chore: add grype config and fix transitive vulnerabilities (#450)

Add .grype.yaml with exclusion rules for build artifacts and test output,
and resolve 6 Grype findings via pnpm overrides (kysely, picomatch, qs, yaml).

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: peppescg

.github/workflows/security-checks.yml

@@ -21,7 +21,6 @@ jobs:
         with:
           path: "."
           fail-build: true
-          only-fixed: true
           severity-cutoff: "medium"
           output-format: "table"
 

.grype.yaml

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Grype configuration for toolhive-cloud-ui.
+# - node_modules/:        lock file is the source of truth; scanning installed packages is redundant.
+# - dist/, out/:          build artifacts produced by Next.js.
+# - .next/:               Next.js build output cache.
+# - .cache/:              build-tool caches, not source packages.
+# - coverage/, playwright-report/, test-results/, test-videos/: test output, not source packages.
+
+# Only report vulnerabilities that have a fix available — unfixed ones are noise with no actionable remedy.
+only-fixed: true
+
+exclude:
+  - '**/node_modules/**'
+  - '**/dist/**'
+  - '**/out/**'
+  - '**/.next/**'
+  - '**/coverage/**'
+  - '**/playwright-report/**'
+  - '**/test-results/**'
+  - '**/test-videos/**'
+  - '**/.cache/**'

package.json

@@ -118,7 +118,11 @@
       "lodash-es": ">=4.17.23",
       "hono": "4.12.8",
       "rollup": ">=4.59.0",
-      "undici": "7.24.4"
+      "undici": "7.24.4",
+      "kysely": ">=0.28.14",
+      "picomatch": ">=4.0.4",
+      "qs": ">=6.14.2",
+      "yaml": ">=2.8.3"
     }
   }
 }