
chore: remediate runtime HTTP dependency advisories #367

Open · bntvllnt wants to merge 3 commits into main from chore/361-runtime-http-advisories

Conversation

@bntvllnt (Collaborator) commented May 15, 2026

Summary

  • Remediates the residual runtime/HTTP dependency advisories from #361 (chore: remediate residual runtime dependency advisories from superseded #359) using narrow root pnpm.overrides only.
  • Pins patched transitive/runtime packages: hono, @hono/node-server, express-rate-limit, axios, follow-redirects, fast-uri, ip-address, and proxy-from-env (1.1.0 → 2.1.0, transitive via axios).
  • Refreshes pnpm-lock.yaml without shadcn canary/tooling drift; the diff is limited to root overrides and the selected dependency resolution/snapshot entries.

Fixes #361

Validation

  • pnpm install --frozen-lockfile
  • pnpm audit --json --audit-level moderate ✅ selected runtime/HTTP findings: 0
    • final audit metadata: low=1, moderate=12, high=13, critical=1, totalDependencies=1534
  • pnpm -F @vllnt/ui lint
  • pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json
  • pnpm build
    • Note: existing Turbopack warning about unexpected NFT trace from apps/registry/next.config.mjs remains non-blocking.
  • pnpm test:once ✅ 216 files / 1215 tests passed
    • Note: existing jsdom navigation and component warning noise appears during passing tests.
  • pnpm check:circular ⚠️ attempted, blocked by missing madge binary in the current dependency graph (sh: 1: madge: not found). No source import graph was changed by this PR.

Scope note

This intentionally does not address unrelated remaining advisories in the default branch audit; it only removes the runtime/HTTP package findings named in #361.
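The validation list above and the later reviewer comments both rely on the same check: parse `pnpm audit --json` and confirm the #361 packages are absent from the advisory set while the residual severity tallies are reported separately. The script below is an added illustration, not code from this repository; it assumes the npm-audit-v1 JSON shape that `pnpm audit --json` emits (advisories keyed by id with `module_name` and `findings`, tallies under `metadata.vulnerabilities`), and the sample document is constructed.

```python
import json
import sys
from typing import Dict, Iterable

# Packages named in issue #361 and the PR body (the scoped remediation set).
SCOPED_PACKAGES = (
    "hono", "@hono/node-server", "express-rate-limit", "axios",
    "follow-redirects", "fast-uri", "ip-address", "proxy-from-env",
)

# Constructed sample in the npm-audit-v1 shape assumed for `pnpm audit --json`.
# Advisory ids, package names and versions here are made up for the example.
SAMPLE_BEFORE = json.dumps({
    "advisories": {
        "9001": {"module_name": "unrelated-dev-tool", "severity": "moderate",
                 "findings": [{"version": "0.9.0", "paths": ["apps/registry>unrelated-dev-tool"]}]},
        "9002": {"module_name": "axios", "severity": "high",
                 "findings": [{"version": "1.6.0", "paths": ["apps/registry>axios"]}]},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 0},
                 "totalDependencies": 1534},
})

def scoped_findings(audit_json: str, scoped: Iterable[str] = SCOPED_PACKAGES) -> Dict[str, int]:
    """Per-package hit count for the scoped packages; one hit per installed vulnerable version."""
    data = json.loads(audit_json)
    counts = {name: 0 for name in scoped}
    for advisory in data.get("advisories", {}).values():
        name = advisory.get("module_name")
        if name in counts:
            # An advisory with no findings list still counts once.
            counts[name] += max(1, len(advisory.get("findings", [])))
    return counts

def scoped_clean(audit_json: str, scoped: Iterable[str] = SCOPED_PACKAGES) -> bool:
    """True when every scoped package has zero findings, i.e. the PR's remediation claim holds."""
    return all(hits == 0 for hits in scoped_findings(audit_json, scoped).values())

def residual_metadata(audit_json: str) -> Dict[str, int]:
    """Severity tallies plus totalDependencies, for refreshing the PR body's audit line."""
    meta = json.loads(audit_json).get("metadata", {})
    out = dict(meta.get("vulnerabilities", {}))
    out["totalDependencies"] = meta.get("totalDependencies", 0)
    return out

if __name__ == "__main__":
    # Usage: pnpm audit --json --audit-level moderate | python check_scoped_audit.py
    # pnpm exits 1 while unrelated advisories remain, so gate on the parsed JSON, not its exit code.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE
    print("scoped findings:", scoped_findings(raw), "| residual:", residual_metadata(raw))
    sys.exit(0 if scoped_clean(raw) else 1)
```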

@bntvllnt (Collaborator, Author) left a comment

Review — 0 blocking findings (manual approval recommended)

BLOCKING

None.

WARN

  • CI/merge-state warning: Vercel – ui.vllnt.ai is failing because the deployment was canceled from the Vercel Dashboard. I did not find evidence this is caused by the dependency diff, and Vercel – storybook plus the repo quality/security checks are green, but this status may still need a rerun/waiver before merge depending on branch protection.

VERIFIED CLEAN

  • Reviewed current head 9ef8fb8fdd02e3b7656aaa747e1be654d3c269e1 on chore/361-runtime-http-advisories.
  • PR body links Fixes #361 and matches the current two-file diff (package.json, pnpm-lock.yaml).
  • Scope stays within issue #361: root pnpm.overrides plus lockfile resolution/snapshot updates for hono, @hono/node-server, express-rate-limit, axios, follow-redirects, fast-uri, and ip-address.
  • No PostCSS remediation is included in the diff, and there is no shadcn/PostCSS diff churn from #355/#360.
  • This does not repair, merge, or broaden superseded PR #359; #359 remains a separate broad Dependabot PR and this PR uses the scoped chore/361-runtime-http-advisories branch.
  • No source, generated registry output, release, security policy, or direct-main changes are included.

VALIDATION

  • Locally ran pnpm install --frozen-lockfile at the reviewed head: pass.
  • Locally ran pnpm audit --json --audit-level moderate at the reviewed head: command exits 1 because unrelated default-branch advisories remain, but none of the #361 scoped runtime/HTTP packages remain in the advisory set. Audit metadata matches the PR body: low=1, moderate=12, high=13, critical=1, totalDependencies=1534.
  • Live GitHub checks observed: Quality Gates, CodeQL, Analyze (actions), Analyze (javascript-typescript), Enforce issue-linked PRs, Scan codebase health, Vercel Preview Comments, and Vercel Storybook are passing; Vercel – ui.vllnt.ai is canceled/failing as noted above.
  • PR body explicitly documents the pnpm check:circular blocker (madge: not found) and states no source import graph changed.

Approval is recommended, but final approval remains reserved for bntvllnt.

@bntvllnt (Collaborator, Author) left a comment

@bntvllnt APPROVE — dependency/security review clean for the scoped runtime/HTTP remediation.

Evidence checked at head 9ef8fb8fdd02e3b7656aaa747e1be654d3c269e1:

  • Diff is limited to package.json and pnpm-lock.yaml; it pins the scoped runtime/HTTP packages (hono, @hono/node-server, express-rate-limit, axios, follow-redirects, fast-uri, ip-address) to the intended patched versions plus lockfile updates.
  • pnpm install --frozen-lockfile --ignore-scripts passed.
  • pnpm audit --json still exits 1 for unrelated advisories, but scoped targets are absent: hono: 0, @hono/node-server: 0, express-rate-limit: 0, axios: 0, follow-redirects: 0, fast-uri: 0, ip-address: 0.
  • PR body links Fixes #361 and documents remaining advisories as out of scope.
  • GitHub checks are green for Quality Gates, CodeQL, health scan, issue-link, JS/TS analysis, actions analysis, preview comments, and Storybook; Vercel – ui.vllnt.ai remains failed/canceled externally and needs human/Vercel handling before merge if the repo treats that preview as required.

No blocking source/dependency findings from this review.

@vllnt-pilot (Bot) had a problem deploying to Preview · pr-367-storybook · May 18, 2026 17:14 · Failure

@vllnt-pilot (Bot) commented May 18, 2026

Preview ready · pr-367-ui-registry

Service: ui-registry · Status: Ready · Preview: https://pr-367-ui-registry.preview.vllnt.ai
  • Deployed to vllnt-cluster from a249612
  • Reply with /clean to destroy this preview now

@vllnt vllnt deleted a comment from vllnt-pilot Bot May 18, 2026
@bntvllnt (Collaborator, Author) left a comment

Review — 0 blocking findings, manual approval recommended

BLOCKING

None.

WARN / NOTES

  • No merge-blocking issues found. One freshness note: a live pnpm audit --json --audit-level moderate now reports the scoped runtime/HTTP packages from #361 at 0 findings, but the unrelated residual audit metadata currently reads low=1, moderate=14, high=13, critical=1, totalDependencies=1534 rather than the PR body's older moderate=12 line. The scoped remediation claim is still correct; refresh that count if you want exact audit metadata current at merge time.

VERIFIED CLEAN

  • Current PR head matches the routed review SHA: a2496123a898e2714881376c6f9e56dd7f8e178b.
  • Changed-file coverage complete: reviewed package.json and pnpm-lock.yaml; both files were marked viewed.
  • Scope matches #361: the diff is limited to root pnpm.overrides and lockfile resolution/snapshot entries for hono, @hono/node-server, express-rate-limit, axios, follow-redirects, fast-uri, and ip-address.
  • Lockfile/manifests are consistent: pnpm install --frozen-lockfile succeeds, and installed resolution paths show the scoped patched versions (hono@4.12.18, @hono/node-server@1.19.13, express-rate-limit@8.2.2, axios@1.15.2, follow-redirects@1.16.0, fast-uri@3.1.2, ip-address@10.1.1).
  • Live GitHub checks are acceptable: 8 passing checks, 1 neutral superseded preview check.
  • Issue-link policy is satisfied: PR body contains Fixes #361.
  • No generated files, source files, release artifacts, or policy/security docs are changed.

VALIDATION

Ran locally at this head:

  • pnpm install --frozen-lockfile
  • pnpm audit --json --audit-level moderate ✅ for scoped #361 packages: 0 findings
  • pnpm -F @vllnt/ui lint
  • pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json
  • pnpm build ✅ (existing Turbopack NFT warning observed; build succeeds)
  • pnpm test:once ✅ 216 files / 1215 tests passed, with existing jsdom/component warning noise

Manual approval remains the next action; I am not submitting an autonomous APPROVE.


Development: successfully merging this pull request may close issue #361 (chore: remediate residual runtime dependency advisories from superseded #359).

1 participant