Commit Graph

3 Commits

Author SHA1 Message Date
oxmc eb21092f46 chore: resolve remaining audit vulnerabilities (uuid, @types/request, brace-expansion)
Release Please / release-please (push) Has been cancelled
Docker Build and Push (Development) / build-and-push-dev (push) Has been cancelled
- Removed @types/request (unused devDependency, no "request" import anywhere
  in the codebase) - it was the actual source of the critical form-data
  vulnerability via its own outdated nested dependency.
- Bumped uuid v3 -> v11 (patched version) across all 8 call sites, migrating
  from the old default-import "uuid.v4()"/"uuid()" style to the named-export
  "v4 as uuidv4" style the new major requires. Tried v14 first - it broke the
  Jest test suite entirely (ships ESM-only, Node's CJS require() choked on
  it) - v11 is the oldest patched version that still works under Jest/CJS.
  Removed 2 more unused "import uuid" lines with no actual usage.
- Picked up brace-expansion via a follow-up non-breaking npm audit fix.

Verified full build (frontend+backend) and full test suite (179 tests)
after each step. 45 -> 4 unique vulnerable packages remaining: aws-sdk
(its own advisory, "fix" would downgrade it - not worth it), aws-sdk's
own nested uuid (same reason), esbuild/vite (major version bump to vite 8,
needs its own dedicated upgrade pass), and nodemailer (breaking API change,
only exercised when EMAIL_VERIFICATION is enabled) - all left for a
deliberate separate decision rather than forced through here.
2026-07-05 06:16:19 -07:00
oxmc e4cc93220f chore: npm audit fix - resolve 38 of 45 dependency vulnerabilities
Release Please / release-please (push) Has been cancelled
Docker Build and Push (Development) / build-and-push-dev (push) Has been cancelled
Non-breaking transitive dependency bumps only (npm audit fix, no --force).
Verified build (frontend+backend) and full test suite (179 tests) still pass.

Remaining 7 (vite/esbuild, form-data, nodemailer, uuid) all require
--force major version bumps that could break existing code - left for a
deliberate separate decision rather than bundled in here.
2026-07-05 06:05:19 -07:00
oxmc c177785026 chore: commit package-lock.json for reproducible installs
Release Please / release-please (push) Has been cancelled
Docker Build and Push (Development) / build-and-push-dev (push) Has been cancelled
Was gitignored, so npm install (including inside the Docker build) floated
to whatever versions were latest at install time - which is exactly what
caused the moveMultipleFiles build failure last commit. Locking versions
so CI/Docker/local all resolve the same dependency tree.
2026-07-05 05:27:37 -07:00