[agent] chore(deps): bump flatted to ^3.4.2 via overrides

[github-actions]

Fixes prototype pollution vulnerability in flatted (GHSA-rf6f-7fwh-wjgh / CVE-2026-33228, severity high, CVSS v4: 8.9).

What

Adds an overrides entry in the root package.json to force flatted >= 3.4.2 across the dependency tree.

Why overrides

The dependency chain is:

eslint@8.57.1 → file-entry-cache@6.0.1 → flat-cache@3.0.4 → flatted@3.2.6 (vulnerable)

flat-cache@3.x (the latest 3.x is 3.2.0) has no release that pins flatted >= 3.4.2. Upgrading to flat-cache@6.x would also require upgrading file-entry-cache to v11 and eslint to a compatible major — a much larger change. Using overrides is the appropriate fallback per the remediation policy when no direct-dependency bump resolves the advisory on a supported range.

Alert

• Dependabot alert chore(ci): bump packages #179: https://github.com/mongodb-js/devtools-shared/security/dependabot/179

Generated by Dependabot remediation agent · ● 1.1M · ◷

[nirinchev]

@copilot can you instead upgrade to latest eslint?

[Copilot]

@copilot can you instead upgrade to latest eslint?

Done in commit 130a0e9. Upgraded ESLint to ^9.0.0 across the entire monorepo and migrated all configs to the ESLint 9 flat config format:

• Replaced @typescript-eslint/eslint-plugin + @typescript-eslint/parser v5 with typescript-eslint: ^8.0.0 in eslint-config-devtools
• Upgraded eslint-plugin-mocha to ^11.0.0 and eslint-config-prettier to ^10.0.0
• Rewrote eslint-config-devtools/index.js as a flat config factory function
• Converted all 30 .eslintrc.js files to eslint.config.js flat config format
• Migrated devtools-connect away from eslint-config-semistandard (which doesn't support ESLint 9) to @mongodb-js/eslint-config-devtools
• Removed the flatted override from root package.json (no longer needed since ESLint 9 pulls in a non-vulnerable flatted through its updated dependency chain)