fix(deps): clear pnpm audit critical+high — protobufjs ACE override, next 16.2.9, transitive bumps#266

Open
paperclip-resolver[bot] wants to merge 1 commit into main from fix/deps-security-protobufjs-next

Conversation

@paperclip-resolver

Contributor

Summary

Clears the 1 critical + 22 high findings from pnpm audit --prod (Sentinel dependency-audit sweep, crew task #359). Audit now reports 0 critical / 0 high (15 moderate remain — explicitly out of scope for this task).

Changes

| Package | Before | After | Why |
|---|---|---|---|
| protobufjs (transitive: posthog-js → @opentelemetry) | 7.5.4 | 7.6.3 via pnpm override ^7.5.8 | CRITICAL arbitrary code execution GHSA-xq3m-2v4x-88gg (<7.5.5) + 4 HIGH (GHSA-75px-5xx7-5xc7, GHSA-66ff-xgx4-vchm, GHSA-685m-2w69-288q, GHSA-jvwf-75h9-cwgg) + GHSA-jggg-4jg4-v7c6 (≤7.5.7). Override stays on major 7 — no breaking change for opentelemetry. |
| next | 16.1.6 | 16.2.9 (^16.2.9) | 8 HIGH: DoS via Server Components ×2, Cache-Components connection exhaustion, middleware/proxy bypass ×4, SSRF via WebSocket upgrades + 2 low cache-poisoning advisories |
| minimatch (transitive) | 10.2.2 | 10.2.5 | 2 HIGH ReDoS (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74) — in-range pnpm update |
| picomatch (transitive) | 2.3.1 / 4.0.3 | 2.3.2 / 4.0.4 | HIGH ReDoS GHSA-c2c7-rcm5-vvqj — in-range pnpm update |
| lodash-es (transitive) | 4.17.23 | 4.18.1 via override ^4.17.24 | HIGH `_.template` code injection GHSA-r5fr-rjxr-66jc — exact-pinned by chevrotain (under nextra → mermaid), unreachable by pnpm update |
| @xmldom/xmldom (transitive) | 0.9.8 | 0.9.10 via override ^0.9.10 | 5 HIGH (XML injection ×4 + uncontrolled-recursion DoS) — exact-pinned by speech-rule-engine (under nextra → mathjax) |

Overrides live in pnpm-workspace.yaml (pnpm 11 ignores package.json#pnpm.overrides when a workspace file exists — verified: the package.json form did NOT take effect, the workspace form did).

Verification

  • pnpm audit --prod → 0 critical / 0 high (15 moderate, out of scope; mermaid/DOMPurify/yaml etc. under nextra)
  • pnpm typecheck → clean
  • pnpm build → full pipeline green (stamp-openapi → sitemap → next build on 16.2.9 → locale/anchor fixups → pagefind: 224 pages, 4 locales indexed) — Nextra 4.6.1 is compatible with Next 16.2.9
  • pnpm peers check → same single pre-existing twoslash/typescript warning as on main (not introduced here)
  • Lockfile holds ONLY patched versions (grep-verified: no protobufjs@7.5.4, lodash-es@4.17.23, @xmldom/xmldom@0.9.8 entries remain)
  • Build-stamped artifacts (public/openapi*.json, sitemap.xml) reverted — diff is exactly the 3 dependency files

Type: deps

🤖 Generated with Claude Code
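Added example (not code from the PR or the project): a lockfile check that extends the grep-based "only patched versions remain" verification above by comparing every resolved version against the patched thresholds from the table, so a lower vulnerable version reachable through a second dependency path is caught too. It assumes the pnpm lockfile v9 layout and runs against a constructed lockfile excerpt.

```javascript
// Added example (not from the PR or the project): version-aware check that a
// pnpm-lock.yaml resolves each listed package at or above its patched version.
// Assumes pnpm v9 layout: `packages:` keys like `  name@1.2.3:` or `  '@scope/name@1.2.3':`.
const MIN_FIXED = {                       // patched versions from the PR table, per major line
  'protobufjs': ['7.5.8'],
  'lodash-es': ['4.17.24'],
  '@xmldom/xmldom': ['0.9.10'],
  'picomatch': ['2.3.2', '4.0.4'],
};

// Constructed sample lockfile excerpt (not the project's real lockfile).
const SAMPLE_LOCK = [
  "lockfileVersion: '9.0'", '', 'packages:', '',
  "  '@xmldom/xmldom@0.9.10':", '    resolution: {integrity: sha512-constructed}',
  '  lodash-es@4.17.23:', '    resolution: {integrity: sha512-constructed}',
  '  picomatch@2.3.2:', '    resolution: {integrity: sha512-constructed}',
  '  protobufjs@7.5.4:', '    resolution: {integrity: sha512-constructed}',
  '  protobufjs@7.6.3:', '    resolution: {integrity: sha512-constructed}',
  '', 'snapshots:', '', '  protobufjs@7.5.4: {}',
].join('\n');

// "1.2.3-beta" -> [1, 2, 3]; prerelease/build tags are ignored (assumption).
const parseVersion = (v) => v.split(/[-+]/)[0].split('.').map(Number);
const compare = (a, b) => [0, 1, 2].reduce((d, i) => d || (a[i] || 0) - (b[i] || 0), 0);

// [name, version] pairs from the `packages:` section only (snapshots are skipped).
function lockedPackages(lockText) {
  const found = []; let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) inPackages = false;        // any other top-level key
    const m = inPackages && line.match(/^  '?((?:@[^/]+\/)?[^@'\s]+)@([^'(:\s]+)/);
    if (m) found.push([m[1], m[2]]);
  }
  return found;
}

// Vulnerable if below every fixed version, or below the fix on its own major
// line; majors with no listed fix pass (assumption).
function isVulnerable(version, fixedList) {
  const v = parseVersion(version), fixed = fixedList.map(parseVersion);
  return fixed.every((f) => compare(v, f) < 0) ||
    fixed.some((f) => f[0] === v[0] && compare(v, f) < 0);
}
// Returns "name@version" for every locked package still below its threshold.
function findVulnerable(lockText, minFixed = MIN_FIXED) {
  return lockedPackages(lockText)
    .filter(([n, ver]) => minFixed[n] && isVulnerable(ver, minFixed[n]))
    .map(([n, ver]) => `${n}@${ver}`);
}
console.log(findVulnerable(SAMPLE_LOCK)); // → [ 'lodash-es@4.17.23', 'protobufjs@7.5.4' ]
```

Pass the contents of a real pnpm-lock.yaml to findVulnerable to gate CI on the same thresholds; a non-empty result means an unpatched version is still resolved somewhere in the graph.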

…next 16.2.9, transitive ReDoS/XML-injection bumps