
fix: resolve high-severity dependabot alerts for transitive dependenc… #973

Merged
Dargon789 merged 3 commits into main-auth from main, Apr 9, 2026

Conversation

Dargon789 (Owner) commented Apr 9, 2026

…ies (#965)

Add pnpm overrides for node-forge, picomatch, path-to-regexp, and fast-xml-parser. Bump happy-dom devDependency in siwx package.

Description

Please include a brief summary of the change.

Type of change

  • Chore (non-breaking change that addresses non-functional tasks, maintenance, or code quality improvements)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Associated Issues

For Linear issues: Closes APKT-xxx
For GH issues: closes #...

Showcase (Optional)

If there is a UI change include the screenshots with before and after state.
If new feature is being introduced, include the link to demo recording.

Checklist

  • Code in this PR is covered by automated tests (Unit tests, E2E tests)
  • My changes generate no new warnings
  • I have reviewed my own code
  • I have filled out all required sections
  • I have tested my changes on the preview link
  • Approver of this PR confirms that the changes are tested on the preview link

Summary by Sourcery

Address security alerts by overriding vulnerable transitive dependencies and updating related tooling dependencies.

Build:

  • Add pnpm overrides to enforce secure versions of node-forge, picomatch, path-to-regexp, and fast-xml-parser in the root package configuration.

Chores:

  • Update the siwx package happy-dom devDependency to a newer version and refresh the pnpm lockfile to align with dependency changes.

…ies (#965)

Add pnpm overrides for node-forge, picomatch, path-to-regexp, and
fast-xml-parser. Bump happy-dom devDependency in siwx package.

Co-authored-by: Sven <fr.sven.fr@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
vercel bot commented Apr 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| appkit | Ready | Preview, Comment | Apr 9, 2026 0:18am |
| appkit-builder-12k5 | Error | | Apr 9, 2026 0:18am |
| appkit-builder-gw75 | Error | | Apr 9, 2026 0:18am |
| appkit-builder-mgkr | Ready | Preview, Comment | Apr 9, 2026 0:18am |
| appkit-dapp | Error | | Apr 9, 2026 0:18am |
| appkit-demo | Error | | Apr 9, 2026 0:18am |
| appkit-demo-df32 | Ready | Preview, Comment | Apr 9, 2026 0:18am |
| appkit-walletkit | Ready | Preview, Comment | Apr 9, 2026 0:18am |
| web3-game | Ready | Preview, Comment | Apr 9, 2026 0:18am |
| web3game | Error | | Apr 9, 2026 0:18am |

sourcery-ai bot commented Apr 9, 2026

Reviewer's Guide

This PR addresses high-severity Dependabot alerts by adding pnpm overrides for vulnerable transitive dependencies and bumping a dev-only DOM emulation library in the siwx package, with corresponding lockfile updates.

File-Level Changes

package.json: Add pnpm overrides to force secure versions of vulnerable transitive dependencies.
  • Extend the pnpm.overrides section in the root package.json to pin node-forge, picomatch, path-to-regexp, and fast-xml-parser to versions that satisfy Dependabot security requirements.
  • Keep existing overrides and patchedDependencies structure intact while only appending the new entries.

packages/siwx/package.json: Update siwx test tooling to use a newer happy-dom version.
  • Bump the happy-dom devDependency version in the siwx package to 20.8.9 to resolve security alerts transitively and stay compatible with current tooling.
  • Ensure that only devDependencies are affected and no runtime dependencies are modified in this package.

pnpm-lock.yaml: Refresh pnpm lockfile to reflect new overrides and devDependency version.
  • Regenerate pnpm-lock.yaml so that the resolved versions of node-forge, picomatch, path-to-regexp, fast-xml-parser, and happy-dom match the new constraints.
  • Align lockfile metadata with the updated dependency graph without introducing additional dependency changes beyond those implied by overrides and the version bump.


snyk-io bot commented Apr 9, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|---|
| Passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

@github-project-automation github-project-automation bot moved this to Backlog in Hardhat Apr 9, 2026
@Dargon789 Dargon789 added bug Something isn't working documentation Improvements or additions to documentation duplicate This issue or pull request already exists enhancement New feature or request help wanted Extra attention is needed good first issue Good for newcomers invalid This doesn't seem right question Further information is requested wontfix This will not be worked on dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 9, 2026
@Dargon789 Dargon789 self-assigned this Apr 9, 2026
sourcery-ai bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • The pnpm overrides entries are using open-ended >= ranges, which can reduce build determinism; consider pinning to specific versions that resolve the alerts so dependency trees remain reproducible.
  • It may be helpful to add a brief inline comment near the new overrides explaining which dependabot alerts they address and any context for future removal or adjustment.
Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="package.json" line_range="117-120" />
<code_context>
       "has-ansi": "<=5.0.1",
-      "oxc-parser": "0.56.5"
+      "oxc-parser": "0.56.5",
+      "node-forge": ">=1.4.0",
+      "picomatch": ">=4.0.4",
+      "path-to-regexp": ">=8.4.0",
+      "fast-xml-parser": ">=5.5.6"
     },
     "patchedDependencies": {
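Review bot: the four new entries are unscoped and have no upper bound, so pnpm will apply `"node-forge": ">=1.4.0"` (and the other three) to every dependent of that package in the tree, including dependents that declared an older major, and will accept any future release, breaking majors and future vulnerable versions alike. That is a different posture from the neighbouring `"has-ansi": "<=5.0.1"` and `"oxc-parser": "0.56.5"`, which keep resolution inside a known range. Pin the release that closes each alert, or use a bounded range such as `>=1.4.0 <2`, and if only one dependent pulls in the vulnerable copy, scope the override with pnpm's `parent>child` key (for example `"somepkg>path-to-regexp": "8.4.0"`) so that other consumers are not forced onto a new major. Before merging, confirm in `pnpm-lock.yaml` that each of the four resolved to a release that actually exists; the gemini-code-assist review on this PR reports that the requested version numbers do not exist and would fail installation.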
</code_context>
<issue_to_address>
**🚨 issue (security):** Using open-ended `>=` ranges in overrides may reintroduce future vulnerabilities.

The existing overrides here all use upper-bounded ranges (for example `<=2.13.1`) to keep dependency resolution within a known-safe window. These new entries use unbounded `>=` constraints, so future vulnerable releases of `node-forge`, `picomatch`, `path-to-regexp`, or `fast-xml-parser` could be pulled in. Please switch to pinned or upper-bounded ranges (for example `^1.4.0` with monitoring, or `>=1.4.0 <2` / `<=x.y.z` once a safe range is known) to match the security posture of the surrounding overrides.
</issue_to_address>

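The floor-only `>=` ranges flagged in the comment above, and the override mechanism the reviewer's guide describes, are the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not code from this PR or from the repository it targets. It lints a `pnpm.overrides` block for ranges that have no upper bound and checks that the versions resolved in a lockfile satisfy each override. The `SAMPLE_PACKAGE_JSON` values copy the override strings from the hunk; the `SAMPLE_LOCK_PACKAGES` keys, including the deliberately stale `node-forge@1.3.1`, are constructed for the example and are not taken from the PR's lockfile. Only exact versions, `^`, `~` and whitespace-separated comparator sets are parsed; `||` unions are rejected.

```javascript
// Added example, not code from this PR or from the AppKit repository.
// Audits the `pnpm.overrides` block of a package.json: classifies each range
// as pinned, upper-bounded or open-ended, and checks that the versions
// resolved in pnpm-lock.yaml satisfy the override. Node >= 18, no dependencies.

// Constructed excerpt: override values mirror the PR hunk and its context.
const SAMPLE_PACKAGE_JSON = {
  pnpm: {
    overrides: {
      "has-ansi": "<=5.0.1",
      "oxc-parser": "0.56.5",
      "node-forge": ">=1.4.0",
      "picomatch": ">=4.0.4",
      "path-to-regexp": ">=8.4.0",
      "fast-xml-parser": ">=5.5.6",
    },
  },
};

// Constructed stand-in for the keys under `packages:` in a pnpm v9 lockfile.
// The node-forge entry is deliberately stale so the check has something to flag.
const SAMPLE_LOCK_PACKAGES = [
  "has-ansi@5.0.1",
  "oxc-parser@0.56.5",
  "node-forge@1.3.1",
  "picomatch@4.0.4",
  "path-to-regexp@8.4.0",
  "fast-xml-parser@5.5.6",
];

// "1.4.0" -> [1, 4, 0]; partial versions such as "2" become [2, 0, 0].
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Expand one range token into [operator, version] comparators.
function toComparators(token) {
  let m = /^([\^~])(\d+)\.(\d+)\.(\d+)$/.exec(token);
  if (m) {
    const [maj, min, pat] = m.slice(2).map(Number);
    let upper;
    if (m[1] === "~") upper = [maj, min + 1, 0];   // ~1.4.0 -> <1.5.0
    else if (maj > 0) upper = [maj + 1, 0, 0];     // ^1.4.0 -> <2.0.0
    else if (min > 0) upper = [0, min + 1, 0];     // ^0.4.0 -> <0.5.0
    else upper = [0, 0, pat + 1];                  // ^0.0.4 -> <0.0.5
    return [[">=", [maj, min, pat]], ["<", upper]];
  }
  m = /^(>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})$/.exec(token);
  if (m) return [[m[1] ?? "=", parseVersion(m[2])]];
  throw new Error(`unsupported range token: ${token}`);
}

function parseRange(range) {
  if (range.includes("||")) throw new Error(`union ranges not supported: ${range}`);
  return range.trim().split(/\s+/).flatMap(toComparators);
}

const OPS = {
  ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0, "<": (c) => c < 0, "=": (c) => c === 0,
};

function satisfies(version, comparators) {
  return comparators.every(([op, v]) => OPS[op](compareVersions(version, v)));
}

// pinned: exact version; bounded: has an upper limit; open-ended: floor only.
function classifyRange(range, comparators) {
  if (/^\d+\.\d+\.\d+$/.test(range.trim())) return "pinned";
  if (comparators.some(([op]) => op === "<" || op === "<=" || op === "=")) return "bounded";
  return "open-ended";
}

// One finding per override: its kind, the versions the lockfile resolved for
// that package, and any resolved version that falls outside the override.
function auditOverrides(pkg, lockKeys) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  return Object.entries(overrides).map(([name, range]) => {
    const comparators = parseRange(range);
    const resolved = lockKeys
      .filter((k) => k.startsWith(name + "@"))
      .map((k) => k.slice(name.length + 1).replace(/\(.*$/, "")); // drop peer suffix
    const violations = resolved.filter((v) => !satisfies(parseVersion(v), comparators));
    return { name, range, kind: classifyRange(range, comparators), resolved, violations };
  });
}

for (const f of auditOverrides(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_PACKAGES)) {
  const flag = f.kind === "open-ended" ? "WARN" : "ok  ";
  const bad = f.violations.length ? `  lockfile violates override: ${f.violations.join(", ")}` : "";
  console.log(`${flag} ${f.name.padEnd(16)} ${f.range.padEnd(10)} ${f.kind}${bad}`);
}
```

To run it against a real checkout, replace the two constants with `JSON.parse(fs.readFileSync("package.json", "utf8"))` and the keys under `packages:` in `pnpm-lock.yaml`. An `open-ended` finding is exactly the case the Sourcery comment describes; a non-empty `violations` list means `pnpm install` was not rerun after the override was edited, since pnpm applies overrides at resolution time and the lockfile would otherwise agree with them.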

gemini-code-assist bot left a comment

Code Review

This pull request adds several dependency constraints to the root package.json and updates happy-dom in the siwx package. Feedback was provided regarding the use of non-existent version numbers for node-forge, picomatch, path-to-regexp, fast-xml-parser, and happy-dom, which would cause installation failures.

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

Dargon789 (Owner, Author) left a comment

@Dargon789 Dargon789 merged commit 89c8fa0 into main-auth Apr 9, 2026
41 of 153 checks passed
@github-project-automation github-project-automation bot moved this from Todo to Done in web3-Defi-Gamefi Apr 9, 2026
@github-project-automation github-project-automation bot moved this from Backlog to Done in Hardhat Apr 9, 2026
Dargon789 (Owner, Author) commented:

@Mergifyio refresh

1 similar comment

Dargon789 (Owner, Author) commented:

@Mergifyio refresh

mergify bot commented Apr 9, 2026

refresh

☑️ Command refresh ignored because it is already running from a previous command.

mergify bot commented Apr 9, 2026

refresh

✅ Pull request refreshed


Development

Successfully merging this pull request may close these issues:
  • [Snyk] Security upgrade @opennextjs/cloudflare from 1.5.3 to 1.16.4 #878 (bug)