Commit 2871e39
fix: update integration-tests dependencies to resolve Dependabot alerts (#1178)
## What changed and why
Updated `integration-tests/package-lock.json` to resolve 12 Dependabot
security alerts:
- **#127** fast-xml-parser: Entity Expansion Limits Bypassed (Moderate)
- **#126** handlebars: Property Access Validation Bypass (Low, Dev)
- **#125** handlebars: Prototype Method Access Control Gap (Moderate,
Dev)
- **#124** handlebars: JavaScript Injection in CLI Precompiler (High,
Dev)
- **#123** handlebars: JavaScript Injection via AST Type Confusion
(High, Dev)
- **#121** handlebars: JavaScript Injection via @partial-block (High,
Dev)
- **#120** handlebars: JavaScript Injection via AST Type Confusion
(Critical, Dev)
- **#118** brace-expansion: Zero-step sequence causes process hang
(Moderate)
- **#117** handlebars: Prototype Pollution Leading to XSS (Moderate,
Dev)
- **#114** picomatch: Method Injection in POSIX Character Classes
(Moderate, Dev)
- **#113** yaml: Stack Overflow via deeply nested collections (Moderate)
- **#112** fast-xml-parser: numeric entity expansion bypass (High)
All affected packages are transitive dependencies. `npm audit fix`
updated 19 packages and `npm audit` now reports **0 vulnerabilities**.
## Test approach
No source code changes were made — only `package-lock.json` was updated.
Integration tests are not required for lockfile-only changes.
## Verification
```
npm audit
# found 0 vulnerabilities
```
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
1 parent 43ff705 commit 2871e39
1 file changed
Lines changed: 55 additions & 30 deletions
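
A reviewer can check that a lockfile-only change consists of nothing but version bumps by diffing the two lockfiles. The script below is an added example, not part of this commit or the project; it assumes npm lockfileVersion 2 or 3 (a `packages` map), treats the public npm registry as the only expected tarball source, and uses constructed sample entries with placeholder package names.

```javascript
// Added example: summarise what a lockfile-only change did (npm lockfileVersion 2/3).
// All sample data is constructed; package names, versions and hashes are placeholders.
const REGISTRY = 'https://registry.npmjs.org/'; // assumption: only expected source

function diffLockfiles(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const report = { updated: [], added: [], removed: [], suspicious: [] };
  for (const [path, entry] of Object.entries(b)) {
    if (path === '' || entry.link) continue; // skip root project and workspace links
    const old = a[path];
    if (!old) {
      report.added.push(path);
    } else if (old.version !== entry.version) {
      report.updated.push(`${path}: ${old.version} -> ${entry.version}`);
    } else if (old.resolved !== entry.resolved || old.integrity !== entry.integrity) {
      // Same version but a different tarball or hash is not what a version bump produces.
      report.suspicious.push(`${path}: resolved/integrity changed without a version change`);
    }
    if (typeof entry.resolved === 'string' && !entry.resolved.startsWith(REGISTRY)) {
      report.suspicious.push(`${path}: resolved outside registry (${entry.resolved})`);
    }
    if (entry.resolved && !entry.integrity) {
      report.suspicious.push(`${path}: missing integrity hash`);
    }
  }
  for (const path of Object.keys(a)) {
    if (path !== '' && !a[path].link && !(path in b)) report.removed.push(path);
  }
  return report;
}

const tgz = (n, v) => `${REGISTRY}${n}/-/${n}-${v}.tgz`;
const SAMPLE_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'integration-tests' },
  'node_modules/example-a': { version: '1.0.0', resolved: tgz('example-a', '1.0.0'), integrity: 'sha512-AAAA', dev: true },
  'node_modules/example-b': { version: '2.1.0', resolved: tgz('example-b', '2.1.0'), integrity: 'sha512-BBBB' },
  'node_modules/example-c': { version: '0.3.0', resolved: tgz('example-c', '0.3.0'), integrity: 'sha512-CCCC' },
} };
const SAMPLE_AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'integration-tests' },
  'node_modules/example-a': { version: '1.0.1', resolved: tgz('example-a', '1.0.1'), integrity: 'sha512-DDDD', dev: true },
  'node_modules/example-b': { version: '2.1.0', resolved: 'https://mirror.example.invalid/example-b-2.1.0.tgz', integrity: 'sha512-BBBB' },
  'node_modules/example-d': { version: '1.0.0', resolved: tgz('example-d', '1.0.0'), integrity: 'sha512-EEEE' },
} };

console.log(JSON.stringify(diffLockfiles(SAMPLE_BEFORE, SAMPLE_AFTER), null, 2));
```

For this commit, the inputs would be the parsed `integration-tests/package-lock.json` at parent 43ff705 and at 2871e39, and the report can then be compared with the 19 packages the message reports.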