fix(security): bump pnpm override floor for undici + markdown-it (TIM-29)#155

Merged
timoa merged 1 commit into
mainfrom
agent/devsecops/8cfd6c64
Jun 23, 2026

Conversation

@timoa timoa commented Jun 23, 2026

Summary

Closes the 9 advisories surfaced by the TIM-27 dependency audit by raising the pnpm-workspace undici and markdown-it override floors above the vulnerable version range.

The previous floors sat inside the vulnerable window:

undici:      '>=7.24.0'   # resolved to 8.0.2 (vulnerable, 8.0.0 < 8.5.0)
markdown-it: '>=14.1.1'   # resolved to 14.1.1 (<=14.1.1)

This PR raises them to:

undici:      '>=8.5.0'    # resolves to 8.5.0 (patched)
markdown-it: '>=14.2.0'   # resolves to 14.2.0 (patched)

pnpm install --lockfile-only then re-resolves the affected transitives without touching any direct dependency versions in package.json.

Resolves

| Sev | Count | Package | Vulnerability | Path |
|---|---|---|---|---|
| High | 4 | undici 8.0.2 → 8.5.0 | TLS / WebSocket / SOCKS5 advisories | @vscode/vsce > cheerio > undici |
| Moderate | 3 | undici 8.0.2 → 8.5.0 | cache / cookie / cross-origin advisories | same path |
| Low | 2 | undici 8.0.2 → 8.5.0 | minor | same path |
| Moderate | 1 | markdown-it 14.1.1 → 14.2.0 | CVE-2026-48988 (smartquotes DoS) | @vscode/vsce > markdown-it |

Full audit: see TIM-27.

Verification

  • pnpm audit --audit-level=high: 0 findings (matches the existing CI gate in .github/workflows/pull-request.yml and release.yml)
  • pnpm audit --audit-level=moderate: 0 findings
  • pnpm audit --audit-level=low: 0 findings
  • [[IgnoredVulns]] in osv-scanner.toml unchanged (GHSA-2g4f-4pwh-qvx6 on ajv, GHSA-3ppc-4f35-3m26 on minimatch)
  • No new pnpm outdated drift — this is a lockfile-only install
  • Lockfile diff: 70 lines (+33 / -33), confined to undici, markdown-it, the transitive linkify-it 5.0.0 → 5.0.1 bump, and dedup of the now-unused supports-color@8.1.1 peer entries

Out of scope (tracked separately)

  • @vscode/vsce 3.7.1 → 3.9.2 bump — skipped from this PR. The override-floor fix already closes all 9 advisories; bundling a non-security vsce bump would muddy the audit trail and add unrelated churn. Trivial to land in a follow-up.
  • CI --audit-level=moderate (TIM-27 Actionable chore(deps): update actions/cache action to v5 #4) — separate PR for independent rollback.
  • osv-scanner CI wiring (TIM-27 Actionable chore(deps): update actions/checkout action to v6 #5) — separate PR.
  • Major-bump cycle (@types/vscode 1.80 → 1.125, @types/node 24 → 26, vite 7 → 8, typescript 5 → 6, webpack-cli 6 → 7, @vitejs/plugin-react 5 → 6, @vscode/test-electron 2 → 3) — TIM-27 Actionable chore(deps): update node.js to v24.13.1 #3, separate cycle.

Risk

Build-time only — @vscode/vsce is loaded exclusively by pnpm run package / pnpm run publish and does not ship in the published .vsix. The vulnerable code never reaches the extension host or webview. Patched undici/markdown-it versions are drop-in from the override scope; the only behavioural change is the markdown-it smartquotes performance fix (the typographer: true quadratic-time issue).

Refs: TIM-29, TIM-27.

Summary by CodeRabbit

  • Chores
    • Updated workspace dependency version constraints for markdown-it and undici.

Resolve all 9 advisories from TIM-27 dependency audit. The existing
overrides' lower bounds sat inside the vulnerable window, so the
lockfile resolved to undici 8.0.2 (vulnerable, 8.0.0 < 8.5.0) and
markdown-it 14.1.1 (<=14.1.1). Bumping the floors forces the lockfile
to pull in patched releases without requiring version-bumps in
@vscode/vsce or other dependents.

Overrides changed:
  undici:      '>=7.24.0'  ->  '>=8.5.0'
  markdown-it: '>=14.1.1'  ->  '>=14.2.0'

Result: pnpm audit --audit-level=high exits 0 (matches the existing
CI gate on pull-request.yml and release.yml). pnpm audit at moderate
and low levels also clean. Existing [[IgnoredVulns]] entries in
osv-scanner.toml are unchanged. No new pnpm outdated drift.

Refs: TIM-29 (this PR), TIM-27 (audit report).
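An added check that illustrates the override-floor mechanics described in the PR (this is example code, not code from the workflow-editor repository). It parses the override floors and advisory ranges quoted above, reports which floors still admit a vulnerable version, and models the lockfile-only re-resolution. The resolver model (keep the locked version while it satisfies the override, otherwise take the highest published version that does) and the lists of published versions are assumptions for illustration; real pnpm has more rules.

```python
"""Check whether pnpm override floors actually clear an advisory's vulnerable range.

Added illustration, not code from the workflow-editor repo. Version ranges use
a minimal "op X.Y.Z" grammar (space-separated clauses are ANDed), which covers
the overrides on this page; pre-release tags and '^'/'~' are out of scope.
"""
from __future__ import annotations

import operator
import re
from dataclasses import dataclass

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}
_CLAUSE = re.compile(r"(>=|<=|>|<|=)?v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    m = _CLAUSE.match(text.strip())
    if not m or m.group(1):
        raise ValueError(f"not a bare version: {text!r}")
    return int(m.group(2)), int(m.group(3)), int(m.group(4))


def parse_range(spec: str) -> list[tuple[str, tuple[int, int, int]]]:
    """'>=8.0.0 <8.5.0' -> [('>=', (8,0,0)), ('<', (8,5,0))]."""
    clauses = []
    for tok in spec.split():
        m = _CLAUSE.match(tok)
        if not m:
            raise ValueError(f"unsupported range clause: {tok!r}")
        clauses.append((m.group(1) or "=", (int(m.group(2)), int(m.group(3)), int(m.group(4)))))
    if not clauses:
        raise ValueError("empty range")
    return clauses


def satisfies(version: str, spec: str) -> bool:
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_range(spec))


@dataclass(frozen=True)
class Advisory:
    package: str
    vulnerable: str  # range of affected versions
    patched: str     # first version that contains the fix


def floor_of(override: str) -> tuple[int, int, int]:
    """Lowest version a '>=X.Y.Z' override admits."""
    clauses = parse_range(override)
    if len(clauses) != 1 or clauses[0][0] != ">=":
        raise ValueError(f"only single '>=' floors are modelled: {override!r}")
    return clauses[0][1]


def override_closes(override: str, adv: Advisory) -> bool:
    """A '>=' floor closes an advisory only if it sits at or above the patched
    version. A floor below the window (undici '>=7.24.0') is not vulnerable
    itself, yet still admits every vulnerable version above it."""
    return floor_of(override) >= parse_version(adv.patched)


def resolve(locked: str, available: list[str], spec: str) -> str:
    """Simplified model of `pnpm install --lockfile-only` (assumption): keep the
    locked version while it satisfies the override, otherwise take the highest
    published version that does."""
    if satisfies(locked, spec):
        return locked
    ok = [v for v in available if satisfies(v, spec)]
    if not ok:
        raise LookupError(f"no published version satisfies {spec!r}")
    return max(ok, key=parse_version)


def audit_overrides(overrides: dict[str, str], advisories: list[Advisory]) -> dict[str, str]:
    """{package: vulnerable range} for every override floor that fails to close its advisory."""
    return {a.package: a.vulnerable for a in advisories
            if a.package in overrides and not override_closes(overrides[a.package], a)}


# Ranges and floors are the values quoted in the PR description; the PUBLISHED
# lists are constructed sample registry contents, not real registry data.
ADVISORIES = [
    Advisory("undici", ">=8.0.0 <8.5.0", "8.5.0"),
    Advisory("markdown-it", "<=14.1.1", "14.2.0"),
]
BEFORE = {"undici": ">=7.24.0", "markdown-it": ">=14.1.1"}
AFTER = {"undici": ">=8.5.0", "markdown-it": ">=14.2.0"}
PUBLISHED = {"undici": ["7.24.0", "8.0.2", "8.5.0"], "markdown-it": ["14.1.1", "14.2.0"]}
LOCKED = {"undici": "8.0.2", "markdown-it": "14.1.1"}

if __name__ == "__main__":
    for label, overrides in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: still open -> {audit_overrides(overrides, ADVISORIES) or 'none'}")
        for pkg, spec in overrides.items():
            print(f"  {pkg}: {spec} resolves to {resolve(LOCKED[pkg], PUBLISHED[pkg], spec)}")
```

Running the script with the "before" floors reports both advisories as still open even though the undici floor 7.24.0 is not itself inside the 8.0.0 to 8.5.0 window, which is the point a floor-only check misses: the locked 8.0.2 satisfies `>=7.24.0`, so a lockfile-only install keeps it. Raising the floor to the patched version is what forces re-resolution.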
coderabbitai Bot commented Jun 23, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between c934c50 and e2c7ca9.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • pnpm-workspace.yaml

📝 Walkthrough

Two dependency override version constraints in pnpm-workspace.yaml are incremented: markdown-it minimum is raised from >=14.1.1 to >=14.2.0, and undici minimum is raised from >=7.24.0 to >=8.5.0.

Changes

Dependency Override Bumps

| Layer / File(s) | Summary |
|---|---|
| Raise markdown-it and undici override floors (pnpm-workspace.yaml) | markdown-it override bumped from >=14.1.1 to >=14.2.0; undici override bumped from >=7.24.0 to >=8.5.0. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • timoa/workflow-editor#111: Updates undici version constraints in pnpm overrides, directly related to the undici bump in this PR.
  • timoa/workflow-editor#144: Modifies pnpm-workspace.yaml overrides for markdown-it and undici, making this PR a direct follow-up to those constraints.

Suggested labels

released

🐇 A hop, a skip, a version bump,
markdown-it cleared a new jump!
And undici leapt to eight-point-five,
Keeping our dependencies alive.
~Bunny approves with a thump! 🌿

🚥 Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly describes the main change: bumping pnpm override floors for security-sensitive dependencies to resolve vulnerabilities. |
| Description check | ✅ Passed | The PR description is comprehensive and covers the key sections: summary, type of change (dependency update), verification steps, and out-of-scope items are clearly documented. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@github-actions

No React Doctor issues found. 🎉

Reviewed by React Doctor for commit e2c7ca9.

codecov Bot commented Jun 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.13%. Comparing base (c934c50) to head (e2c7ca9).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #155   +/-   ##
=======================================
  Coverage   94.13%   94.13%           
=======================================
  Files          10       10           
  Lines         290      290           
  Branches      105      105           
=======================================
  Hits          273      273           
  Misses          1        1           
  Partials       16       16           

☔ View full report in Codecov by Harness.
@timoa timoa merged commit 1a0e56a into main Jun 23, 2026
10 checks passed
@timoa timoa deleted the agent/devsecops/8cfd6c64 branch June 23, 2026 09:22
timoa-bot Bot commented Jun 23, 2026

🎉 This PR is included in version 1.2.47 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@timoa-bot timoa-bot Bot added the released label Jun 23, 2026