
fix(deps): resolve remaining Dependabot vulnerabilities in demo app#473

Merged
citypaul merged 1 commit into main from fix/remaining-dependabot-vulnerabilities
Feb 25, 2026

Conversation

@citypaul
Owner

Summary

  • Resolve final 3 Dependabot security alerts in demo/payflow-with-scenarist
  • No overrides needed — all fixes via lockfile refresh within existing semver ranges
  • Add pnpm-workspace.yaml to enable proper standalone lockfile management

Vulnerabilities Fixed

Package     From     To       Severity   Fix Method
minimatch   3.1.2    3.1.4    High       Lockfile refresh
minimatch   9.0.5    10.2.3   High       Lockfile refresh
ajv         6.12.6   6.14.0   Medium     Lockfile refresh

Root Cause

The demo/payflow-with-scenarist directory lacked a pnpm-workspace.yaml, which meant pnpm update would find the parent workspace instead of treating it as standalone. This prevented proper lockfile regeneration. Added the workspace config (matching the existing demo/payflow pattern) to fix this.

Test plan

  • All 560 core tests passing
  • Verified no vulnerable versions remain in lockfile (grep confirms 0 matches)
  • Verified resolved versions: minimatch 3.1.4/10.2.3, ajv 6.14.0
  • CI passes

🤖 Generated with Claude Code

Update demo/payflow-with-scenarist lockfile to fix 3 remaining alerts:
- minimatch 3.1.2→3.1.4 (high)
- minimatch 9.0.5→10.2.3 (high)
- ajv 6.12.6→6.14.0 (medium)

Add pnpm-workspace.yaml to make the demo a standalone workspace root
(matching demo/payflow pattern), enabling proper lockfile regeneration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude

claude bot commented Feb 25, 2026

PR Review: fix(deps): resolve remaining Dependabot vulnerabilities in demo app

Verdict: Approve

This is a focused, well-scoped dependency security fix. Here's my assessment:


What's happening

The PR has two changes to demo/payflow-with-scenarist/:

  1. New pnpm-workspace.yaml — declares the directory as a standalone pnpm workspace root with packages: []
  2. Regenerated pnpm-lock.yaml — resolves three vulnerabilities:
    • minimatch@3.1.2 → 3.1.4 (High)
    • minimatch@9.0.5 → 10.2.3 (High)
    • ajv@6.12.6 → 6.14.0 (Medium)

Root cause diagnosis is correct

Without a pnpm-workspace.yaml, running pnpm inside demo/payflow-with-scenarist/ causes pnpm to traverse upward and find the monorepo root workspace. This means pnpm update would operate against the root workspace rather than the demo's own lockfile — preventing the lockfile from being regenerated independently. The fix correctly mirrors the pattern from demo/payflow.


The packages: [] approach is correct

An empty packages array is the right declaration for a single-package workspace root with no sub-packages. This anchors pnpm to this directory as the workspace root without pulling in any additional workspaces.


Scope check: demo/ rules apply

Per CLAUDE.md, demo/ apps:

  • Install Scenarist from npm (not workspace links) — validates published packages
  • Are excluded from pnpm-workspace.yaml at the monorepo root
  • Are not subject to strict TDD requirements or hexagonal architecture rules

There's nothing to flag here from an architecture or testing perspective. This is purely dependency maintenance.


Minor observation (non-blocking)

The minimatch major version bump (9.0.5 → 10.2.3) is worth noting — this is a transitive dependency upgrade, so there's no direct usage to audit, but the lockfile regeneration handles it correctly as a resolution override.


No issues. Clean fix.
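The test plan verifies the refreshed lockfile by grepping for the old versions, and the review confirms the resolved ones. The following is an added example, not code from this PR or the Scenarist project, that performs the same two checks by parsing the package keys of a pnpm-lock.yaml rather than grepping raw text, so that scoped names, v6-style leading slashes and peer-suffixed snapshot keys are matched exactly and a version such as 3.1.23 cannot false-match 3.1.2. The lockfile excerpt is constructed to approximate the v9 layout (it is not the demo's real lockfile); the alert versions come from the PR's table.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed pnpm-lock.yaml excerpt approximating the v9 layout; not the demo's real lockfile.
STALE_LOCK = """lockfileVersion: '9.0'
packages:
  ajv@6.12.6:
    resolution: {integrity: sha512-PLACEHOLDER}
  minimatch@3.1.2:
    resolution: {integrity: sha512-PLACEHOLDER}
  minimatch@9.0.5:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  ajv@6.12.6(fast-deep-equal@3.1.3):
    dependencies:
      fast-deep-equal: 3.1.3
"""
# The same excerpt after the lockfile refresh the PR describes.
REFRESHED_LOCK = (STALE_LOCK.replace("6.12.6", "6.14.0")
                 .replace("3.1.2", "3.1.4").replace("9.0.5", "10.2.3"))
# (package, version the alert was raised for, version the refresh resolved to), from the PR table.
RESOLVED_ALERTS = [("minimatch", "3.1.2", "3.1.4"), ("minimatch", "9.0.5", "10.2.3"), ("ajv", "6.12.6", "6.14.0")]
# Package key: "  minimatch@3.1.4:", "  /minimatch@3.1.4:" (v6), "  @scope/name@1.0.0:", "  ajv@6.14.0(peer@1.0.0):".
PACKAGE_KEY = re.compile(r"^\s+/?(@?[^@\s/]+(?:/[^@\s/]+)?)@([^\s(:]+)(?:\([^)]*\))*:\s*$")

def lockfile_versions(text: str) -> Dict[str, Set[str]]:
    """Map package name -> resolved versions found in the packages/snapshots sections."""
    versions: Dict[str, Set[str]] = {}
    section = None
    for line in text.splitlines():
        top = re.match(r"^([A-Za-z]+):\s*$", line)  # an unindented key starts a new section
        if top:
            section = top.group(1)
        elif section in ("packages", "snapshots"):
            m = PACKAGE_KEY.match(line)
            if m:
                versions.setdefault(m.group(1), set()).add(m.group(2))
    return versions

def remaining_alerts(text: str, alerts=RESOLVED_ALERTS) -> List[Tuple[str, str]]:
    """(package, version) pairs still resolved to the alerted version; empty means none remain."""
    found = lockfile_versions(text)
    return [(name, bad) for name, bad, _ in alerts if bad in found.get(name, set())]

def missing_fixes(text: str, alerts=RESOLVED_ALERTS) -> List[Tuple[str, str]]:
    """(package, version) pairs the refresh should have produced but the lockfile lacks."""
    found = lockfile_versions(text)
    return [(name, fixed) for name, _, fixed in alerts if fixed not in found.get(name, set())]
```

Running both checks against the real demo/payflow-with-scenarist/pnpm-lock.yaml in CI would turn the manual grep step of the test plan into a failing check whenever a future refresh reintroduces one of the alerted versions.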

@citypaul citypaul merged commit 16b85ac into main Feb 25, 2026
23 checks passed
@citypaul citypaul deleted the fix/remaining-dependabot-vulnerabilities branch February 25, 2026 10:06