fix(build): remediate CVEs, enforce equality pinning, repair Dependabot config

[WilliamBerryiii]

Description

Resolved 5 open CVEs, enforced strict equality (==) pinning across all 6 Python workspaces and exact semver pinning across all 3 npm workspaces, and repaired the Dependabot configuration to reflect current repository structure. Hardened the dependency pinning CI scanner to correctly validate pip ecosystems and fixed its dot-source guard that prevented standalone execution.

Closes #390

Type of Change

• 🐛 Bug fix (non-breaking change fixing an issue)
• ✨ New feature (non-breaking change adding functionality)
• 💥 Breaking change (fix or feature causing existing functionality to change)
• 📚 Documentation update
• 🏗️ Infrastructure change (Terraform/IaC)
• ♻️ Refactoring (no functional changes)

Component(s) Affected

• infrastructure/terraform/prerequisites/ - Azure subscription setup
• infrastructure/terraform/ - Terraform infrastructure
• infrastructure/setup/ - OSMO control plane / Helm
• workflows/ - Training and evaluation workflows
• training/ - Training pipelines and scripts
• docs/ - Documentation

Changes

CVE Remediation

Addressed 5 CVEs across Python and npm ecosystems:

• Overrode lodash to 4.17.21 in root package-lock.json to resolve prototype pollution (CVE-2024-28863)
• Pinned next to 15.2.4, prismjs to 1.30.0, nanoid to 3.3.9 via exact versions in docs/docusaurus/package.json
• Pinned numpy to ==2.4.x and azure-identity to ==1.23.0+ across affected pyproject.toml files
• Added qs override (6.14.2) in root package.json to resolve request smuggling vulnerability

Equality Pinning Enforcement

Converted all dependency version specifiers to strict equality:

• 6 pyproject.toml files: replaced >=, ~=, and range operators with == across 28+ dependencies in data-management/viewer/backend/pyproject.toml alone, plus evaluation/, training/il/lerobot/, training/rl/, root, and data-management/viewer/
• 3 package.json files: removed ^ and ~ range operators in data-management/viewer/frontend/, docs/docusaurus/, and root
• Regenerated all 6 lockfiles (uv.lock × 3, package-lock.json × 3) to reflect pinned versions

Dependabot Configuration Repair

Rewrote .github/dependabot.yml from 12 entries (several invalid) to 14 valid entries:

• Replaced pip ecosystem references with uv for all Python workspaces
• Fixed stale directory paths that no longer matched repository structure
• Added root npm ecosystem entry that was missing
• Removed invalid docker ecosystem entry

CI Scanner Hardening

Updated shared/ci/security/Test-DependencyPinning.ps1 with 4 fixes:

• Changed the dot-source guard from Write-Error + exit 1 to return, which prevented the script from being sourced by Pester
• Added Get-PipDependencyViolations function for validating pip equality pinning in pyproject.toml and requirements.txt files
• Updated Test-SHAPinning to apply ecosystem-specific validation patterns
• Changed npm validation from SHA-based checks to exact semver matching

Added 4 new test fixtures in shared/ci/tests/Fixtures/Pip/ and updated the dot-source guard expectation in the Pester test file.

Workflow Update

Expanded the default dependency_types in .github/workflows/dependency-pinning-scan.yml to include github-actions,npm,pip,shell-downloads.

Testing Performed

• Terraform plan reviewed (no unexpected changes)
• Terraform apply tested in dev environment
• Training scripts tested locally with Isaac Sim
• OSMO workflow submitted successfully
• Smoke tests passed (smoke_test_azure.py)

Additional testing performed:

• npm audit (root): 0 vulnerabilities
• npm audit (frontend): 0 vulnerabilities
• npm audit (docusaurus): 25 remaining — all lodash transitive dependencies with no upstream fix available
• uv lock --check across all 3 Python workspaces: locked and consistent
• Pester dependency pinning scanner: 79/79 tests passing

Documentation Impact

• No documentation changes needed
• Documentation updated in this PR
• Documentation issue filed

Bug Fix Checklist

• Linked to issue being fixed
• Regression test included, OR
• Justification for no regression test:

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

Additional Notes

25 lodash vulnerabilities remain in docs/docusaurus/package-lock.json. These are transitive dependencies of Docusaurus plugins with no safe lodash 4.x resolution available upstream. Tracked for future resolution when upstream packages update.

[github-actions]

Dependency Review

The following issues were found:

• ❌ 2 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 34 package(s) with unknown licenses.
• ⚠️ 5 packages with OpenSSF Scorecard issues.

View full job summary

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.58%. Comparing base (27129d9) to head (f7b3bcf).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #391   +/-   ##
=======================================
  Coverage   43.58%   43.58%           
=======================================
  Files         242      242           
  Lines       14840    14840           
  Branches     1855     1903   +48     
=======================================
  Hits         6468     6468           
  Misses       8082     8082           
  Partials      290      290           

Flag	Coverage Δ		*Carryforward flag
pester	79.87% <ø> (ø)
pytest	6.89% <ø> (ø)		Carriedforward from 0947d69
pytest-dataviewer	61.98% <ø> (ø)
vitest	50.72% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.