Commit 5bfd131
chore: npm audit fix — bump brace-expansion + ws transitive devDeps
Two moderate-severity advisories landed in the GitHub Advisory Database
between 2026-05-18 and 2026-05-20, breaking `npm audit` on every PR
that ran CI in that window (#87, #90, #91, #92, #94 plus dependabot).
Diagnosis: CI failures show on PRs with trivial diffs (e.g. #94 is a
1-line .gitignore) → failure is in the baseline, not the PR diffs.
- brace-expansion 5.0.5 → 5.0.6 — DoS in numeric range (GHSA-jxxr-4gwj-5jf2)
- ws 8.20.0 → 8.20.1 — uninitialized memory disclosure (GHSA-58qx-3vcg-4xpx)
Both are dev-only transitive deps. Patch-level bumps, no public-API
ripple. `npm audit fix` produces the minimal lockfile delta.
Verified locally:
- npm audit: 0 vulnerabilities
- format:check, lint, build, typecheck, test:coverage all green
- lint:pkg still fails on publint sideEffects suggestion — distinct
baseline issue addressed by PR #88 (queue #70)
Closes the npm-audit half of envelope #23.1
parent 0551e29
1 file changed
Lines changed: 6 additions & 6 deletions