chore: remediate build-tool glob advisories #365

Open

bntvllnt wants to merge 4 commits into main from chore/363-build-tool-globs

Conversation


@bntvllnt bntvllnt commented May 15, 2026

Summary

  • Add targeted pnpm overrides for vulnerable Vite peer resolutions used by Playwright/Storybook/Vitest tooling.
  • Override vulnerable picomatch and brace-expansion ranges to patched versions, including brace-expansion v5 to 5.0.6 for advisory 1119088.
  • Regenerate/preserve the lockfile narrowly so shadcn and other unrelated canary/tooling packages stay unchanged.

Closes #363

Validation

  • pnpm install --frozen-lockfile --ignore-scripts
  • pnpm audit --json --audit-level moderate: expected nonzero because unrelated advisories remain; confirmed target_present {'vite': False, 'picomatch': False, 'brace-expansion': False}; current audit metadata reports 50 total advisories (3 low, 31 moderate, 15 high, 1 critical)
  • pnpm -F @vllnt/ui lint
  • pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json
  • pnpm build
  • pnpm test:once: 216 files passed, 1215 tests passed

Notes

  • Scope intentionally limited to package.json and pnpm-lock.yaml.
  • No generated registry/dist artifacts are included.


@bntvllnt bntvllnt left a comment


Review — 0 findings (0 blocking, 0 warn)

@bntvllnt PR #365 is clean from this review gate. Approval is recommended, with final approval reserved for the human reviewer.

VERIFIED CLEAN

  • Scope matches issue #363: only package.json and pnpm-lock.yaml changed, limited to Vite/picomatch/brace-expansion dependency remediation.
  • PR body links Closes #363, matches the current head 2c76fea7e00bb5dd5b5d8c1eb2996b344ba747c5, and documents the remaining unrelated audit advisories.
  • No PostCSS remediation is included in this diff; existing postcss@8.5.6 lockfile paths are unchanged and remain outside this issue's route (#355/#360).
  • No evidence of using, repairing, or broadening superseded PR #359: this head is a single commit on current origin/main, with only the two dependency files changed.
  • Vite moved only by patch versions (6.4.1 -> 6.4.2, 7.3.1 -> 7.3.2), not by major version.

VALIDATION

  • Reviewed live PR metadata and diff for current head 2c76fea7e00bb5dd5b5d8c1eb2996b344ba747c5.
  • CI evidence: Quality Gates, Enforce issue-linked PRs, CodeQL, react-doctor, Vercel Preview Comments, and Storybook Vercel are green. Vercel – ui.vllnt.ai is canceled/failing externally from Vercel, not a code-level finding in this dependency-only PR.
  • Ran pnpm audit --json --audit-level moderate locally on the review worktree: exit 1 because unrelated advisories remain, but target advisory counts are vite=0, picomatch=0, brace-expansion=0.
  • Checked the lockfile directly: old scoped vulnerable entries vite@6.4.1, vite@7.3.1, picomatch@2.3.1, picomatch@4.0.3, brace-expansion@1.1.12, and brace-expansion@5.0.4 are absent.

Verdict: clean/manual-review-ready; no blocking findings.

@bntvllnt

Status-gate classification for current head 2c76fea:

  • The only non-green live signal I see is the external Vercel – ui.vllnt.ai status, reported by GitHub as dashboard-canceled.
  • GitHub Actions gates, CodeQL, issue-link enforcement, health scan, preview comment, and Vercel – storybook are green.
  • The PR is still mergeable; I found no additional code/dependency blocker beyond the already-noted external preview noise.

Recommendation: safe for bntvllnt's manual next step if he accepts the known external preview-status caveat. Approval/merge remains manual.


@bntvllnt bntvllnt left a comment


@bntvllnt APPROVE — dependency/security review clean for the scoped build-tool/glob remediation.

Evidence checked at head 2c76fea7e00bb5dd5b5d8c1eb2996b344ba747c5:

  • Diff is limited to package.json and pnpm-lock.yaml; it adds targeted overrides for Vite, picomatch, and brace-expansion resolution floors plus corresponding lockfile updates.
  • pnpm install --frozen-lockfile --ignore-scripts passed.
  • pnpm audit --json still exits 1 for unrelated advisories, but scoped targets are absent: vite: 0, picomatch: 0, brace-expansion: 0.
  • PR body links Closes #363 and documents the remaining advisory count as out of scope.
  • GitHub checks are green for Quality Gates, CodeQL, health scan, issue-link, JS/TS analysis, actions analysis, preview comments, and Storybook; Vercel – ui.vllnt.ai remains failed/canceled externally and needs human/Vercel handling before merge if the repo treats that preview as required.

No blocking source/dependency findings from this review.

@vllnt-pilot vllnt-pilot Bot had a problem deploying to Preview · pr-365-storybook May 18, 2026 17:14 Failure

vllnt-pilot Bot commented May 18, 2026

Preview ready · pr-365-ui-registry

Service: ui-registry
Status: Ready
Preview: https://pr-365-ui-registry.preview.vllnt.ai
  • Deployed to vllnt-cluster from cb8f260
  • Reply with /clean to destroy this preview now


@bntvllnt bntvllnt left a comment


Review — 1 blocking finding (REQUEST_CHANGES recommended)

GitHub will not allow this account to submit REQUEST_CHANGES on this PR (Can not request changes on your own pull request), so I am posting this as a comment review. Treat this as blocking until fixed.

BLOCKING

  • C1 — brace-expansion v5 override still resolves to an audited vulnerable version
    • Evidence: package.json:58 pins brace-expansion@>=4.0.0 <5.0.5 to 5.0.5, and pnpm-lock.yaml resolves brace-expansion@5.0.5.
    • Local validation: pnpm audit --json --audit-level moderate still reports advisory 1119088 for brace-expansion with vulnerable range >=5.0.0 <5.0.6 and patched range >=5.0.6.
    • Why it matters: issue #363 acceptance requires the scoped Vite/picomatch/brace-expansion advisories to be absent or explicitly documented as out of scope. This PR body currently says the target advisories are absent, but live audit still reports the scoped brace-expansion advisory.
    • Fix: change the v5 brace-expansion override to a patched version (5.0.6 or newer), regenerate the lockfile, rerun audit, then update the PR validation note.

VERIFIED CLEAN

  • Scope is limited to package.json and pnpm-lock.yaml.
  • No generated registry/dist artifacts are included.
  • The old scoped lockfile entries for vite@6.4.1, vite@7.3.1, picomatch@2.3.1, picomatch@4.0.3, brace-expansion@1.1.12, and brace-expansion@5.0.4 are absent.
  • GitHub checks at PR head are green/neutral, and pnpm install --frozen-lockfile succeeds locally.

VALIDATION

  • Ran: pnpm install --frozen-lockfile — pass.
  • Ran: pnpm audit --json --audit-level moderate — expected nonzero overall, but still includes scoped brace-expansion advisory 1119088 for 5.0.5.
  • Checked PR metadata/body and issue #363 acceptance criteria.

Comment thread package.json Outdated
"picomatch@<2.3.2": "2.3.2",
"picomatch@>=4.0.0 <4.0.4": "4.0.4",
"brace-expansion@<1.1.13": "1.1.13",
"brace-expansion@>=4.0.0 <5.0.5": "5.0.5"


This v5 override still lands on brace-expansion@5.0.5, but a fresh pnpm audit --json --audit-level moderate reports advisory 1119088 with vulnerable_versions: >=5.0.0 <5.0.6 and patched_versions: >=5.0.6. That means the scoped brace-expansion target is still present, contrary to the PR validation note and issue #363 acceptance criteria. Please override to 5.0.6 or newer, regenerate the lockfile, and rerun/update the audit evidence.
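The blocker above is an override whose pinned version still sits inside the advisory's vulnerable range, which a check that only confirms the old lockfile entries are gone will miss. As an added example (not the PR's or the project's own code), this script runs both the PR's target_present check and the pinned-version check over constructed sample data shaped like pnpm audit --json output (advisories keyed by id with module_name, vulnerable_versions and patched_versions) and a pnpm.overrides map.

```python
import re
TARGETS = ("vite", "picomatch", "brace-expansion")

# Constructed sample: the pnpm.overrides block as it stood before the fix.
PACKAGE_JSON = {"pnpm": {"overrides": {
    "picomatch@<2.3.2": "2.3.2",
    "picomatch@>=4.0.0 <4.0.4": "4.0.4",
    "brace-expansion@<1.1.13": "1.1.13",
    "brace-expansion@>=4.0.0 <5.0.5": "5.0.5",
}}}

# Constructed sample shaped like `pnpm audit --json`: advisories keyed by id,
# each with module_name, vulnerable_versions and patched_versions.
AUDIT_JSON = {"advisories": {"1119088": {
    "module_name": "brace-expansion",
    "vulnerable_versions": ">=5.0.0 <5.0.6",
    "patched_versions": ">=5.0.6",
}}}

_COMPARATOR = re.compile(r"(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)")

def parse_version(text):
    """'5.0.6' -> (5, 0, 6); prerelease suffixes are dropped."""
    return tuple(int(part) for part in text.split("-")[0].split("."))

def in_range(version, range_expr):
    """True if version satisfies every comparator in a space-separated
    range such as '>=5.0.0 <5.0.6' (the form used in the audit report)."""
    v = parse_version(version)
    ops = {">=": v.__ge__, "<=": v.__le__, ">": v.__gt__, "<": v.__lt__,
           "=": v.__eq__, "": v.__eq__}
    return all(ops[op](parse_version(bound))
               for op, bound in _COMPARATOR.findall(range_expr))

def present_targets(audit, targets=TARGETS):
    """The PR's target_present check: which scoped packages still appear."""
    names = {adv["module_name"] for adv in audit["advisories"].values()}
    return {name: name in names for name in targets}

def unsafe_overrides(pkg, audit):
    """Overrides whose pinned version is itself inside an advisory's
    vulnerable range; returns (selector, pinned, advisory id, patched range)."""
    findings = []
    for selector, pinned in pkg["pnpm"]["overrides"].items():
        name = selector.rsplit("@", 1)[0]  # strips the range, keeps scopes
        for adv_id, adv in audit["advisories"].items():
            if adv["module_name"] == name and in_range(pinned, adv["vulnerable_versions"]):
                findings.append((selector, pinned, adv_id, adv["patched_versions"]))
    return findings
```

On the sample data the 5.0.5 override is flagged against advisory 1119088 with patched range >=5.0.6; re-running with the selector and pin moved to 5.0.6 returns no findings.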

@vllnt vllnt deleted a comment from vllnt-pilot Bot May 18, 2026
@vllnt vllnt deleted a comment from vercel Bot May 18, 2026
@bntvllnt

Remediation for the current-head brace-expansion blocker is pushed at a1f0aa2.

Evidence:

  • Updated the v5 brace-expansion override from 5.0.5 to 5.0.6 and kept the diff limited to package.json + pnpm-lock.yaml.
  • pnpm install --frozen-lockfile --ignore-scripts: pass.
  • pnpm audit --json --audit-level moderate: still nonzero due to unrelated existing advisories, but target modules are absent from advisories: vite=false, picomatch=false, brace-expansion=false. Current audit metadata: 50 total advisories (3 low, 31 moderate, 15 high, 1 critical).
  • pnpm -F @vllnt/ui lint: pass.
  • pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json: pass.
  • pnpm build: pass.
  • pnpm test:once: pass (216 files, 1215 tests).
  • GitHub checks at the new head are green; mergeStateStatus is CLEAN.

PR body has been refreshed with the updated validation note.


@bntvllnt bntvllnt left a comment


Review — 0 findings (0 blocking, 0 warn)

@bntvllnt PR #365 is clean from this retry publication gate. Approval is recommended, but final approval remains reserved for the human reviewer; I am not merging or approving from automation.

BLOCKING

  • None.

WARN

  • None.

VERIFIED CLEAN

  • Reviewed current head a1f0aa2854ce1ef7bbcfb803d97d2929dbb2de55; it is still open, non-draft, mergeable, and mergeStateStatus: CLEAN.
  • Changed-file scope is limited to package.json and pnpm-lock.yaml.
  • The diff only adds/preserves targeted overrides and lockfile resolutions for the dependency/security remediation: Vite 6.4.2 / 7.3.2, picomatch 2.3.2 / 4.0.4, and brace-expansion 1.1.13 / 5.0.6.
  • The previous brace-expansion v5 blocker is resolved: the v5 override is now brace-expansion@>=4.0.0 <5.0.6: 5.0.6, and the lockfile package/snapshot entries now resolve to brace-expansion@5.0.6.
  • PR metadata matches the current diff, links Closes #363, and accurately documents the residual pnpm audit advisories as unrelated to the target packages.
  • Current GitHub checks are green for the visible required gates, including Quality Gates, build, PR Issue Link, CodeQL, react-doctor, and preview deploy.

VALIDATION

  • Re-checked live GitHub metadata/check state for PR #365 immediately before publication.
  • Re-checked local diff at the exact head against origin/main: package.json and pnpm-lock.yaml only.
  • Reused the prior same-head package/lockfile validation evidence: pnpm install --frozen-lockfile --ignore-scripts passed, and pnpm audit --json --audit-level moderate remained nonzero only for unrelated advisories while confirming target packages absent from audit findings.
  • Did not rerun full local build/test gates in this publication retry; current PR body and live GitHub checks report the workspace gates green at this head.

Development

Successfully merging this pull request may close these issues.

chore: remediate residual build-tool glob advisories from superseded #359

1 participant