chore(oss): regenerate public lockfiles against public PyPI/npm #693

Open · omnigent-ci[bot] wants to merge 1 commit into main from automation/oss-lockfile-regen

chore(oss): regenerate public lockfiles against public PyPI/npm#693
omnigent-ci[bot] wants to merge 1 commit into
mainfrom
automation/oss-lockfile-regen

Conversation


@omnigent-ci omnigent-ci Bot commented Jun 18, 2026


Automated: regenerated uv.lock + ap-web/package-lock.json against public PyPI/npm, validated by a Docker build + omnigent --help smoke (run 27769748982). Merge to keep the public lockfiles current and buildable.

@github-actions github-actions Bot added the size/XS Pull request size: XS label Jun 18, 2026

omnigent-ci Bot commented Jun 18, 2026


Polly AI Review

Review: chore(oss): regenerate public lockfiles against public PyPI/npm


1. Blocking Issues

None identified. All changes are confined to package-lock.json (no uv.lock changes appear in the diff despite the description mentioning one). No source code is altered.


2. Security Analysis

  • dompurify 3.4.8 → 3.4.9: This is the most security-sensitive library in the set. It's a patch bump; keeping it current is correct practice. No regressions expected — patch releases in DOMPurify are typically targeted XSS/bypass fixes. ✅
  • semver 7.8.3 → 7.8.4: Patch bump on a security-adjacent utility. No known CVE addressed here, low risk. ✅
  • No new packages with network-access, shell-execution, or credential-handling surface area are introduced.
  • @shikijs/stream@4.2.0 is a new transitive package (pulled in by the updated shiki-stream@0.1.5). It is a code-highlighting utility with no privileged access surface. ✅
  • Overall, no injection, authentication, SSRF, or secret-exposure concerns are present in a lockfile-only update.

3. Non-Blocking Observations

  • @rc-component/async-validator 5.1.1 → 6.0.0 (major bump): This is the only major-version increment in the set. It is pulled in transitively by @rc-component/form@1.8.3, which explicitly declares "@rc-component/async-validator": "^6.0.0" in its own manifest — so the lockfile correctly reflects the upstream's own range resolution. Regression risk exists if form validation behavior changed between major versions; the Docker smoke test (omnigent --help) would not exercise form validation. Low risk in practice (this is a form validation utility, not a core runtime path), but worth flagging for awareness if form-heavy UI flows are not covered by integration tests.

  • shiki-stream@0.1.5 is now deprecated: The package itself marks itself deprecated in favour of @shikijs/stream. The 0.1.5 release is a shim: it re-exports @shikijs/stream. This means a new transitive package (@shikijs/stream@4.2.0) enters the tree, and the old bundled @shikijs/core@3.23.0 + @shikijs/types@3.23.0 copies are correctly removed (net savings). The shim approach is safe short-term, but @lobehub/ui or the project should migrate to @shikijs/stream directly in a follow-up.

  • @pierre/diffs range → exact pin (^1.1.191.2.8): This is in @lobehub/ui's own manifest (upstream), not the project's package.json. The lockfile simply reflects that resolution. No action needed.

  • prosemirror-view tightens prosemirror-model peer to ^1.25.8 (was ^1.20.0): The resolved version in the lock is 1.25.8, so this is satisfied. No conflict visible.

  • PR description mentions uv.lock regeneration, but no Python lockfile changes appear in the diff. Either uv.lock was unchanged (valid), or it was accidentally omitted. Worth confirming the description is accurate.


4. Summary

This is a low-risk, automated dependency refresh touching only package-lock.json. The overwhelming majority of bumps are patch or minor version updates with no API surface changes. The single major-version bump (@rc-component/async-validator 5→6) is correctly resolved via the upstream component's own updated peer range and poses negligible runtime risk in the absence of user-facing form validation in the smoke test. The shiki-stream deprecation shim consolidates two old @shikijs/core v3 copies into a single v4 package (a net improvement). No security concerns are identified. The Docker build + smoke test described in the PR provides reasonable confidence for a lockfile-only change. Recommend merging after confirming whether uv.lock was intentionally unchanged.


Automated review by Polly · workflow run
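One way to reproduce the lockfile triage the review above performs, as an added example that is not part of the PR, the omnigent project, or the Polly reviewer's tooling: it reads two package-lock.json documents (constructed here and trimmed to the entries and version numbers the review quotes), lists added, removed and bumped packages, classifies each bump by semver level so that major bumps and downgrades surface for human reading rather than skimming, and compares the files a PR description claims to regenerate against the files the diff actually touches (the uv.lock observation). The lockfile key layout (`node_modules/...` paths under `packages`) is npm's lockfileVersion 2/3 format; everything else is assumed for illustration.

```python
"""Classify changes between two npm package-lock.json (lockfileVersion 2/3) files.

Added example for this PR thread; not code from the project or the reviewer.
The two lockfiles below are constructed, trimmed to the fields the comparison
needs, and use only the version numbers quoted in the review.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed "before" lockfile: only the entries relevant to the review.
OLD_LOCK = json.dumps({
    "name": "ap-web", "lockfileVersion": 3,
    "packages": {
        "": {"name": "ap-web"},
        "node_modules/dompurify": {"version": "3.4.8"},
        "node_modules/semver": {"version": "7.8.3"},
        "node_modules/@rc-component/async-validator": {"version": "5.1.1"},
        "node_modules/shiki-stream/node_modules/@shikijs/core": {"version": "3.23.0"},
    },
})

# Constructed "after" lockfile: the bumps, the new transitive, and the removed copy.
NEW_LOCK = json.dumps({
    "name": "ap-web", "lockfileVersion": 3,
    "packages": {
        "": {"name": "ap-web"},
        "node_modules/dompurify": {"version": "3.4.9"},
        "node_modules/semver": {"version": "7.8.4"},
        "node_modules/@rc-component/async-validator": {"version": "6.0.0"},
        "node_modules/@shikijs/stream": {"version": "4.2.0"},
    },
})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); pre-release and build suffixes are ignored."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the package actually installed)."""
    return lock_key.rsplit("node_modules/", 1)[1]


def installed_versions(lock_text: str) -> Dict[str, str]:
    """Map lockfile path -> version for every installed (node_modules/) entry."""
    packages = json.loads(lock_text).get("packages", {})
    return {k: v["version"] for k, v in packages.items()
            if k.startswith("node_modules/") and "version" in v}


def classify_bump(old: str, new: str) -> str:
    """major / minor / patch / downgrade / none, by the first semver component that moved."""
    o, n = parse_version(old), parse_version(new)
    if n < o:
        return "downgrade"
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    if n[2] != o[2]:
        return "patch"
    return "none"


def diff_lockfiles(old_text: str, new_text: str) -> Dict[str, List]:
    """Added, removed and bumped packages between two lockfiles, keyed by install path."""
    old, new = installed_versions(old_text), installed_versions(new_text)
    report: Dict[str, List] = {"added": [], "removed": [], "bumped": []}
    for key in sorted(set(old) | set(new)):
        name = package_name(key)
        if key not in old:
            report["added"].append((name, new[key]))
        elif key not in new:
            report["removed"].append((name, old[key]))
        elif old[key] != new[key]:
            report["bumped"].append((name, old[key], new[key],
                                     classify_bump(old[key], new[key])))
    return report


def needs_human_attention(report: Dict[str, List]) -> List[Tuple[str, str, str, str]]:
    """Major bumps and downgrades are the entries a reviewer should read, not skim."""
    return [b for b in report["bumped"] if b[3] in ("major", "downgrade")]


def claimed_but_absent(claimed_files: List[str], changed_files: List[str]) -> List[str]:
    """Files a PR description says were regenerated but that the diff does not touch."""
    return sorted(set(claimed_files) - set(changed_files))


if __name__ == "__main__":
    result = diff_lockfiles(OLD_LOCK, NEW_LOCK)
    print(json.dumps(result, indent=2))
    print("needs attention:", needs_human_attention(result))
    # The description claims both lockfiles; a lockfile-only diff touching one flags the other.
    print("claimed but absent:",
          claimed_but_absent(["uv.lock", "ap-web/package-lock.json"],
                             ["ap-web/package-lock.json"]))
```

Run against the real before/after lockfiles (for example the two blobs from the force-pushed commits), the `bumped` list is the reviewer's Security Analysis table and `needs_human_attention` is exactly the async-validator 5→6 entry; nested install paths are kept distinct so a de-duplicated copy such as the old bundled `@shikijs/core` shows up as a removal rather than silently disappearing.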

@github-actions github-actions Bot force-pushed the automation/oss-lockfile-regen branch 2 times, most recently from 353190d to ff90f5e Compare June 19, 2026 15:00
@github-actions github-actions Bot force-pushed the automation/oss-lockfile-regen branch from ff90f5e to ad4458b Compare June 20, 2026 03:24