Fix vulnerable transitive dependencies

[dannyhw]

Issue:

Fixes Dependabot security alerts for vulnerable transitive dependencies in the pnpm lockfile:

• shell-quote (GHSA-w7jw-789q-3m8p / CVE-2026-9277)
• undici (GHSA-vxpw-j846-p89q / CVE-2026-12151)
• http-proxy-middleware (GHSA-gcq2-9pq2-cxqm / CVE-2026-55603)

What I did

• Added a pnpm override for shell-quote@1.8.4 because the affected parents resolve shell-quote@1.8.3 directly.
• Updated pnpm-lock.yaml to resolve undici@6.27.0 through the existing @expo/server semver range.
• Updated pnpm-lock.yaml to resolve http-proxy-middleware@3.0.7 through the existing @callstack/repack-dev-server semver range.
• Left the Docusaurus http-proxy-middleware@2.0.9 path unchanged because this alert only affects the 3.x and 4.x vulnerable ranges.

How to test

Validated with:

• pnpm install
• pnpm why shell-quote --recursive
• pnpm why undici --recursive
• pnpm why http-proxy-middleware --recursive
• targeted pnpm audit --json parsing for the three GHSA IDs

This does not need a new example in examples/expo-example.
This does not need a documentation update.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 09092f0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR