
chore: resolve open dependabot security alerts#1980

Open
jonathannorris wants to merge 1 commit into main from chore/dependabot-alerts

Conversation

jonathannorris (Member) commented Jun 15, 2026

Summary

Resolves the cleanly patchable open Dependabot security alerts.

  • Bumped github.com/containerd/containerd/v2 to v2.2.4 in test/integration (resolves the containerd alert).
  • Added a js-cookie override (>=3.0.7) in playground-app to patch the transitive react-use dependency.

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #189 | github.com/containerd/containerd/v2 | high | Bumped to v2.2.4 via go get |
| #190 | js-cookie | high | Forced >=3.0.7 via npm override |

Unresolvable / not fixed here

esbuild (#191, high) in playground-app. The fix requires esbuild >=0.28.1, but vite 6/7 cannot build against esbuild 0.28 (transform-target error), and the only vite line that drops esbuild is vite 8, which pulls in lightningcss (MPL-2.0) and trips the FOSSA License Compliance check. The playground app is a dev-only tool that is not built in CI, and the advisory is a dev-server issue. Leaving esbuild at 0.25.x pending an upstream vite path that does not introduce a copyleft dependency.

github.com/docker/docker (#152, #151, #184, #185, #186) in test/integration. The legacy docker/docker module path is end-of-life at v28.5.2+incompatible; the patch lives in github.com/moby/moby/v2. It remains a transitive dependency of testcontainers/buildx/compose and cannot be patched on our side until those upstreams fully migrate off docker/docker. (Bumping testcontainers to v0.42 to drop it breaks the pinned go-sdk-contrib/tests/flagd/v2 test framework, which uses the older nat.Port API.)

| Alert | Package | Severity |
|---|---|---|
| #191 | esbuild | high |
| #186 | github.com/docker/docker | high |
| #185 | github.com/docker/docker | medium |
| #184 | github.com/docker/docker | high |
| #152 | github.com/docker/docker | high |
| #151 | github.com/docker/docker | medium |

Verification

  • test/integration: go build ./... and go vet ./... pass.
  • playground-app: npm run build succeeds; js-cookie resolves to 3.0.8.

@jonathannorris jonathannorris requested review from a team as code owners June 15, 2026 14:21
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 15, 2026
@jonathannorris jonathannorris marked this pull request as draft June 15, 2026 14:21
netlify Bot commented Jun 15, 2026

Deploy Preview for polite-licorice-3db33c canceled.

| Name | Link |
|---|---|
| Latest commit | cbc8680 |
| Latest deploy log | https://app.netlify.com/projects/polite-licorice-3db33c/deploys/6a300ca077886c0007773529 |

gemini-code-assist Bot (Contributor) left a comment

Code Review

This pull request updates various dependencies, including upgrading Go modules in the integration tests and updating frontend packages in the playground application. However, critical issues were identified in the frontend dependency updates: the specified versions for @vitejs/plugin-react (^6.0.2) and vite (^8.0.16) do not exist on the public npm registry, which will cause build and installation failures.


Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris force-pushed the chore/dependabot-alerts branch from fe15340 to cbc8680 Compare June 15, 2026 14:30

@jonathannorris jonathannorris marked this pull request as ready for review June 15, 2026 20:37