
fix: consolidate Dependabot security alert fixes into single PR#12689

Draft
Copilot wants to merge 3 commits into master from copilot/upgrade-packages-and-lockfiles

Conversation

Copilot AI commented May 28, 2026

Contributor

Aggregates all open Dependabot security alert fixes across JS lockfiles and Go modules into one PR rather than merging ~31 individual Dependabot PRs. Security resolutions are pinned via resolutions fields in each workspace's package.json, and all lock files are regenerated via scripts/update-package-locks.sh.

JS lockfiles (Yarn v4)

Root yarn.lock

  • brace-expansion 1.1.11 → 1.1.15, cross-spawn 6.0.5 → 6.0.6, express 5.0.1 → 5.2.1, flatted 3.3.2 → 3.4.2, glob ^10/^11 updated, http-proxy-middleware 2.0.6 → 2.0.9, lodash 4.17.21 → 4.18.1, picomatch ^2/^4 updated, tar ^7 updated, tmp updated, ws@^7 → 7.5.11

a3p-integration/yarn.lock

  • brace-expansion → 1.1.15, flatted → 3.4.2, tar-fs → 2.1.4

All applicable proposal lockfiles (z:acceptance, n:upgrade-next, h:hook-msg-send, l:wallet-upgrade, k:param-change, m:before-next-upgrade, f:ymax0-restart, g:ymax1)

  • ws@^7 → 7.5.11, tar-fs → 2.1.4, tar@^7 → 7.5.16, lodash → 4.18.1, brace-expansion → 1.1.15, picomatch 2.3.1 → 2.3.2 (^2.x) and → 4.0.4 (^4.x), glob@^10 → 10.5.0
  • h:hook-msg-send, k:param-change, l:wallet-upgrade, m:before-next-upgrade: axios updated, follow-redirects 1.15.9 → 1.16.0, form-data → 4.0.5
  • h:hook-msg-send: @protobufjs/utf8 1.1.0 → 1.1.1, fast-uri 3.0.6 → 3.1.2
  • f:ymax0-restart, g:ymax1: js-yaml → 3.14.2

multichain-testing/yarn.lock

  • follow-redirects, form-data@^4, ws@^7, tmp updated

Go modules (golang/cosmos)

Package                                          Before   After
github.com/go-jose/go-jose/v4                    4.1.3    4.1.4
github.com/ulikunitz/xz                          0.5.11   0.5.14
go.opentelemetry.io/otel (all 5 sub-packages)    1.39.0   1.43.0
google.golang.org/grpc                           1.79.1   1.79.3
golang.org/x/sys                                 0.40.0   0.42.0

go.sum updated with corresponding hashes for all bumped modules. go mod tidy run to normalise go.mod.

Note: g:gtm-fast-usdc and e2e_test do not exist in this branch; those Dependabot PRs are not applicable. Several Go packages (x/crypto, x/net, x/oauth2) were already at versions newer than their respective Dependabot PRs targeted.
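As an added verification step (example code, not part of this PR or of the repository's scripts), a small check that parses a Yarn Berry lockfile and reports any resolved version still below the fixed versions listed above. The FLOORS table mirrors the fixed versions in this PR description, and the sample lockfile is constructed for the example.

```python
# Fixed versions taken from the PR description, keyed by package name and
# major version (picomatch has a separate fixed version per major range).
FLOORS = {
    "lodash": {4: "4.18.1"},
    "ws": {7: "7.5.11"},
    "picomatch": {2: "2.3.2", 4: "4.0.4"},
    "@protobufjs/utf8": {1: "1.1.1"},
}

def semver_key(version):
    """Numeric (major, minor, patch) tuple; prerelease and build tags are ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("+")[0].split("."))

def parse_berry_lock(text):
    """Yield (name, resolved_version) per entry; headers are unindented quoted descriptor lists."""
    names, version = [], None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            yield from ((n, version) for n in names if version)
            # "lodash@npm:^4.17.21" -> "lodash"; "@scope/pkg@npm:^1" -> "@scope/pkg"
            names = [d.strip().rsplit("@", 1)[0] for d in line[:-1].strip('"').split(",")]
            version = None
        elif names and line.strip().startswith("version:"):
            version = line.split(":", 1)[1].strip().strip('"')
    yield from ((n, version) for n in names if version)

def check_lockfile(text):
    """Return sorted (name, resolved, floor) for entries still below their fixed version."""
    violations = []
    for name, resolved in set(parse_berry_lock(text)):
        floor = FLOORS.get(name) and FLOORS[name].get(semver_key(resolved)[0])
        if floor and semver_key(resolved) < semver_key(floor):
            violations.append((name, resolved, floor))
    return sorted(violations)

# Constructed sample in Yarn Berry format, not the repository's real lockfile.
SAMPLE_LOCK = """\
__metadata:
  version: 8
"lodash@npm:^4.17.21":
  version: 4.18.1
  resolution: "lodash@npm:4.18.1"
"ws@npm:^7.4.6, ws@npm:^7.5.0":
  version: 7.5.10
  resolution: "ws@npm:7.5.10"
"@protobufjs/utf8@npm:^1.1.0":
  version: 1.1.0
  resolution: "@protobufjs/utf8@npm:1.1.0"
"""
```

Running check_lockfile over each of the 11 yarn.lock files after scripts/update-package-locks.sh confirms that the resolutions pins actually reached the lockfiles; entries on a different major than any floor are deliberately skipped.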

Copilot AI changed the title from "fix: upgrade packages and lockfiles to fix Dependabot security alerts" to "fix: consolidate Dependabot security alert fixes into single PR" on May 28, 2026
Copilot AI requested a review from michaelfig May 28, 2026 16:43
michaelfig force-pushed the copilot/upgrade-packages-and-lockfiles branch from 1d1bd20 to 675bd24 on June 1, 2026 20:03

socket-security Bot commented Jun 1, 2026


All alerts resolved.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.


michaelfig (Member) commented

@copilot:

  • Next, do another pass to examine all of the Dependabot alerts, and resolve each of them by relying on a fixed version that is the smallest upgrade to our current dependencies.
  • Run scripts/update-package-locks.sh and cd golang/cosmos && go mod tidy, and commit the results.

Copilot AI commented Jun 1, 2026

Contributor Author

@copilot:

  • Next, do another pass to examine all of the Dependabot alerts, and resolve each of them by relying on a fixed version that is the smallest upgrade to our current dependencies.
  • run `scr...

Done in e693ea5. Re-examined all Dependabot alerts, added resolutions entries to every applicable package.json, then ran scripts/update-package-locks.sh (all 11 yarn.lock files updated) and go mod tidy in golang/cosmos (normalised go 1.25 → go 1.25.0; no go.sum changes needed since the Go module pins were already at their fixed versions).

michaelfig force-pushed the copilot/upgrade-packages-and-lockfiles branch from e693ea5 to 0c8712e on June 1, 2026 20:51