
chore: resolve dependabot security alerts#54

Merged
MarshallOfSound merged 1 commit into main from sam/dependabot-fixes-2026-04
Apr 4, 2026

Conversation

@MarshallOfSound
Member

Safe-only sweep of open Dependabot security alerts. All changes are lockfile-only (yarn up -R) within existing semver ranges — no package.json edits, no resolutions entries.

Resolved

| Package | Strategy | Version change |
|---|---|---|
| brace-expansion | yarn up -R | 2.0.2 → 2.0.3 |
| minimatch (5.x) | yarn up -R | 5.1.6 → 5.1.9 |
| minimatch (9.x) | yarn up -R | 9.0.5 → 9.0.9 |
| glob (10.x) | yarn up -R | 10.4.5 → 10.5.0 |
| tar (7.x) | yarn up -R | 7.5.1 → 7.5.13 |
| cmake-js, tar | yarn up -R node-llama-cpp (within ^3.7.0) | node-llama-cpp 3.14.0 → 3.18.1, pulling cmake-js 7.3.1 → 8.0.0 which drops tar@6 |

Also refreshed alongside: brace-expansion@1 1.1.12 → 1.1.13, minimatch@3 3.1.4 → 3.1.5.

Verified with yarn install --immutable.

Flagged (not changed)

| Package | Why it was left alone |
|---|---|
| tar@6.2.1 | Remaining instances all come through @electron/rebuild@3.7.2 (directly and via its pinned @electron/node-gyp git dep → make-fetch-happen@10 → cacache@16). No tar@6.x release carries the fix, so clearing this needs @electron/rebuild@^4 — a major devDep bump, out of scope for a safe-only sweep. |
| @tootallnate/once@2.0.0 | Pulled in via the same @electron/node-gyp → make-fetch-happen@10 → http-proxy-agent@5 chain. Fix is 3.0.1 (new major); goes away entirely with @electron/rebuild@^4. |

Bumping @electron/rebuild to ^4.0.3 would clear both of the above in one go — leaving that for a separate, reviewed PR.
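As an added check, not code from this repository or its author: the "remaining instances all come through @electron/rebuild" reasoning in the Flagged table is the kind of thing a reviewer wants to reproduce from the lockfile rather than take on trust. The script below parses a Yarn Berry `yarn.lock`, finds every resolved copy of a package whose version is below the fixed release of its major line (or whose major has no fixed release at all), and lists which packages pull each copy in, following the lock's dependency edges much as `yarn why` does. The lockfile excerpt and its ranges are constructed to mirror the PR's situation; the fixed versions passed in are the ones the description states (tar fixed from 7.5.13 on the 7.x line, no fix on 6.x).

```python
"""Audit a Yarn Berry lockfile for copies of a package that are still below
the fixed release of their major line (hypothetical helper, not part of the
repository this PR belongs to)."""
import re
from collections import defaultdict

# Constructed yarn.lock excerpt in Yarn Berry format. The ranges are made up
# to mirror the PR: tar@7.x was moved to 7.5.13, while a tar@6.x copy still
# reaches the tree through @electron/rebuild@3.7.2.
SAMPLE_LOCK = '''
"my-app@workspace:.":
  version: 0.0.0-use.local
  resolution: "my-app@workspace:."
  dependencies:
    "@electron/rebuild": "npm:^3.7.2"
    node-llama-cpp: "npm:^3.7.0"
  languageName: unknown
  linkType: soft

"@electron/rebuild@npm:^3.7.2":
  version: 3.7.2
  resolution: "@electron/rebuild@npm:3.7.2"
  dependencies:
    tar: "npm:^6.0.5"
  languageName: node
  linkType: hard

"node-llama-cpp@npm:^3.7.0":
  version: 3.18.1
  resolution: "node-llama-cpp@npm:3.18.1"
  dependencies:
    tar: "npm:^7.4.3"
  languageName: node
  linkType: hard

"tar@npm:^6.0.5":
  version: 6.2.1
  resolution: "tar@npm:6.2.1"
  languageName: node
  linkType: hard

"tar@npm:^7.4.3":
  version: 7.5.13
  resolution: "tar@npm:7.5.13"
  languageName: node
  linkType: hard
'''

# resolution values look like "tar@npm:6.2.1" or "my-app@workspace:."
RESOLUTION_RE = re.compile(r"^(.+?)@(\w+):(.+)$")


def parse_lockfile(text):
    """Return one dict per lockfile entry: package name, resolved version,
    the descriptors (requested ranges) that resolve to it, and the
    descriptors it depends on."""
    entries, current, in_deps = [], None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            # Entry header, e.g. "tar@npm:^6.0.5, tar@npm:^6.1.0":
            header = raw.rstrip().rstrip(":").strip('"')
            current = {"descriptors": [d.strip() for d in header.split(",")],
                       "deps": [], "name": None, "version": None}
            entries.append(current)
            in_deps = False
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        key, value = key.strip('"'), value.strip().strip('"')
        if indent == 2:
            in_deps = key == "dependencies"
            if key == "resolution":
                m = RESOLUTION_RE.match(value)
                if m:
                    current["name"], current["version"] = m.group(1), m.group(3)
        elif in_deps and indent >= 4:
            # Dependency line 'tar: "npm:^6.0.5"' becomes descriptor "tar@npm:^6.0.5",
            # which is exactly how the target entry's header names it.
            current["deps"].append(f"{key}@{value}")
    return entries


def parse_version(version):
    """Numeric tuple for comparison; pre-release suffixes are dropped."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def unfixed_instances(entries, package, fixed_by_major):
    """Every resolved copy of `package` below the fixed release of its major
    line (or on a major with no fixed release), with the packages pulling it in."""
    by_descriptor = {d: i for i, e in enumerate(entries) for d in e["descriptors"]}
    dependents = defaultdict(set)
    for e in entries:
        for d in e["deps"]:
            if d in by_descriptor:
                dependents[by_descriptor[d]].add(f"{e['name']}@{e['version']}")
    findings = []
    for i, e in enumerate(entries):
        if e["name"] != package:
            continue
        ver = parse_version(e["version"])
        fixed = fixed_by_major.get(ver[0])
        if fixed is None or ver < parse_version(fixed):
            findings.append((e["version"], sorted(dependents[i])))
    return sorted(findings)


if __name__ == "__main__":
    lock = parse_lockfile(SAMPLE_LOCK)
    # The PR's case: tar@7.x is fixed from 7.5.13; no 6.x release carries the fix.
    for version, via in unfixed_instances(lock, "tar", {7: "7.5.13"}):
        print(f"tar@{version} still present via {', '.join(via)}")
```

Run against a real `yarn.lock` by reading the file instead of `SAMPLE_LOCK`; the output names each leftover copy and its direct dependents, which is the information needed to decide whether a lockfile-only `yarn up -R` can clear an alert or whether, as with tar@6 here, a major bump of the dependent is required.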

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | node-llama-cpp@3.14.0 ⏵ 3.18.1 | 84 (+4) | 100 | 100 | 94 (+2) | 100 |


MarshallOfSound marked this pull request as ready for review April 4, 2026 09:04
MarshallOfSound requested a review from a team as a code owner April 4, 2026 09:04
MarshallOfSound merged commit 852558b into main Apr 4, 2026
6 checks passed
MarshallOfSound deleted the sam/dependabot-fixes-2026-04 branch April 4, 2026 18:09