chore(deps): bump transitive deps to patch 5 Dependabot alerts

[pflynn-virtru]

Summary

Targeted npm update for vulnerable transitive packages in the root package-lock.json. Each bump stays within existing semver ranges to avoid breaking parent dependencies (notably, picomatch stays on the 2.x line so postman-code-generators is not affected).

Alerts addressed

Alert	Package	Before	After
#127	postcss	8.5.5	8.5.14
#107 (high)	picomatch	2.3.1	2.3.2
#108	picomatch	2.3.1	2.3.2
#105	brace-expansion	1.1.12 / 2.0.2 / 5.0.2	1.1.14 / 2.1.0 / 5.0.6
#129	uuid	11.1.0	11.1.1 (8.3.2 not affected, untouched)

Why targeted (not npm audit fix)

A plain npm audit fix transitively bumps postman-code-generators to a major version that drops bundled Node polyfills, breaking the Docusaurus webpack build (Module not found: Can't resolve 'path'). The targeted approach in this PR sidesteps that regression.

Not addressed here (need separate decisions)

• #134 @babel/plugin-transform-modules-systemjs — Dependabot closed PR chore(deps): bump @babel/plugin-transform-modules-systemjs from 7.25.9 to 7.29.4 #318 saying no update is available
• #113 / #112 lodash — requires npm audit fix --force, which performs a semver-major bump of docusaurus-plugin-openapi-docs / docusaurus-theme-openapi-docs
• #104 serialize-javascript — no upstream fix available yet

Test plan

• Build verified locally: npx docusaurus build — server and client both compile cleanly (only pre-existing broken-links error, same as main)
• CI Test deployment passes
• Confirm alerts auto-close after merge

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e2b5e354-1e86-4d59-aa89-70e3409f5cfe

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/dependabot-security-fixes

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates several dependencies in package-lock.json, including brace-expansion, uuid, picomatch, and postcss, and marks various architecture-specific packages as development dependencies. I have no feedback to provide.

[marythought]

ty