
chore(security): patch 1 Dependabot alert #304

Merged: matthv merged 1 commit into main from security/2026-05-14 on May 15, 2026

Conversation

@PMerlet PMerlet (Member) commented May 14, 2026

Summary

1 fixed, 0 ignored, 2 deferred, 1 resolution added, 2 resolutions removed. | label: 🔒 security applied

Fixed

| Alert | Package | Ecosystem | From → To | Severity | What was bumped |
|---|---|---|---|---|---|
| #69 | ip-address | npm | 10.1.0 → 10.2.0 | medium | resolution ^10.1.1 (transitive via semantic-release → @semantic-release/npm → npm → make-fetch-happen → @npmcli/agent → socks-proxy-agent → socks → ip-address) |

Ignored

None.

Deferred

Skipped by the 7-day age gate; will be picked up by the next run:

Resolutions added

| Alert | Package + pin | Parent chain tried | Why the bump wasn't viable | File | Form |
|---|---|---|---|---|---|
| #69 | ip-address: ^10.1.1 | semantic-release → @semantic-release/npm → npm → make-fetch-happen → @npmcli/agent → socks-proxy-agent → socks → ip-address | The vulnerable ip-address is 7 levels deep under semantic-release. The nearest ancestor that could plausibly carry a patched sub-dep is socks; bumping socks would require a major bump of socks-proxy-agent and @npmcli/agent, which in turn would force a major bump of npm inside @semantic-release/npm and ultimately semantic-release itself. No reasonable single parent bump closes the alert. | root package.json | unconditional (only one chain pulls ip-address in this tree, so root-scoped is the minimum effective placement) |

Resolved version in the tree: ip-address@10.2.0 (satisfies >= 10.1.1).

Resolutions removed

| File | Package + pin | Reason |
|---|---|---|
| root package.json | lodash: ^4.18.0 | Redundant — fresh install with the entry removed (lockfile regenerated) still resolves lodash@4.18.1, which satisfies the original ^4.18.0 pin. Upstream parents (@semantic-release/changelog, @semantic-release/git, @commitlint/cli's git-raw-commits) now request a range that naturally lands on >= 4.18.0. |
| root package.json | lodash-es: ^4.18.0 | Redundant — same check: fresh install resolves lodash-es@4.18.1 naturally, satisfying the original ^4.18.0 pin. |

The semantic-release-slack-bot/**/micromatch: ^4.0.8 resolution was checked and kept — removing it drops semantic-release-slack-bot#micromatch back to 4.0.2 (the vulnerable range the resolution was added to escape).

Risks

  • ip-address 10.1.0 → 10.2.0: per the upstream CHANGELOG, the 10.1.x → 10.2.x series is purely fixes — the XSS patch in Address6 HTML-emitting helpers plus internal refactors. We don't import ip-address directly anywhere in this repo (it's a transitive dep of socks-proxy-agent used by semantic-release at release time only); no API surface we call has changed.
  • Removing the lodash and lodash-es resolutions has no behavior impact — the resolved versions in the tree are identical to what was being pinned (both 4.18.1).
  • No production runtime code is affected: package.json here exists only for release tooling (semantic-release, commitlint). The shipped artifact is the Ruby gem; none of these packages reach end users.

Manual testing

Covered by CI.

Validation

✅ CI green
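The two checks the PR body describes (the "Resolved version in the tree" check for the ip-address alert, and the "fresh install with the entry removed, lockfile regenerated" check used to decide that the lodash and lodash-es resolutions were redundant while the micromatch one was not) can be scripted. The following is an added example, not code from this PR or from the project: a dependency-free Node script that reads resolved versions out of a yarn.lock v1 file and reports, per `resolutions` pin, whether every copy in the tree already satisfies the range. The lockfile text, the package `@example/scoped`, the registry URLs and the integrity values are constructed placeholders, and `parseYarnLock`, `auditPin` and `alertClosed` are names chosen for this example. The `redundant` verdict is only meaningful when the lockfile was regenerated with the pin removed, exactly as the PR did.

```javascript
// Constructed sample yarn.lock (v1 format), modelled on the packages named in
// the PR after the lodash/lodash-es/micromatch resolutions were removed and the
// lockfile regenerated. URLs and integrity hashes are placeholders.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


ip-address@^10.1.1, ip-address@^9.0.5:
  version "10.2.0"
  resolved "https://registry.example/ip-address/-/ip-address-10.2.0.tgz#placeholder"
  integrity sha512-PLACEHOLDER

lodash@^4.17.21, lodash@^4.18.0:
  version "4.18.1"
  resolved "https://registry.example/lodash/-/lodash-4.18.1.tgz#placeholder"
  integrity sha512-PLACEHOLDER

"lodash-es@^4.18.0":
  version "4.18.1"
  resolved "https://registry.example/lodash-es/-/lodash-es-4.18.1.tgz#placeholder"
  integrity sha512-PLACEHOLDER

micromatch@^4.0.2:
  version "4.0.2"
  resolved "https://registry.example/micromatch/-/micromatch-4.0.2.tgz#placeholder"
  integrity sha512-PLACEHOLDER

"@example/scoped@^1.0.0":
  version "1.0.3"
  resolved "https://registry.example/@example/scoped/-/scoped-1.0.3.tgz#placeholder"
  integrity sha512-PLACEHOLDER
`;

// Parse a v1 yarn.lock into Map<packageName, Set<resolvedVersion>>.
// A header line is unindented and ends with ":"; it lists one or more
// "name@range" keys separated by commas, each optionally double-quoted.
function parseYarnLock(text) {
  const byName = new Map();
  let currentNames = [];
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      currentNames = line.slice(0, -1).split(',').map((key) => {
        const k = key.trim().replace(/^"|"$/g, '');
        const at = k.lastIndexOf('@'); // last "@" splits name from range (handles @scope/name)
        return at > 0 ? k.slice(0, at) : k;
      });
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m) {
      for (const name of currentNames) {
        if (!byName.has(name)) byName.set(name, new Set());
        byName.get(name).add(m[1]);
      }
    }
  }
  return byName;
}

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal range matcher for the forms that show up in resolutions:
// "^x.y.z" (caret, with the 0.x special cases), ">=x.y.z" and exact "x.y.z".
function satisfies(version, range) {
  const r = range.trim();
  const v = parseVersion(version);
  if (r.startsWith('^')) {
    const base = parseVersion(r.slice(1));
    if (compareVersions(version, r.slice(1)) < 0) return false;
    if (base[0] > 0) return v[0] === base[0];
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  if (r.startsWith('>=')) return compareVersions(version, r.slice(2)) >= 0;
  if (/^v?\d+\.\d+\.\d+$/.test(r)) return compareVersions(version, r) === 0;
  throw new Error(`unsupported range: ${range}`);
}

// Redundancy check: on a lockfile regenerated WITHOUT the pin, `redundant` is
// true when every resolved copy already satisfies the range on its own.
function auditPin(lockText, pkgName, range) {
  const versions = [...(parseYarnLock(lockText).get(pkgName) || [])].sort(compareVersions);
  const unsatisfied = versions.filter((v) => !satisfies(v, range));
  return { package: pkgName, range, versions, unsatisfied,
    present: versions.length > 0, redundant: versions.length > 0 && unsatisfied.length === 0 };
}

// Alert check: every copy of the package in the tree is at or above the fixed version.
function alertClosed(lockText, pkgName, fixedVersion) {
  const versions = [...(parseYarnLock(lockText).get(pkgName) || [])];
  return versions.length > 0 && versions.every((v) => compareVersions(v, fixedVersion) >= 0);
}

// Pins from the PR, audited against the constructed lockfile.
for (const [name, range] of [['lodash', '^4.18.0'], ['lodash-es', '^4.18.0'], ['micromatch', '^4.0.8']]) {
  const r = auditPin(SAMPLE_LOCK, name, range);
  const verdict = !r.present ? 'not in tree' : r.redundant ? 'redundant' : `keep (unsatisfied: ${r.unsatisfied.join(', ')})`;
  console.log(`${name} ${range}: resolved ${r.versions.join(', ') || '-'} -> ${verdict}`);
}
console.log(`ip-address alert closed (>= 10.1.1): ${alertClosed(SAMPLE_LOCK, 'ip-address', '10.1.1')}`);
```

With the sample lockfile the script reports lodash and lodash-es as redundant, micromatch as keep (4.0.2 does not satisfy ^4.0.8), and the ip-address alert as closed, matching the conclusions in the PR body. A real audit would read `yarn.lock` from disk after running `yarn install` with the candidate pin removed.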

Note

Patch Dependabot alert by replacing lodash and lodash-es with ip-address

Removes lodash and lodash-es as direct dependencies and adds ip-address (^10.1.1) to address a Dependabot security alert. The yarn.lock is updated accordingly.

Macroscope summarized 91e27de.

@matthv matthv merged commit 7bc10f1 into main May 15, 2026
45 checks passed
@matthv matthv deleted the security/2026-05-14 branch May 15, 2026 07:49


3 participants