
chore: fix 15 dependabot alerts with version overrides #551

Merged
ignaciosantise merged 2 commits into develop from fix-depbot-overrides
Apr 10, 2026

Conversation

@ignaciosantise
Collaborator

Summary

  • Updates resolutions (root/yarn) and overrides (expo-multichain/npm) to fix 15 of 17 open dependabot security alerts
  • lodash 4.17.23 → 4.18.1 (Code Injection + Prototype Pollution)
  • @xmldom/xmldom → 0.8.12, defu → 6.1.5, minimatch → 3.1.4, brace-expansion → 1.1.13, hono → 4.12.12
  • 2 remaining alerts (bigint-buffer) have no patched version available

Test plan

  • yarn install succeeds at root
  • npm install succeeds in examples/expo-multichain
  • yarn test passes (pre-existing failure in useAppKitTheme.test.tsx unrelated to this change)

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 10, 2026 13:25

changeset-bot bot commented Apr 10, 2026

⚠️ No Changeset found

Latest commit: 9a5422d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



claude bot commented Apr 10, 2026

Claude finished @ignaciosantise's task in 2s


Review Complete

  • Gather context
  • Read changed files
  • Run license compliance check
  • Run breaking changes check
  • Run data classification check
  • Post review findings

Found 1 issue(s)

Issue 1: @xmldom/xmldom override crosses minor API boundary for @expo/plist

ID: package-json-xmldom-cross-major-override-b3e1
File: package.json:117
Severity: LOW
Category: code_quality

Context:

  • Pattern: The yarn.lock previously had two entries: @xmldom/xmldom@^0.8.8 (resolved to 0.8.10) and @xmldom/xmldom@~0.7.7 (resolved to 0.7.13). The override pins both to 0.8.12, forcing @expo/plist (which required ~0.7.7) to use a version outside its declared semver range.
  • Risk: @xmldom/xmldom 0.8.x changed DOMException handling and error throwing behavior compared to 0.7.x. @expo/plist may have been pinned to ~0.7.7 intentionally.
  • Impact: Potential breakage in iOS plist parsing during Expo build steps (expo prebuild, pod install). This is a build-time concern, not runtime.
  • Trigger: iOS native builds via expo prebuild or plist manipulation tooling.

Recommendation: Tests pass so this is low risk in practice. If iOS native builds are verified to work, no action needed. Otherwise consider scoping the override: "overrides/@expo/plist/@xmldom/xmldom": "0.8.12" to avoid affecting @expo/plist specifically.

Subagent findings:

  • License compliance: No issues (lodash MIT, @xmldom/xmldom MIT, defu MIT, brace-expansion MIT, hono MIT)
  • Breaking changes: No issues — all changes are transitive dependency overrides, no public API changed
  • Data classification: No issues — only manifest/lockfile changes
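The PR summary pins transitive dependencies through Yarn resolutions and npm overrides, and the review comment above points out that such a pin can land a package outside the semver range one of its dependents declared. The following is an added example, not code from the PR or the repository: it audits an npm `package-lock.json` (lockfileVersion 3) against an `overrides` map and reports two things a reviewer of such a change would want to know, namely every installed copy of an overridden package that is not the pinned version (a stale nested copy means the override did not take effect), and every dependent whose declared range the pinned version falls outside of. The lockfile, the versions in it and the dependent `some-tool` are constructed for illustration; the range matcher is a deliberate simplification that handles only exact, `~` and `^` ranges.

```javascript
// Added example (not from the PR): audit npm "overrides" against a
// package-lock.json (lockfileVersion 3). The lockfile below is constructed
// for illustration and is not the repository's real lockfile.

// Overrides as they would appear under "overrides" in package.json.
const OVERRIDES = {
  "lodash": "4.18.1",
  "@xmldom/xmldom": "0.8.12",
};

// Constructed lockfile: one stale nested copy of @xmldom/xmldom survived,
// and @expo/plist declares a range the pinned version does not satisfy.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { lodash: "^4.17.21", "some-tool": "^1.0.0" } },
    "node_modules/lodash": { version: "4.18.1" },
    "node_modules/some-tool": { version: "1.2.0", dependencies: { "@xmldom/xmldom": "^0.8.8" } },
    "node_modules/@xmldom/xmldom": { version: "0.8.12" },
    "node_modules/@expo/plist": { version: "0.1.3", dependencies: { "@xmldom/xmldom": "~0.7.7" } },
    "node_modules/@expo/plist/node_modules/@xmldom/xmldom": { version: "0.7.13" },
  },
};

// "node_modules/a/node_modules/@scope/pkg" -> "@scope/pkg"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function parseVersion(v) {
  return v.split(".").map(Number);
}

// Minimal semver matcher: exact, "~x.y.z" and "^x.y.z" only. This is a
// simplification for the example; a real tool would use the semver package.
function satisfies(version, range) {
  if (range === "*" || range === "") return true;
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const [rMaj, rMin, rPat] = parseVersion(range.slice(op.length));
  const [vMaj, vMin, vPat] = parseVersion(version);
  const notBelow =
    vMaj > rMaj || (vMaj === rMaj && (vMin > rMin || (vMin === rMin && vPat >= rPat)));
  if (!notBelow) return false;
  if (op === "") return vMaj === rMaj && vMin === rMin && vPat === rPat;
  if (op === "~") return vMaj === rMaj && vMin === rMin;
  // caret: same major, except for 0.x where the minor is the compatibility boundary
  return rMaj === 0 ? vMaj === 0 && vMin === rMin : vMaj === rMaj;
}

// Every installed copy of an overridden package must be the pinned version.
function findUnpinnedCopies(lock, overrides) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not an installed package
    const name = packageNameFromPath(lockPath);
    if (name && name in overrides && entry.version !== overrides[name]) {
      findings.push({ name, lockPath, installed: entry.version, pinned: overrides[name] });
    }
  }
  return findings;
}

// Dependents whose declared range the pinned version falls outside of.
function findOutOfRangeDependents(lock, overrides) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      if (dep in overrides && !satisfies(overrides[dep], range)) {
        findings.push({ dependent: lockPath || "(root)", name: dep, declared: range, pinned: overrides[dep] });
      }
    }
  }
  return findings;
}

function audit(lock, overrides) {
  return {
    unpinned: findUnpinnedCopies(lock, overrides),
    outOfRange: findOutOfRangeDependents(lock, overrides),
  };
}

console.log(JSON.stringify(audit(LOCKFILE, OVERRIDES), null, 2));
```

On the constructed input the audit reports the nested `0.7.13` copy under `@expo/plist` as unpinned and flags `@expo/plist` as declaring `~0.7.7`, which `0.8.12` does not satisfy; `some-tool`'s `^0.8.8` is satisfied and produces no finding. The second list is exactly the set of packages whose behaviour under the override needs a functional check (here, iOS plist handling during Expo build steps), since neither npm nor Yarn enforces the declared range once an override or resolution is in place.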


Copilot AI left a comment


Pull request overview

Updates dependency pinning/override mechanisms (Yarn resolutions at repo root and npm overrides in the Expo example) to remediate a set of Dependabot security alerts across the monorepo.

Changes:

  • Bump root Yarn resolutions for lodash, minimatch, @xmldom/xmldom, defu, and brace-expansion; update yarn.lock accordingly.
  • Bump examples/expo-multichain npm overrides (notably hono and lodash) and refresh package-lock.json.
  • Align lockfiles to the pinned versions used to address reported vulnerabilities.

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated 2 comments.

File / Description
package.json: Updates root Yarn resolutions to force patched dependency versions.
yarn.lock: Reflects the new resolved versions for patched transitive deps.
examples/expo-multichain/package.json: Updates npm overrides for patched versions in the Expo example.
examples/expo-multichain/package-lock.json: Updates locked dependency versions/integrities to match new overrides.
Files not reviewed (1)
  • examples/expo-multichain/package-lock.json: Language not supported


@ignaciosantise ignaciosantise merged commit 8063dbb into develop Apr 10, 2026
10 checks passed
@ignaciosantise ignaciosantise deleted the fix-depbot-overrides branch April 10, 2026 14:46
@github-actions github-actions bot locked and limited conversation to collaborators Apr 10, 2026