
Chore: Resolve vulnerabilities in transitive NPM dependencies#87

Merged
up1512001 merged 1 commit into develop from chore/dependabot-issues on Mar 6, 2026

Conversation

@imrraaj (Collaborator) commented Mar 5, 2026

What

This PR adds overrides in package.json to address security vulnerabilities reported by Dependabot and npm audit.

Why

Fixes dependabot alerts

How

Testing Instructions

Screenshots

Additional Info

Checklist

  • I have read the Contribution Guidelines.
  • I have read the Development Guidelines.
  • My code is tested to the best of my abilities.
  • My code passes all lints (ESLint etc.).
  • My code has detailed inline documentation.
  • I have updated the project documentation as needed.

Copilot AI review requested due to automatic review settings March 5, 2026 15:30
Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses reported security vulnerabilities by adding package.json overrides for transitive NPM dependencies and updating the lockfile accordingly, along with a plugin patch-version bump to 1.1.2.

Changes:

  • Add/extend package.json overrides to force patched versions of vulnerable transitive packages.
  • Update package-lock.json to reflect the overridden/resolved dependency graph.
  • Bump plugin version references to 1.1.2 and add a 1.1.2 changelog entry.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

Summary per file:
  readme.txt         Updates WordPress plugin "Stable tag" to 1.1.2.
  oneupdate.php      Bumps plugin header version and ONEUPDATE_VERSION constant to 1.1.2.
  CHANGELOG.md       Adds 1.1.2 entry documenting the security/dependency work.
  package.json       Introduces additional NPM overrides (minimatch, serialize-javascript, ajv under wp-playground packages).
  package-lock.json  Regenerates lockfile to capture the updated override resolutions and transitive bumps.


Comment on lines +82 to +91
"minimatch": ">=10.2.1",
"serialize-javascript": ">=7.0.3",
"@wp-playground/blueprints": {
"ajv": ">=8.18.0"
},
"@wp-playground/tools": {
"ajv": ">=8.18.0"
},
"@wp-playground/cli": {
"ajv": ">=8.18.0"
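Review bot: the three nested `ajv` entries under @wp-playground/blueprints, @wp-playground/tools and @wp-playground/cli repeat the same `>=8.18.0` floor. An npm nested override applies to that package anywhere beneath the named parent, so if all three parents resolve to one hoisted copy of ajv the scoping gains nothing over a single top-level `"ajv": ">=8.18.0"`; if the scoping is deliberate because some other dependant has to stay on an older ajv major, say so in the CHANGELOG.md entry this PR adds, since package.json cannot carry a comment. Either way, run `npm ls ajv` after `npm install` and confirm that no copy below 8.18.0 is reachable from those three packages.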
Copilot AI commented Mar 5, 2026

The new overrides use open-ended ranges (e.g. minimatch: ">=10.2.1", serialize-javascript: ">=7.0.3"). This can unintentionally allow future major releases (e.g. minimatch 11 / serialize-javascript 8) the next time the lockfile is regenerated, increasing the risk of breakage. Consider constraining these to a major-bound range (or a pinned version) so the security fix doesn’t also widen upgrade surface area.

Suggested change
"minimatch": ">=10.2.1",
"serialize-javascript": ">=7.0.3",
"@wp-playground/blueprints": {
"ajv": ">=8.18.0"
},
"@wp-playground/tools": {
"ajv": ">=8.18.0"
},
"@wp-playground/cli": {
"ajv": ">=8.18.0"
"minimatch": "^10.2.1",
"serialize-javascript": "^7.0.3",
"@wp-playground/blueprints": {
"ajv": "^8.18.0"
},
"@wp-playground/tools": {
"ajv": "^8.18.0"
},
"@wp-playground/cli": {
"ajv": "^8.18.0"

"webpack-dev-server@<=5.2.0": ">=5.2.1"
"webpack-dev-server@<=5.2.0": ">=5.2.1",
"minimatch": ">=10.2.1",
"serialize-javascript": ">=7.0.3",
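Review bot: the pre-existing `"webpack-dev-server@<=5.2.0": ">=5.2.1"` entry limits its scope with a version key, while the new `minimatch` and `serialize-javascript` entries are bare names and therefore rewrite every dependant's request for those packages, including dependants that declare an older major. If the advisories being fixed are confined to the 10.x and 7.x lines (the diff does not show which versions are affected), the same keyed form, for example `"minimatch@^10": ">=10.2.1"` and `"serialize-javascript@^7": ">=7.0.3"`, would patch the affected edges without moving dependants that ask for minimatch 3 or serialize-javascript 6 onto a different major. If older majors are affected as well, the global form is the right call and a passing lint/build run is the evidence that it is safe; the empty Testing Instructions section is the place to say which of the two applies.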
Copilot AI commented Mar 5, 2026

minimatch and serialize-javascript are being overridden globally to new major versions. In the lockfile, some dependencies still declare older major ranges (e.g. @eslint/eslintrc depends on minimatch: ^3.1.2, and css-minimizer-webpack-plugin depends on serialize-javascript: ^6.0.2). Using overrides to bypass these semver constraints can break lint/build tooling at runtime. Prefer upgrading the parent packages to versions that officially support the patched majors, or scoping the overrides to only the vulnerable dependency paths if possible.

Suggested change
"serialize-javascript": ">=7.0.3",
"serialize-javascript": ">=6.0.2 <7",
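Review bot: this suggested `">=6.0.2 <7"` replaces the floor the PR sets (`>=7.0.3`) with a range that lies entirely below it, so accepting it keeps css-minimizer-webpack-plugin's `^6.0.2` request intact only by giving up the fix unless 6.0.2 is itself a patched release, which nothing in this diff establishes. Before taking the suggestion, check the patched range the advisory names (`npm audit` prints the affected version range per package) and, if 6.x is not patched, keep the 7.x floor and accept that css-minimizer-webpack-plugin receives a major it did not declare, or upgrade that plugin instead as the comment above proposes.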

Comment on lines +85 to +91
"ajv": ">=8.18.0"
},
"@wp-playground/tools": {
"ajv": ">=8.18.0"
},
"@wp-playground/cli": {
"ajv": ">=8.18.0"
Copilot AI commented Mar 5, 2026

The nested ajv overrides for @wp-playground/* are specified as >=8.18.0, which can allow a future ajv v9+ upgrade when the lockfile is refreshed. To keep the security fix while avoiding unexpected breaking changes, consider constraining this to a v8-only range (or a pinned version).

Suggested change
"ajv": ">=8.18.0"
},
"@wp-playground/tools": {
"ajv": ">=8.18.0"
},
"@wp-playground/cli": {
"ajv": ">=8.18.0"
"ajv": ">=8.18.0 <9.0.0"
},
"@wp-playground/tools": {
"ajv": ">=8.18.0 <9.0.0"
},
"@wp-playground/cli": {
"ajv": ">=8.18.0 <9.0.0"
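Review bot: `">=8.18.0 <9.0.0"` here and `"^8.18.0"` in the first suggestion express the same range; pick one notation for the whole overrides block so a later reader does not wonder whether the two were meant to differ. The explicit bound reads well next to the version-keyed webpack-dev-server entry and the caret is shorter; either is fine, but not both in the same block.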

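Added example (not code from the OneUpdate project or from the reviewers above): a stand-alone Node script that performs the check the comments in this thread keep circling, namely whether package-lock.json actually resolves every overridden package inside the required range, including ajv as resolved by a @wp-playground/* parent, and that makes the open-ended versus bounded range difference concrete through its satisfies() helper. The semver handling is a deliberately small subset of what the real semver package does, and the override set and lockfile fragment at the bottom are constructed for illustration, with @eslint/eslintrc and @wp-playground/cli given made-up versions.

```javascript
// Added example, not the OneUpdate project's own code: audit a package-lock.json
// against the "overrides" block of package.json and report every installed copy of
// an overridden package that still resolves outside the required range.
// Minimal semver support, enough for the range forms that appear in this PR.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// Handles "X.Y.Z", ">=X", ">X", "<=X", "<X", "^X.Y.Z" and space-separated conjunctions
// such as ">=8.18.0 <9.0.0". ">=10.2.1" admits 11.0.0; "^10.2.1" does not.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every((part) => {
    if (part.startsWith("^")) {
      const lo = parseVersion(part.slice(1));
      // ^1.2.3 means >=1.2.3 <2.0.0; ^0.2.3 means >=0.2.3 <0.3.0
      const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : [0, lo[1] + 1, 0];
      return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
    }
    const op = (part.match(/^(>=|<=|>|<)/) || [""])[0];
    const c = cmp(v, parseVersion(part.slice(op.length)));
    return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "": c === 0 }[op];
  });
}

// Flatten "overrides" into rules. A key is a bare name ("minimatch"), a name with a
// range ("webpack-dev-server@<=5.2.0"), or a parent whose value nests child rules
// ("@wp-playground/cli": { "ajv": ">=8.18.0" }); the "@" of a scope is not a spec.
function flattenOverrides(overrides, parent = null, out = []) {
  for (const [key, value] of Object.entries(overrides)) {
    const at = key.lastIndexOf("@");
    const name = at > 0 ? key.slice(0, at) : key;
    const keySpec = at > 0 ? key.slice(at + 1) : null;
    if (typeof value === "object") flattenOverrides(value, name, out);
    else out.push({ name, keySpec, range: value, parent });
  }
  return out;
}

// Lockfile v2/v3 "packages" keys are install paths such as "node_modules/minimatch"
// or "node_modules/@eslint/eslintrc/node_modules/minimatch".
const pkgName = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// Node-style resolution inside the lockfile: try <from>/node_modules/<name>, then
// walk up one node_modules level at a time until the project root.
function resolveFrom(lock, from, name) {
  for (let dir = from; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

function auditLock(lock, overrides) {
  const findings = [];
  const paths = Object.keys(lock.packages).filter((p) => p !== ""); // "" is the root
  for (const rule of flattenOverrides(overrides)) {
    const inScope = rule.parent
      ? paths.filter((p) => pkgName(p) === rule.parent)
          .map((p) => resolveFrom(lock, p, rule.name)).filter(Boolean)
      : paths.filter((p) => pkgName(p) === rule.name);
    for (const p of new Set(inScope)) {
      const version = lock.packages[p].version;
      // npm matches a "name@spec" key against the dependant's declared range; this
      // after-the-fact audit matches the installed version instead (a simplification).
      if (rule.keySpec && !satisfies(version, rule.keySpec)) continue;
      if (!satisfies(version, rule.range)) {
        findings.push({ path: p, version, required: rule.range, parent: rule.parent });
      }
    }
  }
  return findings;
}

// Constructed sample (not a real lockfile): a stale nested minimatch 3.x, a hoisted
// ajv below the floor that @wp-playground/cli would resolve to, webpack-dev-server 5.2.0.
const SAMPLE_OVERRIDES = {
  "webpack-dev-server@<=5.2.0": ">=5.2.1",
  "minimatch": ">=10.2.1",
  "serialize-javascript": ">=7.0.3",
  "@wp-playground/cli": { "ajv": ">=8.18.0" },
};
const SAMPLE_LOCK = { packages: {
  "": { name: "example-project", version: "0.0.0" },
  "node_modules/minimatch": { version: "10.2.1" },
  "node_modules/@eslint/eslintrc": { version: "1.0.0" },
  "node_modules/@eslint/eslintrc/node_modules/minimatch": { version: "3.1.2" },
  "node_modules/serialize-javascript": { version: "7.0.3" },
  "node_modules/ajv": { version: "8.17.1" },
  "node_modules/@wp-playground/cli": { version: "1.0.0" },
  "node_modules/webpack-dev-server": { version: "5.2.0" },
} };
```

To run it against a real checkout, call auditLock(require("./package-lock.json"), require("./package.json").overrides || {}) and fail CI when the returned array is non-empty. Against the constructed sample it returns three findings: webpack-dev-server still at 5.2.0, the nested minimatch 3.1.2 under @eslint/eslintrc, and the hoisted ajv 8.17.1 that @wp-playground/cli resolves to because no nested copy exists beneath it. The last case is why the audit resolves the way Node does rather than only looking for copies physically nested under the parent.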
@imrraaj imrraaj requested a review from up1512001 March 6, 2026 08:50
@up1512001 up1512001 merged commit 62ea4e1 into develop Mar 6, 2026
13 checks passed
3 participants