
chore: harden supply chain — patch transitive CVEs, enforce frozen lockfile #46

Merged · 27Bslash6 merged 1 commit into main from chore/supply-chain-hardening · May 17, 2026

@27Bslash6
Contributor

@27Bslash6 27Bslash6 commented May 17, 2026

Summary

Resolves the 21 open Dependabot advisories on main (1 critical, 10 high, 10 moderate) — all in transitive devDependencies — via pnpm.overrides, plus tightens install/audit discipline in CI.

  • pnpm.overrides: pin protobufjs >=7.5.8, vite >=8.0.5, lodash >=4.18.0, flatted >=3.4.2, picomatch >=4.0.4, yaml >=2.8.3, postcss >=8.5.14. All reachable only via testcontainers / vitest / eslint chains — no production exposure.
  • pnpm.onlyBuiltDependencies: explicit allowlist (cpu-features, ssh2, protobufjs). Every other transitive postinstall hook becomes inert by default. Equivalent to ignore-scripts=true but compatible with pnpm's native build flow (verified: native .node binaries still produced for both allowlisted packages).
  • pnpm install --frozen-lockfile on all 7 install steps in ci.yml — fails closed on lockfile drift.
  • Second audit gate: existing pnpm audit --prod --audit-level=high is preserved, plus a new pnpm audit --audit-level=high covering all deps. The --prod filter silently passes today since every vulnerable package is a devDep — surfacing them in CI prevents future dev-only CVEs from sitting unsurfaced.

Verification

  • pnpm audit → {critical: 0, high: 0, moderate: 0, low: 0, info: 0} (was 1/10/10/0/0)
  • pnpm build → 2/2 packages succeed
  • pnpm test → 456 passed, 1 skipped
  • pnpm lint, pnpm type-check → clean
  • cpu-features and ssh2 native .node binaries produced (allowlist works as intended)

Context: this was identified by a full supply-chain review against the late-2024 → mid-2026 npm compromise wave (Shai-Hulud I/II/III, Qix-cluster, axios/plain-crypto-js, TanStack CVE-2026-45321, SANDWORM_MODE). No malicious-package matches or active IOCs were found — this PR is the CVE-cleanup half of that audit.

Test plan

  • pnpm install reproduces clean lockfile state
  • pnpm audit reports zero vulnerabilities
  • pnpm build succeeds
  • pnpm test (unit) passes 456/457
  • pnpm lint clean
  • pnpm type-check clean
  • Native binaries (cpu-features, ssh2) still built — allowlist verified
  • CI green on this branch (new --frozen-lockfile + dual audit gate)

Summary by CodeRabbit

  • Chores
    • Improved build system consistency by enforcing locked dependencies across CI jobs.
    • Enhanced security scanning in the build pipeline with expanded dependency auditing.
    • Updated dependency override configuration for improved build reliability.


…ckfile

Adds pnpm.overrides to force patched versions of vulnerable transitive
devDependencies (protobufjs, vite, lodash, flatted, picomatch, yaml,
postcss — all reachable only via testcontainers/vitest/eslint chains,
no production exposure).

Adds onlyBuiltDependencies allowlist so only cpu-features, ssh2, and
protobufjs may run install scripts — every other transitive postinstall
hook is inert by default. Equivalent to the npm ignore-scripts=true
pattern but compatible with pnpm's native build flow.

CI: pnpm install --frozen-lockfile everywhere (was silent on drift) and
a second audit step covering all deps (not just --prod) so future dev
CVEs don't sit unsurfaced.

Verified: pnpm audit clean (0/0/0/0/0), build/lint/type-check/test green,
cpu-features and ssh2 native binaries still produced.
@coderabbitai

coderabbitai Bot commented May 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bcce08f7-82d9-46ec-9dc4-4f8f3dc14447

📥 Commits

Reviewing files that changed from the base of the PR and between e2c7105 and 3a69eee.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • package.json

📝 Walkthrough

This PR hardens dependency management and security scanning by introducing dependency override constraints, enforcing frozen-lockfile installation across all CI jobs, and expanding npm audit coverage in the security job to detect both production and development dependency vulnerabilities at a high severity threshold.

Changes

Dependency Management and Security Hardening

| Layer / File(s) | Summary |
| --- | --- |
| Dependency override and build configuration: package.json | pnpm.overrides establishes minimum version constraints for seven security-sensitive packages; pnpm.onlyBuiltDependencies allowlist designates three packages (cpu-features, protobufjs, ssh2) for native builds. |
| Frozen-lockfile enforcement across CI jobs: .github/workflows/ci.yml | All CI jobs (lint, test, test-integration, coverage, smoke-test) switch from pnpm install to pnpm install --frozen-lockfile to prevent transitive dependency drift during workflow runs. |
| Enhanced security auditing: .github/workflows/ci.yml | security job adopts frozen-lockfile installation and replaces a single npm audit step with two independent high-severity audits: one for production-only dependencies and one for all dependencies. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • cachekit-io/saas#60: Both PRs modify .github/workflows/ci.yml to enforce frozen-lockfile installation and enhance npm audit steps with higher severity thresholds.

🐰 Dependencies now freeze, no more drift,
Audits run twice with mighty shift,
Overrides guard the supply chain tight,
Security builds grow stronger tonight! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and specifically summarizes the main changes: hardening supply chain by patching CVEs and enforcing frozen lockfile, which are the core objectives of the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@27Bslash6 27Bslash6 merged commit d158f31 into main May 17, 2026
17 checks passed
@27Bslash6 27Bslash6 deleted the chore/supply-chain-hardening branch May 17, 2026 00:34