
security: second wave of dependency advisories #253

Merged
Polliog merged 2 commits into main from develop
Jun 16, 2026

Conversation

@Polliog (Collaborator) commented Jun 16, 2026

Resolves the nine Dependabot advisories that surfaced right after the 1.0.0-beta cut. All upgraded to their patched releases; no vulnerable version remains in pnpm-lock.yaml.

Direct dependencies

  • nodemailer >= 8.0.9 (3 advisories): TLS cert validation in OAuth2 token fetch, List-* header CRLF injection, jsonTransport file/url access bypass.
  • vite >= 6.4.3 (high + moderate): server.fs.deny bypass on Windows alternate paths, and the bundled launch-editor NTLMv2 hash disclosure. Also forced repo-wide via overrides so no transitive 6.4.2 lingers.
  • js-yaml >= 4.2.0: quadratic-complexity DoS in merge-key handling.
  • protobufjs >= 7.6.3: schema-derived names shadowing runtime-significant properties (override floor raised).

Transitive (root pnpm overrides)

  • form-data >= 4.0.6 (high): CRLF injection via unescaped multipart field names/filenames.
  • @opentelemetry/core >= 2.8.0: unbounded memory allocation in W3C Baggage propagation.

Verification

  • pnpm install clean, no peer-dependency warnings.
  • Backend typecheck green.
  • Frontend production build green (vite 6.4.3 + esbuild 0.28.1 + es2022 target).
  • OTLP test suite (381 tests) green against @opentelemetry/core 2.8.0 and protobufjs 7.6.4 (real protobuf path).

No application code changes; lockfile + manifests only (plus the changelog entry).
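The "no vulnerable version remains in pnpm-lock.yaml" claim above is the kind of thing worth checking mechanically, especially for packages that are pinned through root `pnpm.overrides` and can still appear twice in a lockfile. The script below is an added example, not code from this PR or from the project: it scans every `name@version` key under the `packages:` section of a pnpm lockfile (v9 layout) and reports any resolved copy that sits below the patched floors listed in the PR description. The lockfile fragments are constructed for the demo, the floor table is copied from the bullets above, and the version comparison deliberately ignores prerelease tags.

```javascript
// Added example: check a pnpm-lock.yaml against the patched floors from the
// advisories. Not part of the PR; lockfile text below is constructed.

// Minimum patched versions, taken from the PR description.
const FLOORS = {
  "nodemailer": "8.0.9",
  "vite": "6.4.3",
  "js-yaml": "4.2.0",
  "protobufjs": "7.6.3",
  "form-data": "4.0.6",
  "@opentelemetry/core": "2.8.0",
};

// Parse "MAJOR.MINOR.PATCH[-pre]" into a numeric triple. Prerelease tags are
// ignored, so "8.0.9-rc.1" compares equal to 8.0.9; tighten if the project
// ever resolves prerelease builds of these packages.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every resolved (name, version) pair under the top-level `packages:`
// section. Keys look like `  vite@6.4.3(@types/node@22.0.0):` or, for scoped
// packages, `  '@opentelemetry/core@2.8.0':`; peer-dependency suffixes in
// parentheses are dropped so the same package resolved against different
// peers is still counted once per version.
function lockfilePackages(text) {
  const found = [];
  let inPackages = false;
  for (const line of text.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) { inPackages = false; continue; } // another top-level section
    if (!inPackages) continue;
    const m = /^  '?((?:@[^/'\s]+\/)?[^@'\s(]+)@(\d+\.\d+\.\d+[^'\s(:]*)/.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Every lockfile entry still below its floor. An empty array means the
// lockfile is clean with respect to the listed advisories.
function findStaleVersions(lockText, floors = FLOORS) {
  return lockfilePackages(lockText)
    .filter(({ name, version }) => name in floors && compareVersions(version, floors[name]) < 0)
    .map(({ name, version }) => ({ name, version, required: floors[name] }));
}

// Constructed lockfile fragment (not the project's real pnpm-lock.yaml).
const CLEAN_LOCK = `lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      vite:
        specifier: ^6.4.3
        version: 6.4.3

packages:

  '@opentelemetry/core@2.8.0':
    resolution: {integrity: sha512-constructed}

  form-data@4.0.6:
    resolution: {integrity: sha512-constructed}

  js-yaml@4.2.0:
    resolution: {integrity: sha512-constructed}

  nodemailer@8.0.9:
    resolution: {integrity: sha512-constructed}

  protobufjs@7.6.4:
    resolution: {integrity: sha512-constructed}

  vite@6.4.3(@types/node@22.0.0):
    resolution: {integrity: sha512-constructed}
`;

// Same lockfile with a second, transitive copy of vite that an override missed.
const STALE_LOCK = CLEAN_LOCK + `
  vite@6.4.2(@types/node@22.0.0):
    resolution: {integrity: sha512-constructed}
`;

console.log("clean lockfile:", findStaleVersions(CLEAN_LOCK)); // []
console.log("stale lockfile:", findStaleVersions(STALE_LOCK)); // vite 6.4.2 < 6.4.3
```

To run it against a real checkout, replace the constructed constants with `fs.readFileSync("pnpm-lock.yaml", "utf8")` and fail the CI step when `findStaleVersions` returns a non-empty array; because it walks the `packages:` section rather than the `importers:` section, it catches transitive copies that a direct-dependency bump alone would leave behind.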

@codecov Bot commented Jun 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@Polliog Polliog merged commit 51aec1c into main Jun 16, 2026
10 of 16 checks passed