
fix(security): resolve Dependabot and CodeQL vulnerabilities #697

Open

cl-efornaciari wants to merge 1 commit into main from fix/security-vulnerabilities

Conversation

@cl-efornaciari
Contributor

Summary

This PR addresses security vulnerabilities reported by Dependabot and CodeQL.

Dependabot (1 alert fixed)

  • ajv (CVE-2025-69873): Updated from 8.17.1 to 8.18.0 to fix a ReDoS vulnerability with the $data option
  • ajv is a direct dependency; lockfile was regenerated via rm yarn.lock && yarn install --ignore-engines

CodeQL (11 alerts addressed)

Command injection (2 alerts), scripts/adapter-generator.ts:

  • Replaced execSync with execFileSync to prevent shell command injection from process.argv[2]
  • Arguments are now passed as an array instead of string interpolation, eliminating indirect command line injection

Workflow permissions (9 alerts):

  • main.yaml: Added permissions: contents: read at workflow level; code-coverage job overrides with contents: write (pushes coverage branch)
  • pinned-dependencies.yaml: Added permissions: contents: read
  • open-version-bump-pr.yaml: Added permissions: contents: read, pull-requests: write, issues: write; createVersionBumpPR job overrides with contents: write, pull-requests: write
  • add-or-validate-labels.yaml: Added permissions: contents: read, pull-requests: read, issues: write

What remains

  • Dependabot may still show 1 open alert until the PR is merged and the default branch is updated
  • Local yarn build may fail due to Node version (generator-adapter expects Node 20+); CI uses ubuntu-latest and should pass

How changes were made

  1. Bumped ajv in package.json, deleted yarn.lock, reinstalled to refresh transitive deps
  2. Swapped execSync for execFileSync with array arguments in adapter-generator.ts
  3. Added explicit permissions blocks to all workflow files per CodeQL least-privilege guidance

Made with Cursor
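As an added example (not code from this PR or the project), the before/after shape of the execSync to execFileSync change described in the summary above, with node itself standing in for `yo` so the argv the child receives can be observed; `generators/app` and the adapter path are constructed sample values, and `shellCommandBefore`, `invocationAfter` and `argvSeenByChild` are hypothetical names.

```typescript
import { execFileSync } from 'node:child_process';

// A no-shell invocation: the program and its argv kept as separate strings.
export interface Invocation {
  file: string;
  args: string[];
}

// Before (as the PR summary describes it): one string handed to a shell, so
// any metacharacter in pathArg (taken from process.argv[2]) is interpreted.
export function shellCommandBefore(generatorPath: string, pathArg: string): string {
  return `yo ${generatorPath} ${pathArg}`;
}

// After: program plus argv array. Without `shell: true`, execFileSync spawns
// the program directly and each element arrives as one literal argument.
// Passing `{ shell: true }` would join the array back into a shell string and
// reopen the hole, so the fix depends on leaving that option out.
export function invocationAfter(generatorPath: string, pathArg: string): Invocation {
  return { file: 'yo', args: [generatorPath, pathArg] };
}

// Shows what the child actually receives: node stands in for the generator
// and prints its own argv as JSON. 'generators/app' is a constructed sample.
export function argvSeenByChild(pathArg: string): string[] {
  const echo = 'console.log(JSON.stringify(process.argv.slice(1)))';
  const inv = invocationAfter('generators/app', pathArg);
  const out = execFileSync(process.execPath, ['-e', echo, ...inv.args], {
    encoding: 'utf8',
  });
  return JSON.parse(out) as string[];
}

// A pathArg that a shell would split and expand stays a single untouched string.
const hostile = 'adapters/demo $(date); echo injected';
console.log(shellCommandBefore('generators/app', hostile)); // what the shell used to parse
console.log(argvSeenByChild(hostile));                       // two literal arguments
```

On Windows the npm-installed `yo` is a `.cmd` shim that execFileSync cannot start without `shell: true`, so the no-shell path there needs the generator invoked through its JavaScript entry point rather than the shim.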

const generatorCommand = `yo ${generatorPath} ${pathArg}`

execSync(generatorCommand, { stdio: 'inherit' })
const args = [generatorPath]
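Review bot: the added line `const args = [generatorPath]` drops `pathArg`, which the removed template string `yo ${generatorPath} ${pathArg}` interpolated, and the snippet does not show it being appended; confirm `pathArg` is pushed onto `args` and that the `execFileSync('yo', args, ...)` call omits `shell: true`, since with that option execFileSync joins the array back into a shell string and the injection from `process.argv[2]` that the PR describes would return.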
Contributor


Please run this locally on the main EA repo to test out a new adapter generation
