npm audit fixes

[mklocek]

Motivation

Address all issues reported by npm audit

Changes

• chore(deps): update package-lock after npm audit fix
• chore(deps): add overrides for minimatch and tmp; chore(deps-dev): bump @anthropic-ai/mcpb from 1.1.1 to 2.1.2

Summary by CodeRabbit

• Chores
  • Locked transitive dependency versions to ensure consistent installs across environments.
  • Added package resolution overrides to enforce those versions at install time.
  • Bumped a development dependency to a newer minor/major release to align tooling.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 69c442e1-b5a2-4c03-a869-0bd97f5541d2

📥 Commits

Reviewing files that changed from the base of the PR and between 888e623 and d347a22.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

---

📝 Walkthrough

Walkthrough

Updated package.json to add overrides (pinning minimatch@9.0.7 and tmp@0.2.5), added matching resolutions entries, and bumped @anthropic-ai/mcpb devDependency from ^1.1.1 to ^2.1.2.

Changes

Cohort / File(s)	Summary
Dependency Management package.json	Added overrides section to force minimatch@9.0.7 and tmp@0.2.5, added corresponding resolutions, and updated @anthropic-ai/mcpb devDependency to ^2.1.2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through the JSON with care,
Pinning minimatch and tmp with flair,
Resolutions set, versions bright,
mcpb jumped up, ready to flight,
A tiny rabbit, shipping delight ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'npm audit fixes' accurately and concisely describes the main change—addressing npm audit issues through dependency updates and package-lock modifications.
Description check	✅ Passed	The description includes Motivation and Changes sections matching the template, but omits the 'How to test' and 'Images and GIFs' sections which are non-critical for a dependency management PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-npm-audit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 50: Add CI coverage that runs the package.json scripts which depend on
`@anthropic-ai/mcpb` to catch v2 regressions: create a CI job that installs
dependencies and executes npm run mcpb:pack and npm run mcpb:info (and
optionally npm run mcpb:sign) and fails the run on non-zero exit; ensure the job
runs on the same node versions/matrix used elsewhere and runs before release
steps. Target the scripts named mcpb:pack, mcpb:info (and mcpb:sign) in
package.json so the workflow actually exercises the upgraded `@anthropic-ai/mcpb`
v2.1.2 CLI and surfaces any breaking changes.
- Around line 43-48: The package.json currently uses the npm-only "overrides"
field to pin "@typescript-eslint/typescript-estree" and "tmp", but the repo
advertises Yarn (engines.yarn) so Yarn Classic will ignore those pins; either
add a top-level "resolutions" object mirroring the same pins
("@typescript-eslint/typescript-estree": "9.0.7", "tmp": "0.2.5") so Yarn 1.22.x
users get the fixes, or remove the "yarn": ">=1.22.17" entry from "engines" if
you intend to support only npm, or alternatively add a "packageManager" field
(e.g. "packageManager":"npm@<version>") to explicitly require npm; update the
"resolutions" approach if you choose Yarn so it matches the "overrides" entries
exactly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0be0ad44-a40b-48dd-9dec-1bf273aa56ec

📥 Commits

Reviewing files that changed from the base of the PR and between d6201c4 and 888e623.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json