Renovate-driven updates of direct deps could not clear the audit
gate: 20 vulnerabilities (4 high + 13 moderate + 3 low) lived inside
transitive chains pinned by upstream tooling — `nx > axios`,
`nx > yaml`, `nx > follow-redirects`, `@nx/devkit > minimatch >
brace-expansion`, `nestjs-prisma > @angular-devkit/core > ajv`,
`@angular/cli > @modelcontextprotocol/sdk > express-rate-limit >
ip-address`, `@lhci/cli > tmp`. Upstream releases that bump those
transitives have not landed (or never will, in some cases).
Use `pnpm.overrides` with the upper-bound form (`pkg@<x.y.z`):
forces patched versions even when a parent specifies a tighter
range, and the rule expires on its own once a parent legitimately
resolves to a patched version (it stops matching).
Result: `pnpm audit --audit-level=moderate` reports zero
vulnerabilities. Remaining peer-dep warnings (`chokidar`,
`typescript`) are pre-existing mismatches inside nestjs-prisma /
@nestjs/schematics and out of scope for this PR.
Also fix a lint-staged trap surfaced while preparing this PR: the
glob `*.yaml` was matching `pnpm-lock.yaml`, so prettier reformatted
the entire lockfile on every dep-change commit (~9000 lines of
diff churn, with a non-zero risk of pnpm rejecting the rewritten
file). Tighten the glob to `!(pnpm-lock).{...,yaml}` so the
lockfile is left to pnpm's own formatter.