
[codex] Refresh security dependency locks #1249

Merged: alfred-openspec merged 2 commits into main from codex/security-dependency-refresh on Jun 24, 2026

Conversation

@TabishB (Contributor) commented Jun 24, 2026

Summary

This replaces the two bot dependency PRs with a cleaner direct-update path:

  • updates the direct Inquirer packages so tmp drops out of the dependency tree entirely
  • updates Vitest and typescript-eslint within the current major lines so newer tooling paths resolve patched picomatch
  • refreshes the remaining micromatch -> picomatch lockfile edge to patched picomatch@2.3.2 without forcing a picomatch major override under micromatch

Why

The reported picomatch and tmp advisories are real, but the bot PRs patch subdependencies in a brittle way. In particular, pinning tmp@0.2.6 is already stale because a follow-up tmp advisory is patched in 0.2.7; removing tmp from the tree is better.

fast-glob@3.3.3 and micromatch@4.0.8 are already current, and micromatch still depends on picomatch:^2.3.1, so the production picomatch fix is a lock refresh to 2.3.2 rather than forcing v4.

Validation

  • pnpm install --frozen-lockfile
  • pnpm run lint (passes; one unrelated existing warning in src/core/references.ts)
  • pnpm test (98 files, 1787 tests passed)
  • pnpm why tmp returns no dependency path
  • pnpm audit reports no tmp or picomatch advisories remaining

Summary by CodeRabbit

  • Chores
    • Updated project dependency versions across the testing toolchain, TypeScript linting, and command-line prompt libraries.
    • Updated the Nix flake’s pinned fetch checksum to keep dependency retrieval in sync with the new package set.
    • These changes are expected to improve maintenance, compatibility, and overall stability without altering public functionality.
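The two tree-shape claims in the Validation list (no dependency path to tmp, and the micromatch -> picomatch edge resolving to a patched release) can be checked mechanically against the lockfile rather than by eye. The block below is an added example, not code from this PR or project; it assumes the pnpm v9 lockfile layout (a top-level snapshots: section keyed by name@version with nested dependencies:), uses constructed lockfile fragments, and the package name legacy-editor-helper is hypothetical.

```python
# Constructed pnpm lockfile v9 fragments (layout assumed; not the project's own lockfile).
# Before the refresh: stale picomatch edge, and a hypothetical helper still pulling in tmp.
STALE_LOCK = """\
snapshots:
  micromatch@4.0.8:
    dependencies:
      picomatch: 2.3.1
  legacy-editor-helper@1.0.0:
    dependencies:
      tmp: 0.2.6
  tmp@0.2.6: {}
"""
# After the refresh: the micromatch -> picomatch edge is patched and tmp has dropped out.
FRESH_LOCK = """\
snapshots:
  micromatch@4.0.8:
    dependencies:
      picomatch: 2.3.2
  picomatch@2.3.2: {}
"""
MIN_PICOMATCH = (2, 3, 2)   # patched release the PR locks to
BANNED = {"tmp"}            # must not appear anywhere in the resolved tree
def parse_snapshots(text):
    """Return {pkg@ver: {dep: ver}} from the lockfile's snapshots section."""
    graph, current, in_snap = {}, None, False
    for raw in text.splitlines():
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if indent == 0:                        # top-level key; a blank line keeps state
            in_snap = line.startswith("snapshots:") or (in_snap and not line)
        elif not in_snap:
            continue
        elif indent == 2:                      # resolved package key, e.g. micromatch@4.0.8
            current = line.split(":")[0].strip("'\"")
            graph[current] = {}
        elif indent == 6 and ": " in line:     # dep entry (transitivePeerDependencies are "- x")
            name, ver = line.split(": ", 1)
            graph[current][name.strip("'\"")] = ver.strip("'\"")
    return graph
def audit(graph):
    """List policy violations; an empty list means the tree matches the PR's claims."""
    problems = []
    for key, deps in graph.items():
        if key.split("(")[0].rpartition("@")[0] in BANNED:    # drop peer suffix, then @version
            problems.append(f"banned package present: {key}")
        for dep, ver in deps.items():
            if dep in BANNED:
                problems.append(f"{key} still depends on {dep}@{ver}")
            if dep == "picomatch" and tuple(int(p) for p in ver.split("(")[0].split(".")) < MIN_PICOMATCH:
                problems.append(f"{key} -> picomatch@{ver} is below 2.3.2")
    return problems
```

Running audit over the real pnpm-lock.yaml after the refresh should return an empty list; a non-empty list is the same signal pnpm why tmp and pnpm audit gave before the change, but expressed as a CI gate.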

@coderabbitai (bot) commented Jun 24, 2026

No actionable comments were generated in the recent review. 🎉

Recent review info

Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: e72bc6c9-12b9-4ccd-9eb5-1d2e12ef1fac

Commits: reviewing files that changed from the base of the PR and between 079f1d9 and dc5855a.

Files selected for processing (1):
  • flake.nix

Walkthrough

package.json version pins were updated for five packages, and flake.nix now uses a new pinned fetchPnpmDeps hash.

Changes (Dependency Refresh)

  • package.json version bumps (package.json): @vitest/ui, vitest, typescript-eslint, @inquirer/core, and @inquirer/prompts have newer version pins.
  • flake.nix hash update (flake.nix): the pinned fetchPnpmDeps sha256 value is updated.

Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 I hopped through pins and hashes bright,
Five packages gleam in updated light.
A fresh pnpm seed, a tidy trail,
With bunny-approved version sail!

Pre-merge checks (5 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: refreshing security-related dependency locks and hashes.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@alfred-openspec (Collaborator) left a comment

Approved. CI is green except the Nix flake validation, which is failing because the pnpm dependency store hash is stale after the lockfile refresh.

@alfred-openspec (Collaborator) left a comment

Re-approved after the latest updates.

@alfred-openspec alfred-openspec added this pull request to the merge queue Jun 24, 2026
Merged via the queue into main with commit 737518b Jun 24, 2026
12 checks passed
@alfred-openspec alfred-openspec deleted the codex/security-dependency-refresh branch June 24, 2026 08:56