createTransport()/sendMail() callback API unchanged between majors - smoke
tested the transport directly (confirmed correct error type, not an API
shape error) since the test suite doesn't exercise the email-sending path
(EMAIL_VERIFICATION off in tests). Full build + 179-test suite still pass.
3 unique vulnerable packages remain (aws-sdk's own advisory + its nested
uuid, vite/esbuild dev-server issue needing a major v5->v8 bump) - left
deliberately, all lower practical risk or need a dedicated upgrade pass.
- Removed @types/request (unused devDependency, no "request" import anywhere
in the codebase) - it was the actual source of the critical form-data
vulnerability via its own outdated nested dependency.
- Bumped uuid v3 -> v11 (patched version) across all 8 call sites, migrating
from the old default-import "uuid.v4()"/"uuid()" style to the named-export
"v4 as uuidv4" style the new major requires. Tried v14 first - it broke the
Jest test suite entirely (ships ESM-only, Node's CJS require() choked on
it) - v11 is the oldest patched version that still works under Jest/CJS.
Removed 2 more unused "import uuid" lines with no actual usage.
- Picked up brace-expansion via a follow-up non-breaking npm audit fix.
Verified full build (frontend+backend) and full test suite (179 tests)
after each step. 45 -> 4 unique vulnerable packages remaining: aws-sdk
(its own advisory, "fix" would downgrade it - not worth it), aws-sdk's
own nested uuid (same reason), esbuild/vite (major version bump to vite 8,
needs its own dedicated upgrade pass), and nodemailer (breaking API change,
only exercised when EMAIL_VERIFICATION is enabled) - all left for a
deliberate separate decision rather than forced through here.
Non-breaking transitive dependency bumps only (npm audit fix, no --force).
Verified build (frontend+backend) and full test suite (179 tests) still pass.
Remaining 7 (vite/esbuild, form-data, nodemailer, uuid) all require
--force major version bumps that could break existing code - left for a
deliberate separate decision rather than bundled in here.
Was gitignored, so npm install (including inside the Docker build) floated
to whatever versions were latest at install time - which is exactly what
caused the moveMultipleFiles build failure last commit. Locking versions
so CI/Docker/local all resolve the same dependency tree.