fix(deps): resolve high dependency alerts

- Patch high-severity transitive JS advisories with scoped pnpm overrides.

- Update openssl and hickory resolver crates, including DNS resolver API use.

- Replace fixed crypto test keys with generated keys and dependency pin tests.

Tests:

- npx --yes pnpm@9.15.9 ui:gate:static

- npx --yes pnpm@9.15.9 test

- npx --yes pnpm@9.15.9 test:security-regression

- npx --yes pnpm@9.15.9 audit --audit-level high

- npx --yes pnpm@9.15.9 git:guard:all

- cd src-tauri && cargo check

- cd src-tauri && cargo test --test security_dependency_versions

Author: saagpatel

docs/adr/0013-security-alert-dependency-overrides.md

@@ -0,0 +1,34 @@
+# 0013. Security Alert Dependency Overrides
+
+## Status
+
+Accepted
+
+## Context
+
+Dependabot and audit checks reported high-severity transitive dependency alerts
+in JavaScript tooling packages and Rust networking or TLS crates. The affected
+JavaScript packages are not direct runtime dependencies, but they still run in
+developer and CI workflows. The Rust alerts sit on security-sensitive TLS and DNS
+resolution paths.
+
+## Decision
+
+Use scoped package-manager overrides for patched JavaScript transitive versions,
+and update the Rust lockfile for patched `openssl` and `hickory` dependency
+versions. Keep the hickory resolver API migration local to the pinned DNS
+resolver so the SSRF protection boundary stays unchanged.
+
+## Consequences
+
+High-severity JavaScript audit output is cleared while preserving the existing
+toolchain shape. Rust TLS and DNS dependency versions move forward with a small
+API compatibility update. The remaining moderate audit items are left visible
+for a separate pass instead of widening this remediation.
+
+## Alternatives Considered
+
+Directly upgrading parent tools such as Lighthouse, Commitizen, and Stylelint
+would touch more of the frontend toolchain than needed for this security slice.
+Suppressing the alerts was rejected because patched versions are available for
+the high-severity items handled here.

package.json

@@ -95,56 +95,63 @@
   "dependencies": {
     "@fontsource-variable/ibm-plex-sans": "^5.2.8",
     "@fontsource-variable/jetbrains-mono": "^5.2.8",
-    "@tauri-apps/api": "^2.11.0",
-    "@tauri-apps/plugin-dialog": "^2.7.1",
-    "@tauri-apps/plugin-opener": "^2.5.4",
-    "react": "^19.2.6",
-    "react-dom": "^19.2.6"
+    "@tauri-apps/api": "^2",
+    "@tauri-apps/plugin-dialog": "^2.6.0",
+    "@tauri-apps/plugin-opener": "^2",
+    "react": "^19.1.0",
+    "react-dom": "^19.1.0"
   },
   "devDependencies": {
-    "@axe-core/playwright": "^4.11.3",
+    "@axe-core/playwright": "^4.11.0",
     "@commitlint/cli": "^19.8.1",
     "@commitlint/config-conventional": "^19.8.1",
     "@commitlint/cz-commitlint": "^19.8.1",
-    "@eslint/js": "^9.39.4",
+    "@eslint/js": "^9.39.1",
     "@lhci/cli": "^0.15.1",
-    "@playwright/test": "^1.59.1",
-    "@tauri-apps/cli": "^2.11.1",
-    "@testing-library/react": "^16.3.2",
+    "@playwright/test": "^1.56.1",
+    "@tauri-apps/cli": "^2",
+    "@testing-library/react": "^16.3.0",
     "@testing-library/user-event": "^14.6.1",
-    "@types/react": "^19.2.14",
-    "@types/react-dom": "^19.2.3",
-    "@typescript-eslint/eslint-plugin": "^8.59.2",
-    "@typescript-eslint/parser": "^8.59.2",
+    "@types/react": "^19.1.8",
+    "@types/react-dom": "^19.1.6",
+    "@typescript-eslint/eslint-plugin": "^8.46.1",
+    "@typescript-eslint/parser": "^8.46.1",
     "@vitejs/plugin-react": "^5.2.0",
     "@vitest/coverage-v8": "^3.2.4",
     "commitizen": "^4.3.1",
-    "eslint": "^9.39.4",
+    "eslint": "^9.39.1",
     "eslint-plugin-react-hooks": "^5.2.0",
-    "globals": "^16.5.0",
+    "globals": "^16.4.0",
     "husky": "^9.1.7",
-    "jsdom": "^27.4.0",
+    "jsdom": "^27.1.0",
     "lighthouse": "^12.8.2",
     "lint-staged": "^15.5.2",
-    "prettier": "^3.8.3",
-    "prettier-plugin-tailwindcss": "^0.7.4",
-    "stylelint": "^16.26.1",
+    "prettier": "^3.6.2",
+    "prettier-plugin-tailwindcss": "^0.7.1",
+    "stylelint": "^16.25.0",
     "stylelint-config-standard": "^39.0.1",
     "typescript": "~5.8.3",
-    "typescript-eslint": "^8.59.2",
-    "vite": "^7.3.3",
+    "typescript-eslint": "^8.46.1",
+    "vite": "^7.3.2",
     "vitest": "^3.2.4",
-    "web-vitals": "^5.2.0"
+    "web-vitals": "^5.1.0"
   },
   "pnpm": {
     "overrides": {
       "@lhci/cli>tmp": "^0.2.4",
-      "basic-ftp": "^5.3.0",
-      "commitizen>lodash": "^4.17.23",
+      "basic-ftp": "^5.3.1",
+      "commitizen>lodash": "^4.18.1",
       "eslint>ajv": "^6.14.0",
       "external-editor>tmp": "^0.2.4",
+      "express>path-to-regexp": "0.1.13",
+      "fast-uri": "^3.1.2",
       "flatted": "^3.4.2",
+      "fdir>picomatch": "^4.0.4",
+      "lodash": "^4.18.1",
+      "lodash-es": "^4.18.1",
+      "micromatch>picomatch": "^2.3.2",
       "minimatch": "^10.2.3",
+      "tinyglobby>picomatch": "^4.0.4",
       "rollup": "^4.59.0",
       "tmp": "^0.2.4",
       "yauzl": "^3.2.1"