
chore(security): update vulnerable transitive dependencies #3245

Closed
jrossi wants to merge 1 commit into triggerdotdev:main from jrossi:security/update-transitive-deps

Conversation


@jrossi jrossi commented Mar 22, 2026

Summary

Updates transitive npm dependencies to address known security vulnerabilities (CVEs) found via Trivy image scanning.

Dependency Updates

| Package | From | To | CVE(s) |
| --- | --- | --- | --- |
| semver | 7.5.0 | 7.7.4 | CVE-2022-25883 (ReDoS) |
| ws | 8.11.0 | 8.19.0 | CVE-2024-37890 (DoS via headers) |
| minimatch | 10.0.1 | 10.2.4 | Multiple ReDoS CVEs |
| tar | 7.5.4 | 7.5.11 | Multiple path traversal CVEs |

Packages affected

  • apps/webapp: semver, ws
  • packages/cli-v3: minimatch, semver, tar, ws
  • packages/trigger-sdk: ws

How it was found

Running Trivy and Grype container image scans against the v4.4.3 Docker images flagged 109 CRITICAL/HIGH CVEs in the webapp image. All are in npm transitive dependencies — the OS base has zero CVEs (using Docker Hardened Images).

Test plan

  • @trigger.dev/core: 412/412 tests passed
  • @trigger.dev/sdk: 10/10 tests passed
  • 7/8 package test suites passed (redis-worker failures are testcontainers/Docker environment issues unrelated to these changes)
  • CI will run full test matrix

Notes

  • No breaking changes — all updates are within semver-compatible ranges
  • Only pnpm-lock.yaml and 3 package.json files changed
  • Consider adding Renovate or Dependabot to catch these automatically going forward

🤖 Generated with Claude Code

Update transitive dependencies to address known CVEs:

- semver 7.5.0 → 7.7.4 (CVE-2022-25883 ReDoS)
- ws 8.11.0 → 8.19.0 (CVE-2024-37890 DoS via headers)
- minimatch 10.0.1 → 10.2.4 (multiple ReDoS CVEs)
- tar 7.5.4 → 7.5.11 (multiple path traversal CVEs)

Packages updated:
- apps/webapp: semver, ws
- packages/cli-v3: minimatch, semver, tar, ws
- packages/trigger-sdk: ws

Test results:
- @trigger.dev/core: 412/412 passed
- @trigger.dev/sdk: 10/10 passed
- 7/8 package test suites passed (redis-worker requires
  testcontainers/Docker environment, not affected by these changes)
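
Added example (not code from this PR or from the trigger.dev project): a small triage script over a Trivy JSON report that reproduces the checks behind the "How it was found" and "Notes" sections above: confirm the OS layer has no CRITICAL/HIGH findings, group npm findings by package and installed version, and flag any package whose fix would cross a major version (and so would not be a semver-compatible bump). The report embedded below is constructed, not real scanner output; it borrows the PR's four package versions (with the "To" column standing in for FixedVersion) and adds made-up entries (hypothetical-pkg, hypothetical-medium-pkg, EXAMPLE-* IDs) only to exercise the severity filter and the cross-major check. Field names (Results, Class, Type, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) follow Trivy's JSON output as I know it; the function names are my own.

```python
import json
from collections import defaultdict

# Constructed sample in the layout of a Trivy JSON report. NOT real scanner
# output: versions mirror the PR table, the PR's target versions stand in for
# FixedVersion, and the os-pkgs result is empty on purpose (the PR states the
# hardened base image had zero CVEs). The hypothetical-* packages and
# EXAMPLE-* IDs are made up to exercise the severity filter and major check.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "webapp (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": []},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
         "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-25883", "PkgName": "semver",
             "InstalledVersion": "7.5.0", "FixedVersion": "7.7.4", "Severity": "HIGH"},
            # Same CVE reported a second time from another dependency path.
            {"VulnerabilityID": "CVE-2022-25883", "PkgName": "semver",
             "InstalledVersion": "7.5.0", "FixedVersion": "7.7.4", "Severity": "HIGH"},
            # Trivy can list fixes for several release lines in one field.
            {"VulnerabilityID": "CVE-2024-37890", "PkgName": "ws",
             "InstalledVersion": "8.11.0", "FixedVersion": "7.5.10, 8.19.0", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-MEDIUM-1", "PkgName": "hypothetical-medium-pkg",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "MEDIUM"},
            {"VulnerabilityID": "EXAMPLE-MAJOR-1", "PkgName": "hypothetical-pkg",
             "InstalledVersion": "1.4.0", "FixedVersion": "2.0.0", "Severity": "CRITICAL"},
         ]},
    ]
})


def version_key(v):
    """Numeric sort key: 'v7.5.10-beta' -> (7, 5, 10). Pre-release tags are dropped."""
    parts = []
    for p in v.strip().lstrip("v").split("-")[0].split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def pick_fix(installed, fixed_field):
    """Choose one fixed version from a possibly comma-separated FixedVersion.
    Prefer the lowest fix on the installed major so the bump stays semver-compatible;
    fall back to the lowest fix overall when no same-major fix exists."""
    candidates = [c.strip() for c in (fixed_field or "").split(",") if c.strip()]
    same_major = [c for c in candidates if version_key(c)[:1] == version_key(installed)[:1]]
    pool = same_major or candidates
    return min(pool, key=version_key) if pool else None


def triage(report_text, levels=("CRITICAL", "HIGH")):
    """Split a Trivy report into OS-layer findings and per-npm-package upgrade targets."""
    report = json.loads(report_text)
    os_hits = []
    npm = defaultdict(lambda: {"fix": None, "ids": set()})
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in levels:
                continue
            if result.get("Class") == "os-pkgs":
                os_hits.append(v["VulnerabilityID"])
            elif result.get("Type") == "node-pkg":
                entry = npm[(v["PkgName"], v["InstalledVersion"])]
                entry["ids"].add(v["VulnerabilityID"])
                fix = pick_fix(v["InstalledVersion"], v.get("FixedVersion"))
                # The highest of the per-CVE minimum fixes clears every CVE on the package.
                if fix and (entry["fix"] is None or version_key(fix) > version_key(entry["fix"])):
                    entry["fix"] = fix
    packages = []
    for (name, installed), entry in sorted(npm.items()):
        fix = entry["fix"]
        packages.append({
            "package": name, "installed": installed, "fix": fix, "ids": sorted(entry["ids"]),
            "semver_compatible": fix is not None
            and version_key(fix)[:1] == version_key(installed)[:1],
        })
    return {"os_findings": os_hits, "packages": packages}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("OS-layer CRITICAL/HIGH findings:", len(result["os_findings"]))
    for p in result["packages"]:
        flag = "" if p["semver_compatible"] else "  <-- crosses a major, review for breaking changes"
        print(f'{p["package"]} {p["installed"]} -> {p["fix"]} ({", ".join(p["ids"])}){flag}')
```

To run it against a real image, generate the report with `trivy image --format json --output report.json <image>` and pass the file contents to `triage`. The script deliberately keys on (package, installed version) rather than on CVE, because a single CVE is often reported once per dependency path in a monorepo; the resulting list is the set of version bumps to make, which is what ends up in the PR table.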

changeset-bot bot commented Mar 22, 2026

⚠️ No Changeset found

Latest commit: 9463a57

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


github-actions bot commented

Hi @jrossi, thanks for your interest in contributing!

This project requires that pull request authors are vouched, and you are not in the list of vouched users.

This PR will be closed automatically. See https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md for more details.

@github-actions github-actions bot closed this Mar 22, 2026

coderabbitai bot commented Mar 22, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 35298ac and 9463a57.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • apps/webapp/package.json
  • packages/cli-v3/package.json
  • packages/trigger-sdk/package.json

Walkthrough

This change updates dependency versions across three package configuration files in the repository. The apps/webapp/package.json file updates semver and ws dependencies while repositioning one entry. The packages/cli-v3/package.json file updates four dependencies: minimatch, semver, tar, and ws. The packages/trigger-sdk/package.json file updates the ws dependency and reorders entries in the peerDependencies section. No functional code changes are present in this change.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.


Labels

None yet

Projects

None yet

1 participant