
fix: remediate Dependabot security alerts (2026-06-20)#2543

Open
typeagent-bot[bot] wants to merge 1 commit into
mainfrom
automated/fix-dependabot-alerts-20260620-90

Conversation

typeagent-bot[bot] (Contributor) commented Jun 20, 2026

Automated Dependabot Alert Remediation

This PR was automatically generated by the fix-dependabot-alerts workflow.
Each fix was applied individually and build-verified before inclusion.

Summary

  • Applied (14): diff esbuild http-proxy-middleware ip-address js-yaml lodash-es nodemailer qs underscore undici uuid vite ws xml2js
  • Blocked (1): js-yaml
  • No patch available (0): (none)
  • Rolled back (0): (none)
  • Skipped (recent rollback, 0): (none)
  • Workspaces with analysis failures: (none)
  • Build: ✅ Passed
  • Shell packaging: ✅ Passed

Note: the analysis source (fix-dependabot-alerts.mjs) is broader than the GitHub Dependabot REST API — it also audits the lockfile directly. Some packages listed above may not have a corresponding open Dependabot alert, and vice versa.

Why blocked packages couldn't be auto-fixed

Dependency chains (`--show-chains` output)

===== docs =====

══════════════════════════════════════════════════════════════════════
  Fetching open Dependabot alerts from GitHub
══════════════════════════════════════════════════════════════════════
  Repository: microsoft/TypeAgent
  Found 1 alert(s) across 1 package(s)

══════════════════════════════════════════════════════════════════════
  Analyzing vulnerabilities
══════════════════════════════════════════════════════════════════════
  ⚠  Could not resolve shell production deps — shell packaging post-check will still validate

  [1/1] 📦 js-yaml (medium) — ✗ 3.14.2, ✗ 4.1.1 → need ≥4.2.0
     ↳ used by: typeagent-docs
     Actions: (requires --auto-fix)
       [override] gray-matter@4.0.3 pins js-yaml ^3.13.1, already at latest — no update available
     Risk: ▲ high — major version bump 3.14.2 → 4.2.0, 1 parent(s) may break
     → @11ty/eleventy@3.1.2
       → typeagent-docs
     → gray-matter@4.0.3
       → @11ty/eleventy@3.1.2 (see above)

══════════════════════════════════════════════════════════════════════
  Summary
══════════════════════════════════════════════════════════════════════

  1 blocked

  Risk assessment:
     ▲ high  [override] js-yaml >=4.2.0: major version bump 3.14.2 → 4.2.0, 1 parent(s) may break

  Run with --auto-fix to fix: js-yaml
    (or --apply-overrides for: js-yaml)

  ⚠  DRY RUN — no changes were made. Run without --dry-run to apply.

How this works

  1. Analyses all open Dependabot alerts
  2. Applies each fix individually with build verification
  3. Rolls back any fix that breaks the build
  4. Only passing fixes are included in this PR

Review checklist

  • Check that no breaking changes were introduced
  • Verify rolled-back packages are investigated separately
  • Run tests locally if concerned about specific packages

Automated by fix-dependabot-alerts workflow.

Applied: diff esbuild http-proxy-middleware ip-address js-yaml lodash-es nodemailer qs underscore undici uuid vite ws xml2js
Rolled back: (none)
Blocked: 1 package(s)
Shell packaging: passed

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
typeagent-bot[bot] added the labels dependencies (Pull requests that update a dependency file) and security on Jun 20, 2026
typeagent-bot[bot] requested a deployment to development-fork on June 20, 2026 11:20 (Waiting)