
chore(deps): consolidate open Dependabot npm bumps#891

Open
gergelylovas wants to merge 2 commits into main from chore/consolidate-dependabot-bumps

Conversation

@gergelylovas (Collaborator)

Roll up root lockfile updates with resolutions for diff, jws, lodash, pbkdf2, and rollup; bump @hpke/core, bn.js, and lodash in @core/ui and @core/service-worker; refresh e2e yarn.lock for tar and @isaacs/brace-expansion.

Supersedes Dependabot PRs 534, 683, 713, 720, 724, 728, 749, 781, 786, 787, 794, 795, 797, 811. PR 796 (ajv) omitted: pinning ajv 6.14.0 breaks commitlint with the current toolchain.

Made-with: Cursor

Description

Changes

Testing

Screenshots:

Checklist for the author

Tick each of them when done or if not applicable.

  • I've covered new/modified business logic with Jest test cases.
  • I've tested the changes myself before sending it to code review and QA.

Copilot AI (Contributor) left a comment

Pull request overview

This PR consolidates multiple Dependabot-driven npm dependency bumps across the monorepo by updating root Yarn resolutions and refreshing the root + e2e lockfiles, plus aligning select workspace package.json dependencies with the new versions.

Changes:

  • Update root resolutions (and root yarn.lock) for several transitive dependencies (notably diff, jws, lodash, pbkdf2, rollup, and ajv).
  • Bump direct dependencies in packages/ui and packages/service-worker (e.g. @hpke/core, bn.js, lodash).
  • Refresh e2e/yarn.lock for tar and @isaacs/brace-expansion.

Reviewed changes

Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

yarn.lock: Updates resolved versions for multiple transitive dependencies (incl. ajv, diff, jws, pbkdf2, rollup, lodash, bn.js).
package.json: Adds/updates root Yarn resolutions to force specific versions repo-wide.
packages/ui/package.json: Bumps UI workspace direct deps to match updated/security-patched versions.
packages/service-worker/package.json: Bumps service-worker workspace direct deps to match updated/security-patched versions.
e2e/yarn.lock: Updates e2e lockfile for tar and @isaacs/brace-expansion.


Comment thread package.json
"@avalabs/svm-module": "3.7.0",
"@solana/kit": "5.4.0",
"cipher-base": "1.0.5",
"diff": "4.0.4",

Copilot AI Apr 14, 2026

resolutions.diff pins diff to 4.0.4, but the lockfile includes packages that declare diff: "^5.1.0" (e.g. libnpmdiff). Forcing a version outside a dependency’s declared semver range can cause install-time warnings and runtime breakage for the consumer expecting v5 APIs. Consider scoping the resolution to only the v4 range (e.g. diff@npm:^4.0.1) or letting v5 consumers resolve to a compatible v5 release while keeping v4 consumers on 4.0.4.

Suggested change
"diff": "4.0.4",
"diff@npm:^4.0.1": "4.0.4",

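The point Copilot raises above (an unscoped "diff": "4.0.4" resolution also rewrites consumers that declared ^5.1.0) is easy to check mechanically before merging a consolidated bump. The script below is an added example, not code from this PR or from the project's tooling: it reads root resolutions and a Berry-style yarn.lock, and reports every lockfile descriptor a pin overrides whose declared range the pinned version does not satisfy. The lockfile excerpt is constructed for the example, not taken from the PR; the semver logic covers exact, caret, tilde and ">=a <b" ranges and reports anything else as unverified rather than passing it.

```javascript
// Added example, not code from this PR or the project: flag root Yarn
// "resolutions" pins that fall outside the semver ranges consumers declared.

// Constructed lockfile excerpt (not the PR's yarn.lock). Two consumers ask for
// different major versions of diff; the vite entry is unrelated context.
const SAMPLE_LOCK = `__metadata:
  version: 8

"diff@npm:^4.0.1":
  version: 4.0.2
  languageName: node
  linkType: hard

"diff@npm:^5.1.0":
  version: 5.2.0
  languageName: node
  linkType: hard

"vite@npm:^6.3.5":
  version: 6.3.5
  languageName: node
  linkType: hard
`;

// Collect top-level descriptor keys such as `"diff@npm:^4.0.1, diff@npm:^4.0.2":`
// as {name, range} pairs. Non-npm protocols (workspace:, patch:) are skipped.
function lockfileDescriptors(lockText) {
  const out = [];
  for (const line of lockText.split('\n')) {
    if (line.startsWith(' ')) continue; // indented lines are fields, not keys
    const m = line.match(/^"?(.+?)"?:\s*$/);
    if (!m) continue;
    for (const raw of m[1].split(',')) {
      const desc = raw.trim();
      const at = desc.indexOf('@npm:');
      if (at <= 0) continue;
      out.push({ name: desc.slice(0, at), range: desc.slice(at + 5) });
    }
  }
  return out;
}

function parseVersion(v) {
  const m = v.trim().match(/^v?(\d+)\.(\d+)\.(\d+)/);
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Semver check for the range forms that dominate lockfiles: exact, ^, ~ and
// ">=a <b". Returns true/false, or null when the syntax is not handled so the
// caller reports "unverified" instead of silently passing it.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  const r = range.trim();
  if (r === '*' || r === '' || r === 'latest') return true;
  let m = r.match(/^([\^~]?)(\d+)\.(\d+)\.(\d+)$/);
  if (m) {
    const lo = m.slice(2, 5).map(Number);
    if (m[1] === '') return cmp(v, lo) === 0;
    let hi;
    if (m[1] === '~') hi = [lo[0], lo[1] + 1, 0];
    else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0]; // ^1.2.3 -> <2.0.0
    else if (lo[1] > 0) hi = [0, lo[1] + 1, 0]; // ^0.2.3 -> <0.3.0
    else hi = [0, 0, lo[2] + 1];                // ^0.0.3 -> <0.0.4
    return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
  }
  m = r.match(/^>=\s*(\d+\.\d+\.\d+)\s+<\s*(\d+\.\d+\.\d+)$/);
  if (m) return cmp(v, parseVersion(m[1])) >= 0 && cmp(v, parseVersion(m[2])) < 0;
  return null;
}

// resolutions: the root package.json "resolutions" object. A bare key such as
// "diff" overrides every descriptor of that name; a key such as
// "diff@npm:^4.0.1" overrides only that descriptor. Nested "pkg/dep" keys are
// not modelled here and are skipped.
function checkResolutions(resolutions, lockText) {
  const descriptors = lockfileDescriptors(lockText);
  const findings = [];
  for (const [key, pinned] of Object.entries(resolutions)) {
    const at = key.indexOf('@npm:');
    const name = at > 0 ? key.slice(0, at) : key;
    const onlyRange = at > 0 ? key.slice(at + 5) : null;
    const slashes = name.split('/').length - 1;
    if (slashes > (name.startsWith('@') ? 1 : 0)) continue; // nested key, skipped
    for (const d of descriptors) {
      if (d.name !== name || (onlyRange !== null && d.range !== onlyRange)) continue;
      const ok = satisfies(pinned, d.range);
      if (ok === true) continue;
      findings.push({ name, range: d.range, pinned, status: ok === false ? 'outside-range' : 'unverified' });
    }
  }
  return findings;
}

// Unscoped pin, as in the PR: the ^5.1.0 consumer is forced onto 4.0.4.
console.log(checkResolutions({ diff: '4.0.4' }, SAMPLE_LOCK));
// Scoped pin, as Copilot suggested: no consumer is pushed outside its range.
console.log(checkResolutions({ 'diff@npm:^4.0.1': '4.0.4' }, SAMPLE_LOCK));
```

Run it against the real files by replacing SAMPLE_LOCK with the contents of yarn.lock and the inline object with package.json's "resolutions"; any "outside-range" line is a consumer that will receive an API version it never asked for, and "unverified" lines are ranges the script could not parse and should be eyeballed.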
meeh0w
meeh0w previously approved these changes Apr 20, 2026
vvava
vvava previously approved these changes May 4, 2026
erictaylor
erictaylor previously approved these changes Jun 2, 2026
meeh0w
meeh0w previously approved these changes Jun 2, 2026
Comment thread yarn.lock Outdated
languageName: node
linkType: hard

"vite@npm:^6.3.5":

@semgrep-ava-labs semgrep-ava-labs Bot Jun 2, 2026

Risk: Affected versions of vite are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Missing Authentication for Critical Function. This occurs because the Vite Dev Server WebSocket improperly exposes the fetchModule method, allowing unauthenticated remote attackers to bypass filesystem restrictions and read arbitrary files from the host machine.

Manual Review Advice: A vulnerability from this advisory is reachable if you enable the vite dev server using the --host flag and the websocket is not disabled.

Fix: Upgrade this library to at least version 6.4.2 at core-extension/yarn.lock:28831.

Reference(s): GHSA-p9ff-h696-f583, CVE-2026-39363

🧼 Fixed in commit ed3be30 🧼

Contributor

/ar --host flag not used. Will upgrade Vite in a future PR.

@erictaylor (Contributor)

/update-lavamoat-policies

@github-actions github-actions Bot dismissed stale reviews from meeh0w and erictaylor via 24aff82 June 2, 2026 15:36
@github-actions github-actions Bot commented Jun 2, 2026

LavaMoat policies updated in a Verified commit, and validate-lavamoat-policies has been re-dispatched against the new HEAD — the previously red check should turn green on its own within a few minutes.

👀 Please review the diff for suspicious new powers before approving.

🧠 How to read a policy diff: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff
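The bot asks reviewers to read the regenerated LavaMoat policy for new powers before approving. As an added example, not LavaMoat's own tooling and not code from this PR, the script below takes two policy.json snapshots (the structure is resources -> package -> globals / builtin / packages / native) and lists every grant a package gains in the new one, marking the builtins and globals a reviewer should look at hardest. Both policies and all package names are constructed for the example; the "risky" lists are a reviewer heuristic, not a LavaMoat classification.

```javascript
// Added example, not LavaMoat's tooling or code from this PR: a first pass
// over a LavaMoat policy diff that lists the powers each package gains.

// High-signal builtins and globals for a package that never needed them
// before. Reviewer heuristic; extend to taste.
const RISKY_BUILTINS = ['fs', 'child_process', 'net', 'http', 'https', 'dns', 'vm', 'worker_threads'];
const RISKY_GLOBALS = ['fetch', 'XMLHttpRequest', 'WebSocket', 'process.env', 'document',
  'localStorage', 'indexedDB', 'eval', 'Function', 'chrome'];

// Constructed policies with hypothetical package names. Package identifiers in
// LavaMoat policies use the "parent>child" path form.
const OLD_POLICY = {
  resources: {
    'hash-lib': { globals: { TextEncoder: true }, packages: { 'hash-lib>utils': true } },
    'bundler-plugin': { builtin: { 'path.join': true, 'fs.readFileSync': true } },
  },
};

const NEW_POLICY = {
  resources: {
    'hash-lib': { globals: { TextEncoder: true }, packages: { 'hash-lib>utils': true } },
    'bundler-plugin': {
      builtin: { 'path.join': true, 'fs.readFileSync': true, 'child_process.spawn': true },
      globals: { 'process.env': true },
    },
    'new-transitive': { packages: { 'hash-lib': true } },
  },
};

// A policy section maps key -> true | "write"; anything truthy is a grant.
function granted(section) {
  return Object.entries(section || {}).filter(([, v]) => v).map(([k]) => k);
}

function isRisky(kind, key) {
  // Which package is reachable matters more than the fact of access, so
  // "packages" grants are listed but left to the reviewer's judgement.
  if (kind === 'packages') return false;
  const list = kind === 'builtin' ? RISKY_BUILTINS : RISKY_GLOBALS;
  return list.some((p) => key === p || key.startsWith(p + '.'));
}

// Returns one finding per grant present in newPolicy but absent from oldPolicy.
function newPowers(oldPolicy, newPolicy) {
  const oldRes = (oldPolicy && oldPolicy.resources) || {};
  const newRes = (newPolicy && newPolicy.resources) || {};
  const findings = [];
  for (const [pkg, entry] of Object.entries(newRes)) {
    const before = oldRes[pkg] || {};
    const newPackage = !(pkg in oldRes);
    for (const kind of ['globals', 'builtin', 'packages']) {
      const had = new Set(granted(before[kind]));
      for (const key of granted(entry[kind])) {
        if (!had.has(key)) findings.push({ pkg, kind, key, risky: isRisky(kind, key), newPackage });
      }
    }
    // "native": true lets a package load native addons; always worth a look.
    if (entry.native && !before.native) {
      findings.push({ pkg, kind: 'native', key: 'native', risky: true, newPackage });
    }
  }
  return findings;
}

function riskyFindings(findings) {
  return findings.filter((f) => f.risky);
}

for (const f of newPowers(OLD_POLICY, NEW_POLICY)) {
  console.log(`${f.risky ? '!!' : '  '} ${f.pkg} ${f.kind} ${f.key}${f.newPackage ? ' (new package)' : ''}`);
}
```

For a real review, load the policy.json from the base branch and from the bot's commit into OLD_POLICY and NEW_POLICY; lines marked "!!" are the grants to justify against the dependency bump that introduced them, and an unmarked "new package" line still deserves a glance at what that package itself is allowed to reach.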

meeh0w
meeh0w previously approved these changes Jun 2, 2026
erictaylor
erictaylor previously approved these changes Jun 2, 2026
gergelylovas and others added 2 commits June 3, 2026 10:33
Roll up root lockfile updates with resolutions for diff, jws, lodash,
pbkdf2, and rollup; bump @hpke/core, bn.js, and lodash in @core/ui and
@core/service-worker; refresh e2e yarn.lock for tar and
@isaacs/brace-expansion.

Supersedes Dependabot PRs 534, 683, 713, 720, 724, 728, 749, 781, 786,
787, 794, 795, 797, 811. PR 796 (ajv) omitted: pinning ajv 6.14.0 breaks
commitlint with the current toolchain.

Made-with: Cursor
@meeh0w meeh0w dismissed stale reviews from erictaylor and themself via ed3be30 June 3, 2026 08:33
@meeh0w meeh0w force-pushed the chore/consolidate-dependabot-bumps branch from 24aff82 to ed3be30 June 3, 2026 08:33

6 participants