
build(deps): pin patched transitive dependency versions#406

Merged
dev-jodee merged 1 commit intomainfrom
fix/transitive-audit-remediation
Mar 27, 2026

Conversation

@dev-jodee
Contributor

@dev-jodee dev-jodee commented Mar 27, 2026

Summary

  • Remediates the remaining lockfile-resolvable Dependabot alerts from sdks/pnpm-lock.yaml and Cargo.lock.
  • Added pnpm.overrides pins in sdks/package.json for vulnerable transitives:
    • flatted@^3 -> 3.4.2
    • minimatch@^3 -> 3.1.5
    • minimatch@^5 -> 5.1.8
    • minimatch@^9 -> 9.0.7
  • Updated Rust lockfile packages:
    • aws-lc-rs 1.16.0 -> 1.16.2
    • aws-lc-sys 0.37.1 -> 0.39.0
    • rustls-webpki 0.103.4 -> 0.103.10

Targeted Alerts

  • Expected fixed by this PR:
    • #67 #68 #69 #70 #71 #72 #73 #74 #75 (minimatch, npm, sdks/pnpm-lock.yaml)
    • #80 #84 (flatted, npm, sdks/pnpm-lock.yaml)
    • #81 #82 #83 #85 #86 (aws-lc-sys, rust, Cargo.lock)
    • #88 (rustls-webpki, rust, Cargo.lock)
  • Expected to remain unresolved (unpatchable):
    • #31 (bigint-buffer, npm, examples/x402/demo/api/pnpm-lock.yaml) — first_patched_version: none / npm audit patched_versions: <0.0.0.

Test Plan

  • pnpm install --lockfile-only (in sdks/) -> success
  • rg -n "minimatch@3\\.1\\.2|minimatch@5\\.1\\.6|minimatch@9\\.0\\.5|flatted@3\\.3\\.3" sdks/pnpm-lock.yaml -> no matches
  • rg -n "minimatch@3\\.1\\.5|minimatch@5\\.1\\.8|minimatch@9\\.0\\.7|flatted@3\\.4\\.2" sdks/pnpm-lock.yaml -> matches found
  • pnpm audit --json (in sdks/) -> exit 0, vulnerabilities {high: 0, moderate: 0, low: 0, critical: 0}
  • cargo update -p aws-lc-rs --precise 1.16.2 -> updates aws-lc-sys to 0.39.0
  • cargo update -p rustls-webpki@0.103.4 --precise 0.103.10 -> success
  • cargo tree -i aws-lc-sys --workspace -> shows aws-lc-sys v0.39.0
  • cargo tree -i rustls-webpki@0.103.10 --workspace -> shows rustls-webpki v0.103.10
  • cargo check --workspace -> success
  • pnpm audit --json (in examples/x402/demo/api) -> bigint-buffer advisory with patched_versions: <0.0.0

Remaining Unresolved Alerts

  • #31 bigint-buffer is currently unpatchable based on advisory metadata (no patched release).
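A generalised form of the lockfile spot-checks in the test plan above, as an added example (not the project's own code): instead of grepping for fixed version strings it scans every resolved name@version in a pnpm lockfile and flags anything still below the first patched version of its major line, plus advisories with no fix at all (the bigint-buffer case). The lockfile excerpt and the bigint-buffer version are constructed; the lockfile key layout assumed is the v6 "/name@ver" or v9 "name@ver" form.

```python
import re
from typing import List, Optional, Set, Tuple

# (package, affected major line or None for every version, first patched version
# or None when the advisory lists no fix). Versions follow the PR description;
# bigint-buffer mirrors alert #31, whose advisory reports patched_versions "<0.0.0".
ADVISORIES: List[Tuple[str, Optional[int], Optional[str]]] = [
    ("flatted", 3, "3.4.2"),
    ("minimatch", 3, "3.1.5"),
    ("minimatch", 5, "5.1.8"),
    ("minimatch", 9, "9.0.7"),
    ("bigint-buffer", None, None),
]

# Package keys in a pnpm lockfile: v6 "  /name@1.2.3:" or v9 "  name@1.2.3:" (scoped
# names and "(peer@x.y.z)" suffixes included).
PKG_KEY = re.compile(r"^  /?(@?[^@\s]+)@(\d+\.\d+\.\d+[0-9A-Za-z.+-]*)(?:\([^)]*\))*:\s*$")

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric core of a semver string; prerelease/build metadata is ignored."""
    return tuple(int(p) for p in re.split(r"[-+]", v, maxsplit=1)[0].split("."))

def resolved_packages(lock_text: str) -> Set[Tuple[str, str]]:
    """Every (name, version) pair the lockfile resolves."""
    matches = (PKG_KEY.match(line) for line in lock_text.splitlines())
    return {(m.group(1), m.group(2)) for m in matches if m}

def audit(lock_text: str) -> List[str]:
    """One finding per resolved version an advisory still covers."""
    findings = []
    for name, version in sorted(resolved_packages(lock_text)):
        for adv_name, major, patched in ADVISORIES:
            if adv_name != name or (major is not None and parse_version(version)[0] != major):
                continue
            if patched is None:
                findings.append(f"{name}@{version}: no patched release, unresolvable")
            elif parse_version(version) < parse_version(patched):
                findings.append(f"{name}@{version}: vulnerable, pin to {patched}")
    return findings

# Constructed v9-style snapshot excerpt, not the real sdks/pnpm-lock.yaml: three
# pins applied, minimatch@5 deliberately left on the vulnerable version.
SAMPLE_LOCK = """\
snapshots:
  flatted@3.4.2:
  minimatch@3.1.5:
  minimatch@5.1.6:
  minimatch@9.0.7(brace-expansion@5.0.5):
  bigint-buffer@1.1.5:
"""
```

Running audit() over the real lockfile after `pnpm install --lockfile-only` should return only the bigint-buffer line; any "vulnerable, pin to" entry means an override is missing or did not apply to that major line.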


📊 Unit Test Coverage

Unit Test Coverage: 84.0%


Remediate remaining lockfile-resolvable alerts by pinning patched transitives in sdks and updating Rust lockfile crates.

Updated: flatted@^3 -> 3.4.2, minimatch@^3 -> 3.1.5, minimatch@^5 -> 5.1.8, minimatch@^9 -> 9.0.7, aws-lc-rs -> 1.16.2, aws-lc-sys -> 0.39.0, rustls-webpki@0.103.10.

Remaining unpatchable alert: bigint-buffer (#31), advisory reports no patched version (first_patched_version: none / patched_versions: <0.0.0).
@dev-jodee dev-jodee requested a review from amilz as a code owner March 27, 2026 18:04
@github-actions

📊 TypeScript Coverage Report

Coverage: 33.9%


Coverage artifacts have been uploaded to this workflow run.

Contributor

@devin-ai-integration devin-ai-integration bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.


@greptile-apps
Contributor

greptile-apps bot commented Mar 27, 2026

Greptile Summary

This PR remediates multiple Dependabot security alerts by pinning vulnerable transitive dependencies across both the Node (sdks/) and Rust (Cargo.lock) ecosystems.

  • npm (sdks/): Adds pnpm.overrides entries in sdks/package.json for flatted@^3 → 3.4.2 and three minimatch range overrides (^3 → 3.1.5, ^5 → 5.1.8, ^9 → 9.0.7). The lockfile (sdks/pnpm-lock.yaml) is correctly regenerated, removing all references to the previously vulnerable versions and updating all snapshot dependencies. Notably, minimatch@9.0.7 changes its brace-expansion peer from 2.0.3 to 5.0.5, which is consistent with its updated dependency range.
  • Rust (Cargo.lock): Bumps aws-lc-rs → 1.16.2, aws-lc-sys → 0.39.0, and rustls-webpki → 0.103.10 via cargo update --precise. All dependents referencing rustls-webpki are updated. No Cargo.toml workspace changes are needed since these are transitive lockfile-only pins — the correct and expected approach.
  • The lone unresolvable alert (bigint-buffer #31, patched_versions: <0.0.0) is acknowledged and documented as unpatchable.

Confidence Score: 5/5

Safe to merge — all changes are lockfile and override pins targeting known CVEs with no functional code modifications.

All three changed files are dependency lockfiles or override configs. The approach (pnpm overrides + cargo update --precise) is the correct and idiomatic method for pinning transitive dependencies. The test plan is thorough (pnpm install, pnpm audit, cargo check, cargo tree). No production logic is modified and no P1/P0 issues were found.

No files require special attention.

Important Files Changed

  • sdks/package.json: Adds four pnpm overrides to pin vulnerable transitive dependencies: flatted@3.4.2, minimatch@3.1.5, minimatch@5.1.8, minimatch@9.0.7
  • sdks/pnpm-lock.yaml: Lockfile regenerated to reflect the four new overrides; removes vulnerable versions (flatted@3.3.3, minimatch@3.1.2, minimatch@5.1.6, minimatch@9.0.5) and replaces all snapshot references with patched versions
  • Cargo.lock: Bumps aws-lc-rs (1.16.0 → 1.16.2), aws-lc-sys (0.37.1 → 0.39.0), and rustls-webpki (0.103.4 → 0.103.10) to patched versions; all dependents updated accordingly

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot Alerts] --> B{Ecosystem}
    B --> C[npm / pnpm]
    B --> D[Rust / Cargo]

    C --> C1["sdks/package.json\npnpm.overrides added"]
    C1 --> C2["flatted ^3 → 3.4.2\nminimatch ^3 → 3.1.5\nminimatch ^5 → 5.1.8\nminimatch ^9 → 9.0.7"]
    C2 --> C3["sdks/pnpm-lock.yaml\nregenerated"]
    C3 --> C4["Alerts #67-75, #80, #84\nRemediated ✓"]

    D --> D1["cargo update --precise"]
    D1 --> D2["aws-lc-rs 1.16.0 → 1.16.2\naws-lc-sys 0.37.1 → 0.39.0\nrustls-webpki 0.103.4 → 0.103.10"]
    D2 --> D3["Cargo.lock updated"]
    D3 --> D4["Alerts #81-83, #85-86, #88\nRemediated ✓"]

    E["bigint-buffer #31\npatched_versions: <0.0.0"] --> F["Unpatchable — no fix available\nRemains unresolved"]

Reviews (1): Last reviewed commit: "build(deps): pin patched transitive depe..."

@dev-jodee dev-jodee merged commit 9387270 into main Mar 27, 2026
13 checks passed
@dev-jodee dev-jodee deleted the fix/transitive-audit-remediation branch March 27, 2026 18:16