
fix(deps): resolve npm audit advisories (ws/tar/markdown-it)#2242

Merged
bokelley merged 1 commit into
adcontextprotocol:mainfrom
BaiyuScope3:fix/audit-advisories
Jun 16, 2026

Conversation

@BaiyuScope3 BaiyuScope3 commented Jun 16, 2026

Collaborator

Why

npm audit reports advisories in the dependency tree (also present on main — not introduced by any feature work). This resolves the ones fixable without a breaking change.

What Changed

Non-breaking npm audit fix, lockfile-only, no package.json range changes:

| Package | Bump | Advisory | Severity | Scope |
| --- | --- | --- | --- | --- |
| ws | 8.20.1 → 8.21.0 | GHSA-96hv-2xvq-fx4p — memory-exhaustion DoS | high | runtime dep of @adcp/sdk |
| tar | 7.5.15 → 7.5.16 | GHSA-vmf3-w455-68vh — PAX header file smuggling | moderate | devDependency (build-time only) |
| markdown-it | 14.1.1 → 14.2.0 | GHSA-6v5v-wf23-fmfq — smartquotes quadratic DoS | moderate | dev-only (via typedoc) |

Only ws is a runtime dependency; tar and markdown-it are dev/build-time, so their advisories don't reach adopters of the SDK.

Incidental transitive resolutions

npm audit fix also re-resolved a few unrelated transitive deps to satisfy the tree (all dev-only, none flagged by audit — listed here so the lockfile diff doesn't surprise):

  • js-yaml 4.1.1 → 4.2.0 across 5 nested instances (@apidevtools/*, @redocly/*, cosmiconfig, json-schema-to-typescript, read-yaml-file)
  • hono 4.12.23 → 4.12.25

These are distinct from the @changesets/* → js-yaml advisory chain left out below — those vulnerable @changesets instances are unchanged here.

Left out (deliberately)

The remaining 5 moderate advisories are the @changesets/* → js-yaml chain (release tooling, dev-only). They only clear under npm audit fix --force, which majors the changesets toolchain — a breaking change left for a maintainer decision rather than bundling here.

Verification

  • npm run build:lib — passes
  • npm audit: high 0 (was 2), total 5 moderate (was ~18), all remaining in dev-only release tooling
  • Lockfile-only; no source or package.json changes

🤖 Generated with Claude Code

aao-ipr-bot Bot previously approved these changes Jun 16, 2026

@aao-ipr-bot aao-ipr-bot Bot left a comment


Clean lockfile-only security bump. Right call splitting the non-breaking npm audit fix from the --force @changesets/* → js-yaml chain that majors the release toolchain — fail-closed on scope beats bundling a breaking dep bump into a security patch.

Things I checked

  • Changeset present and correctly typed. .changeset/fix-audit-advisories.md ships a patch. ws is a real runtime dependency (package.json:403), so the GHSA-96hv-2xvq-fx4p DoS fix reaches adopters on install — a changeset is load-bearing here, not optional. patch is the right shape: dep-tree bump, no API surface change.
  • No package.json range edits. All bumps land inside existing ranges (ws ^8.20.0 → 8.21.0, tar ^7.5.13 → 7.5.16). Lockfile-only, as advertised.
  • No source / no version-field edit. Diff is 2 files: the changeset + package-lock.json. package.json version untouched — changesets keep ownership.
  • Scope of the leftover advisories is honest. The 5 remaining moderates are the dev-only @changesets/* → js-yaml chain that only clears under --force; correctly deferred to a maintainer decision rather than forced through here.

Minor nits (non-blocking)

  1. tar is a devDependency, not runtime. PR body says "ws and tar are @adcp/sdk runtime deps" — tar lives in devDependencies (package.json:444); only ws is runtime. Doesn't change the fix, but the GHSA-vmf3 PAX-parser advisory only affects build-time, not adopters.
  2. Lockfile moves more than the changeset names. npm audit fix also pulled js-yaml 4.1.1 → 4.2.0 across five nested dev instances (@apidevtools, @redocly, cosmiconfig, json-schema-to-typescript, read-yaml-file) and hono 4.12.23 → 4.12.25. These are distinct from the @changesets/* → js-yaml chain the body says it left out, so the body is accurate — but a reader diffing the lockfile will see js-yaml move right after reading "left out" and pause. A one-line "incidental transitive resolutions" note would have saved the double-take.

Approving on the strength of the runtime ws DoS fix plus the clean scope split.

Non-breaking `npm audit fix`: ws 8.20.1->8.21.0 (high, GHSA-96hv-2xvq-fx4p),
tar 7.5.15->7.5.16 (GHSA-vmf3-w455-68vh), markdown-it (GHSA-6v5v-wf23-fmfq via
typedoc). Lockfile-only; no package.json range changes. Remaining @changesets/*
-> js-yaml advisories need a breaking release-tooling bump, left for a separate
maintainer decision.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@aao-ipr-bot aao-ipr-bot Bot left a comment


Clean security-driven lockfile bump. Right call splitting the non-breaking npm audit fix from the --force path that would major the changesets toolchain — fail-closed on the breaking change, leave it for a maintainer decision.

Things I checked

  • Lockfile-only. package.json is not in the diff (gh pr diff --name-only shows exactly two files: the changeset and package-lock.json) — no manual version edit, no dependency-range changes. MUST FIX #6 clear.
  • Changeset present and correctly typed patch. Lockfile-only security bumps with no API-surface change are a patch — no exported symbol moved, no response shape changed. MUST FIX #5 and #7 clear.
  • ws 8.20.1 → 8.21.0 is the only runtime dep moved — it's the lone entry in the diff without "dev": true (package-lock.json:7293). GHSA-96hv-2xvq-fx4p (high, memory-exhaustion DoS) is the one advisory that actually reached adopters; closing it is the load-bearing change here. tar and markdown-it carry "dev": true — build-time only, don't ship.
  • Incidental transitive re-resolutions (js-yaml 4.1.1 → 4.2.0 across 5 nested instances, hono, linkify-it) are all "dev": true and disclosed in the PR body. No surprise in the lockfile diff.
  • No source touched, so no code-reviewer (skip-everything: pure dependency bump). Build verification (npm run build:lib passes) is the author's; the change can't alter runtime behavior beyond the ws patch.

Follow-ups (non-blocking — file as issues)

  • The 5 remaining moderate advisories (@changesets/* → js-yaml) need --force and a changesets major. Track separately so they don't sit indefinitely behind "maintainer decision."

LGTM.
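One way to check the two properties that both the PR body and the review above rely on, that a change is lockfile-only and that only the expected runtime packages moved, is to diff the `packages` map of two lockfileVersion 3 files and read npm's `"dev": true` flag. This is an added example, not code from the PR or the adcontextprotocol project; the two lockfile fragments are constructed for illustration and only mirror the versions named above.

```python
import json
# Constructed minimal lockfileVersion 3 fragments (not the project's real lockfiles);
# the versions mirror the bumps listed in the PR body.
OLD_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"ws": "^8.20.0"}, "devDependencies": {"tar": "^7.5.13"}},
    "node_modules/ws": {"version": "8.20.1"},
    "node_modules/tar": {"version": "7.5.15", "dev": true},
    "node_modules/markdown-it": {"version": "14.1.1", "dev": true},
    "node_modules/cosmiconfig/node_modules/js-yaml": {"version": "4.1.1", "dev": true}
  }}""")
NEW_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"ws": "^8.20.0"}, "devDependencies": {"tar": "^7.5.13"}},
    "node_modules/ws": {"version": "8.21.0"},
    "node_modules/tar": {"version": "7.5.16", "dev": true},
    "node_modules/markdown-it": {"version": "14.2.0", "dev": true},
    "node_modules/cosmiconfig/node_modules/js-yaml": {"version": "4.2.0", "dev": true}
  }}""")

def lockfile_bumps(old, new):
    """List (path, old_version, new_version, dev_only) for every installed
    package whose resolved version differs between the two lockfiles."""
    old_pkgs, new_pkgs = old["packages"], new["packages"]
    bumps = []
    for path in sorted((set(old_pkgs) | set(new_pkgs)) - {""}):
        o, n = old_pkgs.get(path, {}), new_pkgs.get(path, {})
        if o.get("version") != n.get("version"):
            # npm marks build-time-only installs with "dev": true; anything
            # without that flag ships to adopters of the package.
            dev_only = bool(n.get("dev", o.get("dev", False)))
            bumps.append((path, o.get("version"), n.get("version"), dev_only))
    return bumps

def runtime_bumps(bumps):
    """Only the bumps that reach adopters (entries with no "dev": true flag)."""
    return [b for b in bumps if not b[3]]

def root_range_changes(old, new):
    """Keys of the root "" entry (npm's mirror of package.json) that differ.
    A non-empty result means dependency ranges moved, so the diff is not lockfile-only."""
    o, n = old["packages"].get("", {}), new["packages"].get("", {})
    return sorted(k for k in set(o) | set(n) if o.get(k) != n.get(k))

if __name__ == "__main__":
    for path, was, now, dev_only in lockfile_bumps(OLD_LOCK, NEW_LOCK):
        print(f"{path}: {was} -> {now} ({'dev-only' if dev_only else 'RUNTIME'})")
```

Run against the real pre- and post-change package-lock.json files, an empty `root_range_changes` plus a `runtime_bumps` list containing only ws is exactly what the review's "lockfile-only" and "lone entry without dev: true" checks assert.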

@bokelley bokelley merged commit 16ee37f into adcontextprotocol:main Jun 16, 2026
30 checks passed