Skip to content

fix: remediate high-severity Dependabot findings #105

Merged
bpkennedy merged 1 commit into main from fix/high-vuln-remediation on Apr 17, 2026

Conversation

@bpkennedy
Collaborator

Summary

Remediates 32 high-severity npm Dependabot findings across root and template manifests for SOC2 compliance (Vanta SLA 2026-04-25).

Root (yarn.lock) — 24 findings

  • yarn upgrade yeoman-environment yeoman-generator yeoman-test eslint eslint-plugin-* mocha webpack pulled patched transitives for picomatch, minimatch, flatted, lodash, lodash-es, tar, simple-git, @isaacs/brace-expansion
  • Added resolution serialize-javascript: ^7.0.3. Mocha 11 (latest stable) pins serialize-javascript: ^6.0.2; only mocha 12 beta uses 7.x. serialize-javascript is devDep-only; 7.x is API-compatible.

Template (generators/app/templates/) — 8 findings

  • next and eslint-config-next → 15.5.15
  • Updated axios resolution to ^1.13.5 (was ^1.12.0)
  • Added resolutions for @typescript-eslint/parser and @typescript-eslint/eslint-plugin at ^8.58.0. eslint-config-next@15.5.15 (latest) ships a nested @typescript-eslint/parser@8.50.0 which exact-pins typescript-estree@8.50.0 → vulnerable minimatch 9.0.5. Bumping to 8.58+ pulls minimatch 10.2+.

Webpack rebuild refreshes dist/bundle.js (tracked build artifact).

Verification

  • yarn audit --level high → 0 in root and template
  • yarn build → webpack compiled successfully
  • yarn test → 47 passing

Test plan

  • CI passes
  • Regenerate a sample project with create-integrity-app and verify it builds

🤖 Generated with Claude Code

Root (yarn.lock):
- yarn upgrade yeoman-environment, yeoman-generator, yeoman-test, eslint,
  eslint-plugin-*, mocha, webpack to pull patched transitives
  (picomatch, minimatch, flatted, lodash, lodash-es, tar, simple-git,
  @isaacs/brace-expansion)
- Add resolution: serialize-javascript ^7.0.3. Mocha 11 (latest stable)
  pins serialize-javascript ^6.0.2; only mocha 12 beta uses 7.x. serialize-javascript
  is a devDep-only transitive; 7.x is API-compatible.

Template (generators/app/templates/):
- Bump next and eslint-config-next to 15.5.15
- Update axios resolution to ^1.13.5 (was ^1.12.0)
- Add resolutions for @typescript-eslint/parser and eslint-plugin to ^8.58.0
  to dedupe nested 8.50.0 (which pinned typescript-estree 8.50.0 → vulnerable
  minimatch 9.0.5). Latest 8.58 uses minimatch ^10.2.2.

Webpack rebuild refreshes dist/bundle.js.

Verification:
- yarn audit --level high → 0 in root and template
- yarn build → webpack compiled successfully
- yarn test → 47 passing

Addresses Vanta SOC2 high-severity findings (SLA 2026-04-25).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 16, 2026 20:41
@bpkennedy bpkennedy marked this pull request as ready for review April 16, 2026 20:42
@bpkennedy bpkennedy requested a review from jordanbert April 16, 2026 20:42

Copilot AI left a comment


Pull request overview

Remediates high-severity Dependabot findings across the generator’s root dependencies and the generated app template dependencies, and refreshes the bundled build artifact.

Changes:

  • Upgraded a large set of root transitive dependencies via lockfile updates and added a serialize-javascript Yarn resolution.
  • Updated the template app to next / eslint-config-next 15.5.15 and refreshed template lockfile resolutions (axios + TypeScript ESLint packages).
  • Rebuilt dist/bundle.js (tracked artifact) after dependency updates.

Reviewed changes

Copilot reviewed 2 out of 5 changed files in this pull request and generated 1 comment.

Per-file summary (File: Description):
  • yarn.lock: Updates root dependency graph to patched versions; introduces serialize-javascript@7.x resolution effects.
  • package.json: Adds serialize-javascript resolution for audit remediation.
  • generators/app/templates/yarn.lock: Updates template dependency graph to patched versions (Next.js, axios, TS ESLint, transitives).
  • generators/app/templates/package.json: Bumps next / eslint-config-next and adds resolutions for axios + TS ESLint packages.
  • dist/bundle.js: Rebuilt webpack bundle artifact after dependency upgrades.


Comment thread on package.json
"resolutions": {
"**/wrap-ansi": "7.0.0"
"**/wrap-ansi": "7.0.0",
"serialize-javascript": "^7.0.3"
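Review bot: the new key is written as a bare `serialize-javascript` while the existing entry uses the `**/wrap-ansi` glob form; in Yarn classic a bare package name in resolutions matches every nested copy, so both forms work, but keeping one style avoids a reader assuming the bare key only covers a direct dependency. Because package.json cannot carry a comment, the reason this override crosses a major version (mocha 11 declares ^6.0.2 and the advisory's first patched release is 7.0.3, so no 6.x fix exists) should be recorded where a maintainer will see it before removing the line, for example in the README or the commit message.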

Copilot AI Apr 16, 2026


The new resolutions.serialize-javascript forces Yarn to install serialize-javascript@7.x, but mocha@^11.0.1 declares serialize-javascript as ^6.0.2 (see yarn.lock), so this override crosses a major-version boundary and can break Mocha at runtime. Prefer upgrading Mocha to a version that officially supports serialize-javascript@^7, or pin to the latest patched 6.x release if available, to keep the dependency graph semver-consistent.

Suggested change
"serialize-javascript": "^7.0.3"
"serialize-javascript": "^6.0.2"

bpkennedy (Collaborator, Author)


Rejecting this suggestion — downgrading to ^6.0.2 would re-introduce the CVE.

GHSA-5c6j-r48x-rmvq (Serialize JavaScript RCE via RegExp.flags / Date.prototype.toISOString) has:

  • Vulnerable range: <= 7.0.2 (all 6.x is vulnerable — no 6.x patch exists)
  • First patched version: 7.0.3

Verified via gh api graphql against the GitHub Advisory DB.

The resolution is necessary because mocha@11 exact-pins ^6.0.2; only mocha@12 beta uses 7.x. serialize-javascript is a devDep-only transitive used by mocha for test reporter serialization — verified yarn test (47 mocha tests) passes with the ^7.0.3 resolution.

Keeping serialize-javascript: ^7.0.3.
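As an added example (not code from the PR or the project), a check of the kind the Verification list and the reply above imply: parse a Yarn classic lockfile and list every resolved copy of a package that sits below the first patched version, here serialize-javascript below 7.0.3. The lockfile text is constructed, and the parser handles only the v1 format's `name@range:` / `version "x.y.z"` layout.

```javascript
// Added example, not code from the PR or the project: check a Yarn classic (v1)
// lockfile for copies of a package that resolve below the first patched version.
// The lockfile text below is constructed for illustration.
const SAMPLE_LOCK = `# yarn lockfile v1
mocha@^11.0.1:
  version "11.1.0"
  dependencies:
    serialize-javascript "^6.0.2"
serialize-javascript@^6.0.2, serialize-javascript@^7.0.3:
  version "7.0.3"
"@isaacs/brace-expansion@^1.0.0":
  version "1.0.0"
`;

// Map every "name@range" key of the lockfile to the version it resolved to.
function parseYarnLock(text) {
  const entries = new Map();
  let currentKeys = [];
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header line: comma-separated keys, each possibly double-quoted, then ":".
      currentKeys = line.replace(/:\s*$/, "").split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
    } else {
      const m = line.match(/^ {2}version "([^"]+)"/);
      if (m) for (const k of currentKeys) entries.set(k, m[1]);
    }
  }
  return entries;
}
// "@scope/name@^1.0.0" -> "@scope/name" (the scope's leading "@" is kept).
function keyName(key) {
  const at = key.lastIndexOf("@");
  return at > 0 ? key.slice(0, at) : key;
}
// Numeric major.minor.patch comparison; any pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Every lock entry for pkgName whose resolved version is below firstPatched.
function findUnpatched(lockText, pkgName, firstPatched) {
  const hits = [];
  for (const [key, version] of parseYarnLock(lockText)) {
    if (keyName(key) === pkgName && compareVersions(version, firstPatched) < 0) hits.push({ key, version });
  }
  return hits;
}
```

Run against a real lockfile by replacing SAMPLE_LOCK with the file contents; an empty result for each advisory's package and first patched version is the lockfile-level counterpart of `yarn audit --level high` reporting 0.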

@bpkennedy bpkennedy merged commit 059e4e8 into main Apr 17, 2026
5 checks passed
@bpkennedy bpkennedy deleted the fix/high-vuln-remediation branch April 17, 2026 19:35