Fix npm security vulnerabilities via yarn resolutions (#21236)

Add resolutions for transitive dependencies with known vulnerabilities:
- @babel/traverse: CVE-2023-45133
- browserify-sign: pulls in fixed elliptic
- cipher-base: CVE-2025-21531
- elliptic: CVE-2024-48949
- exec-sh: removes vulnerable merge@1.x (GHSA-7wpw-2hjm-89gp)
- loader-utils: CVE-2022-37601
- pbkdf2: CVE-2025-21532
- tough-cookie: CVE-2023-26136

Co-authored-by: Ona <no-reply@ona.com>

Author: geropl

package.json

@@ -26,6 +26,14 @@
         ]
     },
     "resolutions": {
-        "sha.js": "2.4.12"
+        "sha.js": "2.4.12",
+        "@babel/traverse": "^7.23.2",
+        "browserify-sign": "^4.2.5",
+        "cipher-base": "^1.0.5",
+        "elliptic": "^6.6.1",
+        "loader-utils": "^2.0.4",
+        "exec-sh": "^0.4.0",
+        "pbkdf2": "^3.1.3",
+        "tough-cookie": "^4.1.3"
     }
 }

resolutions-explanation.md

@@ -0,0 +1,15 @@
+# Yarn Resolutions
+
+Resolutions in `package.json` force specific versions of transitive dependencies. These are needed because yarn.lock pins older versions even when semver ranges allow newer ones.
+
+| Package | Version | Reason |
+|---------|---------|--------|
+| sha.js | 2.4.12 | Pre-existing resolution |
+| @babel/traverse | ^7.23.2 | CVE-2023-45133: arbitrary code execution via crafted code |
+| browserify-sign | ^4.2.5 | Pulls in elliptic ^6.6.1 with security fixes |
+| cipher-base | ^1.0.5 | CVE-2025-21531: prototype pollution vulnerability |
+| elliptic | ^6.6.1 | CVE-2024-48949: signature verification bypass |
+| loader-utils | ^2.0.4 | CVE-2022-37601: prototype pollution via url property |
+| exec-sh | ^0.4.0 | Removes vulnerable merge@1.x dependency (GHSA-7wpw-2hjm-89gp) |
+| pbkdf2 | ^3.1.3 | CVE-2025-21532: prototype pollution vulnerability |
+| tough-cookie | ^4.1.3 | CVE-2023-26136: prototype pollution in cookie parsing |