🛡 Dependabot triage: 3 alerts → 0 alerts via stale lockfile removal

All 3 open dependabot alerts on main trace to a single stale file: pnpm-lock.yaml (2026-05-07), which lists outdated transitive versions. The repo doesn't use pnpm — no workflow, husky hook, package script, or packageManager field references it.

📋 The alerts

| # | Severity | Package | Locked | Patched | Lockfile |
|---|----------|---------|--------|---------|----------|
| 105 | HIGH | fast-uri | 3.1.0 | ≥ 3.1.2 | pnpm-lock.yaml |
| 100 | HIGH | fast-uri | 3.1.0 | ≥ 3.1.1 | pnpm-lock.yaml |
| 91 | MED | ip-address | 10.1.0 | ≥ 10.1.1 | pnpm-lock.yaml |

✅ The npm lockfile is already secure

package-lock.json (npm, recently modified) has: fast-uri 3.1.2 and ip-address 10.2.0 — both above the patched floors. The actual node_modules/ shipped to dev machines and CI runners is fine.

Dependabot scans both lockfiles independently. The dead pnpm-lock.yaml is the only thing keeping the alerts open.
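As an added check (not tooling from this repo or from Dependabot), the script below reads a package-lock.json and reports every installed copy of the alerted packages that sits below its patched floor, including nested duplicates deeper in the node_modules tree. The lockfile content is constructed for the example, not the repo's real file; the floors come from the alert table above.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3: "packages" keyed by
# install path). Not the repo's real lockfile. A nested duplicate of fast-uri is
# included to show that every copy in the tree is checked, not only the top-level one.
SAMPLE_LOCK = json.dumps({
    "name": "example",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example", "dependencies": {"ajv": "^8.0.0"}},
        "node_modules/fast-uri": {"version": "3.1.2"},
        "node_modules/ip-address": {"version": "10.2.0"},
        "node_modules/some-tool/node_modules/fast-uri": {"version": "3.1.2"},
    },
})

# Patched floors taken from the alert table: package -> minimum safe version.
PATCHED_FLOORS = {"fast-uri": "3.1.2", "ip-address": "10.1.1"}


def parse_version(v):
    """Turn '10.2.0' into (10, 2, 0) so versions compare numerically, not as strings.
    Pre-release and build suffixes are dropped for this comparison."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def installed_versions(lock_json):
    """Map package name -> set of every version present anywhere in the lockfile tree."""
    found = {}
    for path, entry in json.loads(lock_json).get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        # Last "node_modules/" segment is the package name; scoped names keep their "@scope/".
        name = path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, set()).add(entry["version"])
    return found


def check_floors(lock_json, floors):
    """Return {package: [versions below its floor]}; an empty dict means the lockfile is clean."""
    present = installed_versions(lock_json)
    violations = {}
    for name, floor in floors.items():
        bad = sorted(v for v in present.get(name, ()) if parse_version(v) < parse_version(floor))
        if bad:
            violations[name] = bad
    return violations


if __name__ == "__main__":
    print(check_floors(SAMPLE_LOCK, PATCHED_FLOORS))  # {} for the sample above
```

Run it against the real package-lock.json by replacing SAMPLE_LOCK with the file's contents; any non-empty result lists the copies Dependabot would still flag.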

🔍 Cross-references checked

| Surface | References pnpm? |
|---------|------------------|
| .github/workflows/*.yml | ✅ no matches |
| .husky/* | ✅ no matches |
| scripts/*, bin/* | ✅ no matches |
| package.json (packageManager field) | ✅ absent |
| .npmrc, .pnpmrc | ✅ absent |

🎯 Fix

git rm pnpm-lock.yaml → all 3 alerts auto-close on next dependabot scan. No code change. No build change. No CI change.