[agent] chore(deps): bump brace-expansion to fix CVE-2026-33750 and CVE-2025-5889#720

Draft
github-actions[bot] wants to merge 1 commit into main from fix/brace-expansion-security-ba48b75d4625d0e9

Conversation

@github-actions
Contributor

Summary

Adds npm overrides to the root package.json to force safe versions of the transitive brace-expansion dependency across all packages in this monorepo, addressing two CVEs.

Vulnerabilities Fixed

| Alert | GHSA | CVE | Severity | Vulnerable Range | Fixed |
|---|---|---|---|---|---|
| #198 | GHSA-f886-m6hf-6m8v | CVE-2026-33750 | Medium | brace-expansion < 1.1.13 | 1.1.13 |
| #188 | GHSA-f886-m6hf-6m8v | CVE-2026-33750 | Medium | brace-expansion >= 2.0.0 < 2.0.3 | 2.0.3 |
| #187 | GHSA-f886-m6hf-6m8v | CVE-2026-33750 | Medium | brace-expansion >= 4.0.0 < 5.0.5 | 5.0.5 |
| #70 | GHSA-v6h2-p8h4-qcjw | CVE-2025-5889 | Low | brace-expansion >= 1.0.0 <= 1.1.11 | 1.1.12+ |
| #69 | GHSA-v6h2-p8h4-qcjw | CVE-2025-5889 | Low | brace-expansion >= 2.0.0 <= 2.0.1 | 2.0.2+ |

Why overrides

All affected brace-expansion instances are transitive dependencies (pulled in via minimatch). The direct dependencies (lerna, depcheck, @mongodb-js/monorepo-tools) have not shipped releases that include the fixed brace-expansion versions within their existing minor/patch ranges, making a manifest-level direct-dependency bump insufficient. npm overrides is the correct mechanism to pin transitive versions in this case.

Changes

package.json — added overrides block:

"overrides": {
  "brace-expansion@1": "1.1.13",
  "brace-expansion@2": "2.0.3",
  "brace-expansion@5": "5.0.5"
}

package-lock.json — updated to reflect the overridden versions:

  • node_modules/brace-expansion: 1.1.11 → 1.1.13
  • node_modules/depcheck/node_modules/brace-expansion: 2.0.1 → 2.0.3
  • node_modules/@typescript-eslint/rule-tester/node_modules/brace-expansion: 2.0.2 → 2.0.3
  • node_modules/@npmcli/package-json/node_modules/brace-expansion: 5.0.2 → 5.0.5
  • node_modules/cacache/node_modules/brace-expansion: 5.0.2 → 5.0.5
  • node_modules/ignore-walk/node_modules/brace-expansion: 5.0.2 → 5.0.5
  • packages/monorepo-tools/node_modules/brace-expansion: 2.0.1 → 2.1.0

Generated by Dependabot remediation agent
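A check a reviewer can run against a change like this one, added here as an example and not part of the PR or the repository: the script walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports every `brace-expansion` entry whose version still falls inside the vulnerable ranges from the table above. The ranges are transcribed from that table; the two lockfile snippets are constructed to mirror the before and after versions the PR lists (including the 2.1.0 copy under packages/monorepo-tools, which lies outside every range); the function and constant names are mine.

```javascript
// Added example (not the PR's code): scan a package-lock.json "packages" map for
// brace-expansion entries still inside the advisory ranges from the PR's table.

// Ranges transcribed from the PR table. gte/lte are inclusive, lt is exclusive.
const ADVISORIES = [
  { cve: 'CVE-2026-33750', ghsa: 'GHSA-f886-m6hf-6m8v', ranges: [
    { lt: '1.1.13' },
    { gte: '2.0.0', lt: '2.0.3' },
    { gte: '4.0.0', lt: '5.0.5' },
  ] },
  { cve: 'CVE-2025-5889', ghsa: 'GHSA-v6h2-p8h4-qcjw', ranges: [
    { gte: '1.0.0', lte: '1.1.11' },
    { gte: '2.0.0', lte: '2.0.1' },
  ] },
];

// Minimal semver triple parser; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version, r) {
  if (r.gte !== undefined && compareVersions(version, r.gte) < 0) return false;
  if (r.lt !== undefined && compareVersions(version, r.lt) >= 0) return false;
  if (r.lte !== undefined && compareVersions(version, r.lte) > 0) return false;
  return true;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3). Returns one finding
// per (installed copy, advisory) pair so nested copies are reported separately.
function findVulnerableBraceExpansion(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/brace-expansion$/.test(path)) continue;
    for (const adv of ADVISORIES) {
      if (adv.ranges.some((r) => inRange(entry.version, r))) {
        findings.push({ path, version: entry.version, cve: adv.cve, ghsa: adv.ghsa });
      }
    }
  }
  return findings;
}

// Constructed sample: the state before the override (paths and versions from the PR).
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'monorepo-root' },
  'node_modules/brace-expansion': { version: '1.1.11' },
  'node_modules/depcheck/node_modules/brace-expansion': { version: '2.0.1' },
  'node_modules/@typescript-eslint/rule-tester/node_modules/brace-expansion': { version: '2.0.2' },
  'node_modules/cacache/node_modules/brace-expansion': { version: '5.0.2' },
} };

// Constructed sample: the state after the override.
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'monorepo-root', overrides: {
    'brace-expansion@1': '1.1.13', 'brace-expansion@2': '2.0.3', 'brace-expansion@5': '5.0.5' } },
  'node_modules/brace-expansion': { version: '1.1.13' },
  'node_modules/depcheck/node_modules/brace-expansion': { version: '2.0.3' },
  'node_modules/@typescript-eslint/rule-tester/node_modules/brace-expansion': { version: '2.0.3' },
  'node_modules/cacache/node_modules/brace-expansion': { version: '5.0.5' },
  'packages/monorepo-tools/node_modules/brace-expansion': { version: '2.1.0' },
} };

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  const findings = findVulnerableBraceExpansion(lock);
  console.log(`${label}: ${findings.length} vulnerable brace-expansion entries`);
  for (const f of findings) console.log(`  ${f.path}@${f.version} -> ${f.cve} (${f.ghsa})`);
}
```

Against a real repository, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result after `npm install` means the override did not reach every nested copy (for example because a lockfileVersion 1 file has no `packages` map, or because a workspace package installs its own copy), which is exactly the case the lockfile list in this PR spells out per path.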

…-v6h2-p8h4-qcjw

Add npm overrides to force safe versions of transitive brace-expansion:
- brace-expansion@1 → 1.1.13 (was 1.1.11)
- brace-expansion@2 → 2.0.3 (was 2.0.1/2.0.2)
- brace-expansion@5 → 5.0.5 (was 5.0.2)

Fixes Dependabot alerts #198, #188, #187, #70, #69
CVE-2026-33750 (GHSA-f886-m6hf-6m8v), CVE-2025-5889 (GHSA-v6h2-p8h4-qcjw)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
