fix(deps): resolve Dependabot alerts#3130

Merged: jeanduplessis merged 1 commit into main from fix/dependabot-security-bumps on May 8, 2026

Conversation

@jeanduplessis
Contributor

@jeanduplessis jeanduplessis commented May 8, 2026

Summary

Bumps vulnerable direct and transitive npm dependencies to patched patch/minor versions so the Dependabot security alerts can be resolved.

  • Updates the requested vulnerable packages: axios, hono, @hono/node-server, next, vite, and fast-xml-parser.
  • Updates additional open security-alert dependencies found during verification, including DOMPurify, handlebars, brace-expansion, node-forge, picomatch, yaml, undici, drizzle-orm, uuid, postcss, ip-address, path-to-regexp, lodash-es, @xmldom/xmldom, and @anthropic-ai/sdk.
  • Keeps upgrades within the current major line where patched versions exist; brace-expansion uses the patched v5 line because the alert has no non-major patched version.
  • Updates pnpm catalog/overrides and regenerates pnpm-lock.yaml.
  • Adds minimumReleaseAge exclusions for fast-xml-parser, Next.js packages, and Hono packages so the latest patched security releases can be resolved.

Verification

N/A

Visual Changes

N/A

Reviewer Notes

  • Security verification reports no known production vulnerabilities at moderate-or-higher severity.
  • Vite resolves to 8.0.10, which is above the Dependabot patched version (8.0.5) while avoiding the too-new 8.0.11 release under the repo minimum release age policy.
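The PR description mentions three pnpm mechanisms without showing them: catalog entries, overrides for transitive packages, and `minimumReleaseAge` exclusions. The fragment below is an added illustration of how those settings fit together in a `pnpm-workspace.yaml`; it is not the repository's actual file. The only version pinned from the page is vite 8.0.10 and the brace-expansion v5 line; the 1440-minute release age and the package list are assumptions for illustration, and the `hono`, `next` and `fast-xml-parser` entries stand in for whatever patched versions the lockfile resolved.

```yaml
# Added example of a pnpm-workspace.yaml, not the repository's own file.
packages:
  - "apps/*"
  - "services/*"

# Direct dependencies consumed as "catalog:" from package.json files.
catalog:
  vite: 8.0.10            # patched version named in the PR reviewer notes
  # hono / next / fast-xml-parser would be pinned here to their patched releases

# Transitive dependencies that no workspace package lists directly.
# Overrides force the patched line into the lockfile regardless of what
# the intermediate packages request.
overrides:
  brace-expansion: ^5     # the alert had no patched release in the old major line

# Refuse to resolve any version published less than 1440 minutes (one day) ago.
# The value is an assumption for this example; it explains why vite 8.0.11
# was skipped in favour of 8.0.10.
minimumReleaseAge: 1440

# Exclusions let security releases for these packages be resolved immediately
# instead of waiting out the release age window.
minimumReleaseAgeExclude:
  - fast-xml-parser
  - next
  - hono
  - "@hono/node-server"
```

After editing the file, `pnpm install` regenerates `pnpm-lock.yaml`; the "no production vulnerabilities at moderate-or-higher severity" statement in the reviewer notes corresponds to running `pnpm audit --prod --audit-level=moderate` against the regenerated lockfile. Keeping the exclusion list short and reviewing it in the same change as the version bumps is what preserves the protection the release-age policy was added for.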

@kilo-code-bot
Contributor

kilo-code-bot Bot commented May 8, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (7 files)
  • apps/storybook/package.json
  • apps/web/package.json
  • package.json
  • pnpm-lock.yaml
  • pnpm-workspace.yaml
  • services/images-mcp/package.json
  • services/kiloclaw/controller/package.json

Reviewed by gpt-5.5-2026-04-23 · 776,228 tokens

@jeanduplessis jeanduplessis merged commit bf771bf into main May 8, 2026
42 of 43 checks passed
@jeanduplessis jeanduplessis deleted the fix/dependabot-security-bumps branch May 8, 2026 11:57