fix: Dependency bumps in transitive dependencies

[shortstacked]

Summary

Bumps multiple transitive dependencies to their latest stable versions via pnpm overrides. All packages are transitive (not direct dependencies) so overrides are the appropriate fix per our process.

Safe bumps (patch/minor)

Package	From	To	Notes
tar	7.5.7	^7.5.8	Patch bump
hono	4.11.7	4.11.10	Patch bump, timing comparison hardening
fast-xml-parser	5.3.4	5.3.6	Patch bump (5.x instances)
bn.js	5.2.2	5.2.3	Patch bump
ajv	8.17.1	8.18.0	Minor bump
ajv	6.12.6	6.14.0	Minor bump within same major line
minimatch	10.1.x	10.2.1	Minor bump
minimatch	9.0.5	10.2.1	Major bump, Node 20+ required (we're on 24)

Major version overrides (transitive only)

These packages had no backport fix in their current major line, so the override forces a newer major version. Since these are deep transitive dependencies consumed by other libraries, the risk is contained.

Package	From	To	Consumer	Breaking changes
fast-xml-parser	4.4.1	5.3.6	@aws-sdk/core 3.808	No API changes — v5 is ESM module format only. AWS SDK already handles v5 in newer releases
bn.js	4.12.2	5.2.3	asn1.js (snowflake-sdk)	.modn() renamed to .modrn(), .strip() internalized. Low risk for ASN.1 integer operations
ajv	7.2.4	8.18.0	@kafkajs/confluent-schema-registry	dataPath → instancePath in error objects, error message wording changes ("should" → "must")

Not overridden

Package	Version	Why
minimatch	3.1.2	Used by eslint and jest (via [email protected]) which call minimatch() as a default export — removed in v10. Dev-only, not in production image
minimatch 10.1.2 / tar 7.5.7 (Node-bundled)	Bundled with Node.js npm	Requires upstream Node.js release with newer npm

Also added ajv, bn.js, fast-xml-parser, hono, and minimatch to minimumReleaseAgeExclude in pnpm-workspace.yaml to allow recently-published versions.

Verification

• pnpm install — clean
• pnpm build — 48/48 tasks successful
• pnpm typecheck (cli, nodes-base) — clean
• pnpm test:affected — no regressions

Related Linear tickets, Github issues, and Community forum posts

Review / Merge checklist

• PR title and summary are descriptive. (conventions)
• Docs updated or follow-up ticket created.
• Tests included.
• PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

[codecov]

Bundle Report

Bundle size has no change ✅

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

Git push to origin failed for 1.x with exitcode 1

[n8n-assistant]

Got released with [email protected]

[github-actions]

Git push to origin failed for 1.x with exitcode 1