Closed
Description
What I'd like to work on
I'd like to submit a PR updating vulnerable transitive npm dependencies (semver, ws, minimatch, tar) to address known CVEs found via Trivy/Grype container image scanning.
Background
I run trigger.dev in a hardened Kubernetes environment and perform regular security scans on all container images. The v4.4.3 webapp image has 109 CRITICAL/HIGH CVEs, all from npm transitive dependencies (the OS base is clean). I've already prepared a minimal PR that bumps 4 packages within their semver-compatible ranges — all tests pass.
PR ready at: #3245
Relevant experience
Platform engineer working on multi-tenant Kubernetes infrastructure. Familiar with monorepo tooling (pnpm, turbo) and container security scanning.
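The verification step behind a dependency-bump PR like the one described above is checking which versions of the transitive packages the lockfile actually resolves, independently of what the image scanner reports. The script below is an added example and is not code from the trigger.dev repository, the linked PR, or the issue author: it scans a pnpm lockfile for every resolved version of a named set of packages and reports the ones below a minimum-version threshold. The lockfile fragment is constructed for the example, and the thresholds in MINIMUM_VERSIONS are illustrative assumptions, not fixed versions taken from any advisory.

```javascript
// Added example (not trigger.dev's code): audit the versions a pnpm lockfile
// resolves for a set of transitive packages against minimum-version thresholds.

// Thresholds are assumptions for illustration only; take the real fixed
// versions from the scanner report or the package advisories.
const MINIMUM_VERSIONS = {
  semver: "7.5.2",
  ws: "8.17.1",
  minimatch: "3.0.5",
  tar: "6.2.1",
};

// Constructed pnpm-lock.yaml fragment (v9 layout); not a real project lockfile.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'

packages:

  '@babel/core@7.24.0':
    resolution: {integrity: sha512-constructed}

  minimatch@3.0.4:
    resolution: {integrity: sha512-constructed}

  minimatch@9.0.3:
    resolution: {integrity: sha512-constructed}

  semver@7.3.8:
    resolution: {integrity: sha512-constructed}

  semver@7.6.0:
    resolution: {integrity: sha512-constructed}

  tar@6.1.11:
    resolution: {integrity: sha512-constructed}

  ws@8.13.0:
    resolution: {integrity: sha512-constructed}

snapshots:

  ws@8.13.0(bufferutil@4.0.8):
    optionalDependencies:
      bufferutil: 4.0.8
`;

// Collect every resolved version per package name. Package entries sit at
// two-space indentation as "name@version:" (scoped names may be quoted, and
// snapshot entries may carry a "(peer@version)" suffix, which is ignored).
function parseResolvedVersions(lockText) {
  const entry = /^  '?(@?[^@'\s]+)@(\d[^:('\s]*)'?[(:]/;
  const found = new Map(); // name -> Set of version strings
  for (const line of lockText.split("\n")) {
    const m = entry.exec(line);
    if (!m) continue;
    const [, name, version] = m;
    if (!found.has(name)) found.set(name, new Set());
    found.get(name).add(version);
  }
  return found;
}

// Compare major.minor.patch numerically; pre-release suffixes are dropped,
// so "7.5.2-beta" compares as 7.5.2 (a simplification for this example).
function compareVersions(a, b) {
  const num = (v) => v.split("-")[0].split(".").map((p) => parseInt(p, 10) || 0);
  const [x, y] = [num(a), num(b)];
  for (let i = 0; i < 3; i++) {
    const xi = x[i] || 0;
    const yi = y[i] || 0;
    if (xi !== yi) return xi < yi ? -1 : 1;
  }
  return 0;
}

// Return every (name, version) still below its threshold, sorted for stable output.
function findOutdated(lockText, minimums = MINIMUM_VERSIONS) {
  const resolved = parseResolvedVersions(lockText);
  const findings = [];
  for (const [name, minimum] of Object.entries(minimums)) {
    for (const version of resolved.get(name) ?? []) {
      if (compareVersions(version, minimum) < 0) {
        findings.push({ name, version, minimum });
      }
    }
  }
  return findings.sort((p, q) => (p.name + p.version).localeCompare(q.name + q.version));
}

// Run against the constructed lockfile; a clean lockfile yields an empty list.
for (const f of findOutdated(SAMPLE_LOCKFILE)) {
  console.log(`${f.name}@${f.version} is below the ${f.minimum} threshold`);
}
```

Because a monorepo lockfile can resolve several versions of the same package at once (the sample has both minimatch 3.x and 9.x), the check reports each resolved version separately; a single bump in one workspace package does not clear a finding that another workspace still pulls in. A per-major-line threshold would be the next refinement and is left out here.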