
fix: resolve Dependabot security alerts in example lockfiles and bump esbuild#401

Closed
kparkinson-ld wants to merge 1 commit into main from devin/1780944918-fix-dependabot-alerts

Conversation


@kparkinson-ld kparkinson-ld commented Jun 8, 2026

Contributor

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Related issues

Resolves 22 of 28 open Dependabot alerts.

Describe the solution you've provided

  • Regenerated yarn.lock for examples/async-provider and examples/hoc to pull patched transitive dependencies (fixes lodash, picomatch, brace-expansion, follow-redirects, @babel/plugin-transform-modules-systemjs)
  • Added yarn resolutions for node-forge (>=1.4.0) and tmp (>=0.2.6) to override deeply pinned vulnerable versions
  • Bumped esbuild from ^0.24.0 to ^0.25.0 in root package.json to resolve GHSA-67mh-4wv8-2f99

Describe alternatives you've considered

The remaining 6 Dependabot alerts (path-to-regexp, uuid, webpack-dev-server) are structurally pinned by react-router-dom v5 and universal-hot-reload's webpack-dev-server v3. Fixing these would require major dependency upgrades that are out of scope for this change, especially given this SDK is deprecated in favor of @launchdarkly/react-sdk.

Additional context

Build and all 93 tests pass locally after these changes.

Link to Devin session: https://app.devin.ai/sessions/381e0dd095a446e49ba0e8a9c9022c0c
Requested by: @kparkinson-ld


Note

Low Risk
Dependency and lockfile-only changes for examples and dev tooling; no production SDK API or auth/data-path changes.

Overview
Addresses Dependabot security alerts across the repo without changing SDK runtime behavior.

Example apps (async-provider, hoc): adds Yarn resolutions for node-forge (^1.4.0) and tmp (^0.2.6) so deeply nested transitive deps resolve to patched versions; lockfiles were regenerated so other vulnerable transitives (e.g. lodash, picomatch, brace-expansion, follow-redirects, Babel plugin) pick up fixes.

Root package: bumps esbuild from ^0.24.0 to ^0.25.0 (GHSA-67mh-4wv8-2f99).

Some alerts remain tied to react-router-dom v5 and universal-hot-reload / webpack-dev-server v3, called out as out of scope.

Reviewed by Cursor Bugbot for commit 644a75c.

… esbuild

- Regenerate yarn.lock for examples/async-provider and examples/hoc to
  pull patched transitive dependencies
- Add yarn resolutions for node-forge (>=1.4.0) and tmp (>=0.2.6) to
  override deeply pinned vulnerable versions
- Bump esbuild from ^0.24.0 to ^0.25.0 to resolve GHSA-67mh-4wv8-2f99

Resolves 22 of 28 open Dependabot alerts. The remaining 6 alerts
(path-to-regexp, uuid, webpack-dev-server) are structurally pinned by
react-router-dom v5 and universal-hot-reload's webpack-dev-server v3,
which would require major dependency upgrades to fix.
@devin-ai-integration

Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@kparkinson-ld kparkinson-ld marked this pull request as ready for review June 8, 2026 19:23
@kparkinson-ld kparkinson-ld requested a review from a team as a code owner June 8, 2026 19:23
@kparkinson-ld kparkinson-ld requested a review from kinyoklion June 8, 2026 19:24
Comment on lines +64 to +65
"node-forge": "^1.4.0",
"tmp": "^0.2.6"

Contributor


Which dep(s) are these transitive to? Wondering why we can't just update a base level dependency.

Contributor


node-forge@0.10.0 is transitive via universal-hot-reload → webpack-dev-server@3.11.0 → selfsigned → node-forge. The root cause is webpack-dev-server v3 which pins selfsigned@^1.10.0, and that version of selfsigned requires node-forge@^0.10.0. Upgrading universal-hot-reload or webpack-dev-server to a version that doesn't pull in old selfsigned would require jumping to webpack-dev-server v5 (breaking).

tmp@0.0.33 is transitive via eslint@5.16.0 → inquirer → external-editor → tmp. The root cause is the very old eslint@^5.10.0 pinned in the example's devDependencies — eslint 5.x is EOL and its dep chain pulls in ancient tmp. Upgrading eslint in these examples would require reworking the eslint config.

Both are cases where the direct dependency is too old to resolve the transitive vuln through a normal version bump, so resolutions are the pragmatic fix without a larger rewrite of these deprecated examples.
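The two questions raised in this thread, which direct dependency a vulnerable transitive hangs off and whether a package.json resolutions entry actually lifts it to a patched version, can be answered mechanically from yarn.lock. The following is an added example, not code from this PR or the repository; the lockfile excerpt is constructed to mirror the node-forge chain described above (starting at webpack-dev-server rather than universal-hot-reload), and the versions and ranges in it are assumptions.

```python
import re
# Constructed yarn.lock v1 excerpt (not the repo's lockfile) mirroring the node-forge chain in the thread.
LOCKFILE = """\
webpack-dev-server@^3.11.0:
  version "3.11.0"
  dependencies:
    selfsigned "^1.10.0"
selfsigned@^1.10.0:
  version "1.10.14"
  dependencies:
    node-forge "^0.10.0"
node-forge@^0.10.0:
  version "0.10.0"
"""

def parse_lock(text):
    """Map each 'name@range' key to [resolved version, {dep name: range}]."""
    lock, entry = {}, None
    for line in text.splitlines():
        if line and not line.startswith((" ", "#")):  # header, e.g. 'a@^1, a@^1.2:'
            entry = ["", {}]                          # shared by every key of the header
            for k in line.rstrip(":").split(","):
                lock[k.strip().strip('"')] = entry
        elif line.startswith("  version "):
            entry[0] = line.split('"')[1]
        elif line.startswith("    "):                 # child line of 'dependencies:'
            name, rng = line.strip().split(" ", 1)
            entry[1][name] = rng.strip('"')
    return lock

def chain_to(lock, direct, target):
    """Walk from a direct dependency key down to `target`; returns name@resolved path or None."""
    stack = [[direct]]
    while stack:
        path = stack.pop()
        if path[-1].rsplit("@", 1)[0] == target:
            return [p.rsplit("@", 1)[0] + "@" + lock[p][0] for p in path]
        for dep, rng in lock[path[-1]][1].items():
            key = dep + "@" + rng
            if key in lock and key not in path:       # skip unknown keys and cycles
                stack.append(path + [key])
    return None

def range_floor(v):
    """Lowest version a ^, ~ or >= range admits, as a comparable tuple (prerelease tag dropped)."""
    return tuple(int(x) for x in re.sub(r"^[\^~>=]+|-.*$", "", v).split("."))

def resolution_covers(resolutions, name, safe):
    """True if the package.json resolutions entry for `name` cannot resolve below `safe`."""
    return range_floor(resolutions.get(name, "0.0.0")) >= range_floor(safe)
```

Running `chain_to(parse_lock(open("yarn.lock").read()), "universal-hot-reload@<range>", "node-forge")` against a real lockfile prints the chain the reply describes, and `resolution_covers` checks that the resolutions floor really reaches the patched version before the alert is considered closed.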
