
chore: resolve open dependabot advisories and cap axios below 1.14#562

Merged
JamieSinn merged 1 commit intomainfrom
fix/dependabot-alerts
Mar 31, 2026

Conversation

@jonathannorris
Member

Summary

  • Add Yarn resolutions so transitive versions match patched releases for the open Dependabot findings (handlebars, path-to-regexp 8.x, brace-expansion, picomatch).
  • Pin axios to ~1.13.6 and resolve all axios ranges to 1.13.6 so we don't pick up 1.14.1 (supply chain concern).

Notes

  • After merge, Dependabot should re-scan and clear the related alerts on the default branch.
  • yarn npm audit can still report other unrelated advisories; this PR targets the current open Dependabot set plus the axios cap.

Tests: yarn test:ci (run locally on this branch).

@jonathannorris jonathannorris requested a review from a team as a code owner March 31, 2026 03:38
Copilot AI review requested due to automatic review settings March 31, 2026 03:38
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project.

Status: ❌ Deployment failed
Name: devcycle-mcp-server
Latest Commit: 34f3e1c
Updated (UTC): Mar 31 2026, 03:38 AM


Copilot AI left a comment

Pull request overview

This PR aims to clear currently open Dependabot advisories by forcing patched transitive dependency versions via Yarn resolutions, and to cap axios to avoid picking up 1.14.x releases.

Changes:

  • Pin axios to ~1.13.6 and add Yarn resolutions for axios descriptors.
  • Add Yarn resolutions to force patched versions of handlebars, path-to-regexp (8.x), brace-expansion, and picomatch.
  • Update yarn.lock to reflect the resolved dependency graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File: package.json
Description: Caps direct axios dependency and adds resolutions for axios + patched transitive packages targeted by Dependabot alerts.

File: yarn.lock
Description: Updates locked versions to the patched releases and removes older vulnerable transitive versions.


Comment on lines 165 to +167
"resolutions": {
"axios@npm:^1.13.6": "1.13.6",
"axios@npm:^1.6.0": "1.13.6",
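Review bot: the two resolution keys shown here cover only the `^1.13.6` and `^1.6.0` descriptors, so the direct `~1.13.6` range that the PR description says is set in `dependencies.axios` is not pinned by this block and would still accept a later 1.13.x on a fresh install. If the intent is one exact axios version everywhere, a single bare-name key, `"axios": "1.13.6"`, applies to every descriptor in Yarn Berry and avoids having to enumerate ranges as transitive dependents change them; otherwise add a `"axios@npm:~1.13.6": "1.13.6"` entry alongside these two. Either way, the descriptor list on the axios entry in yarn.lock is the quick way to confirm that every range in the graph is covered after `yarn install`.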
Copilot AI Mar 31, 2026

The axios cap is implemented via dependencies.axios: "~1.13.6", but the new resolutions only target axios@npm:^... descriptors. Since the lock currently has axios@npm:~1.13.6, this setup won’t prevent a future yarn install from moving to a newer 1.13.x patch (if published) unless you also pin the ~1.13.6 descriptor (or use a broader single resolution like axios/axios@npm:* to enforce an exact version, if that’s the intent stated in the PR description).

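The verification a reviewer would want for both the PR summary (every axios range in the graph resolved to the patched release, nothing at or above 1.14) and the review comment above (every descriptor actually covered by a `resolutions` key) can be scripted against the lockfile. The following is an added example, not code from the PR or from the DevCycle project: it parses a Yarn Berry lockfile (a constructed sample is embedded inline), extracts the descriptor list and resolved version of each entry for a named package, and reports any entry that breaks the version cap or any descriptor that no resolution key covers. It assumes the Yarn Berry (v2+) lockfile layout and compares plain `major.minor.patch` versions, which is sufficient for the npm release lines involved; the function and constant names are the example's own.

```javascript
// Constructed sample in Yarn Berry lockfile layout (not the project's real yarn.lock).
// The axios entry lists three descriptors, mirroring the situation in the review:
// two are covered by resolutions, the direct "~1.13.6" range is not.
const SAMPLE_LOCK = `# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 8
  cacheKey: 10c0

"axios@npm:^1.13.6, axios@npm:^1.6.0, axios@npm:~1.13.6":
  version: 1.13.6
  resolution: "axios@npm:1.13.6"
  languageName: node
  linkType: hard

"follow-redirects@npm:^1.15.6":
  version: 1.15.9
  resolution: "follow-redirects@npm:1.15.9"
  languageName: node
  linkType: hard
`;

// Resolutions as they appear in the PR hunk (constructed copy for the example).
const SAMPLE_RESOLUTIONS = {
  "axios@npm:^1.13.6": "1.13.6",
  "axios@npm:^1.6.0": "1.13.6",
};

// Minimal parser for the Yarn Berry lockfile: an unindented line ending in ":" opens
// an entry whose key is a comma-separated descriptor list; the indented "version:" line
// beneath it is the resolved version. The __metadata block is skipped.
function parseLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (raw.startsWith("#") || raw.trim() === "") continue;
    if (!raw.startsWith(" ")) {
      const key = raw.replace(/:\s*$/, "").replace(/^"|"$/g, "");
      if (key === "__metadata") { current = null; continue; }
      current = { descriptors: key.split(",").map((s) => s.trim()), version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version:\s*"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison (no prerelease handling; assumption stated above).
function parseVersion(v) { return v.split(".").map((n) => parseInt(n, 10)); }
function lessThan(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) { if (x[i] !== y[i]) return x[i] < y[i]; }
  return false;
}

// Returns a list of problems (empty when the lock satisfies the policy):
//  - any entry of pkgName whose resolved version is not strictly below `cap`
//  - any descriptor of pkgName that neither an exact descriptor key nor a bare-name
//    key in `resolutions` covers
function checkPackage(lockText, pkgName, cap, resolutions) {
  const problems = [];
  for (const e of parseLock(lockText)) {
    // "axios@" prefix does not match "axios-retry@" or scoped "@scope/axios@" names
    const descs = e.descriptors.filter((d) => d.startsWith(pkgName + "@"));
    if (descs.length === 0) continue;
    if (!e.version || !lessThan(e.version, cap)) {
      problems.push(`${pkgName} resolved to ${e.version} (cap is <${cap})`);
    }
    for (const d of descs) {
      if (!(d in resolutions) && !(pkgName in resolutions)) {
        problems.push(`descriptor ${d} not covered by resolutions`);
      }
    }
  }
  return problems;
}

// Stand-alone run: prints the single uncovered descriptor from the sample lock.
console.log(checkPackage(SAMPLE_LOCK, "axios", "1.14.0", SAMPLE_RESOLUTIONS));
```

Running this against a real `yarn.lock` (read the file instead of `SAMPLE_LOCK`, and load `resolutions` from `package.json`) gives a CI-friendly gate: an empty result means the cap holds for every range in the graph, and a non-empty one names the exact descriptor or entry to fix, which is more direct than waiting for the next Dependabot scan.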
@JamieSinn JamieSinn merged commit d9ed751 into main Mar 31, 2026
10 of 11 checks passed
@JamieSinn JamieSinn deleted the fix/dependabot-alerts branch March 31, 2026 14:01
4 participants