fix(FFESUPPORT-726): address Dependabot vulnerabilities

[aarsilv]

Summary

Closes FFESUPPORT-726.

Resolves all 43 open Dependabot alerts (14 high, 19 medium, 10 low) across the JS, Cargo, and Ruby lockfiles.

This repository is still in production use by downstream SDKs, so all bumps are transitive through lockfiles only — no changes to direct-dependency constraints in any Cargo.toml, package.json, pyproject.toml, or .gemspec. Downstream consumers see no public API change.

Changes

package-lock.json — npm audit fix clears all npm advisories (root devDependencies only):

• 12 × axios advisories (HIGH GHSA-q8qp-cvcw-x6jj, GHSA-pf86-5x62-jrwf, GHSA-6chq-wfr3-2hj9, GHSA-43fc-jf86-j433 + 7 MEDIUM + 1 LOW)
• 3 × lodash (HIGH GHSA-r5fr-rjxr-66jc, MEDIUM GHSA-f23m-r3pf-42rh, GHSA-xxjr-mmjv-4gpg)
• 3 × minimatch ReDoS (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74, GHSA-3ppc-4f35-3m26)
• 2 × picomatch (GHSA-c2c7-rcm5-vvqj, GHSA-3v7f-55p6-f55p)
• follow-redirects (GHSA-r4q5-vmmm-2653), qs (GHSA-w7fw-mjwx-w883), brace-expansion
• Workspace package versions for elixir-sdk (0.2.3 → 0.2.4) and eppo_core (9.3.0 → 10.0.0) also re-synced — the lockfile was already stale on main relative to those packages' package.json.

ruby-sdk/Cargo.lock and elixir-sdk/Cargo.lock — cargo update pulls patched transitive crate versions:

• HIGH rustls-webpki (GHSA-82j2-j2ch-gfr8) + MEDIUM (GHSA-pwjx-qhcg-rvj4) + 2 × LOW
• HIGH quinn-proto GHSA-6xvm-j4wr-6v98 (remote DoS via QUIC transport parameter parsing)
• MEDIUM time GHSA-r6v5-fh4h-64xc (stack exhaustion DoS)
• MEDIUM bytes GHSA-434x-w66g-qw3r (integer overflow in BytesMut::reserve)
• MEDIUM rkyv GHSA-vfvv-c25p-m7mm — elixir-sdk only (panic in InlineVec/SerVec ::clear)
• LOW rand GHSA-cq8v-f236-94qc

ruby-sdk/Gemfile.lock — bundle update json bumps json 2.18 → 2.19.5 (HIGH GHSA-3m6g-2423-7cp3 format string injection).

Verification (local)

• Root workspace: cargo build --workspace --all-features ✓, cargo test --workspace --all-features ✓
• cargo build --release in ruby-sdk/ and elixir-sdk/ ✓
• cargo test --release in ruby-sdk/ ✓
• Ruby bundle exec rake build && bundle exec rspec against mock-server: 503 / 503 pass ✓
• npm audit — 0 vulnerabilities

Out of scope

Did not bump any direct-dependency constraint in Cargo.toml/package.json/pyproject.toml. If reviewers want to e.g. bump the direct tokio or reqwest versions, that's a separate change.

Note

This PR was generated with Claude Code.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 74cfbc9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[aarsilv]

🤖 Context from Claude: This PR is intentionally lockfile-only — every advisory in this repo is on a transitive dep, so the patched versions can be pulled in via cargo update, npm audit fix, and bundle update json without touching any direct-dependency constraint in Cargo.toml, package.json, pyproject.toml, or .gemspec. That keeps the public API surface of eppo_core, eppo (Rust SDK), eppo-server-sdk (Ruby), eppo_py (Python), and the Elixir NIF identical to main — downstream consumers see no behavior change beyond patched transitives.

The one minor exception is the package-lock.json diff showing workspace package versions for elixir-sdk (0.2.3→0.2.4) and eppo_core (9.3.0→10.0.0). Those bumps aren't from this PR — the lockfile was already stale on main relative to the corresponding package.json files, and npm install (run as part of npm audit fix) just re-synced it. You can verify by diffing against main: those two package.json files are unchanged here.

If reviewers want any of the direct deps bumped too (e.g. tokio, reqwest), that's a separate follow-up — I deliberately kept this scoped to advisory cleanup since this repo is still in production.

[aarsilv]

🤖 Context from Claude: This is the only Ruby gem bump in the PR. The json 2.18 → 2.19.5 jump clears GHSA-3m6g-2423-7cp3 (format string injection), which is fixed in json >= 2.19.4. I verified the gem still builds (bundle exec rake build) and the rspec suite passes (503/503) against the local mock-server.

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[aarsilv]

Heads-up for human reviewers: Copilot replied with "Copilot wasn't able to review any files in this pull request" — this is its expected behavior for diffs that are essentially entirely lockfile changes (it doesn't review Cargo.lock, Gemfile.lock, or package-lock.json). There's no actionable feedback from Copilot here, and the verification I ran is captured in the PR description (full cargo test --workspace --all-features clean, bundle exec rspec 503/503 against mock-server, npm audit 0 vulns, plus the existing CI matrix passing all 44 jobs).