chore(deps): update lockfile and constrain simple-git version

[zalewskigrzegorz]

What/Why/How?

What: Fix CVE-2026-28292 in simple-git (RCE via case-insensitive protocol.allow bypass).

Why: simple-git 3.20.0 (transitive via @redocly/realm) had a critical vulnerability (CVSS 9.8) where blockUnsafeOperationsPlugin could be bypassed with case variants like PROTOCOL.ALLOW=always, allowing arbitrary command execution via the ext:: protocol.

How: Added an npm override to force simple-git to >=3.32.3, which includes the fix. After npm install, the resolved version is 3.33.0.

Reference

• CVE-2026-28292
• simple-git issue #61

Testing

• Ran npm install and confirmed simple-git resolves to 3.33.0 in package-lock.json
• Ran npm audit and confirmed the simple-git vulnerability is no longer reported

Screenshots (optional)

N/A

Check yourself

• Code is linted
• Tested
• All new/updated code is covered with tests

Security

• Security impact of change has been considered
• Code follows company security practices and guidelines

[DmitryAnansky]

@zalewskigrzegorz can it be fixed with bumping @redocly/realm ?
Without adding overrides.

[zalewskigrzegorz]

Yeh, should be possible
https://github.com/Redocly/redocly/pull/21556
But IDK if this is already deployed I will check this locally

[zalewskigrzegorz]

Current version still had
'simple-git': '3.20.0',

Fix is in 3.32.3 We will need to wait for next release

[DmitryAnansky]

Overrides like this one is not practical.
Imagine

• someone review package.json file in a month
• then check the usage
• find that this package not used
• and we are back where started

IMHO its better to fix this in the @redocly/realm package.

[zalewskigrzegorz]

Yes, I agree. I'll update this PR as soon as the new package is released.

[zalewskigrzegorz]

Hey @DmitryAnansky – PR updated! We now have a new version that doesn't have this vulnerability.

[DmitryAnansky]

@zalewskigrzegorz
What version of npm are you using?

[zalewskigrzegorz]

10.9.3