fix: update vulnerable dependencies (flatted, markdownlint-cli2)#1374

Merged
Mossaka merged 2 commits intomainfrom
copilot/fix-gh-aw-firewall-action-issues
Mar 19, 2026
Conversation

Copilot AI commented Mar 19, 2026

Summary

Fixes the npm audit failure in the Dependency Vulnerability Audit CI workflow (failing run).

Changes

Updates two vulnerable devDependencies:

| Package | Old Version | New Version | Severity | Advisory |
|---|---|---|---|---|
| flatted | 3.4.1 | 3.4.2 | high | GHSA-rf6f-7fwh-wjgh — Prototype Pollution via parse() |
| markdownlint-cli2 | 0.17.2 | 0.21.0 | moderate (transitive) | GHSA-mh29-5h37-fv8m (js-yaml), GHSA-38c4-r59v-3vqw (markdown-it) |

Verification

  • npm audit --audit-level=high → 0 vulnerabilities (was 1 high + 4 moderate)
  • npm run build → compiles successfully
  • npm test → all 1116 tests pass
  • npm run lint → passes
  • npx markdownlint-cli2 README.md → works with existing .markdownlint.json config

Security Summary

No new vulnerabilities introduced. All existing high and moderate vulnerabilities have been resolved.

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
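
The advisory row above names the vulnerability class (prototype pollution reached through a parser) but the PR body does not show what that looks like. The block below is an added, generic illustration written for this page; it is not flatted's code and does not reproduce GHSA-rf6f-7fwh-wjgh. It uses a constructed payload against a naive recursive merge of parsed JSON, then the hardened form that filters the dangerous keys, with a probe that reports whether an unrelated object started seeing the injected property. Names such as `unsafeMerge`, `safeMerge`, `runMerge` and `PAYLOAD` are this example's own.

```javascript
// Added illustration of prototype pollution via a deserializer. Generic demo code for
// this page, not flatted's implementation and not the advisory's actual exploit path.

// Vulnerable form: recursively merges parsed JSON into `target`. For the key "__proto__",
// `target[key]` resolves to Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that reach the prototype chain instead of the object being built.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: drop those keys, only descend into properties the target itself owns,
// and create intermediate containers that do not inherit from Object.prototype at all.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, standing in for untrusted input handed to a parser.
// JSON.parse creates an own property literally named "__proto__"; the merge step is
// what turns that into a write to Object.prototype.
const PAYLOAD = '{"__proto__": {"polluted": true}, "name": "ok"}';

// Merges the payload into a fresh object and probes an unrelated object for leakage.
// Object.prototype is cleaned up afterwards so the demo is repeatable in one process.
function runMerge(mergeFn, json) {
  const target = mergeFn({}, JSON.parse(json));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, name: target.name, ownKeys: Object.keys(target) };
}

console.log('unsafeMerge:', runMerge(unsafeMerge, PAYLOAD)); // leaked: true
console.log('safeMerge:  ', runMerge(safeMerge, PAYLOAD));   // leaked: false
```

The probe `({}).polluted` is the kind of assertion worth keeping in a test suite for any code path that merges or revives parsed data: it catches pollution regardless of which parser or merge helper introduced it.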
Copilot AI requested a review from Mossaka March 19, 2026 18:54
@Mossaka Mossaka marked this pull request as ready for review March 19, 2026 21:08
Copilot AI review requested due to automatic review settings March 19, 2026 21:08
github-actions bot commented Mar 19, 2026

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 86.05% | 86.23% | 📈 +0.18% |
| Statements | 85.97% | 86.15% | 📈 +0.18% |
| Functions | 86.13% | 86.13% | ➡️ +0.00% |
| Branches | 79.21% | 79.38% | 📈 +0.17% |

📁 Per-file Coverage Changes (1 file)

| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/docker-manager.ts | 87.4% → 88.1% (+0.73%) | 86.8% → 87.5% (+0.70%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI left a comment


Pull request overview

This PR resolves an npm audit failure in CI by updating vulnerable Node.js development dependencies used by the project’s build/lint tooling.

Changes:

  • Bump markdownlint-cli2 from ^0.17.2 to ^0.21.0 in package.json.
  • Refresh package-lock.json to pick up patched versions (including flatted 3.4.2) and updated transitive dependencies for the markdownlint toolchain.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| package.json | Updates the direct devDependency markdownlint-cli2 to a non-vulnerable release. |
| package-lock.json | Locks updated versions for markdownlint-cli2 and patched transitive dependencies (including flatted). |
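
The review above notes that the fix lives in the refreshed package-lock.json rather than in package.json alone, because flatted is a transitive dependency. `npm audit` proves that against the registry; the added example below checks the committed lock file itself, offline, so a CI job can fail if any copy of a package, including nested copies under `node_modules/*/node_modules/`, still resolves below the patched version. This is example code written for this page, not a script from the gh-aw-firewall repository; the minimum versions are taken from the PR description, and `SAMPLE_LOCK` is a constructed lock-file fragment, not the project's real one.

```javascript
// Added example for this page (not the project's own tooling): verify that a
// package-lock.json (lockfileVersion 2 or 3, which list every installed path
// under "packages") contains no copy of a package older than its patched version.

// Minimum safe versions from the PR description.
const MINIMUM_VERSIONS = {
  flatted: '3.4.2',
  'markdownlint-cli2': '0.21.0',
};

// Compare dotted numeric versions; a prerelease suffix is ignored, which is enough
// for the releases compared here. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name is whatever follows the last "node_modules/" in a lock key,
// which also handles scoped names like "node_modules/a/node_modules/@scope/b".
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// Walk every installed path and report entries below the required version.
function findVulnerableEntries(lock, minimums = MINIMUM_VERSIONS) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [key, entry] of Object.entries(packages)) {
    const name = packageNameFromKey(key);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      findings.push({ path: key, name, version: entry.version, required: minimums[name] });
    }
  }
  return findings;
}

// Constructed sample lock file for the demo: the top-level flatted is patched, but a
// nested copy pinned by a hypothetical dependency "some-tool" is still 3.4.1. This
// is exactly the case a package.json-only check would miss.
const SAMPLE_LOCK = {
  name: 'sample',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample', devDependencies: { 'markdownlint-cli2': '^0.21.0' } },
    'node_modules/flatted': { version: '3.4.2', dev: true },
    'node_modules/markdownlint-cli2': { version: '0.21.0', dev: true },
    'node_modules/some-tool': { version: '1.0.0', dev: true },
    'node_modules/some-tool/node_modules/flatted': { version: '3.4.1', dev: true },
  },
};

for (const f of findVulnerableEntries(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.version} is below required ${f.required}`);
}
```

To run it against a real lock file, call `findVulnerableEntries(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))` and exit non-zero when the returned array is non-empty. Lock files written by npm 6 (lockfileVersion 1) nest dependencies under `dependencies` instead of listing paths under `packages`, so they would need a different walker.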

The markdownlint-cli2 v0.21.0 upgrade introduces the new MD060
(table-column-style) rule which flags 1030 existing table formatting
patterns across the codebase. Disable this rule to match the
project's existing table style conventions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions

Smoke Test Results @Mossaka @Copilot

✅ GitHub MCP: #1372 "fix: resolve high severity flatted prototype pollution vulnerability", #1370 "[WIP] Fix the failing GitHub Actions workflow for test coverage report"
✅ Playwright: github.com title contains "GitHub"
✅ File write: /tmp/gh-aw/agent/smoke-test-copilot-23319964293.txt created
✅ Bash verification: file content confirmed

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1374

@github-actions

Smoke Test Results — PASS

✅ GitHub MCP: #1372 fix: resolve high severity flatted prototype pollution vulnerability, #1369 feat: support base path prefix for OpenAI and Anthropic API targets
✅ Playwright: GitHub page title verified
✅ File write: /tmp/gh-aw/agent/smoke-test-claude-23319964333.txt created
✅ Bash: File contents confirmed

💥 [THE END] — Illustrated by Smoke Claude for issue #1374

@github-actions

Chroot Version Comparison Results

| Runtime | Host Version | Chroot Version | Match? |
|---|---|---|---|
| Python | Python 3.12.13 | Python 3.12.3 | ❌ NO |
| Node.js | v24.14.0 | v20.20.1 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot.

Go matches, but Python (3.12.13 vs 3.12.3) and Node.js (v24.14.0 vs v20.20.1) do not. The chroot is using the system Ubuntu packages while the host runner has newer versions installed via tool caches.

Tested by Smoke Chroot for issue #1374

@github-actions

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1374 ·

@github-actions

🔮 The oracle records this smoke reading.
PR titles: "feat: support base path prefix for OpenAI and Anthropic API targets"; "fix: resolve high severity flatted prototype pollution vulnerability".

  1. GitHub MCP (last 2 merged PRs): ✅
  2. safeinputs-gh PR query: ❌ (tool unavailable here)
  3. Playwright github.com title contains "GitHub": ✅
  4. Tavily web search: ❌ (tool unavailable here)
  5. File write /tmp/gh-aw/agent/smoke-test-codex-23319964329.txt: ✅
  6. Bash cat verification: ✅
  7. Discussion query + mystical discussion comment: ❌ (required tools/extra safe-output call unavailable)
  8. npm ci && npm run build: ✅

Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • ab.chatgpt.com
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "registry.npmjs.org"
```

See Network Configuration for more information.

@Mossaka Mossaka merged commit 999f9a4 into main Mar 19, 2026
57 checks passed
@Mossaka Mossaka deleted the copilot/fix-gh-aw-firewall-action-issues branch March 19, 2026 23:07