
chore(security): patch 1 Dependabot alert#1578

Closed

PMerlet wants to merge 1 commit into main from security/2026-05-07

Conversation

PMerlet (Member) commented May 7, 2026

Summary

1 fixed, 6 ignored, 6 deferred, 1 resolution added, 6 resolutions removed. | label: 🔒 security applied

Fixed

| Alert | Package | Ecosystem | From → To | Severity | What was bumped |
|---|---|---|---|---|---|
| #340 | fast-xml-parser | npm | 5.5.8 → 5.7.3 | medium | Yarn resolution `**/fast-xml-parser: ">=5.7.0"` (transitive via @aws-sdk/client-s3 → @aws-sdk/core → @aws-sdk/xml-builder); xml-builder pins fast-xml-parser exactly so a parent bump alone wouldn't close the alert |

Ignored

Deferred

Skipped by the 7-day age gate (will be picked up next run): #344, #345, #346, #347, #348 (all uuid, 2 days old), #349 (ip-address, 0 days).

Resolutions added

  • feat: add collection hooks #340 fast-xml-parser → >=5.7.0 — placed at root package.json under resolutions, unconditional **/ form.
    • Parent chains tried: bumping @aws-sdk/client-s3 (^3.750.0 → latest 3.1044.0) would not deterministically close the alert because xml-builder pins fast-xml-parser to an exact version — only the latest xml-builder builds use 5.7.x. A parent bump is therefore non-deterministic; a resolution is required.
    • Workspace-level placement isn't applicable for Yarn classic in this repo (workspace-level resolutions aren't honored by Yarn 1).
    • Scoped form "@aws-sdk/xml-builder/fast-xml-parser": ">=5.7.0" was tried first and did not override the xml-builder request (Yarn 1 oddity with scoped-package paths). Fell back to the **/ form, which only matches one chain in this repo so the blast radius is narrow.

Resolutions removed

Audited every entry in root resolutions by temporarily removing it, running yarn install, and checking whether the natural resolution still satisfied the original pin. Removed when redundant (parent packages now pull a satisfying version on their own).

| File | Pinned package + version | Reason |
|---|---|---|
| package.json | axios: ^1.15.0 | Redundant — natural resolution is 1.15.2 |
| package.json | follow-redirects: ^1.16.0 | Redundant — natural resolution is 1.16.0 |
| package.json | hono: ^4.12.12 | Redundant — natural resolution is 4.12.14 |
| package.json | @hono/node-server: ^1.19.13 | Redundant — natural resolution is 1.19.14 |
| package.json | langsmith: ^0.5.18 | Redundant — natural resolution is 0.5.21 |
| package.json | lodash-es: ^4.18.0 | Redundant — natural resolution is 4.18.1 |

Pins kept (still needed): tar, lerna/**/glob, micromatch, semantic-release, qs, lodash. Removing semantic-release triggered a Yarn 1 Invariant Violation during install regardless of resolved version, so the pin was kept on stability grounds rather than vulnerability grounds.

Risks

  • fast-xml-parser 5.5.8 → 5.7.3: per the upstream changelog (5.6.x–5.7.x), the bump introduces strnum/@nodable/entities/path-expression-matcher runtime deps and tightens the XML escaping rules used by the builder (the patched code path). The parser API surface used by @aws-sdk/xml-builder for response parsing in @aws-sdk/client-s3 is unchanged. No expected behavior change beyond the patched vuln.
  • Removed redundant resolutions: no behavior change — every removed pin's natural resolution already satisfied the original constraint.

Manual testing

Covered by CI.

Validation

✅ CI green

- Bump fast-xml-parser to >=5.7.0 via Yarn resolution to address
  GHSA-gh4j-gqv2-49f6 (XML Comment/CDATA Injection in XMLBuilder).
  Pulled transitively via @aws-sdk/xml-builder in plugin-aws-s3.
- Remove 6 redundant root resolutions (axios, follow-redirects, hono,
  @hono/node-server, langsmith, lodash-es) whose natural resolutions
  now satisfy the original pin.
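The "Resolutions removed" audit above is a manual loop: drop a root pin, run `yarn install`, and check whether the natural resolution still satisfies the original range. The script below is an added example (not code from this PR or the project) that automates the comparison step for a Yarn classic (v1) lockfile: it parses the `version` recorded for each package in yarn.lock and reports, per `resolutions` entry, whether the locked version already satisfies the pin (so the pin is redundant) or not (so the pin is doing work). It assumes the yarn.lock was produced with the pin under test removed, handles the `**/pkg`, `parent/pkg` and scoped-package key forms, and implements only the `^`, `~`, comparison and exact range shapes seen in this PR. The lockfile fragment and the resolutions map are constructed sample data mirroring the tables above, not the repository's real files.

```javascript
// Added example, not code from the PR or the project. Audits Yarn 1 root
// `resolutions` against the versions actually recorded in a yarn.lock.
// SAMPLE_LOCK and SAMPLE_RESOLUTIONS are constructed sample data; the lock
// fragment deliberately leaves fast-xml-parser at its natural 5.5.8 so the
// script shows the one pin that is still required.

const SAMPLE_LOCK = `# constructed yarn.lock v1 fragment (sample data)
axios@^1.15.0:
  version "1.15.2"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.15.2.tgz"

follow-redirects@^1.16.0:
  version "1.16.0"

langsmith@^0.5.0:
  version "0.5.21"

"@hono/node-server@^1.19.0":
  version "1.19.14"

"@aws-sdk/xml-builder@3.1044.0":
  version "3.1044.0"
  dependencies:
    fast-xml-parser "5.5.8"

fast-xml-parser@5.5.8:
  version "5.5.8"
`;

const SAMPLE_RESOLUTIONS = {
  'axios': '^1.15.0',
  'follow-redirects': '^1.16.0',
  'langsmith': '^0.5.18',
  '@hono/node-server': '^1.19.13',
  '**/fast-xml-parser': '>=5.7.0',
};

// Parse a yarn.lock v1 text into Map<packageName, Set<lockedVersion>>.
// Header lines are unindented, comma-separated `name@range` selectors ending
// in ':'; the resolved version is the indented `version "x.y.z"` line.
function parseYarnLock(text) {
  const locked = new Map();
  let currentNames = [];
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      currentNames = raw.replace(/:\s*$/, '').split(',').map((s) => {
        const sel = s.trim().replace(/^"|"$/g, '');
        return sel.slice(0, sel.lastIndexOf('@')); // last '@' separates name from range
      });
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(raw);
    if (!m) continue;
    for (const name of new Set(currentNames)) {
      if (!locked.has(name)) locked.set(name, new Set());
      locked.get(name).add(m[1]);
    }
  }
  return locked;
}

// Reduce a resolutions key (`**/pkg`, `parent/pkg`, `@scope/pkg`,
// `parent/@scope/pkg`) to the package it actually pins.
function packageFromResolutionKey(key) {
  const segs = key.split('/').filter((s) => s !== '**');
  const last = segs[segs.length - 1];
  const prev = segs[segs.length - 2];
  return prev && prev.startsWith('@') ? `${prev}/${last}` : last;
}

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal semver range check covering ^, ~, >=, >, <=, < and exact pins.
function satisfies(version, range) {
  const m = /^(\^|~|>=|>|<=|<|=)?\s*v?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || '=';
  const v = parseVersion(version);
  const b = parseVersion(m[2]);
  const c = compareVersions(v, b);
  switch (op) {
    case '=': return c === 0;
    case '>=': return c >= 0;
    case '>': return c > 0;
    case '<=': return c <= 0;
    case '<': return c < 0;
    case '~': return c >= 0 && v[0] === b[0] && v[1] === b[1];
    default: // '^': same major; for 0.x same minor; for 0.0.x exact patch
      if (c < 0) return false;
      if (b[0] !== 0) return v[0] === b[0];
      if (b[1] !== 0) return v[0] === 0 && v[1] === b[1];
      return c === 0;
  }
}

// For each resolution, report the locked version(s) and whether they already
// satisfy the pin. A pin whose locked versions all satisfy it is redundant.
function auditResolutions(resolutions, lockText) {
  const locked = parseYarnLock(lockText);
  const report = {};
  for (const [key, range] of Object.entries(resolutions)) {
    const pkg = packageFromResolutionKey(key);
    const versions = [...(locked.get(pkg) || [])];
    const satisfied = versions.length > 0 && versions.every((v) => satisfies(v, range));
    report[key] = { package: pkg, locked: versions, satisfied };
  }
  return report;
}

function redundantPins(report) {
  return Object.keys(report).filter((k) => report[k].satisfied).sort();
}

const report = auditResolutions(SAMPLE_RESOLUTIONS, SAMPLE_LOCK);
console.log(JSON.stringify(report, null, 2));
console.log('redundant pins:', redundantPins(report).join(', '));
```

Run it against a lockfile generated after the pin was temporarily removed; a `satisfied: true` row means the parent packages now pull a compliant version on their own, while a `satisfied: false` row (here `**/fast-xml-parser`, locked at 5.5.8 against `>=5.7.0`) is the case where the resolution is still needed.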
qltysh (bot) commented May 7, 2026

Qlty

Coverage Impact

This PR will not change total coverage.


@PMerlet PMerlet closed this May 7, 2026