chore: resolve open dependabot security alerts #1402

Draft
jonathannorris wants to merge 1 commit into main from chore/dependabot-alerts-2

Conversation

@jonathannorris (Member)

Summary

Resolved 7 of 8 open Dependabot security alerts by bumping vulnerable transitive dependencies. Four were fixed by a lockfile-only re-resolution (their parents' ranges already permit the patched versions); three required scoped Yarn resolutions.

Dependabot Alerts Resolved

Alert | Package | Severity | Fix
#229 | form-data | high | Bumped to 4.0.6 via lockfile re-resolution
#240 | http-proxy-middleware | medium | Bumped to 3.0.7 via scoped resolution (webpack-dev-server/http-proxy-middleware)
#237 | markdown-it | medium | Bumped to 14.2.0 via scoped resolution (markdownlint/markdown-it)
#228 | tar | medium | Bumped to 7.5.16 via lockfile re-resolution
#227 | launch-editor | medium | Bumped to 2.14.1 via lockfile re-resolution
#226 | js-yaml | medium | Bumped 4.x consumers to 4.2.0 via scoped resolution js-yaml@^4.1.0
#225 | @babel/core | low | Bumped to 7.29.7 via lockfile re-resolution

Notes

  • The js-yaml resolution is intentionally scoped to the ^4.1.0 range (not global). gray-matter@4.0.3 depends on js-yaml@^3.13.1 and calls the safeLoad API that was removed in js-yaml 4; a global bump would break Docusaurus frontmatter parsing at build time. The scoped resolution keeps gray-matter on js-yaml 3.14.2 while patching the 4.x consumers.
  • The existing webpack: 5.104.1 pin is retained so webpackbar's ProgressPlugin keeps working.
  • http-proxy-middleware is dev-server-only (not in the production build). The only patched line is 3.x; yarn docusaurus start was verified to boot cleanly with 3.0.7.

Unresolvable

Verification

  • yarn build (full Docusaurus production build): succeeds, both Server and Client compiled.
  • yarn lint:md (markdownlint-cli2, the js-yaml/markdown-it consumer): 0 errors.
  • yarn install --immutable: passes (lockfile consistent).
  • yarn docusaurus start: dev server boots with http-proxy-middleware 3.0.7.
  • Pre-existing yarn typecheck errors (missing image type declarations and a C++ dataset entry) are unrelated to these changes and reproduce on a clean origin/main.

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris requested review from a team as code owners June 22, 2026 14:19
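The PR above fixes js-yaml by major line rather than globally (3.x stays on 3.14.2 for gray-matter, 4.x consumers move to 4.2.0) and relies on the lockfile to carry the patched versions. A practitioner wanting to confirm that a lockfile actually honours such per-major floors, rather than trusting the alert list, can audit it directly. The script below is an added example and is not code from the PR or the OpenFeature project: it parses the entry keys and version fields of a Yarn Berry lockfile (the rest of each entry is ignored), then checks every descriptor of each audited package against a per-major minimum. The lockfile excerpt embedded in it is constructed for the example; only the package names and the floors (js-yaml 3.14.2 / 4.2.0, http-proxy-middleware 3.0.7) are taken from the PR text.

```javascript
// Added example (not part of the PR or the OpenFeature project): audit a
// Yarn Berry lockfile to confirm that every audited package resolved to at
// least the floor intended for its major line. The lockfile text below is
// constructed for this example; it mirrors the shape of real yarn.lock
// entries (quoted comma-separated descriptors as key, indented fields).
"use strict";

const SAMPLE_YARN_LOCK = `
"gray-matter@npm:^4.0.3":
  version: 4.0.3
  resolution: "gray-matter@npm:4.0.3"
  dependencies:
    js-yaml: "npm:^3.13.1"
  languageName: node
  linkType: hard

"js-yaml@npm:^3.13.1":
  version: 3.14.2
  resolution: "js-yaml@npm:3.14.2"
  languageName: node
  linkType: hard

"js-yaml@npm:^4.1.0, js-yaml@npm:^4.2.0":
  version: 4.2.0
  resolution: "js-yaml@npm:4.2.0"
  languageName: node
  linkType: hard

"http-proxy-middleware@npm:^3.0.6":
  version: 3.0.7
  resolution: "http-proxy-middleware@npm:3.0.7"
  languageName: node
  linkType: hard
`;

// Minimal parser: an unindented line ending in ":" opens an entry whose
// (optionally quoted, comma-separated) descriptors form the key; the
// indented "version:" line gives the resolved version. Everything else
// (resolution, dependencies, checksum, ...) is ignored.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    if (!/^\s/.test(raw) && raw.endsWith(":")) {
      const key = raw.slice(0, -1).replace(/^"|"$/g, "");
      current = { descriptors: key.split(",").map((d) => d.trim()), version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version:\s*"?([^"\s]+)"?/.exec(raw);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "js-yaml@npm:^4.1.0" -> { name: "js-yaml", range: "^4.1.0" }; scoped
// names such as "@babel/core@npm:^7.29.7" are handled by the leading "@?".
function splitDescriptor(descriptor) {
  const m = /^(@?[^@]+)@(?:npm:)?(.+)$/.exec(descriptor);
  return m ? { name: m[1], range: m[2] } : null;
}

function parseSemver(v) {
  return v.split(".").map((n) => parseInt(n, 10));
}

// true when a >= b on major.minor.patch (prerelease tags are not handled)
function atLeast(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) > (y[i] || 0);
  }
  return true;
}

// policy: { packageName: { major: minimumVersion } }. A resolved major with
// no floor listed is itself a violation, so an unexpected js-yaml 2.x or
// 5.x entry would surface rather than pass silently.
function auditLock(text, policy) {
  const violations = [];
  for (const entry of parseYarnLock(text)) {
    for (const d of entry.descriptors) {
      const parsed = splitDescriptor(d);
      if (!parsed || !(parsed.name in policy) || !entry.version) continue;
      const major = String(parseSemver(entry.version)[0]);
      const floor = policy[parsed.name][major];
      if (floor === undefined) {
        violations.push(`${d}: resolved ${entry.version}, major ${major} has no allowed floor`);
      } else if (!atLeast(entry.version, floor)) {
        violations.push(`${d}: resolved ${entry.version} < floor ${floor}`);
      }
    }
  }
  return violations;
}

// Floors taken from the PR description: js-yaml 3.x stays for gray-matter,
// 4.x consumers must reach 4.2.0, http-proxy-middleware must be 3.0.7.
const POLICY = {
  "js-yaml": { 3: "3.14.2", 4: "4.2.0" },
  "http-proxy-middleware": { 3: "3.0.7" },
};

if (typeof require !== "undefined" && require.main === module) {
  const v = auditLock(SAMPLE_YARN_LOCK, POLICY);
  console.log(v.length === 0 ? "lockfile satisfies policy" : v.join("\n"));
}
```

Run against a real repository by replacing SAMPLE_YARN_LOCK with the contents of yarn.lock (for example via fs.readFileSync) and extending POLICY with the other alerted packages; because the check keys on the resolved major, a scoped resolution that accidentally pulled a 3.x consumer onto 4.x would show up as a violation instead of passing as "patched".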
@netlify

netlify Bot commented Jun 22, 2026


Deploy Preview for openfeature ready!

Name | Link
🔨 Latest commit | 3f5cc56
🔍 Latest deploy log | https://app.netlify.com/projects/openfeature/deploys/6a394467c1fe860008f3d609
😎 Deploy Preview | https://deploy-preview-1402--openfeature.netlify.app

@jonathannorris jonathannorris marked this pull request as draft June 22, 2026 14:19
@coderabbitai

coderabbitai Bot commented Jun 22, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 1a509ff and 3f5cc56.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

The resolutions section in package.json is updated to pin additional transitive dependency versions: js-yaml@^4.1.0, markdownlint-cli2/js-yaml, markdownlint/markdown-it, and webpack-dev-server/http-proxy-middleware are added or updated, replacing the previous markdownlint-cli2/js-yaml entry (>=4.1.1).

Changes

Dependency Resolution Pins

Layer / File(s) | Summary
Transitive dependency resolution pins (package.json) | Adds js-yaml, markdownlint/markdown-it, and webpack-dev-server/http-proxy-middleware to the resolutions block and replaces the prior markdownlint-cli2/js-yaml version constraint.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'chore: resolve open dependabot security alerts' directly summarizes the main change: addressing Dependabot security vulnerabilities by updating transitive dependencies.
Description check | ✅ Passed | The description is comprehensive and highly relevant, detailing the 7 resolved alerts, the fix approach, key implementation decisions, and thorough verification steps performed.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment


Pull request overview

This PR addresses Dependabot security alerts in the site’s Yarn (v4) dependency graph by re-resolving the lockfile and adding targeted resolutions overrides to bump vulnerable transitive packages while avoiding known-breaking upgrades (notably keeping gray-matter on js-yaml v3).

Changes:

  • Updated yarn.lock to pull patched transitive versions (e.g., form-data@4.0.6, tar@7.5.16, launch-editor@2.14.1, @babel/core@7.29.7, markdown-it@14.2.0, http-proxy-middleware@3.0.7, js-yaml@4.2.0).
  • Added/adjusted scoped Yarn resolutions entries to force specific dependency subtrees onto patched versions while avoiding incompatible majors (e.g., js-yaml v4 only for v4 consumers).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File | Description
yarn.lock | Re-resolves dependency tree to patched versions, including major transitive bumps where required (e.g., http-proxy-middleware to v3).
package.json | Adds scoped resolutions to force patched transitive versions (including js-yaml, markdown-it, http-proxy-middleware).


Comment thread package.json
"js-yaml@^4.1.0": "^4.2.0",
"markdownlint-cli2/js-yaml": "^4.2.0",
"markdownlint/markdown-it": "^14.2.0",
"webpack-dev-server/http-proxy-middleware": "^3.0.6",
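Review bot: the floor in "webpack-dev-server/http-proxy-middleware": "^3.0.6" is one patch release below the 3.0.7 that the PR description names as the fix for alert #240, so the resolution itself does not encode the patched version; only the current lockfile pin does. The other two new entries put their floor at the patched release ("^4.2.0", "^14.2.0"), and this one should match: "webpack-dev-server/http-proxy-middleware": "^3.0.7". Separately, with "js-yaml@^4.1.0": "^4.2.0" now covering the 4.x consumers, the PR notes should say whether "markdownlint-cli2/js-yaml": "^4.2.0" is still needed (i.e. markdownlint-cli2 declares a js-yaml range other than ^4.1.0) or is a leftover of the earlier >=4.1.1 entry the walkthrough mentions.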