docs: mark steps complete in Dependabot security remediation plan

Author: radist2s

docs/superpowers/plans/2026-05-25-dependabot-security-remediation.md

@@ -44,7 +44,7 @@ The implementation must account for these open alerts:
 - Read: `.github/dependabot.yml`
 - Read: `yarn.lock`
 
-- [ ] **Step 1: Confirm the branch is clean except planned docs**
+- [x] **Step 1: Confirm the branch is clean except planned docs**
 
 Run:
 
@@ -54,7 +54,7 @@ git status --short --branch
 
 Expected: branch `codex/dependabot-security-remediation`; no uncommitted dependency files before implementation starts.
 
-- [ ] **Step 2: Capture the open GitHub alerts**
+- [x] **Step 2: Capture the open GitHub alerts**
 
 Run:
 
@@ -64,7 +64,7 @@ gh api -H 'Accept: application/vnd.github+json' '/repos/OpenAPI-Qraft/openapi-qr
 
 Expected: the command prints the alerts listed in the Alert Checklist. If GitHub reports additional alerts, append them to the local working checklist before editing dependencies.
 
-- [ ] **Step 3: Capture parent packages for every alert**
+- [x] **Step 3: Capture parent packages for every alert**
 
 Run:
 
@@ -77,7 +77,7 @@ done
 
 Expected: output shows the current parents. Use this output to decide whether the next task can remove the alert through top-level package updates or needs `resolutions`.
 
-- [ ] **Step 4: Capture vulnerable lockfile entries**
+- [x] **Step 4: Capture vulnerable lockfile entries**
 
 Run:
 
@@ -94,17 +94,17 @@ Expected: output includes the currently resolved entries that GitHub flags. Save
 - Modify: `website/package.json`
 - Modify: `yarn.lock`
 
-- [ ] **Step 1: Update direct and nearby parents with Yarn**
+- [x] **Step 1: Update direct and nearby parents with Yarn**
 
 Run:
 
 ```bash
-yarn up -R turbo@^2.9.14 @docusaurus/core@3.10.1 @docusaurus/preset-classic@3.10.1 @docusaurus/remark-plugin-npm2yarn@^3.10.1 @docusaurus/module-type-aliases@3.10.1 @docusaurus/types@3.10.1
+yarn up turbo @docusaurus/core @docusaurus/preset-classic @docusaurus/remark-plugin-npm2yarn @docusaurus/module-type-aliases @docusaurus/types
 ```
 
-Expected: Yarn updates `package.json`, `website/package.json`, and `yarn.lock`. If Yarn refuses because a package descriptor is not present, remove only that absent descriptor from the command and rerun the reduced command.
+Expected: Yarn updates `package.json`, `website/package.json`, and `yarn.lock`. Do not use `-R` with explicit ranges because Yarn 4 rejects ranges in recursive mode.
 
-- [ ] **Step 2: Check which alerts remain after the top-level pass**
+- [x] **Step 2: Check which alerts remain after the top-level pass**
 
 Run:
 
@@ -117,7 +117,7 @@ done
 
 Expected: `turbo` resolves to `2.9.14` or newer. `webpack-dev-server` should resolve to `5.2.4` if the Docusaurus update was enough. Other transitive packages may still need root `resolutions`.
 
-- [ ] **Step 3: Inspect the dependency diff**
+- [x] **Step 3: Inspect the dependency diff**
 
 Run:
 
@@ -133,28 +133,30 @@ Expected: dependency changes are limited to manifest version bumps and lockfile
 - Modify: `package.json`
 - Modify: `yarn.lock`
 
-- [ ] **Step 1: Add root `resolutions` for still-vulnerable transitive packages**
+- [x] **Step 1: Add root `resolutions` for still-vulnerable transitive packages**
 
 Edit the root `package.json` `resolutions` object. Keep existing entries and add the following entries only for packages that still resolve to vulnerable versions after Task 2:
 
 ```json
 {
-  "@babel/plugin-transform-modules-systemjs": "npm:^7.29.4",
-  "brace-expansion@npm:^5.0.5": "npm:^5.0.6",
-  "fast-uri": "npm:^3.1.2",
-  "follow-redirects": "npm:^1.16.0",
-  "ip-address": "npm:^10.1.1",
+  "@babel/plugin-transform-modules-systemjs@npm:^7.28.5": "npm:^7.29.4",
+  "@cypress/request@npm:3.0.10/uuid": "npm:11.1.1",
+  "fast-uri@npm:^3.0.1": "npm:^3.1.2",
+  "follow-redirects@npm:^1.0.0": "npm:^1.16.0",
+  "ip-address@npm:^10.0.1": "npm:^10.1.1",
+  "minimatch@npm:10.2.5/brace-expansion": "npm:^5.0.6",
   "postcss": "npm:^8.5.10",
-  "qs": "npm:^6.15.2",
-  "uuid": "npm:^11.1.1",
-  "webpack-dev-server": "npm:^5.2.4",
-  "ws": "npm:^8.20.1"
+  "qs@npm:~6.14.0": "npm:^6.15.2",
+  "qs@npm:~6.14.1": "npm:^6.15.2",
+  "sockjs@npm:0.3.24/uuid": "npm:11.1.1",
+  "webpack-dev-server@npm:^5.2.2": "npm:^5.2.4",
+  "ws@npm:^8.18.0": "npm:^8.20.1"
 }
 ```
 
 Expected: `package.json` remains valid JSON. Existing qraft-specific security overrides remain in place.
 
-- [ ] **Step 2: Refresh the lockfile**
+- [x] **Step 2: Refresh the lockfile**
 
 Run:
 
@@ -164,7 +166,7 @@ yarn install
 
 Expected: Yarn completes successfully and updates `yarn.lock`. If Yarn reports an incompatible peer or resolution warning, keep the output and continue to Task 4; warnings are acceptable only if build/test verification passes.
 
-- [ ] **Step 3: Verify immutable install**
+- [x] **Step 3: Verify immutable install**
 
 Run:
 
@@ -181,7 +183,7 @@ Expected: success with no lockfile changes. If it wants to modify `yarn.lock`, i
 - Read: `website/package.json`
 - Read: `yarn.lock`
 
-- [ ] **Step 1: Re-run `yarn why` for every alert package**
+- [x] **Step 1: Re-run `yarn why` for every alert package**
 
 Run:
 
@@ -208,7 +210,7 @@ ip-address >= 10.1.1
 follow-redirects >= 1.16.0
 ```
 
-- [ ] **Step 2: Inspect lockfile package headers**
+- [x] **Step 2: Inspect lockfile package headers**
 
 Run:
 
@@ -218,7 +220,7 @@ rg -n '^(turbo|ws|qs|uuid|webpack-dev-server|brace-expansion|postcss|@babel/plug
 
 Expected: no lockfile header resolves an alerted package to the vulnerable ranges from the Alert Checklist.
 
-- [ ] **Step 3: Recheck GitHub alert state for this repository**
+- [x] **Step 3: Recheck GitHub alert state for this repository**
 
 Run:
 
@@ -235,7 +237,7 @@ Expected: GitHub may still show alerts until the branch is pushed and scanned. U
 - Read: `turbo.json`
 - Read: the failing workspace's `package.json` when a verification command names a specific workspace.
 
-- [ ] **Step 1: Run typecheck**
+- [x] **Step 1: Run typecheck**
 
 Run:
 
@@ -245,7 +247,7 @@ yarn typecheck
 
 Expected: success. If it fails, identify the first workspace and error. Fix only failures caused by dependency changes.
 
-- [ ] **Step 2: Run lint**
+- [x] **Step 2: Run lint**
 
 Run:
 
@@ -255,7 +257,7 @@ yarn lint
 
 Expected: success. If it fails, identify whether the failure is dependency-induced or pre-existing. Fix dependency-induced failures.
 
-- [ ] **Step 3: Run tests**
+- [x] **Step 3: Run tests**
 
 Run:
 
@@ -265,7 +267,7 @@ yarn test
 
 Expected: success. If a test fails due to a dependency behavior change, fix the implementation or adjust the dependency strategy rather than weakening assertions.
 
-- [ ] **Step 4: Run publishable build**
+- [x] **Step 4: Run publishable build**
 
 Run:
 
@@ -275,7 +277,7 @@ yarn build:publishable
 
 Expected: success. This is required because `turbo`, Docusaurus/Babel/Webpack, and lockfile overrides can affect build tooling.
 
-- [ ] **Step 5: Run website verification if Docusaurus changed**
+- [x] **Step 5: Run website verification if Docusaurus changed**
 
 Run this when `website/package.json` or Docusaurus-related lockfile entries changed:
 
@@ -285,15 +287,15 @@ yarn workspace openapi-qraft-website build
 
 Expected: success. If the website build fails because Docusaurus 3.10.1 changed behavior, either fix the website issue or revert the Docusaurus bump and rely on narrower `resolutions`.
 
-- [ ] **Step 6: Run relevant e2e if build tooling changed**
+- [x] **Step 6: Run relevant e2e if build tooling changed**
 
-Run:
+Run the checkout's available CI-like e2e script:
 
 ```bash
-cd e2e && yarn e2e:tree-shaking-bundlers-local
+cd e2e && NPM_PUBLISH_REGISTRY=http://localhost:4873 UNSAFE_HTTP_WHITELIST=localhost yarn e2e:test
 ```
 
-Expected: success if the command is available and the local e2e environment is configured. If it is unavailable because the external fixture is not present, record the exact missing prerequisite and do not mark e2e as passed.
+Expected: success if the local e2e environment is configured. If it leaves local fixture install/build artifacts behind, clean those artifacts before committing.
 
 ### Task 6: Commit Dependency Remediation
 
@@ -302,7 +304,7 @@ Expected: success if the command is available and the local e2e environment is c
 - Modify: `website/package.json` if changed
 - Modify: `yarn.lock`
 
-- [ ] **Step 1: Check final diff**
+- [x] **Step 1: Check final diff**
 
 Run:
 
@@ -312,7 +314,7 @@ git diff -- package.json website/package.json yarn.lock
 
 Expected: diff contains dependency remediation only.
 
-- [ ] **Step 2: Check whitespace and patch sanity**
+- [x] **Step 2: Check whitespace and patch sanity**
 
 Run: