chore(deps): postcss-selector-parser 6.1.4, dompurify 3.4.11 to address CVEs

[tomkdgun]

Description

• upgrade postcss-selector-parser to 6.1.4 to address CVE-2026-9358 (Medium) detected in postcss-selector-parser-6.0.10.tgz - autoclosed #12053
• upgrade dompurify to 3.4.11 to address CVEs
• remove unnecessary entires in "resolutions" section on package.json
• express 4.22.1 -> 4.22.2 - webpack dev server dependency
• reduce number of pngjs versions by upgrade pixelmatch and pngjs

Issues Resolved

#12053

After delivery the PR below can be closed also:
#12237

Screenshot

Testing the changes

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
• New functionality includes testing.
• New functionality has been documented.
• Commits are signed per the DCO using --signoff

[github-actions]

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 1680562.

Path	Line	Severity	Description
package.json	241	high	Dependency version change: dompurify bumped from ^3.4.7 to ^3.4.11. This is a security-critical XSS sanitization library; version changes must be verified against the official release.
package.json	361	high	Dependency version change: @types/dompurify bumped from ^3.0.5 to ^3.2.0. yarn.lock shows its transitive dependency changed from @types/trusted-types to dompurify directly — a structural dependency graph change requiring verification.
package.json	502	high	Dependency version change: pngjs bumped from ^3.4.0 to ^7.0.0 (major version jump of 4 major versions). Large jumps increase supply chain risk surface.
package.json	501	high	Dependency version change: pixelmatch bumped from ^5.1.0 to ^5.3.0. Must verify artifact authenticity at the new version.
package.json	400	high	Dependency version change: @types/pngjs bumped from ^3.4.0 to ^6.0.5 (major version jump). Must verify artifact authenticity.
yarn.lock	11221	high	Dependency version change: express bumped from 4.22.1 to 4.22.2 with a corresponding body-parser constraint change (~1.20.3 to ~1.20.5). Requires verification of resolved artifact integrity.
yarn.lock	17103	high	Dependency version change: postcss-selector-parser bumped from 6.0.10 to 6.1.4. Must verify artifact authenticity at new version.
package.json	159	high	Removal of resolution pins for **/lodash and **/lodash-es (^4.18.0). These pins enforced a minimum safe version; removal allows transitive dependencies to resolve to older potentially vulnerable versions.
package.json	138	high	Removal of resolution pin for **/es5-ext (^0.10.63). This pin enforced a safe version of a package with a known postinstall telemetry incident; removal allows transitive deps to resolve to older versions.
package.json	130	high	Removal of resolution pin for **/@microsoft/tsdoc-config/ajv (^6.14.0) and **/minimist (^1.2.8). These were explicit security-motivated pins; their removal allows transitive resolution to older vulnerable versions.

The table above displays the top 10 most important findings.

Total: 15 | Critical: 0 | High: 15 | Medium: 0 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

✅ All unit and integration tests passing

🔗 Workflow run · commit 1680562b3162716b1daaf7a6e7d7a2c89e049d6c