
fix(security): remediate dependency vulnerabilities via upgrades and overrides #71

Open
Shriram96 wants to merge 2 commits into excalidraw:main from Shriram96:fix/security-dependency-audit-remediation

Conversation

@Shriram96

Summary

  • updates security-sensitive direct dependencies to patched versions
  • adds targeted pnpm.overrides to force patched transitive resolutions where upstream ranges lag
  • refreshes lockfile to capture the remediated dependency graph

Changes

  • upgraded direct dependencies:
    • @modelcontextprotocol/sdk -> 1.29.0
    • mcp-handler -> 1.1.0
    • @excalidraw/excalidraw -> ^0.18.1
    • express -> ^5.2.1
    • vite -> ^6.4.2
  • added/updated pnpm.overrides for vulnerable transitive packages (path-to-regexp, lodash-es, nanoid, uuid)
  • updated pnpm-lock.yaml with patched transitive versions

Verification

  • pnpm audit -> No known vulnerabilities found
  • pnpm run build -> successful (BUILD_OK)

No functional code-path changes were introduced; this is a dependency security remediation only.
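A check a reviewer of a PR like this would want, added here as an example (not code from the PR or from the excalidraw project): it confirms that every pnpm.overrides entry in package.json is actually honored by the versions resolved in pnpm-lock.yaml, which is what the refreshed lockfile is meant to guarantee. It assumes the pnpm v9 lockfile layout and override specs that are either exact pins or caret ranges; the package.json and lockfile contents below are constructed samples, and nanoid@3.3.7 is deliberately left in to model a lockfile that was not refreshed.

```python
import json
import re

# Constructed sample inputs (not the PR's files); versions are illustrative only.
PACKAGE_JSON = """{"dependencies": {"express": "^5.2.1"},
  "pnpm": {"overrides": {"path-to-regexp": "8.2.0", "lodash-es": "4.17.21",
                         "nanoid": "^5.0.0", "uuid": "11.1.0"}}}"""

# nanoid@3.3.7 is kept on purpose: it models a lockfile that was not refreshed.
LOCKFILE = """lockfileVersion: '9.0'
packages:
  lodash-es@4.17.21:
    resolution: {integrity: sha512-CONSTRUCTED}
  nanoid@3.3.7:
    resolution: {integrity: sha512-CONSTRUCTED}
  nanoid@5.1.5:
    resolution: {integrity: sha512-CONSTRUCTED}
  path-to-regexp@8.2.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  uuid@11.1.0:
    resolution: {integrity: sha512-CONSTRUCTED}
"""

# In a v9 lockfile, package keys sit two spaces deep under 'packages:'.
PKG_KEY = re.compile(r"^  (@?[^\s@]+)@([^\s:(]+)")

def lockfile_versions(lock_text):
    """Map package name -> set of versions resolved under 'packages:'."""
    found, in_packages = {}, False
    for line in lock_text.splitlines():
        if line and not line.startswith(" "):        # a new top-level section
            in_packages = line.startswith("packages:")
        elif in_packages and (m := PKG_KEY.match(line)):
            found.setdefault(m.group(1), set()).add(m.group(2))
    return found

def satisfies(version, spec):
    """Exact pin, or caret range (same major, not below the base); numeric only."""
    ver = tuple(int(x) for x in version.split("."))
    if spec.startswith("^"):
        base = tuple(int(x) for x in spec[1:].split("."))
        return ver[0] == base[0] and ver >= base
    return version == spec

def stale_overrides(package_json, lock_text):
    """Return {name: [resolved versions that violate the override]}; empty means clean."""
    overrides = json.loads(package_json).get("pnpm", {}).get("overrides", {})
    resolved = lockfile_versions(lock_text)
    return {name: bad for name, spec in overrides.items()
            if (bad := sorted(v for v in resolved.get(name, ()) if not satisfies(v, spec)))}
```

Run against the real package.json and pnpm-lock.yaml, a non-empty result means the lockfile still carries a version the override was supposed to replace, so a clean `pnpm audit` should not be taken at face value until it is regenerated.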

Copilot AI review requested due to automatic review settings May 2, 2026 06:36
@vercel

vercel Bot commented May 2, 2026

@Shriram96 is attempting to deploy a commit to the Excalidraw Team on Vercel.

A member of the Team first needs to authorize it.


Copilot AI left a comment


Pull request overview

This PR focuses on dependency-security remediation by upgrading direct dependencies, forcing patched transitive resolutions via pnpm.overrides, and refreshing the pnpm lockfile to reflect the remediated graph.

Changes:

  • Upgraded direct dependencies (notably @modelcontextprotocol/sdk, mcp-handler, @excalidraw/excalidraw, express, vite)
  • Added pnpm.overrides to force patched transitive versions (path-to-regexp, lodash-es, nanoid, uuid)
  • Regenerated pnpm-lock.yaml to capture updated resolutions

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

File: package.json
Description: Bumps direct dependency versions and adds pnpm.overrides configuration for vulnerable transitive deps.

File: pnpm-lock.yaml
Description: Reflects the upgraded dependency graph plus override-enforced transitive resolutions.


