security: pin all dependencies to exact versions

Removes caret (^) ranges from all 74 dependencies in package.json,
locking each to the exact version resolved in bun.lock.

Motivation: the axios supply chain attack of March 31 2026 demonstrated
that caret ranges are a live attack vector. axios@^1.14.0 would have
resolved to the trojanized 1.14.1 (bundled plain-crypto-js RAT, C2
sfrclak.com). Both 1.14.1 and 0.30.4 were unpublished within 24h.

Key pins:
  axios      ^1.14.0  → 1.14.0   (trojanized 1.14.1 blocked)
  undici     ^7.3.0   → 7.24.6   (7 CVEs between 7.3 and 7.24)
  yaml       ^2.7.0   → 2.8.3    (CVE-2026-33532 fix)
  ajv        ^8.17.0  → 8.18.0   (ReDoS fix)
  lodash-es  ^4.17.21 → 4.17.23  (prototype pollution fix)
  zod        ^3.24.0  → 3.25.76  (large range locked)

All 74 deps verified: integrity hashes match npm registry, no known
supply chain incidents, no postinstall scripts in lockfile.

bun.lock

@@ -5,82 +5,82 @@
     "": {
       "name": "openclaude",
       "dependencies": {
-        "@alcalzone/ansi-tokenize": "^0.3.0",
-        "@anthropic-ai/bedrock-sdk": "^0.26.0",
-        "@anthropic-ai/foundry-sdk": "^0.2.0",
-        "@anthropic-ai/sandbox-runtime": "^0.0.46",
-        "@anthropic-ai/sdk": "^0.81.0",
-        "@anthropic-ai/vertex-sdk": "^0.14.0",
-        "@commander-js/extra-typings": "^12.0.0",
-        "@growthbook/growthbook": "^1.3.0",
-        "@modelcontextprotocol/sdk": "^1.12.0",
-        "@opentelemetry/api": "^1.9.1",
-        "@opentelemetry/api-logs": "^0.214.0",
-        "@opentelemetry/core": "^2.6.1",
-        "@opentelemetry/exporter-logs-otlp-http": "^0.214.0",
-        "@opentelemetry/exporter-trace-otlp-grpc": "^0.57.0",
-        "@opentelemetry/resources": "^2.6.1",
-        "@opentelemetry/sdk-logs": "^0.214.0",
-        "@opentelemetry/sdk-metrics": "^2.6.1",
-        "@opentelemetry/sdk-trace-base": "^2.6.1",
-        "@opentelemetry/sdk-trace-node": "^2.6.1",
-        "@opentelemetry/semantic-conventions": "^1.40.0",
-        "ajv": "^8.17.0",
-        "auto-bind": "^5.0.1",
-        "axios": "^1.14.0",
-        "bidi-js": "^1.0.3",
-        "chalk": "^5.4.0",
-        "chokidar": "^4.0.0",
-        "cli-boxes": "^3.0.0",
-        "cli-highlight": "^2.1.0",
-        "code-excerpt": "^4.0.0",
-        "commander": "^12.0.0",
-        "diff": "^7.0.0",
-        "emoji-regex": "^10.4.0",
-        "env-paths": "^3.0.0",
-        "execa": "^9.5.0",
-        "fflate": "^0.8.2",
-        "figures": "^6.1.0",
-        "fuse.js": "^7.1.0",
-        "get-east-asian-width": "^1.3.0",
-        "google-auth-library": "^9.15.0",
-        "https-proxy-agent": "^7.0.6",
-        "ignore": "^7.0.0",
-        "indent-string": "^5.0.0",
-        "jsonc-parser": "^3.3.1",
-        "lodash-es": "^4.17.21",
-        "lru-cache": "^11.0.0",
-        "marked": "^15.0.0",
-        "p-map": "^7.0.3",
-        "picomatch": "^4.0.0",
-        "proper-lockfile": "^4.1.2",
-        "qrcode": "^1.5.4",
-        "react": "^19.2.4",
-        "react-compiler-runtime": "^1.0.0",
-        "react-reconciler": "^0.33.0",
-        "semver": "^7.6.3",
-        "shell-quote": "^1.8.2",
-        "signal-exit": "^4.1.0",
-        "stack-utils": "^2.0.6",
-        "strip-ansi": "^7.1.0",
-        "supports-hyperlinks": "^3.1.0",
-        "tree-kill": "^1.2.2",
-        "turndown": "^7.2.0",
-        "type-fest": "^4.30.0",
-        "undici": "^7.3.0",
-        "usehooks-ts": "^3.1.1",
-        "vscode-languageserver-protocol": "^3.17.5",
-        "wrap-ansi": "^9.0.0",
-        "ws": "^8.18.0",
-        "xss": "^1.0.15",
-        "yaml": "^2.7.0",
-        "zod": "^3.24.0",
+        "@alcalzone/ansi-tokenize": "0.3.0",
+        "@anthropic-ai/bedrock-sdk": "0.26.4",
+        "@anthropic-ai/foundry-sdk": "0.2.3",
+        "@anthropic-ai/sandbox-runtime": "0.0.46",
+        "@anthropic-ai/sdk": "0.81.0",
+        "@anthropic-ai/vertex-sdk": "0.14.4",
+        "@commander-js/extra-typings": "12.1.0",
+        "@growthbook/growthbook": "1.6.5",
+        "@modelcontextprotocol/sdk": "1.29.0",
+        "@opentelemetry/api": "1.9.1",
+        "@opentelemetry/api-logs": "0.214.0",
+        "@opentelemetry/core": "2.6.1",
+        "@opentelemetry/exporter-logs-otlp-http": "0.214.0",
+        "@opentelemetry/exporter-trace-otlp-grpc": "0.57.2",
+        "@opentelemetry/resources": "2.6.1",
+        "@opentelemetry/sdk-logs": "0.214.0",
+        "@opentelemetry/sdk-metrics": "2.6.1",
+        "@opentelemetry/sdk-trace-base": "2.6.1",
+        "@opentelemetry/sdk-trace-node": "2.6.1",
+        "@opentelemetry/semantic-conventions": "1.40.0",
+        "ajv": "8.18.0",
+        "auto-bind": "5.0.1",
+        "axios": "1.14.0",
+        "bidi-js": "1.0.3",
+        "chalk": "5.6.2",
+        "chokidar": "4.0.3",
+        "cli-boxes": "3.0.0",
+        "cli-highlight": "2.1.11",
+        "code-excerpt": "4.0.0",
+        "commander": "12.1.0",
+        "diff": "7.0.0",
+        "emoji-regex": "10.6.0",
+        "env-paths": "3.0.0",
+        "execa": "9.6.1",
+        "fflate": "0.8.2",
+        "figures": "6.1.0",
+        "fuse.js": "7.1.0",
+        "get-east-asian-width": "1.5.0",
+        "google-auth-library": "9.15.1",
+        "https-proxy-agent": "7.0.6",
+        "ignore": "7.0.5",
+        "indent-string": "5.0.0",
+        "jsonc-parser": "3.3.1",
+        "lodash-es": "4.17.23",
+        "lru-cache": "11.2.7",
+        "marked": "15.0.12",
+        "p-map": "7.0.4",
+        "picomatch": "4.0.4",
+        "proper-lockfile": "4.1.2",
+        "qrcode": "1.5.4",
+        "react": "19.2.4",
+        "react-compiler-runtime": "1.0.0",
+        "react-reconciler": "0.33.0",
+        "semver": "7.7.4",
+        "shell-quote": "1.8.3",
+        "signal-exit": "4.1.0",
+        "stack-utils": "2.0.6",
+        "strip-ansi": "7.2.0",
+        "supports-hyperlinks": "3.2.0",
+        "tree-kill": "1.2.2",
+        "turndown": "7.2.2",
+        "type-fest": "4.41.0",
+        "undici": "7.24.6",
+        "usehooks-ts": "3.1.1",
+        "vscode-languageserver-protocol": "3.17.5",
+        "wrap-ansi": "9.0.2",
+        "ws": "8.20.0",
+        "xss": "1.0.15",
+        "yaml": "2.8.3",
+        "zod": "3.25.76",
       },
       "devDependencies": {
-        "@types/bun": "^1.2.0",
-        "@types/node": "^25.5.0",
-        "@types/react": "^19.2.14",
-        "typescript": "^5.7.0",
+        "@types/bun": "1.3.11",
+        "@types/node": "25.5.0",
+        "@types/react": "19.2.14",
+        "typescript": "5.9.3",
       },
     },
   },