What

Two dep bumps on top of master. Skipping #43 (picomatch transitive) by design.

• basic-ftp: pnpm.overrides pin ^5.2.0 → ^5.3.0 (security group)
• vite: dev dep ^7.0.4 → ^7.3.2 (minor)

Why

These Dependabot PRs were auto-created after the Wave 4 batch (#41 plugin-react) touched the lockfile. Both fail the branch-name governance guard; re-created on a codex-compliant branch per docs/SECURITY.md.

• Supersedes #42 — npm-security group
• Supersedes #44 — vite 7.3.1 → 7.3.2
• Skips #43 — picomatch 2.3.1 → 2.3.2 is transitive-only; pinned by a parent and not worth an override hack for a minor patch. picomatch@4.0.3 already coexists at the latest major.

How

One commit. Edited package.json for the two direct/override entries, then pnpm install to re-resolve. Final diff: 21/21 lines across package.json + pnpm-lock.yaml (only the two target packages' resolution lines).

Testing

• Commands run: pnpm install, pnpm build, pnpm test, pnpm typecheck
• Results:
  • pnpm install → vite 7.3.1 → 7.3.2, basic-ftp 5.2.0 → 5.3.0 (only these two deps moved)
  • pnpm build → 636ms, dist shape unchanged
  • pnpm test → 127/127
  • pnpm typecheck → clean

Performance impact

• Bundle delta: none
• Build time delta: negligible
• Lighthouse delta: none
• API latency delta: none
• DB query delta: none

Risk / Notes

• vite 7.3.2 is a patch bump over 7.3.1; plugin-react 5 is fully compatible
• basic-ftp is in the override set for deep-tree security tightening; consumers pull the newer version transparently
• Close build(deps): bump the npm-security group across 1 directory with 2 updates #42 and build(deps): bump vite from 7.3.1 to 7.3.2 #44 after merge; leave build(deps): bump picomatch from 2.3.1 to 2.3.2 #43 open (or close it with the picomatch-is-transitive rationale)

Screenshots (UI only)

• N/A

Lockfile rationale (if lockfile changed)

• pnpm-lock.yaml updated only for the two targeted packages; no other versions moved (verified via pnpm's install diff output).

🤖 Generated with Claude Code