Fix: Resolve High Vulnerable Dependency

[ping-huang1]

Summary

VULN-9964

This PR resolves a set of High dependency vulnerabilities using Socket Fix. See the Socket scan for details.

This patch was applied with the following Socket fix command.

npx socket fix \
  --id GHSA-5j59-xgg2-r9c4 \
  --id GHSA-5j98-mcp5-4vw2 \
  --id GHSA-67pg-wm7f-q7fj \
  --id GHSA-9vjf-qc39-jprp \
  --id GHSA-f8cm-6447-x5h2 \
  --id GHSA-h25m-26qc-wcjf \
  --id GHSA-mwv6-3258-q52c \
  --id GHSA-p5xg-68wr-hm3m 

Changes

Vulnerabilities fixed (8 CVEs across 3 packages):

• minimatch — patched in webflow-cli (v3.1.2, v5.1.6) and typescript-eslint (v9.0.5) for 3 CVEs:
  **CVE-2026-27904 (GHSA-5j59-xgg2-r9c4, GHSA-67pg-wm7f-q7fj)
  **CVE-2026-26996 (GHSA-5j98-mcp5-4vw2, GHSA-9vjf-qc39-jprp)
  **CVE-2026-27903 (GHSA-f8cm-6447-x5h2, GHSA-mwv6-3258-q52c)
  *koa — patched in webflow-cli (v3.0.1) for CVE-2026-27959 (GHSA-h25m-26qc-wcjf)
  *rollup — patched in plugin-react (v4.53.2) for CVE-2026-27606 (GHSA-p5xg-68wr-hm3m)

Scope of changes:

• Updated package.json files in affected workspaces
• Regenerated package-lock.json lockfiles
• Applied via npx socket fix with the 8 GHSA IDs

Notes

• Upgraded vulnerable dependencies across affected workspaces
• Updated relevant package.json files
• Regenerated lockfiles where necessary (package-lock.json)
• No application or infrastructure logic changes

Validation

• Ran pnpm install successfully after applying dependency upgrades
• Lockfiles regenerated to ensure consistent dependency resolution