
Conversation

Contributor

Copilot AI commented Feb 9, 2026

Security audit revealed 6 high severity tar vulnerabilities (≤7.5.6) transitively through @jazzer.js/core → @jazzer.js/fuzzer → cmake-js → tar, plus 2 CVEs in @modelcontextprotocol/sdk <1.26.0, and 1 high severity axios DoS vulnerability (≤1.13.4).

Changes

Security fixes via pnpm overrides:

{
  "pnpm": {
    "overrides": {
      "tar": "^7.5.7",
      "@modelcontextprotocol/sdk": ">=1.26.0",
      "axios": ">=1.13.5"
    }
  }
}

Repository cleanup (pnpm-only):

  • Removed package-lock.json and npm overrides field
  • Added package-lock.json to .gitignore
  • Repository already specifies "packageManager": "pnpm@9.0.0"

Vulnerabilities Fixed

tar ≤7.5.6 (6 high severity):

  • Arbitrary file overwrite via symlink poisoning
  • Race condition via Unicode ligature collisions
  • Hardlink path traversal

@modelcontextprotocol/sdk <1.26.0 (2 high severity):

axios ≤1.13.4 (1 high severity):

Original prompt

This section details the original issue you should resolve

<issue_title>PNPM Audit issues</issue_title>
<issue_description>We have a high level pnpm audit issue. Find and fix the pnpm audit issue. You mcp-taskflow to come up with a task list to fix the issue. The verification criteria is that all tests pass. We should expect to see in the output PR an update to the package.json, pnpm lock file and a new changeset.</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: CalebGerman <86487204+CalebGerman@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix high level pnpm audit issues Security audit: Verify dependencies against CVE-2026-0621 and CVE-2026-25536 Feb 9, 2026
Copilot AI requested a review from CalebGerman February 9, 2026 20:12
@CalebGerman
Owner

@copilot I do not see any changes to the package.json or pnpm lock. You should fix the error, put a resolution in the package.json and run pnpm install, then commit the changes.

…and CVE-2026-25536

Co-authored-by: CalebGerman <86487204+CalebGerman@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 9, 2026

@copilot I do not see any changes to the package.json or pnpm lock. You should fix the error, put a resolution in the package.json and run pnpm install, then commit the changes.

Fixed in commit be004fc. Added @modelcontextprotocol/sdk: ">=1.26.0" to pnpm overrides in package.json and ran pnpm install --no-frozen-lockfile to update pnpm-lock.yaml. Both files are now updated, changeset reflects the actual changes, and all 593 tests pass.

Copilot AI changed the title Security audit: Verify dependencies against CVE-2026-0621 and CVE-2026-25536 Fix PNPM audit security vulnerabilities CVE-2026-0621 and CVE-2026-25536 Feb 9, 2026
Copilot AI and others added 2 commits February 9, 2026 20:36
Co-authored-by: CalebGerman <86487204+CalebGerman@users.noreply.github.com>
Co-authored-by: CalebGerman <86487204+CalebGerman@users.noreply.github.com>
Copilot AI changed the title Fix PNPM audit security vulnerabilities CVE-2026-0621 and CVE-2026-25536 Fix npm audit vulnerabilities via package manager overrides Feb 9, 2026
Co-authored-by: CalebGerman <86487204+CalebGerman@users.noreply.github.com>
Copilot AI changed the title Fix npm audit vulnerabilities via package manager overrides Fix tar and SDK vulnerabilities via pnpm overrides Feb 9, 2026
@CalebGerman
Owner

@copilot
Run pnpm audit --audit-level high
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high │ Axios is Vulnerable to Denial of Service via proto
│ │ Key in mergeConfig │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ axios │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=1.13.4 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=1.13.5 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ . > @jazzer.js/core@2.1.0 > @jazzer.js/fuzzer@2.1.0 > │
│ │ cmake-js@7.4.0 > axios@1.13.4 │
│ │ │
│ │ . > @jazzer.js/core@2.1.0 > │
│ │ @jazzer.js/instrumentor@2.1.0 > │
│ │ @jazzer.js/fuzzer@2.1.0 > cmake-js@7.4.0 > │
│ │ axios@1.13.4 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ GHSA-43fc-jf86-j433
└─────────────────────┴────────────────────────────────────────────────────────┘
5 vulnerabilities found
Severity: 4 moderate | 1 high

Co-authored-by: CalebGerman <86487204+CalebGerman@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 9, 2026

@copilot
Run pnpm audit --audit-level high
┌─────────────────────┬────────────────────────────...

Fixed in commit 96eae9a. Added axios: ">=1.13.5" to pnpm overrides in package.json and ran pnpm install --no-frozen-lockfile to update pnpm-lock.yaml. Axios is now at version 1.13.5 (verified with pnpm why axios), fixing GHSA-43fc-jf86-j433. All 593 tests pass.

Copilot AI changed the title Fix tar and SDK vulnerabilities via pnpm overrides Fix tar, SDK, and axios vulnerabilities via pnpm overrides Feb 9, 2026
@CalebGerman CalebGerman marked this pull request as ready for review February 9, 2026 22:07
@CalebGerman CalebGerman merged commit 31b1475 into main Feb 9, 2026
1 check passed