
chore(deps): Force basic-ftp >=5.3.0 to fix GHSA-rp42-5vxx-qpwr#6024

Open
antonis wants to merge 1 commit into main from fix/basic-ftp-dos-advisory

Conversation


@antonis antonis commented Apr 20, 2026

📢 Type of change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring

📜 Description

Adds a yarn resolution forcing basic-ftp to ^5.3.0 in place of the vulnerable 5.2.2 currently pulled in transitively. Uses the same resolutions pattern already in use for axios, tar-fs, lodash, and others.

Dependency chain:
@puppeteer/browsers / @wdio/utils → proxy-agent → pac-proxy-agent → get-uri → basic-ftp

Both consumers are dev-only (e2e tooling). get-uri requires basic-ftp: ^5.0.2, so 5.3.0 satisfies the existing constraint without API changes.

💡 Motivation and Context

GHSA-rp42-5vxx-qpwr — high-severity (CVSS 7.5) denial-of-service in basic-ftp <= 5.2.2 via unbounded memory growth in Client.list(). The StringWriter used to buffer the directory listing grows without limit, so a malicious or compromised FTP server can exhaust memory and crash the process.

Patched in basic-ftp@5.3.0.

Closes the Dependabot alert: https://github.com/getsentry/sentry-react-native/security/dependabot/500

💚 How did you test it?

  • yarn install succeeds; yarn.lock now resolves basic-ftp@5.3.0 (old 5.2.2 artifact removed).
  • No production runtime code touches basic-ftp — it is dev-only via puppeteer/webdriverio.

📝 Checklist

  • I added tests to verify changes
  • No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled
  • I updated the docs if needed.
  • I updated the wizard if needed.
  • All tests passing
  • No breaking changes

🔮 Next steps

🤖 Generated with Claude Code

Adds a yarn resolution to pull basic-ftp@5.3.0 (patched) in place of
5.2.2, which is vulnerable to a high-severity denial-of-service via
unbounded memory growth in Client.list(). The package is a transitive
dev dependency via @puppeteer/browsers and @wdio/utils.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

Semver Impact of This PR

None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


  • chore(deps): Force basic-ftp >=5.3.0 to fix GHSA-rp42-5vxx-qpwr by antonis in #6024
  • chore(deps): bump getsentry/craft from 2.25.2 to 2.25.4 by dependabot in #6019
  • chore(deps): bump getsentry/craft/.github/workflows/changelog-preview.yml from 2.25.2 to 2.25.4 by dependabot in #6021
  • chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 by dependabot in #6022
  • chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 by dependabot in #6020
  • ci(danger): Demote Android SDK version mismatch from fail to warn by antonis in #6018
  • chore(deps): update Android SDK to v8.39.1 by github-actions in #6010
  • chore(deps): update JavaScript SDK to v10.49.0 by github-actions in #6011
  • ci: Integrate Warden for AI-powered PR code review by antonis in #6003
  • chore(lint): Fixes lint issue on main by antonis in #6013
  • feat(expo): Warn when prebuilt native projects are missing Sentry config by alwx in #5984

🤖 This preview updates automatically when you update the PR.

@github-actions

Fails
🚫 Pull request is not ready for merge, please add the "ready-to-merge" label to the pull request

Generated by 🚫 dangerJS against 3f994ca

@antonis antonis marked this pull request as ready for review April 20, 2026 09:56
1 participant