
Fix high-severity npm dependency vulnerabilities in web package#2138

Draft
Copilot wants to merge 2 commits into main from copilot/fix-npm-dependency-vulnerabilities

Conversation


Copilot AI commented Mar 14, 2026

Resolves 11 of 15 npm vulnerabilities in web/, eliminating all high and moderate severity issues. Remaining 4 are low severity and require a Jest 29→30 major upgrade to fix.

Fixed via npm audit fix

  • axios (high) — DoS via __proto__ key in mergeConfig
  • flatted (high) — unbounded recursion DoS in parse()
  • minimatch (high) — multiple ReDoS patterns
  • rollup (high) — arbitrary file write via path traversal
  • svgo (high) — billion laughs DoS via DOCTYPE entity expansion
  • ajv (moderate) — ReDoS with $data option
  • lodash (moderate) — prototype pollution in _.unset/_.omit
  • diff, @eslint/plugin-kit (low) — DoS/ReDoS fixes

Fixed via overrides in package.json

dompurify (moderate XSS, GHSA-v2wj-7wpq-c8vv) bundled inside monaco-editor >=0.54 couldn't be fixed by a simple audit fix (suggested downgrade to monaco 0.53). Used a nested override instead:

"overrides": {
  "monaco-editor": {
    "dompurify": ">=3.3.2"
  }
}

Not Fixed — Breaking Change Required

@tootallnate/once (4× low) in jest-environment-jsdom's dependency chain. The fix path is jest-environment-jsdom@30 which requires Jest 30. Deferred.

Original prompt

This section details the original issue you should resolve

<issue_title>Fix high-severity npm dependency vulnerabilities</issue_title>
<issue_description>Problem
The project has multiple high-severity npm vulnerabilities that need to be resolved.

What to do

  1. Run npm audit in web/ directory
  2. Fix all high and critical severity vulnerabilities
  3. Use npm audit fix where possible
  4. For vulnerabilities that require major version bumps, evaluate if the upgrade is safe and update accordingly
  5. Run npm run build and npm run test to verify nothing breaks
  6. If a vulnerability cannot be fixed without a breaking change, document it with a comment in package.json

Important

  • Do NOT use npm audit fix --force blindly — it can break things
  • Test the build after each major dependency update
  • Focus on high and critical severity issues first</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: georgi <19498+georgi@users.noreply.github.com>
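To confirm that a nested override like the monaco-editor/dompurify one in the description above actually took effect, here is an added example (not code from the PR or the nodetool project) that inspects a lockfileVersion 3 package-lock.json. The lockfile is constructed inline; the package names come from the page, and the only version taken from the PR is the 3.3.2 floor.

```javascript
// Added example, not from the PR: confirm a nested package.json override
// took effect by reading package-lock.json (lockfileVersion 3), where every
// installed copy is listed under "packages" keyed by its node_modules path.
// Constructed lockfile; only the 3.3.2 floor comes from the PR.
const constructedLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "web", version: "0.0.0" },
    "node_modules/monaco-editor": { version: "0.54.0" },
    "node_modules/monaco-editor/node_modules/dompurify": { version: "3.3.2" },
    "node_modules/dompurify": { version: "3.1.0" },
  },
};

// Compare dotted numeric versions; a prerelease suffix is ignored here.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `pkg`: lockfile path, version, and the package it
// is nested under (null for the top-level copy).
function findInstalledCopies(lock, pkg) {
  const suffix = "node_modules/" + pkg;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith("/" + suffix))
    .map(([p, entry]) => {
      const parentPath = p === suffix ? "" : p.slice(0, -(suffix.length + 1));
      const parent = parentPath ? parentPath.split("node_modules/").pop() : null;
      return { path: p, version: entry.version, parent };
    });
}

// Copies of `pkg` under `parentPkg` (null = top level) still below the floor.
// An empty result means the override held for that parent; a nested override
// says nothing about copies elsewhere in the tree, so check those too.
function violatingCopies(lock, parentPkg, pkg, minVersion) {
  return findInstalledCopies(lock, pkg).filter(
    (c) => c.parent === parentPkg && compareVersions(c.version, minVersion) < 0
  );
}
```

In the constructed tree the override holds for monaco-editor's copy, while the separate top-level dompurify is untouched by it, which is why both checks are worth running after `npm install`.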

cloudflare-workers-and-pages bot commented Mar 14, 2026

Deploying nodetool-staging with Cloudflare Pages

Latest commit: fabcedb
Status: 🚫 Build failed.


Copilot AI changed the title [WIP] Fix high-severity npm dependency vulnerabilities Fix high-severity npm dependency vulnerabilities in web package Mar 14, 2026
Copilot AI requested a review from georgi March 14, 2026 21:28

Deploying nodetool with Cloudflare Pages

Latest commit: fabcedb
Status: 🚫 Build failed.




Development

Successfully merging this pull request may close these issues.

Fix high-severity npm dependency vulnerabilities