
chore: clear residual pnpm audit advisories #12

Open
bntvllnt wants to merge 1 commit into chore/flatted-3-4-2-remediation from chore/residual-pnpm-audit-remediation

Conversation

@bntvllnt

@bntvllnt bntvllnt commented May 20, 2026

Summary

  • Adds pnpm overrides for the residual vulnerable audit clusters after PR #11 (chore(deps): bump flatted to 3.4.2): handlebars/picomatch via eslint-plugin-boundaries, lodash, brace-expansion, postcss, ws, turbo, and vite.
  • Regenerates pnpm-lock.yaml from the PR #11 head so pnpm audit --audit-level=moderate reports zero vulnerabilities.
  • Removes now-unnecessary tutorial tracking property casts that the updated lint graph flags as unnecessary.

Relationship to PR #11

This is intentionally stacked on chore/flatted-3-4-2-remediation / PR #11 to preserve PR #11 as the narrow flatted-only remediation. Merge order should be PR #11 first, then this residual-audit follow-up after review.

Validation

  • pnpm install --frozen-lockfile — pass
  • pnpm audit --audit-level=moderate --json — pass, 0 critical / 0 high / 0 moderate / 0 low
  • pnpm lint — pass
  • pnpm exec tsc --noEmit — pass
  • pnpm test:once — pass, 5 files passed, 118 passed + 1 expected fail

GitHub checks

  • Current head: e5ec4a7c9d0896653ddcaaaf693555d1ef1645e0
  • GitHub reports no checks on this stacked PR because .github/workflows/ci.yml only runs pull_request for branches: [main], and this PR targets the PR #11 branch (chore(deps): bump flatted to 3.4.2).
  • Local commands above mirror the CI quality gates plus the required audit gate.

Safety

No merge, approval, release, force-push, credential disclosure, or external outreach performed.
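An added example, not code from this PR or its repository: a small Node.js gate over the JSON that pnpm audit --json prints, mirroring the --audit-level=moderate check the PR lists as its required audit gate. It assumes the npm-v6-style report layout (metadata.vulnerabilities counts plus an advisories object whose entries carry a severity); the sample reports below are constructed, not real audit output.

```javascript
// Added example, not code from the PR or its repository: a CI gate over the
// JSON that `pnpm audit --json` prints, mirroring the PR's required
// `--audit-level=moderate` check. Assumption (not stated on the PR page):
// the report carries npm-v6-style `metadata.vulnerabilities` counts and an
// `advisories` object whose entries each have a `severity` field.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Severities at or above the configured threshold, lowest first.
function severitiesAtOrAbove(level) {
  const idx = SEVERITIES.indexOf(level);
  if (idx < 0) throw new Error(`unknown audit level: ${level}`);
  return SEVERITIES.slice(idx);
}

// Evaluate one audit report against a threshold. `counted` sums the metadata
// counts at or above `level`; `advisoriesAtOrAbove` recounts the same thing
// from the advisory entries, so a report whose summary counts and advisory
// list disagree fails instead of being accepted on the summary alone.
function auditGate(report, level = "moderate") {
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const tracked = severitiesAtOrAbove(level);
  const counted = tracked.reduce((sum, sev) => sum + (Number(counts[sev]) || 0), 0);
  const advisories = Object.values(report.advisories || {});
  const advisoriesAtOrAbove = advisories.filter((a) => tracked.includes(a.severity)).length;
  return {
    pass: counted === 0 && advisoriesAtOrAbove === 0,
    counted,
    advisoriesAtOrAbove,
    advisoryKeys: advisories.length,
  };
}

// Constructed sample reports (hypothetical, not real pnpm output).
const CLEAN_REPORT = {
  advisories: {},
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0 } },
};
const RESIDUAL_REPORT = {
  advisories: {
    1001: { module_name: "lodash", severity: "high" },
    1002: { module_name: "ws", severity: "low" },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};

// In CI, parse the real report, pass it to auditGate, and exit non-zero when
// `pass` is false; the low-severity ws advisory alone would not trip the gate.
console.log("clean:", auditGate(CLEAN_REPORT).pass, "residual:", auditGate(RESIDUAL_REPORT).pass);
```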


@greptile-apps greptile-apps Bot left a comment


Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.


@bntvllnt bntvllnt left a comment


Review — 0 blocking findings, 1 warning

BLOCKING

None.

WARN

  • W1 — stacked PR has no GitHub check signal until the merge target changes
    • Evidence: PR #12 targets chore/flatted-3-4-2-remediation (PR #11), while .github/workflows/ci.yml runs pull_request only for branches: [main]; gh pr checks reports no checks on chore/residual-pnpm-audit-remediation.
    • Why it matters: the local validation is good evidence for this head, but GitHub branch protection/check visibility will not cover the stacked PR until PR #11 is merged and this PR is retargeted or otherwise re-run against main.
    • Suggested next step: merge/order PR #11 first, then let this PR retarget/main-run normally before final merge if repository policy requires GitHub-hosted checks.

VERIFIED CLEAN

  • Live head checked before review: e5ec4a7c9d0896653ddcaaaf693555d1ef1645e0; it matches the task head.
  • Live PR state: OPEN, non-draft, MERGEABLE/CLEAN, base chore/flatted-3-4-2-remediation, no status checks reported.
  • PR body claims match the live diff: changed files are exactly package.json, pnpm-lock.yaml, and src/analytics.ts; the PR is stacked on PR #11 (chore/flatted-3-4-2-remediation) and PR #11 is also OPEN/non-draft/MERGEABLE/CLEAN at 51521b1daa0c28e7133c4070d19f752fa715407a.
  • package.json: the added pnpm.overrides are scoped to the claimed residual audit packages/clusters (@boundaries/elements, eslint-plugin-boundaries, brace-expansion, lodash, picomatch, postcss, turbo, vite, ws) and do not alter runtime package exports or scripts.
  • pnpm-lock.yaml: lockfile is consistent with the overrides; targeted resolved versions include flatted@3.4.2, handlebars@4.7.9, picomatch@4.0.4, lodash@4.18.1, brace-expansion@5.0.6, postcss@8.5.15, ws@8.20.1, turbo@2.9.14, and vite@8.0.13.
  • src/analytics.ts: the removed as Record<string, unknown> casts are type-clean; the typed tutorial helper properties still flow into track(..., properties?: Record<string, unknown>) without changing runtime behavior.

VALIDATION

  • Ran: pnpm install --frozen-lockfile — pass.
  • Ran: pnpm audit --audit-level=moderate --json — pass; audit metadata reports 0 info / 0 low / 0 moderate / 0 high / 0 critical vulnerabilities and 0 advisory keys.
  • Ran: pnpm lint — pass.
  • Ran: pnpm exec tsc --noEmit — pass.
  • Ran: pnpm test:once — pass; 5 files passed, 118 passed + 1 expected fail.
  • Local checkout status after validation: clean.

Next action: approval is recommended after the PR #11 stack dependency is handled, but final APPROVE is reserved for bntvllnt/human review.
