security: pin Actions to SHAs and upgrade vulnerable transitive deps

[shrijayan]

Summary

• GitHub Actions pinning — all Actions pinned to immutable commit SHAs, preventing supply-chain attacks via mutable version tags. Fixes code-scanning alerts chore(deps-dev): bump typescript from 5.9.3 to 6.0.2 #81–fix: prevent release workflow infinite loop #84.
• pnpm overrides — force-upgrade three vulnerable transitive devDependencies:
  • handlebars >= 4.7.9 — JS injection via AST type confusion (critical fix: add documentation links to the landing page and improve hub management logic #24, high Feat/notification #20–Feat/dashboard #22, medium fix: update version badge to reflect latest release and enhance terminal animation output #18, Fix/bugs #25)
  • js-yaml >= 4.2.0 — Quadratic-complexity DoS via merge key aliases (chore(deps-dev): bump vite from 8.0.0 to 8.0.1 #55)
  • undici >= 7.28.0 — TLS certificate bypass, HTTP header injection, cache poisoning, SOCKS5 proxy reuse (Please give me idea for New Features. #43–chore(deps): bump pnpm/action-setup from 4 to 5 #53)

All 135 tests pass with no regressions.

What cannot be fixed (noted separately)

Alert	Package	Reason
#27, #28, #29, #30	lodash / lodash-es	No 4.18.0 patch exists upstream
#38	esbuild	Requires vite to bump its esbuild dep; dev-server only, low severity
#34, #56, #57	vite 6.x	Stale — we use vite 8.1.0 which is patched
#1	esbuild < 0.25.0	Already at 0.27.4 (stale alert)

Test plan

• All 135 unit tests pass (pnpm -r test)
• pnpm why handlebars/js-yaml/undici confirms patched versions are resolved

🤖 Generated with Claude Code