
chore(deps): consolidated dep bumps + fast-uri security fix (CVE-2026-6321, CVE-2026-6322)#108

Merged: thewrz merged 1 commit into main from chore/dep-bumps-may-2026 on May 9, 2026

Conversation

@thewrz thewrz (Collaborator) commented May 9, 2026

Summary

Test plan

  • npm test — 1641 passing, 0 failures
  • npx tsc --noEmit — clean
  • npm audit — 0 vulnerabilities after update

Summary by CodeRabbit

  • Chores
    • Updated pinned commit references for GitHub Actions workflows related to CodeQL analysis and dependency review processes.

…e, fast-uri

- codeql-action v3: 0daab03 → 68bde55 (3.35.3 → 3.35.4)
- dependency-review-action v4: 2031cfc → a1d282b (4.9.0 → 5.0.0)
- @types/node: 25.6.0 → 25.6.2
- fast-uri: 3.1.0 → 3.1.2 (closes CVE-2026-6321, CVE-2026-6322)
@coderabbitai coderabbitai Bot commented May 9, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between d06e0c2 and ee0c6ad.

⛔ Files ignored due to path filters (1)
  • server/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • .github/workflows/codeql.yml
  • .github/workflows/dependency-review.yml

📝 Walkthrough

This PR updates GitHub Actions workflow pins in two workflow files. The CodeQL workflow pins the codeql-action steps to new v3 commit SHAs, and the dependency-review workflow pins actions/dependency-review-action to a new v4 commit SHA. No functional configuration, logic, or triggers are modified.

Changes

Workflow Configuration Updates

Layer / File(s) | Summary
CodeQL Action Pins (.github/workflows/codeql.yml) | CodeQL init, autobuild, and analyze steps are pinned to new v3 commit SHAs.
Dependency Review Action Pin (.github/workflows/dependency-review.yml) | Dependency review action is pinned to a new v4 commit SHA; fail-on-severity: high configuration persists.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 With whiskers twitching, pins we update,
GitHub Actions dance to a faster gait,
CodeQL's v3 shines so bright,
Dependencies reviewed with all their might,
Security workflows hop through the night! 🌙

🚥 Pre-merge checks | ✅ 5 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately captures the main changes: dependency version bumps and a critical fast-uri security fix addressing CVE-2026-6321 and CVE-2026-6322, which directly align with the PR objectives.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@thewrz thewrz merged commit bf354b3 into main May 9, 2026
7 checks passed
@thewrz thewrz deleted the chore/dep-bumps-may-2026 branch May 9, 2026 05:13