chore(deps): resolve remaining Dependabot alerts via cross-major dependency upgrades (#13449)

* chore(deps): resolve remaining Dependabot alerts via dependency upgrades

Cross-major security upgrades that pnpm overrides alone could not fix:

- next 14/15.3 -> 15.5.18 (docs + apps/dev/nextjs)
- svelte 4 -> 5.55.7, @sveltejs/kit -> 2.60.1, devalue -> 5.8.1
  (frameworks-sveltekit, apps/dev/sveltekit, sveltekit example)
- vitest 1.6.1 -> 3.2.6, vite 5 -> 6.4.2 (root + qwik/sveltekit apps)
- nodemailer 7 -> 8.0.5 (devDep) and widen peer to ^7.0.7 || ^8.0.0
  (core, next-auth, frameworks-sveltekit)
- vite-plugin-static-copy -> 2.3.2 (frameworks-qwik)
- better-auth -> 1.6.16, shell-quote -> 1.8.4, @grpc/grpc-js -> 1.14.4,
  brace-expansion -> 2.1.1, mailparser -> 3.9.3,
  estree-util-value-to-estree -> 3.3.3 (root overrides)
- undici -> ^6.24.0 (qwik apps), @actions/core -> 1.11.1, qs -> 6.15.2
  (broken-link-checker)
- example lockfile refreshes (qwik, sveltekit, express, solid-start)

Resolves 167 of 200 open Dependabot alerts. The remainder are pinned
by upstream majors (tar@6 via node-gyp chain, undici@5 via miniflare 2,
old AWS/Azure/GCP SDK transitives, archived solid-start) and will be
dismissed with comments.

* chore(deps): fix additional alerts (jsonwebtoken, socks/ip, micromatch, cross-spawn, vue-template-compiler, tsup)

- override jsonwebtoken@8 -> 9.0.0 (legacy @azure/msal-node chain)
- override socks@2 -> 2.8.9, eliminating abandoned 'ip' package
- override micromatch@4 -> 4.0.8, cross-spawn@5 -> 6.0.6
- vite-plugin-dts 3 -> 4 in frameworks-qwik (drops vue-template-compiler)
- tsup -> 8.5.1 in broken-link-checker

Author: Bekacru

.github/broken-link-checker/package.json

@@ -19,12 +19,12 @@
   "license": "MIT",
   "devDependencies": {
     "@types/node": "^20.11.15",
-    "tsup": "^8.0.1",
+    "tsup": "^8.5.1",
     "tsx": "^4.7.0",
     "typescript": "^5.3.3"
   },
   "dependencies": {
-    "@actions/core": "^1.10.1",
+    "@actions/core": "^1.11.1",
     "@actions/github": "^6.0.0",
     "broken-link-checker": "^0.7.8"
   },
@@ -40,13 +40,13 @@
       "glob@10": "10.5.0",
       "minimatch@9": "9.0.7",
       "picomatch@2": "2.3.2",
-      "qs@6": "6.14.1",
+      "qs@6": "6.15.2",
       "robots-txt-guard@1": "1.0.2",
       "rollup@4": "4.59.0",
       "semver@5": "5.7.2",
       "tmp@0": "0.2.6",
       "tough-cookie@4": "4.1.3",
-      "undici@5": "5.29.0",
+      "undici@5": "6.24.0",
       "undici@6": "6.24.0",
       "uuid@11": "11.1.1"
     }

.github/broken-link-checker/pnpm-lock.yaml

@@ -1,6 +1,7 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
 /// <reference types="next/navigation-types/compat/navigation" />
+/// <reference path="./.next/types/routes.d.ts" />
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

apps/dev/nextjs/next-env.d.ts

@@ -11,7 +11,7 @@
   },
   "license": "ISC",
   "dependencies": {
-    "next": "15.3.1",
+    "next": "15.5.18",
     "next-auth": "workspace:*",
     "react": "19.0.0-rc-4c58fce7-20240904",
     "react-dom": "19.0.0-rc-4c58fce7-20240904"

apps/dev/nextjs/package.json

@@ -37,8 +37,8 @@
     "eslint-plugin-qwik": "^1.5.5",
     "prettier": "^3.2.5",
     "typescript": "5.4.5",
-    "undici": "*",
-    "vite": "^5.2.10",
+    "undici": "^6.24.0",
+    "vite": "^6.4.2",
     "vite-tsconfig-paths": "^4.2.1"
   }
 }

apps/dev/qwik/package.json

@@ -12,10 +12,10 @@
   },
   "devDependencies": {
     "@sveltejs/adapter-auto": "next",
-    "@sveltejs/kit": "^2.5.7",
-    "@sveltejs/vite-plugin-svelte": "^3.0.0",
-    "svelte": "^4",
-    "svelte-check": "2.10.2",
+    "@sveltejs/kit": "^2.60.1",
+    "@sveltejs/vite-plugin-svelte": "^5.1.1",
+    "svelte": "^5.55.7",
+    "svelte-check": "^4.0.4",
     "typescript": "5.2.2"
   },
   "dependencies": {

apps/dev/sveltekit/package.json

@@ -19,17 +19,17 @@
   "license": "ISC",
   "dependencies": {
     "@auth/express": "latest",
-    "express": "^4.19.2",
-    "morgan": "^1.10.0",
-    "pug": "^3.0.2",
-    "tailwindcss": "^3.4.3"
+    "express": "^4.22.2",
+    "morgan": "^1.11.0",
+    "pug": "^3.0.4",
+    "tailwindcss": "^3.4.19"
   },
   "devDependencies": {
-    "@types/express": "^4.17.21",
-    "@types/morgan": "^1.9.9",
-    "@types/node": "^20.12.7",
+    "@types/express": "^4.17.25",
+    "@types/morgan": "^1.9.10",
+    "@types/node": "^20.19.43",
     "@types/pug": "^2.0.10",
-    "tsx": "^4.7.0",
+    "tsx": "^4.22.4",
     "typescript": "5.3.3"
   },
   "pnpm": {
@@ -41,7 +41,8 @@
       "path-to-regexp@0": "0.1.13",
       "picomatch@2": "2.3.2",
       "qs@6": "6.15.2",
-      "yaml@2": "2.8.3"
+      "yaml@2": "2.8.3",
+      "postcss@8": "8.5.10"
     }
   }
 }