Security

[novatechflow]

Summary

This PR fixes the local security and CodeQL workflow on the security branch and batches the dependency updates needed to address the reported alerts.

What Changed

• fixed the iceberg processor metadata filter and related tests
• added a repo-local Node 24 toolchain bootstrap via .nvmrc and .tools/node
• added make commit-check and local CodeQL/fuzz helpers
• updated contributor docs to require make commit-check before opening or updating a PR
• fixed local JS/TS CodeQL build issues in the LFS SDK packages
• fixed the browser SDK exports ordering warning at the source
• ignored local SDK dist/ outputs and repo-local .tmp/ / .tools/ artifacts
• bumped vulnerable JS dependencies in lfs-client-sdk/js
• bumped OpenTelemetry and related Go module dependencies

Validation

• go test ./... passed in the repo root earlier during the dependency update pass
• go test ./... passed in addons/processors/iceberg-processor
• local SDK browser build passed after the resolver/type fix
• make check passed with the repo-local Node/npm toolchain
• make -n commit-check matched the expected gate flow
• local CodeQL path was iteratively fixed for:
  • repo-local Node/npm selection
  • devDependency installation during JS builds
  • lower-memory JS defaults
  • Go build flags for local macOS/Xcode linker behavior

Notes

• generated SDK dist/ artifacts are now ignored and are not part of the branch

[novatechflow]

@klaudworks @kamir - pls review.

[klaudworks]

I reviewed this superficially. I'd limit my input on these huge PRs that address multiple things to high level checks for critical shortcomings. Can't see the iceberg fixes but o.w. looks good to me.