
fix(deps): Resolve Dependabot security alerts #17998

Merged: sfanahata merged 1 commit into master from fix/dependabot-alerts-batch on Jun 24, 2026

Conversation

@sfanahata (Contributor) commented Jun 2, 2026

DESCRIBE YOUR PR

Resolves open Dependabot security alerts via dependency bumps, lockfile updates, and targeted pnpm overrides. Supersedes #17699.

Critical (1):

  • Alert 329 shell-quote: command injection → override shell-quote: ^1.8.4

High-severity (5):

  • Alert 325 js-cookie: prototype hijack → bumped ^3.0.5 → ^3.0.7
  • Alert 303 fast-xml-builder → override fast-xml-parser: ^5.7.0
  • Alert 343 vite: → added as devDependency at ^7.3.5
  • Alerts 346, 347 form-data → override form-data: ^4.0.6

Medium-severity (20+):

Not addressed in this PR:

  • Alert 355 @opentelemetry/core (medium) — needs @sentry/nextjs to bump its OpenTelemetry deps
  • Alert 331 esbuild (low) — already at ^0.28.1 as direct dep; alert may be for transitive 0.27.x
  • Alert 341 @babel/core (low) — needs upstream package updates

Cleanup:

  • Removed @types/dompurify from devDependencies and pnpm overrides — dompurify 3.x ships its own TypeScript definitions, and @types/dompurify is officially deprecated as a stub

Override justifications:

| Override | Why not a direct bump? |
|---|---|
| dompurify: 3.4.11 | mermaid and @sentry-internal/global-search pull it transitively |
| fast-xml-parser: ^5.7.0 | @google-cloud/storage depends on old version |
| postcss: ^8.5.10 | Next.js 15.5.18 bundles postcss 8.4.31 internally |
| uuid: ^11.1.1 | No 8.x/9.x patch exists; API-compatible; 3 of 4 consumers dropped uuid in latest |
| shell-quote: ^1.8.4 | Transitive via launch-editor |
| launch-editor: ^2.14.1 | Transitive via vite/Next.js dev server |
| form-data: ^4.0.6 | Transitive via jsdom (test environment) |
| undici: ^6.27.0 | Bumped existing override from ^6.24.0 |
| vite: ^7.3.5 | Also added as devDep since override alone didn't resolve it |

IS YOUR CHANGE URGENT?

  • None: Not urgent, can wait up to 1 week+

PRE-MERGE CHECKLIST

  • Checked Vercel preview for correctness, including links
  • PR was reviewed and approved by any necessary SMEs (subject matter experts)
  • PR was reviewed and approved by a member of the Sentry docs team

@sfanahata sfanahata requested review from chargome and sergical June 2, 2026 19:53
@vercel (bot) commented Jun 2, 2026

The latest updates on your projects.

| Project | Deployment | Updated (UTC) |
|---|---|---|
| develop-docs | Ready | Jun 23, 2026 11:55pm |
| sentry-docs | Ready | Jun 23, 2026 11:55pm |

@coolguyzone (Contributor) left a comment

Changes look good! Clean up the conflicts and this should be good to go.

Direct dependency bumps:
- dompurify: 3.3.2 -> 3.4.11 (alerts 291-298, 333-339, 348-357)
- js-cookie: ^3.0.5 -> ^3.0.7 (alert 325)
- js-yaml: ^4.1.0 -> ^4.2.0 (alert 342)
- ws: ^8.17.1 -> ^8.21.0 (pnpm audit high + moderate)

Added vite as devDependency:
- vite: ^7.3.5 (alerts 287-289, 343, 345; was transitive-only via vitest)

New pnpm overrides for transitive dependencies:
- dompurify: 3.4.11 (mermaid and global-search pull it transitively)
- fast-xml-parser: ^5.7.0 (alerts 300, 303; google-cloud/storage)
- undici: ^6.27.0 (alerts 359-360; bumped existing override)
- postcss: ^8.5.10 (alert 301; next.js bundles 8.4.31)
- uuid: ^11.1.1 (alert 324; no 9.x patch exists)
- shell-quote: ^1.8.4 (alert 329 critical; via launch-editor)
- launch-editor: ^2.14.1 (alert 344; pulls fixed shell-quote)
- form-data: ^4.0.6 (alerts 346-347; via jsdom)
- vite: ^7.3.5 (ensure lockfile resolves patched version)

Lockfile updates via pnpm update:
- picomatch: already at 2.3.2/4.0.4 on master
- brace-expansion: 2.0.2 -> 2.1.1 (alert 284)
- yaml: 1.10.2 -> 1.10.3, 2.8.2 -> 2.9.0 (alerts 277-278)

Cleanup:
- Removed @types/dompurify from devDependencies and overrides
  (dompurify ships its own types; @types/dompurify is deprecated)

@sfanahata sfanahata force-pushed the fix/dependabot-alerts-batch branch from 70bfd5c to 541d8ec on June 23, 2026 23:44
Comment thread on package.json (the lines under review):

```json
"minimatch": "^9.0.0",
"postcss": "^8.5.10",
"uuid": "^11.1.1",
"shell-quote": "^1.8.4",
```

Review comment (Contributor):

Bug: Forcing uuid to v11.1.1 via an override may break transitive dependencies like @google-cloud/storage, which expect an older version and its default export.
Severity: HIGH

Suggested Fix

Remove the global override for uuid in package.json. If a specific version is needed for a direct dependency, address it there. Otherwise, allow the package manager to resolve the correct uuid version for each dependency, like @google-cloud/storage, to ensure it receives a compatible version (e.g., v8 or v9) that includes the expected default export.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: package.json#L184

Potential issue: The `uuid` package is being forced to version 11.1.1 via a
`package.json` override. This version of `uuid` removes the default export, which is a
breaking change from versions like v8 and v9. A transitive dependency,
`@google-cloud/storage@7.19.0`, was built for `uuid@^8.0.0` and may rely on the
now-removed default export. If `@google-cloud/storage` uses the old `require('uuid')`
import pattern, it will fail at runtime when any of its functions that internally use
`uuid` are called, leading to potential application crashes.


@sfanahata (Contributor, Author) replied:

Looks like a false positive:

The default export was actually removed in uuid 10.0.0, but none of these packages use it. They all use v4 as a named export, which uuid 11.x fully supports. I confirmed this with runtime smoke tests from each consumer's dependency context after a clean node_modules reinstall.
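The smoke test the author describes, written out as an added example (this is not code from the PR or the sentry-docs project): it resolves `uuid` from a consumer package's own directory, the way Node does under pnpm's per-package `node_modules` layout, and reports whether the `v4` named export is present and produces a well-formed UUID, and whether a default export exists (uuid 10 and later dropped it). The consumer list, the injectable `loader` parameter and the function names are assumptions made for this example.

```javascript
// Added example, not code from the sentry-docs repository or the PR.
// Verifies that the uuid resolved from a consumer's dependency context still
// exposes the named `v4` export the consumer uses after the override to 11.x.

// Matches a version-4 UUID: version nibble 4, RFC 4122 variant bits 10xx.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Default loader: resolve 'uuid' as Node would from inside the consumer's
// directory, so whatever copy pnpm linked for that consumer is the one tested.
function loadUuidFrom(consumerDir) {
  const resolved = require.resolve('uuid', { paths: [consumerDir] });
  return { resolved, mod: require(resolved) };
}

// Inspect one loaded uuid module object and report the exports that matter.
function inspectUuidModule(mod) {
  const hasV4 = typeof mod.v4 === 'function';
  let v4Works = false;
  if (hasV4) {
    try {
      v4Works = UUID_V4.test(mod.v4());
    } catch (_) {
      v4Works = false;
    }
  }
  return {
    hasV4,
    v4Works,
    // uuid >= 10 removed the default export; a consumer doing
    // `import uuid from 'uuid'` or `require('uuid').default` would break.
    hasDefault: mod.default !== undefined,
  };
}

// Run the smoke test for a list of consumer package directories.
// `loader` is injectable so the logic can be exercised without a real install.
function smokeTestUuid(consumerDirs, loader = loadUuidFrom) {
  const results = consumerDirs.map((dir) => {
    try {
      const { resolved, mod } = loader(dir);
      const report = inspectUuidModule(mod);
      return { consumer: dir, resolved, ...report, ok: report.hasV4 && report.v4Works };
    } catch (err) {
      // A resolution failure is itself a finding: the consumer cannot load uuid at all.
      return { consumer: dir, error: err.message, ok: false };
    }
  });
  return { ok: results.every((r) => r.ok), results };
}

// Stand-alone run against a real install. Assumes the script is executed from
// the repository root and that @google-cloud/storage (the consumer named in
// the thread) is installed; add further consumer directories as needed.
function runFromRepoRoot(root = process.cwd()) {
  const consumers = ['node_modules/@google-cloud/storage'].map((p) => `${root}/${p}`);
  return smokeTestUuid(consumers);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runFromRepoRoot(), null, 2));
}
```

Run it after a clean `pnpm install` from the repository root; a consumer whose resolved `uuid` lacks a working `v4` export, or whose resolution fails outright, shows up with `ok: false`, and `hasDefault` records whether the legacy default export is still there for any consumer that might depend on it.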

@sfanahata sfanahata merged commit 3f4841f into master Jun 24, 2026
23 checks passed
@sfanahata sfanahata deleted the fix/dependabot-alerts-batch branch June 24, 2026 00:02