turbo
e0cf4f2a - fix: Resolve pnpm audit vulnerabilities via dependency bumps (#12224)

Commit
47 days ago
fix: Resolve pnpm audit vulnerabilities via dependency bumps (#12224)

## Summary

Resolves all actionable `pnpm audit` vulnerabilities (17 of 18) by bumping direct dependencies and adding targeted pnpm overrides for transitive deps pinned to vulnerable versions.

## Changes

**Direct dependency bumps:**

- `ultracite` 7.2.3 → 7.2.5 (resolves minimatch ReDoS via glob)

**pnpm overrides added/updated:**

- `basic-ftp >=5.2.0` — path traversal (critical)
- `fast-xml-parser >=5.3.8` — bumped from >=5.3.4, entity encoding bypass + DoS + stack overflow (critical/high/low)
- `bunchee>rollup >=4.59.0` — arbitrary file write (high)
- `glob@7>minimatch`, `multimatch>minimatch`, `test-exclude>minimatch` → 3.1.4 — ReDoS (high)
- `vscode-languageclient>minimatch` → 5.1.9 — ReDoS (high)
- `tmp >=0.2.4` — symlink dir write (low)

**Lint config update:**

- The `ultracite` bump to 7.2.5 introduced an `overrides` section that enables jest/vitest plugins with all rules set to `error` for test files. The repo's existing top-level `"off"` rules couldn't override those because oxlint applies extended config overrides after local top-level rules. Added a matching `overrides` section in `.oxlintrc.json` (with `plugins: ["jest", "vitest"]`) to suppress the ~16k new lint errors. Also added `unicorn/prefer-module` and `unicorn/prefer-ternary` as `"off"` for rules newly enforced by oxlint 1.51.0.

**Remaining:** 1 low-severity false positive (`cli` workspace directory name collides with npm `cli` package).
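The overrides the commit message describes, written out as an added illustration rather than the actual diff of the turbo repository's `package.json`. It shows the shape pnpm's `pnpm.overrides` field takes: a bare package name applies to every occurrence in the tree, a `parent>child` selector scopes the pin to one dependency path, and `parent@range>child` further restricts it to a parent version range. The package names and versions are the ones listed in the message; the `name`/`private` fields are placeholders, and the override for `vscode-languageclient>minimatch` is pinned here to the `5.1.9` the message states rather than to a range.

```json
{
  "name": "placeholder-workspace-root",
  "private": true,
  "pnpm": {
    "overrides": {
      "basic-ftp": ">=5.2.0",
      "fast-xml-parser": ">=5.3.8",
      "bunchee>rollup": ">=4.59.0",
      "glob@7>minimatch": "3.1.4",
      "multimatch>minimatch": "3.1.4",
      "test-exclude>minimatch": "3.1.4",
      "vscode-languageclient>minimatch": "5.1.9",
      "tmp": ">=0.2.4"
    }
  }
}
```

Path-scoped selectors such as `glob@7>minimatch` matter here because `minimatch` 3.x and 5.x are different majors: a single blanket `minimatch` override would force one major onto every consumer and could break those that need the other, so each vulnerable parent is pinned to the fixed release within its own major. After editing overrides, re-run `pnpm install` so the lockfile is rewritten, then re-run `pnpm audit` to confirm the advisories are gone; an override that names a non-existent path is silently ignored, so the audit output is the check that each pin actually took effect.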