chore(release): v0.1.9 — security and dependency updates

Closes 6 GitHub Dependabot security alerts and 8 dependency PRs.

Security
- Bump vite to 8.0.6+ in root and dashboard (resolves GHSA-v2wj-q39q-566r,
  GHSA-p9ff-h696-f583, GHSA-4w7w-66w2-5vf9 — all dev-server-only)
- Bump recharts 2.15.4 → 3.8.1 in dashboard, eliminating lodash from the
  shipped bundle (resolves GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh).
  Bundle size dropped 47KB (655KB → 608KB).

Dependencies
- @modelcontextprotocol/sdk 1.28.0 → 1.29.0
- express-rate-limit 8.3.1 → 8.3.2
- react-router-dom 7.13.2 → 7.14.0 (dashboard)
- eslint 10.1.0 → 10.2.0, @typescript-eslint/* 8.57.2 → 8.58.0 (dev)
- @types/node 25.5.0 → 25.5.2 (dev)

Fixed
- EvalTrendChart Tooltip formatter type updated for recharts 3.x

Verification
- Root: 18 test files, 120 tests passing, 0 vulnerabilities
- Dashboard: build succeeds, 0 vulnerabilities
- Website: build succeeds, 0 vulnerabilities
- Lockfile cross-platform integrity: 350 integrity hashes, 15 rolldown
  platform bindings, 3 @emnapi top-level entries (matches pre-bump shape)
- All version-carrying files synced to 0.1.9

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: irparent

CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.9] - 2026-04-07
+
+### Security
+- **Vite dev server vulnerabilities** — bumped vite to 8.0.6 across root and dashboard, resolving 6 GitHub Dependabot alerts:
+  - GHSA-v2wj-q39q-566r: `server.fs.deny` bypassed with queries (high)
+  - GHSA-p9ff-h696-f583: arbitrary file read via Vite Dev Server WebSocket (high)
+  - GHSA-4w7w-66w2-5vf9: path traversal in optimized deps `.map` handling (moderate)
+  - All three are dev-server-only (no impact on shipped artifacts), but worth eliminating
+- **Lodash removal from dashboard bundle** — bumped recharts 2.15.4 → 3.8.1, which drops the lodash dependency in favor of `es-toolkit`. Eliminates GHSA-r5fr-rjxr-66jc (`_.template` code injection) and GHSA-f23m-r3pf-42rh (prototype pollution) from the published dashboard. Bundle size dropped 47 KB (655 KB → 608 KB).
+
+### Changed
+- Bumped `@modelcontextprotocol/sdk` 1.28.0 → 1.29.0 (typings exports, ResourceSchema size field, `windowsHide` on Windows, capability extensions)
+- Bumped `express-rate-limit` 8.3.1 → 8.3.2
+- Bumped `react-router-dom` 7.13.2 → 7.14.0 (dashboard)
+- Bumped dev dependencies: `eslint` 10.1.0 → 10.2.0, `@typescript-eslint/*` 8.57.2 → 8.58.0, `@types/node` 25.5.0 → 25.5.2
+
+### Fixed
+- Recharts 3.x type compatibility: `EvalTrendChart` Tooltip formatter signature updated to match the new generic `Formatter<ValueType, NameType>` shape
+
 ## [0.1.8] - 2026-03-25
 
 ### Fixed

dashboard/package-lock.json

@@ -11,14 +11,14 @@
   "dependencies": {
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
-    "react-router-dom": "^7.13.2",
-    "recharts": "^2.15.0"
+    "react-router-dom": "^7.14.0",
+    "recharts": "^3.8.1"
   },
   "devDependencies": {
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",
     "@vitejs/plugin-react": "^6.0.1",
     "typescript": "^6.0.2",
-    "vite": "^8.0.3"
+    "vite": "^8.0.6"
   }
 }

dashboard/package.json

@@ -105,7 +105,7 @@ export function EvalTrendChart({ data, period, onPeriodChange }: Props) {
               color: '#fafafa',
               fontSize: '13px',
             }}
-            formatter={(value: number, name: string) => [
+            formatter={(value, name) => [
               `${value}%`,
               name === 'scorePercent' ? 'Avg Score' : 'Pass Rate',
             ]}