ci: re-trigger checks

The override "elliptic": ">=6.6.1" was added in PR #26 to address
GHSA-848j-6mx2-7j84 (CVE-2025-14505), but it is a no-op because
elliptic@6.6.1 IS the vulnerable version and no patched version exists.
No upstream fix is available — elliptic@6.6.1 is the latest release.

CTO decision: remove the no-op override, accept residual build-time risk.
Dependency is build-time only and not shipped to production.

Ref: PRI-1758, PRI-923

.github/workflows/dual-approval.yaml

@@ -94,14 +94,14 @@ jobs:
             exit 1
           fi
 
-          REVIEWER_APPROVED=$(printf '%s' "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
+          REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
             '[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
 
           echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"
 
           # Fallback: check if CTO approved as alternative for uat→main
           if [ "${REVIEWER_APPROVED}" != "true" ] && [ -n "${ALT_REVIEWER}" ]; then
-            REVIEWER_APPROVED=$(printf '%s' "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
+            REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
               '[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
             if [ "${REVIEWER_APPROVED}" = "true" ]; then
               echo "CTO (${ALT_REVIEWER}) approved as fallback for UAT gate."

package.json

@@ -33,8 +33,7 @@
     "overrides": {
       "tar": "^7.5.11",
       "undici": "^7.24.3",
-      "flatted": "^3.4.2",
-      "elliptic": ">=6.6.1"
+      "flatted": "^3.4.2"
     }
   },
   "devDependencies": {

pnpm-lock.yaml

@@ -8,7 +8,6 @@ overrides:
   tar: ^7.5.11
   undici: ^7.24.3
   flatted: ^3.4.2
-  elliptic: '>=6.6.1'
 
 importers: