Audit fixes

[diegopinate]

1. Fix vulnerabilities.
2. Update to Node 22.

[changeset-bot]

🦋 Changeset detected

Latest commit: 6b7d55d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the repo to target Node.js 22 and refreshes several frontend/backend tooling dependencies and security-related pnpm overrides.

Changes:

• Bump Node.js engine requirement to >=22 and update GitHub Actions workflows to use Node 22.
• Update build/test tooling versions (Vite, Vitest, vite-plugin-static-copy) and TypeScript Node typings.
• Expand pnpm.overrides and add a pinned packageManager version for pnpm.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
packages/test-app-frontend/package.json	Updates Vite and static copy plugin versions.
packages/test-app-backend/package.json	Updates Node typings and Express version range.
packages/changed-elements-react/src/tests/ProgressCoordinator.test.ts	Tightens typing for the Vitest mock callback.
packages/changed-elements-react/package.json	Updates Vite and Vitest versions.
package.json	Raises Node engine, bumps @types/node, expands pnpm overrides, and pins pnpm via packageManager.
.github/workflows/release-workflow.yml	Switches release workflow Node version to 22.
.github/workflows/dependabot-push.yml	Switches dependabot push workflow Node version to 22.
.github/workflows/CI.yaml	Switches CI workflow Node version to 22.21.1.

Comments suppressed due to low confidence (2)

package.json:89

• Several pnpm.overrides entries for the same packages overlap (e.g., multiple happy-dom and tmp selectors) and at least one looks internally inconsistent (happy-dom@<20.8.9 => >=20.8.9 while another targets up to 20.8.7 => >=20.8.8). This can make installs harder to reason about and may produce warnings or unexpected resolutions. Consolidate to a single, non-overlapping selector per package (or add a brief comment/documentation indicating the intent and precedence).
  package.json:89
• Several pnpm.overrides entries for the same packages overlap (e.g., multiple happy-dom and tmp selectors) and at least one looks internally inconsistent (happy-dom@<20.8.9 => >=20.8.9 while another targets up to 20.8.7 => >=20.8.8). This can make installs harder to reason about and may produce warnings or unexpected resolutions. Consolidate to a single, non-overlapping selector per package (or add a brief comment/documentation indicating the intent and precedence).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.