
chore: pin all deps to exact versions, update to latest safe releases, fix transitive vulns#20

Merged
CodeDeficient merged 4 commits into main from chore/pin-deps on Jun 16, 2026

Conversation

@CodeDeficient

@CodeDeficient CodeDeficient commented Jun 16, 2026

Owner

User description

Summary

  • Pin all dependencies to exact versions (no more ^ ranges)
  • Update all deps to latest versions published >7 days ago
  • Fix transitive vulnerabilities via scoped overrides

Changes

Package                    From      To       Published
glob                       11.0.0    13.0.6   2026-02-19
tsx                        4.19.1    4.22.4   2026-05-31
@babel/cli                 7.28.3    7.29.7   2026-05-25
@babel/core                7.28.5    7.29.7   2026-05-25
@babel/preset-typescript   7.28.5    7.29.7   2026-05-25
@types/node                24.10.1   25.9.2   2026-06-05
typescript                 5.9.3     6.0.3    2026-04-16

Vulnerabilities Fixed

  • glob CLI command injection (GHSA-5j98-mcp5-4vw2) — fixed by updating to 13.0.6
  • @babel/core arbitrary file read (GHSA-4x5r-pxfx-6jf8) — fixed by updating to 7.29.7
  • minimatch ReDoS (multiple advisories) — fixed via scoped override to 3.1.4
  • brace-expansion process hang — fixed via scoped override to 1.1.13
  • esbuild RCE via registry (GHSA-gv7w-rqvm-qjhr) — fixed by updating tsx to 4.22.4

Test Plan

  • npm test — 9/9 pass
  • npm audit — 0 vulnerabilities
  • npm ls minimatch: glob@13 gets minimatch@10.2.5, @babel/cli gets minimatch@3.1.4 (scoped override)

Summary by CodeRabbit

  • Chores
    • Updated npm dependencies to specific versions for improved stability and consistency.
    • Pinned transitive dependencies to ensure reproducible builds across environments.

CodeAnt-AI Description

Pin project dependencies and remove known vulnerable versions

What Changed

  • Locks the main project dependencies to exact versions instead of version ranges
  • Updates build and tooling packages to newer releases, including the TypeScript, Babel, glob, and tsx toolchain
  • Adds a targeted override so the Babel CLI uses safer versions of minimatch and brace-expansion
  • Updates the lockfile to match the new dependency set and remove outdated transitive packages

Impact

✅ Fewer dependency-related security warnings
✅ Safer installs with repeatable package versions
✅ Lower risk of build-time vulnerability exposure

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.
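The PR description above relies on two package.json properties that are easy to regress in a later edit: every direct dependency stays an exact version, and the minimatch/brace-expansion overrides stay scoped under @babel/cli rather than applying tree-wide (a tree-wide override would drag glob@13 down to minimatch 3.1.4 as well). The following Node script is an added example, not code from this PR or its repository; it checks both properties on a package.json text. The "before" and "after" package.json documents inside it are constructed for the example, with names and versions taken from the PR description, and the function names (checkPackageJson, findUnpinned, listOverrides) are this example's own.

```javascript
// Added example, not code from this PR or its repository. It checks a
// package.json for the two properties the PR description establishes:
//   1. every direct dependency is pinned to an exact x.y.z version, and
//   2. transitive overrides are scoped under the consumer that needs them,
//      so a fix for @babel/cli's minimatch does not silently downgrade
//      glob's newer minimatch.
// The file shapes below are constructed for the example; package names and
// versions mirror the PR description, nothing else is taken from the repo.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

const DEPENDENCY_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Return every direct dependency whose specifier is not an exact version.
// Ranges (^, ~, >=, x), tags (latest) and git/file/url specs are all reported,
// since each lets a fresh install pick a version the lockfile never reviewed.
function findUnpinned(pkg) {
  const unpinned = [];
  for (const field of DEPENDENCY_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Flatten npm's nested `overrides` block into (scope, name, version) records.
// A string value at the top level applies to every copy of that package in the
// tree (scope "*"); a nested object restricts its entries to the dependency
// subtree of the enclosing key. The special "." key pins the enclosing package
// itself while still allowing child overrides beside it.
function listOverrides(pkg) {
  const found = [];
  const walk = (node, path) => {
    for (const [key, value] of Object.entries(node)) {
      if (typeof value === "string") {
        const name = key === "." ? path[path.length - 1] : key;
        const scope = key === "." ? path.slice(0, -1) : path;
        found.push({ scope: scope.join(" > ") || "*", name, version: value });
      } else if (value && typeof value === "object") {
        walk(value, [...path, key]);
      }
    }
  };
  walk(pkg.overrides || {}, []);
  return found;
}

// Parse a package.json text and report unpinned deps, all overrides, and the
// subset of overrides that apply tree-wide rather than to one consumer.
function checkPackageJson(text) {
  const pkg = JSON.parse(text);
  const overrides = listOverrides(pkg);
  return {
    unpinned: findUnpinned(pkg),
    overrides,
    unscoped: overrides.filter((o) => o.scope === "*"),
  };
}

// Constructed "before" state: caret ranges and a tree-wide minimatch override.
const BEFORE_PACKAGE_JSON = JSON.stringify({
  name: "example-project",
  dependencies: { glob: "^11.0.0", tsx: "^4.19.1" },
  devDependencies: { typescript: "^5.9.3" },
  overrides: { minimatch: "3.1.4" },
});

// Constructed "after" state matching the PR description: exact pins and an
// override scoped to @babel/cli only.
const AFTER_PACKAGE_JSON = JSON.stringify({
  name: "example-project",
  dependencies: { glob: "13.0.6", tsx: "4.22.4" },
  devDependencies: {
    "@babel/cli": "7.29.7",
    "@babel/core": "7.29.7",
    "@babel/preset-typescript": "7.29.7",
    "@types/node": "25.9.2",
    typescript: "6.0.3",
  },
  overrides: {
    "@babel/cli": { minimatch: "3.1.4", "brace-expansion": "1.1.13" },
  },
});

for (const [label, text] of [["before", BEFORE_PACKAGE_JSON], ["after", AFTER_PACKAGE_JSON]]) {
  const report = checkPackageJson(text);
  console.log(`${label}: ${report.unpinned.length} unpinned, ${report.unscoped.length} tree-wide override(s)`);
  for (const u of report.unpinned) console.log(`  unpinned ${u.field}.${u.name} = ${u.spec}`);
  for (const o of report.overrides) console.log(`  override [${o.scope}] ${o.name} -> ${o.version}`);
}
```

To use it against a real repository, read package.json from disk and pass its text to checkPackageJson; a non-empty `unpinned` or `unscoped` list is a reason to fail a CI step. The script reports on the manifest only; the `npm ls minimatch` check in the test plan remains the way to confirm what the resolved tree actually contains.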

@codeant-ai

codeant-ai Bot commented Jun 16, 2026


Thanks for using CodeAnt! 🎉

We're free for open-source projects. If you're enjoying it, help us grow by sharing.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026


Review Change Stack

Warning

Review limit reached

@CodeDeficient, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 11 minutes and 34 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 73b9ba5c-1ac9-4f51-890b-ba291536aa3e

📥 Commits

Reviewing files that changed from the base of the PR and between b7323b6 and 2538650.

📒 Files selected for processing (1)
  • package.json
📝 Walkthrough

Walkthrough

package.json is updated to replace caret-range versions with exact pinned versions for glob and tsx in dependencies, and for @babel/cli, @babel/core, @babel/preset-typescript, @types/node, and typescript in devDependencies. A new top-level overrides block is added to pin minimatch and brace-expansion as transitive dependencies of @babel/cli.

Changes

Dependency Pinning and Overrides

Layer: Dependency pinning and transitive overrides
File(s): package.json
Summary: glob pinned to 13.0.6 and tsx to 4.22.4 in dependencies; Babel toolchain, @types/node, and typescript pinned to exact versions in devDependencies; new overrides block added to constrain minimatch (3.1.4) and brace-expansion (1.1.13) under @babel/cli.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hopping through the version tree,
No more carets bouncing free!
Each package pinned with precision tight,
Minimatch locked, brace-expansion right.
A tidy burrow, versions neat —
The rabbit's work is now complete! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title accurately describes the main objective: pinning dependencies to exact versions, updating to latest safe releases, and fixing transitive vulnerabilities—all central changes in this PR.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@codeant-ai codeant-ai Bot added the size:L This PR changes 100-499 lines, ignoring generated files label Jun 16, 2026

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Around line 65-69: Add an explicit packageManager field to package.json to specify the npm version being used. Insert the field at the top level of the package.json object (alongside the existing overrides field) with the format "packageManager": "npm@<version>" where <version> is the specific npm version currently in use (e.g., npm@10.2.3). This ensures consistent dependency resolution behavior across all environments including CI and local development when handling the specified overrides.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 67227fcb-6bf7-4236-9486-35e5ef683dd9

📥 Commits

Reviewing files that changed from the base of the PR and between 17be43a and b7323b6.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

@CodeDeficient CodeDeficient merged commit 5aa163f into main Jun 16, 2026
4 checks passed