Drive dep-audit accept-list to zero — drizzle major bump + transitive cleanup

[chitcommit]

Tracking issue for the audit accept-list installed by PR #124 (.github/workflows/security-gates.yml).

The accept-list contains ~32 pre-existing high+ advisories in transitive deps that were hidden by the previously-broken pnpm audit --ignore flag. Each entry is tech-debt that must be driven to zero.

Approach

• Group by upstream module; resolve via a sequence of focused PRs (one module family per PR).
• Highest-leverage first: drizzle-orm major bump (covers CVE-2026-39356).
• Where direct bump is blocked by API breaks, evaluate pnpm.overrides for transitives.

Module-level workstreams

• drizzle-orm — major bump (separate PR)
• path-to-regexp — overrides already in main, confirm graph
• esbuild, micromatch, semver, tar, ws, postcss, json5, etc. — bump consumers
• Re-run pnpm audit --prod --json after each PR and shrink IGNORED_IDS

Done when

• IGNORED_IDS array in security-gates.yml is empty
• pnpm audit --prod --audit-level=high exits 0 with no --ignore shim

[chitcommit]

Housekeeping note (unrelated to this issue's main thread, parked here for discoverability):

PR #124 landed via a two-parent merge commit (e296809) instead of a squash, bringing 4 intermediate fixup commits (dffee13, 8b245d1, 63393ee, ff4ee76) onto main's linear history. Content is correct; only the topology is non-canonical.

Decision: accept as-is. A revert+resquash PR would add a revert commit plus a re-application commit (net +2 commits of pure noise on top of the existing 5) and would have to clear the same dep-audit gate #124 itself was fixing. Not worth it.

Prevention: allowed_merge_methods on the repo is being locked to ["squash"] in a parallel change so this can't recur.