chore(deps) Fix/security vulnerabilities (#114)

* fix(security): update vulnerable dependencies

Update dompurify, hono, @hono/node-server, and multer to patched
versions in testplanit. Run npm audit fix in forge-app to resolve
transitive dependency vulnerabilities.

Remaining unresolvable vulns are in transitive deps locked by
eslint-config-next, shadcn, swagger-ui-react, @svgr/webpack, and pm2.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(security): update overrides for vulnerable transitive dependencies

Update pnpm overrides to resolve Dependabot security alerts:
- @hono/node-server: 1.19.9 → 1.19.10 (authorization bypass)
- hono: >=4.11.10 → >=4.12.4 (serveStatic file access, SSE injection, cookie injection)
- dompurify: ^3.2.4 → ^3.3.2 (XSS vulnerability)
- svgo: add override >=3.3.3 (DoS via entity expansion)
- minimatch@3: ^3.1.3 → ^3.1.4 (ReDoS)
- serialize-javascript: add override >=7.0.3 (RCE via RegExp/Date)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore(deps): update dependencies in testplanit

- Bump @tanstack/react-virtual from ^3.13.20 to ^3.13.21
- Update @tiptap/core and related extensions from ^3.20.0 to ^3.20.1
- Update ioredis from 5.10.0 to 5.9.2
- Update @types/node from ^25.3.0 to ^25.3.5
- Update dompurify from ^3.2.4 to ^3.3.2
- Update hono from >=4.11.10 to >=4.12.4
- Update @hono/node-server from 1.19.9 to 1.19.10
- Update various other dependencies to their latest versions

This update includes minor version bumps and security patches to ensure stability and security of the project.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: therealbrad

cli/package.json

@@ -27,26 +27,26 @@
   },
   "dependencies": {
     "chalk": "^5.6.2",
-    "commander": "^12.1.0",
-    "conf": "^13.1.0",
+    "commander": "^14.0.3",
+    "conf": "^15.1.0",
     "form-data": "^4.0.5",
-    "glob": "^11.1.0",
-    "ora": "^8.2.0"
+    "glob": "^13.0.6",
+    "ora": "^9.3.0"
   },
   "devDependencies": {
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/git": "^10.0.1",
-    "@semantic-release/github": "^11.0.6",
-    "@types/bun": "^1.3.9",
-    "@types/node": "^22.19.11",
+    "@semantic-release/github": "^12.0.6",
+    "@types/bun": "^1.3.10",
+    "@types/node": "^25.3.5",
     "@vitest/coverage-v8": "^4.0.18",
-    "semantic-release": "^24.2.9",
+    "semantic-release": "^25.0.3",
     "tsup": "^8.5.1",
     "typescript": "^5.9.3",
     "vitest": "^4.0.18"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "keywords": [
     "testplanit",

forge-app/package-lock.json

@@ -25,17 +25,17 @@
     "@babel/core": "^7.29.0",
     "@babel/preset-env": "^7.29.0",
     "@babel/preset-react": "^7.28.5",
-    "@forge/cli": "^12.14.1",
-    "autoprefixer": "^10.4.24",
-    "babel-loader": "^10.0.0",
-    "css-loader": "^7.1.3",
+    "@forge/cli": "^12.15.0",
+    "autoprefixer": "^10.4.27",
+    "babel-loader": "^10.1.0",
+    "css-loader": "^7.1.4",
     "html-webpack-plugin": "^5.6.6",
     "mini-css-extract-plugin": "^2.10.0",
-    "postcss": "~8.5.6",
-    "postcss-loader": "^8.2.0",
+    "postcss": "~8.5.8",
+    "postcss-loader": "^8.2.1",
     "style-loader": "^4.0.0",
     "tailwindcss": "^3.4.19",
-    "webpack": "^5.105.2",
+    "webpack": "^5.105.4",
     "webpack-cli": "^6.0.1"
   }
 }