fix(root): resolve dependency advisories (DOC-320, DOC-321, DOC-322)

[cursor]

Summary

This pull request adds targeted pnpm.overrides for three audited vulnerabilities (highest-severity items first), updates the lockfile, and confirms a clean pnpm build.

Changes

DOC-320 — picomatch (high)

• Advisory: GHSA-c2c7-rcm5-vvqj
• Issue: ReDoS when processing crafted extglob patterns in untrusted glob inputs.
• Strategy: B — pnpm override forcing picomatch@^2.3.2 for the eslint-config-next → fast-glob → micromatch chain.

DOC-321 — liquidjs (high; also addresses related moderate advisory)

• Advisories: GHSA-4rc3-7j7w-m548 (high), GHSA-v273-448j-v4qj (moderate)
• Issues: Denial of service via circular block references in layout; prior path handling concern addressed in the patched line.
• Strategy: B — override forcing liquidjs@^10.25.7 for the @novu/framework dependency chain.

DOC-322 — estree-util-value-to-estree (moderate)

• Advisory: GHSA-f7f6-9jq7-3rqj
• Issue: Prototype pollution when generating ESTree from values with a __proto__ property.
• Strategy: B — override forcing estree-util-value-to-estree@^3.3.3 for the fumadocs-docgen chain.

Verification

• pnpm audit no longer reports advisory IDs 1115552, 1118680, or 1103822 for the overridden packages.
• pnpm build completed successfully.

Linear

• https://linear.app/novu/issue/DOC-320
• https://linear.app/novu/issue/DOC-321
• https://linear.app/novu/issue/DOC-322

  

[linear-code]

DOC-320

DOC-321

DOC-322

[netlify]

✅ Deploy Preview for docs-novu ready!

Name	Link
🔨 Latest commit	f76a7b2
🔍 Latest deploy log	https://app.netlify.com/projects/docs-novu/deploys/6a05678dd3405500084b1c72
😎 Deploy Preview	https://deploy-preview-1094--docs-novu.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.