
feat: added lavamoat #572

Merged
andreabadesso merged 7 commits into master from feat/lavamoat on Feb 3, 2026

Conversation

@andreabadesso (Contributor) commented Jan 5, 2026

Acceptance Criteria

  • We should run the headless with lavamoat-node to protect it against supply chain attacks
  • We should create a policy and an override disallowing what we don't use
  • We should force axios to be loaded in commonjs mode to make it compatible with lavamoat's runtime
  • We should patch depd so it doesn't crash on sandboxed environments

Patches:

  • axios+1.7.7: LavaMoat's runtime doesn't resolve the exports map in package.json, falling back to main + type instead. The default values point to an ESM entry, which LavaMoat can't handle. This patch changes main and type to point to the existing CJS build (./dist/node/axios.cjs), which LavaMoat can consume. No behavioral change -- the CJS build was already used by require() consumers via the exports map.

  • depd+2.0.0: LavaMoat's sandbox restricts V8's CallSite API, which depd uses for stack trace introspection. Without this patch, depd crashes when calling methods like getFileName() on restricted objects. The patch adds defensive guards that check if each CallSite method exists before calling it, falling back to safe defaults (, 0). In non-sandboxed environments the methods always exist, so the code path is unchanged.

The only effect under LavaMoat is that deprecation warnings show instead of actual file/line info, which is negligible since these are developer-facing diagnostics only.

Security Checklist

  • Make sure you do not include new dependencies in the project unless strictly necessary and do not include dev-dependencies as production ones. More dependencies increase the possibility of one of them being hijacked and affecting us.
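The depd patch described above guards each V8 CallSite method before calling it and falls back to a safe default when the sandbox has stripped the method. The following is an added JavaScript illustration written for this page of that guard pattern; it is not the PR's own patch, the `'<unknown>'` default and the `restrictedSite` stand-in are constructed for the example, and `captureCallSites` uses the standard `Error.prepareStackTrace` hook to obtain real CallSite objects in an unrestricted Node process.

```javascript
'use strict';

// Obtain V8 CallSite objects for the current stack. Outside a sandbox each
// CallSite exposes getFileName(), getLineNumber(), getColumnNumber(), etc.
function captureCallSites() {
  const original = Error.prepareStackTrace;
  try {
    Error.prepareStackTrace = (_err, structured) => structured;
    const holder = {};
    Error.captureStackTrace(holder, captureCallSites);
    return holder.stack; // accessed inside try: the stack is formatted lazily
  } finally {
    Error.prepareStackTrace = original;
  }
}

// Call a CallSite method only if it actually exists on the object;
// otherwise return the caller-supplied fallback instead of throwing.
function safeCall(site, method, fallback) {
  return typeof site[method] === 'function' ? site[method]() : fallback;
}

// Location info a deprecation message would print. In a restricted
// environment the methods are missing, so the constructed defaults
// ('<unknown>', 0) are used; in a normal process the path is unchanged.
function describeCallSite(site) {
  return {
    file: safeCall(site, 'getFileName', '<unknown>') ?? '<unknown>',
    line: safeCall(site, 'getLineNumber', 0) ?? 0,
    column: safeCall(site, 'getColumnNumber', 0) ?? 0,
  };
}

// Constructed stand-in for a CallSite whose methods a sandbox has removed.
const restrictedSite = Object.freeze({});

// Demo: the first frame is the caller of captureCallSites (this module).
const sites = captureCallSites();
console.log(describeCallSite(sites[0]));       // real file/line of this script
console.log(describeCallSite(restrictedSite)); // { file: '<unknown>', line: 0, column: 0 }
```

The guard is deliberately per-method rather than a single "are we sandboxed?" flag, because a runtime may expose some CallSite methods and not others; checking each call keeps the diagnostic path identical in unrestricted processes while never throwing in restricted ones.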

@andreabadesso andreabadesso changed the title from "feat: added lavamoat and refactored logs to use logger" to "feat: added lavamoat" on Jan 5, 2026
@andreabadesso andreabadesso self-assigned this Jan 5, 2026
@andreabadesso andreabadesso moved this from Todo to In Progress (WIP) in Hathor Network Jan 5, 2026
@andreabadesso andreabadesso moved this from In Progress (WIP) to In Progress (Done) in Hathor Network Jan 28, 2026
@codecov bot commented Jan 28, 2026

Codecov Report

❌ Patch coverage is 87.50000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.93%. Comparing base (725d782) to head (e50aa6b).
⚠️ Report is 1 commit behind head on master.

Files with missing lines        Patch %   Lines
src/plugins/hathor_rabbitmq.js  0.00%     2 Missing ⚠️

Impacted files:
@@            Coverage Diff             @@
##           master     #572      +/-   ##
==========================================
+ Coverage   89.43%   89.93%   +0.50%     
==========================================
  Files          56       56              
  Lines        2460     2455       -5     
  Branches      455      454       -1     
==========================================
+ Hits         2200     2208       +8     
+ Misses        239      229      -10     
+ Partials       21       18       -3     


@pedroferreira1 pedroferreira1 moved this from In Progress (Done) to In Review (WIP) in Hathor Network Feb 2, 2026
@r4mmer r4mmer moved this from In Review (WIP) to In Review (Done) in Hathor Network Feb 2, 2026
Copy patches and lavamoat policies into the Docker image and
replace the node entrypoint with lavamoat.
@andreabadesso andreabadesso merged commit feb35f3 into master Feb 3, 2026
6 of 11 checks passed
@github-project-automation github-project-automation bot moved this from In Review (Done) to Waiting to be deployed in Hathor Network Feb 3, 2026

Labels: none yet
Project status: Waiting to be deployed


3 participants