chore(security): update vulnerable transitive dependencies

Update transitive dependencies to address known CVEs:

- semver 7.5.0 → 7.7.4 (CVE-2022-25883 ReDoS)
- ws 8.11.0 → 8.19.0 (CVE-2024-37890 DoS via headers)
- minimatch 10.0.1 → 10.2.4 (multiple ReDoS CVEs)
- tar 7.5.4 → 7.5.11 (multiple path traversal CVEs)

Packages updated:
- apps/webapp: semver, ws
- packages/cli-v3: minimatch, semver, tar, ws
- packages/trigger-sdk: ws

Test results:
- @trigger.dev/core: 412/412 passed
- @trigger.dev/sdk: 10/10 passed
- 7/8 package test suites passed (redis-worker requires
  testcontainers/Docker environment, not affected by these changes)

Author: jrossi

apps/webapp/package.json

@@ -54,7 +54,6 @@
     "@electric-sql/react": "^0.3.5",
     "@headlessui/react": "^1.7.8",
     "@heroicons/react": "^2.0.12",
-    "@jsonhero/schema-infer": "^0.1.5",
     "@internal/cache": "workspace:*",
     "@internal/redis": "workspace:*",
     "@internal/run-engine": "workspace:*",
@@ -63,6 +62,7 @@
     "@internal/tsql": "workspace:*",
     "@internal/zod-worker": "workspace:*",
     "@internationalized/date": "^3.5.1",
+    "@jsonhero/schema-infer": "^0.1.5",
     "@kapaai/react-sdk": "^0.1.3",
     "@lezer/highlight": "^1.1.6",
     "@opentelemetry/api": "1.9.0",
@@ -204,7 +204,7 @@
     "remix-typedjson": "0.3.1",
     "remix-utils": "^7.7.0",
     "seedrandom": "^3.0.5",
-    "semver": "^7.5.0",
+    "semver": "^7.7.4",
     "simple-oauth2": "^5.0.0",
     "simplur": "^3.0.1",
     "slug": "^6.0.0",
@@ -223,7 +223,7 @@
     "ulid": "^2.3.0",
     "ulidx": "^2.2.1",
     "uuid": "^9.0.0",
-    "ws": "^8.11.0",
+    "ws": "^8.19.0",
     "zod": "3.25.76",
     "zod-error": "1.5.0",
     "zod-validation-error": "^1.5.0"

packages/cli-v3/package.json

@@ -120,7 +120,7 @@
     "json-stable-stringify": "^1.3.0",
     "jsonc-parser": "3.2.1",
     "magicast": "^0.3.4",
-    "minimatch": "^10.0.1",
+    "minimatch": "^10.2.4",
     "mlly": "^1.7.1",
     "nypm": "^0.5.4",
     "object-hash": "^3.0.0",
@@ -131,18 +131,18 @@
     "pkg-types": "^1.1.3",
     "polka": "^0.5.2",
     "resolve": "^1.22.8",
-    "semver": "^7.5.0",
+    "semver": "^7.7.4",
     "signal-exit": "^4.1.0",
     "socket.io-client": "4.7.5",
     "source-map-support": "0.5.21",
     "std-env": "^3.7.0",
     "strip-ansi": "^7.1.0",
     "supports-color": "^10.0.0",
-    "tar": "^7.5.4",
+    "tar": "^7.5.11",
     "tiny-invariant": "^1.2.0",
     "tinyexec": "^0.3.1",
     "tinyglobby": "^0.2.10",
-    "ws": "^8.18.0",
+    "ws": "^8.19.0",
     "xdg-app-paths": "^8.3.0",
     "zod": "3.25.76",
     "zod-validation-error": "^1.5.0"

packages/trigger-sdk/package.json

@@ -61,7 +61,7 @@
     "ulid": "^2.3.0",
     "uncrypto": "^0.1.3",
     "uuid": "^9.0.0",
-    "ws": "^8.11.0"
+    "ws": "^8.19.0"
   },
   "devDependencies": {
     "@arethetypeswrong/cli": "^0.15.4",
@@ -78,8 +78,8 @@
     "zod": "3.25.76"
   },
   "peerDependencies": {
-    "zod": "^3.0.0 || ^4.0.0",
-    "ai": "^4.2.0 || ^5.0.0 || ^6.0.0"
+    "ai": "^4.2.0 || ^5.0.0 || ^6.0.0",
+    "zod": "^3.0.0 || ^4.0.0"
   },
   "peerDependenciesMeta": {
     "ai": {