fix(deps): patch security vulnerabilities (CIP-2732, CIP-2734, CIP-2736)

[tobyhede]

Summary

• next: 15.5.9 → 15.5.10 (GHSA-h25m-26qc-wcjf) — catalog:security version bump
• @isaacs/brace-expansion: 5.0.0 → >=5.0.1 (CVE-2026-25547) — pnpm override (transitive via minimatch → glob)
• fast-xml-parser: 5.2.5 → >=5.3.4 (CVE-2026-25128) — pnpm override (transitive via @aws-sdk/xml-builder)

Addresses Vanta HIGH vulnerabilities with SLAs Feb 28 – Mar 14.

Supersedes Dependabot PR #269 (major version bump to next 16.x not needed — patch to 15.5.10 is sufficient).

Linear Issues

• CIP-2732 (next)
• CIP-2734 (@isaacs/brace-expansion)
• CIP-2736 (fast-xml-parser)

Test plan

• pnpm install completes without errors
• pnpm build succeeds across all 5 workspace packages
• Lockfile confirms: next 15.5.10, @isaacs/brace-expansion 5.0.1, fast-xml-parser 5.3.6
• CI passes

Summary by CodeRabbit

• Chores
  • Updated project dependencies and package versions to enhance security and stability across the development environment.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8639813

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

---

📝 Walkthrough

Walkthrough

Configuration updates to dependency management: two new pnpm package overrides added to package.json (brace-expansion and fast-xml-parser), and Next.js version bumped from 15.5.9 to 15.5.10 in the pnpm-workspace.yaml security catalog.

Changes

Cohort / File(s)	Summary
Dependency Overrides package.json	Added two pnpm overrides: @isaacs/brace-expansion (>=5.0.1) and fast-xml-parser (>=5.3.4).
Workspace Catalog pnpm-workspace.yaml	Updated Next.js version in security catalog from 15.5.9 to 15.5.10.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A hop, skip, and version bump so neat,
Dependencies dance to a package beat,
Brace-expansion and fast-xml play,
While Next steps forward in its own way! 📦✨

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly summarizes the main change—patching three security vulnerabilities with specific issue references (CIP-2732, CIP-2734, CIP-2736), which directly matches the changeset content.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/cip-2732-2734-2736-security-patches

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}