it adds only the scoped lodash >=4.18.1 and flatted >=3.4.2 override floor plus lockfile resolution updates.
  • pnpm install --frozen-lockfile --ignore-scripts passed.
  • pnpm audit --json still exits 1 for unrelated advisories, but scoped targets are absent: lodash: 0, flatted: 0.
  • PR body links Closes #362 and documents remaining advisories as out of scope.
  • GitHub checks are green for Quality Gates, CodeQL, health scan, issue-link, JS/TS analysis, actions analysis, preview comments, and Storybook; Vercel – ui.vllnt.ai remains failed/canceled externally and needs human/Vercel handling before merge if the repo treats that preview as required.

No blocking source/dependency findings from this review.

@vllnt-pilot vllnt-pilot Bot had a problem deploying to Preview · pr-364-storybook May 18, 2026 17:14 Failure
Collaborator Author

@bntvllnt bntvllnt left a comment


@bntvllnt APPROVE recommended — manual approval reserved for bntvllnt.

Review — clean/manual-ready

Current head SHA: 6da4c5ba918ff3d088f409a59d727b304bdf7f22
Verdict: 0 blocking findings, 0 warnings. I am submitting this as a COMMENT review, not an approval.

Coverage

  • Reviewed every changed file: package.json, pnpm-lock.yaml.
  • Scope matches issue #362: the diff is limited to dependency override metadata and the regenerated lockfile for lodash and flatted.
  • PR body is current with the reviewed diff and links Closes #362.

Dependency/security review

  • package.json adds only the scoped root pnpm overrides: lodash >=4.18.1 and flatted >=3.4.2.
  • pnpm-lock.yaml resolves the old vulnerable entries forward to lodash@4.18.1 and flatted@3.4.2; no old lodash@4.17.23 or flatted@3.3.3 entries remain in the lockfile.
  • No generated app/component artifacts, component code, build config, release config, or unrelated runtime dependency changes are included.

Validation evidence

  • Live PR state re-fetched immediately before publication: OPEN, non-draft, mergeable=MERGEABLE, mergeStateStatus=CLEAN, head matches 6da4c5ba918ff3d088f409a59d727b304bdf7f22.
  • GitHub checks at this head are acceptable: CI Quality Gates, build/sign/scan/deploy, CodeQL, react-doctor, PR Issue Link, and preview deploy are SUCCESS; one superseded legacy preview is NEUTRAL.
  • Local pnpm install --frozen-lockfile completed successfully on this head.
  • Local git diff --check origin/main...HEAD -- package.json pnpm-lock.yaml passed.
  • Local scoped audit parse confirmed lodash and flatted are absent from current pnpm audit --json --audit-level moderate advisories. The audit command still exits non-zero for unrelated remaining advisories documented out of scope by the PR body.
  • Visual tests were not rerun because this is a dependency/lockfile-only remediation with no UI/component output changes.

Manual approval remains the next action.

@vllnt-pilot

vllnt-pilot Bot commented May 18, 2026

Preview ready · pr-364-ui-registry

Service Status Preview
ui-registry Ready https://pr-364-ui-registry.preview.vllnt.ai
  • Deployed to vllnt-cluster from 6da4c5b
  • Reply with /clean to destroy this preview now



Development

Successfully merging this pull request may close these issues.

chore: remediate residual utility parser advisories from superseded #359

1 participant