chore(deps): patch protobufjs, hono, dompurify security advisories

[chevyphillip]

Summary

Resolves all three open GitHub security advisories by bumping affected transitive dependencies to patched versions. Only package-lock.json changes — no source code modified.

Advisories Fixed

Advisory	Package	Before → After
GHSA-xq3m-2v4x-88gg (critical)	protobufjs	7.5.4 → 7.5.5
GHSA-458j-xx4x-4375 (moderate)	hono	4.12.12 → 4.12.14
GHSA-39q2-94rc-95cp (moderate)	dompurify	3.3.3 → 3.4.0

Verification

• npm audit — 0 vulnerabilities (info/low/moderate/high/critical all 0)
• npm ls — confirmed resolved versions above
• git diff --name-only — only package-lock.json modified
• npm run lint — ✅ PASS
• npm run build — ✅ PASS (Next 15.5.15 web + tsup CLI)
• npm run test --workspace ./packages/cli — ✅ PASS (50/50, 11 suites, 0 failures)

Scope

• ✅ Security-only lockfile bumps
• ❌ Non-security upgrades intentionally deferred (Next 16, Ink 7, Commander 14, TS 6, etc.)

Rollback

git revert ba3d68f or git checkout main -- package-lock.json && npm ci

---

Pull Request opened by Augment Code with guidance from the PR author

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[augmentcode]

🤖 Augment PR Summary

Summary: Updates the lockfile to pull in patched transitive dependency versions addressing three GitHub security advisories.

Changes: Bumps resolved versions for protobufjs, hono, and dompurify via package-lock.json only (no source changes).

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.