
Bump dependencies to patched versions (security bundle)#43

Merged
feruzm merged 1 commit into
masterfrom
deps/security-bundle
Jun 9, 2026

Conversation

@feruzm feruzm commented Jun 9, 2026

Member

What

Bundles the outstanding npm Dependabot security updates into one change by extending the existing yarn resolutions block (plus an axios bump), so the vulnerable transitive versions are removed from yarn.lock. Each corresponding Dependabot PR should auto-close once this merges.

No build-toolchain changes — webpack 3 / babel 6 / node-sass 4.x stay put, so the build is unaffected.

Verification

Built against the actual deploy toolchain (node:8, the Dockerfile-web base):

  • yarn install regenerates the lock with patched versions
  • yarn build ✅ succeeds (production bundle emitted)
  • yarn test ✅ 14/15 (the 1 failure is a pre-existing stale snapshot: linkify expects the old steemit.com domain; unrelated to deps and not run at deploy time)

Key bumps (via resolutions, unless noted)

| dep | to | note |
| --- | --- | --- |
| axios | ^0.28.0 (direct) | resolved 0.28.1 |
| lodash / lodash-es | ^4.17.21 | floats to 4.18.1, clears GHSA-r5fr-rjxr-66jc (≤4.17.23) |
| handlebars | ^4.7.8 | 4.7.9 |
| elliptic | ^6.6.1 | |
| minimist | ^1.2.8 | |
| qs | ^6.5.3 | |
| url-parse | ^1.5.10 | |
| decode-uri-component | ^0.2.2 | |
| cross-fetch | ^3.1.5 | |
| urijs | ^1.19.11 | |
| http-proxy | ^1.18.1 | |
| ini | ^1.3.7 | |
| y18n | ^3.2.2 | |
| tmpl / path-parse / dns-packet / hosted-git-info / express | latest patched | |
| node-sass | ^4.14.1 | stays on 4.x (5+ needs newer node) |

Expected to auto-close

Dependabot PRs: #40 #39 #37 #36 #35 #34 #31 #26 #25 #22 #21 #19 #17 #14 #12 #10 #9

Deferred (require modernization, not this PR)

These, plus the remaining build-tooling alerts (webpack/babel/loader-utils/etc., which never ship to the browser), are best handled in a follow-up modernization PR.

Extend yarn resolutions to pull in patched transitive dependencies and
bump axios, closing the outstanding npm Dependabot security PRs without
touching the build toolchain. lodash floats to 4.18.1, which also clears
the recent lodash advisory (<= 4.17.23).

Verified: production build succeeds on the node:8 toolchain; unit tests
pass (the one snapshot diff is a pre-existing stale fixture, unrelated).

Deferred to the toolchain modernization: node-sass 7 / react-dev-utils 11
(need webpack 4+) and the Python deps (need a newer base than 3.5).
@feruzm feruzm merged commit 7e65af8 into master Jun 9, 2026
@feruzm feruzm deleted the deps/security-bundle branch June 9, 2026 06:22

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 056e9c71d4


Comment thread react_app/package.json
"dot-prop": "^4.2.1",
"node-sass": "^4.13.1",
"elliptic": "^6.5.3",
"node-sass": "^4.14.1",

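Review bot: the elliptic line in this hunk reads ^6.5.3, while the "Key bumps" table in the PR description lists elliptic at ^6.6.1; unless the ^6.6.1 line sits outside the four lines shown here, one of the two is wrong and the description and the resolutions block should be reconciled before relying on the table as the audit record. The node-sass entry shown moves the resolution from ^4.13.1 to ^4.14.1 only; nothing in this hunk touches the direct devDependency range, so bump that range to ^4.14.1 in the same change and confirm with `yarn why node-sass` after `yarn install` that a single 4.14.1 entry remains in yarn.lock.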

P2: Bump the actual node-sass dependency

This resolution does not upgrade the top-level devDependencies.node-sass entry, which still requests ^4.9.3; the checked-in lockfile therefore still contains node-sass@^4.9.3 resolved to 4.12.0 at react_app/yarn.lock:5096. In install paths that use the app's direct dev dependency, the security bundle leaves the older node-sass installed while adding a separate 4.14.1 lock entry, so this patch does not actually remove the vulnerable direct dependency unless the devDependency range is bumped too.

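As an added example (not code from this PR or from the project), the script below audits a yarn v1 lockfile against the package.json resolutions block and catches both situations raised on this page: a lock entry still resolved below a resolution's floor, as in the node-sass finding above, and an entry that satisfies the resolution but is still inside an advisory's vulnerable range, which is why the lodash row relies on "floats to 4.18.1" rather than on the ^4.17.21 floor. It assumes the classic yarn.lock v1 text format, caret/tilde/exact x.y.z ranges without prerelease tags, and resolution keys that are bare package names or `**/name`; the embedded package.json and yarn.lock are constructed samples, not the real react_app files, and applying the ≤4.17.23 lodash figure quoted in the description to lodash-es as well is an assumption made for the demo.

```javascript
// Added example, not the project's code: audit a yarn v1 lockfile against the
// "resolutions" block of package.json. All sample inputs below are constructed.

// Parse classic yarn.lock (v1) text into { keys, name, version } entries.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ') && raw.endsWith(':')) {
      // Header line, e.g. `lodash@^4.17.15, lodash@^4.17.21:` or `"@scope/pkg@^1.0.0":`
      const keys = raw.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      const name = keys[0].slice(0, keys[0].lastIndexOf('@')); // last '@' keeps scoped names whole
      current = { keys, name, version: null };
      entries.push(current);
    } else if (current && raw.startsWith('  version ')) {
      current.version = raw.trim().split(/\s+/)[1].replace(/^"|"$/g, '');
    }
  }
  return entries;
}

// Minimal x.y.z handling; assumption: no prerelease tags in the inputs.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
// Lowest version a caret, tilde or exact range admits (assumption: only those forms appear).
function rangeFloor(range) {
  const m = /^[\^~=]?\s*v?(\d+\.\d+\.\d+)/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// knownBad maps a package name to the highest version an advisory still covers.
function auditResolutions(pkg, lockText, knownBad = {}) {
  const lock = parseYarnLockV1(lockText);
  const findings = [];
  for (const [key, resolution] of Object.entries(pkg.resolutions || {})) {
    const name = key.replace(/^\*\*\//, ''); // strip a leading `**/` glob prefix
    const floor = rangeFloor(resolution);
    for (const e of lock.filter((entry) => entry.name === name)) {
      // Resolved below the resolution floor: the override never reached this requester.
      if (compareVersions(e.version, floor) < 0) {
        findings.push({ name, kind: 'stale-lock-entry', key: e.keys.join(', '), version: e.version });
      }
      // Satisfying the resolution is not the same as clearing the advisory.
      if (knownBad[name] && compareVersions(e.version, knownBad[name]) <= 0) {
        findings.push({ name, kind: 'still-vulnerable', key: e.keys.join(', '), version: e.version });
      }
    }
    // A direct range whose floor sits below the resolution floor keeps requesting
    // the old version wherever the resolution is not honoured.
    for (const field of ['dependencies', 'devDependencies']) {
      const direct = (pkg[field] || {})[name];
      if (direct && compareVersions(rangeFloor(direct), floor) < 0) {
        findings.push({ name, kind: 'direct-range-below-resolution', field, range: direct });
      }
    }
  }
  return findings;
}

// Constructed sample inputs modelled on the node-sass and lodash rows of this PR.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { lodash: '^4.17.21', 'lodash-es': '^4.17.21' },
  devDependencies: { 'node-sass': '^4.9.3' },
  resolutions: { 'node-sass': '^4.14.1', '**/lodash': '^4.17.21', 'lodash-es': '^4.17.21' },
};
const SAMPLE_YARN_LOCK = `# yarn lockfile v1

lodash@^4.17.15, lodash@^4.17.21:
  version "4.18.1"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.18.1.tgz"

lodash-es@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash-es/-/lodash-es-4.17.21.tgz"

node-sass@^4.9.3:
  version "4.12.0"
  resolved "https://registry.yarnpkg.com/node-sass/-/node-sass-4.12.0.tgz"
  dependencies:
    async-foreach "^0.1.3"

node-sass@^4.14.1:
  version "4.14.1"
  resolved "https://registry.yarnpkg.com/node-sass/-/node-sass-4.14.1.tgz"
`;
// 4.17.23 is the highest vulnerable lodash version quoted in the PR description;
// reusing it for lodash-es is an assumption made for the demo only.
const SAMPLE_KNOWN_BAD = { lodash: '4.17.23', 'lodash-es': '4.17.23' };

for (const f of auditResolutions(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK, SAMPLE_KNOWN_BAD)) {
  console.log(`${f.kind.padEnd(30)} ${f.name}  ${f.key || f.field}  ${f.version || f.range}`);
}
```

On the sample it reports three findings: the node-sass@^4.9.3 lock entry still at 4.12.0, the devDependencies range ^4.9.3 sitting below the ^4.14.1 resolution, and lodash-es at 4.17.21, which honours its resolution yet is still within the quoted ≤4.17.23 range. To run it against a real checkout, replace the two constants with `fs.readFileSync` of the app's package.json and yarn.lock after `yarn install`; a non-empty findings list means the lockfile does not match what the resolutions block claims.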
