eb21092f46
- Removed @types/request (unused devDependency, no "request" import anywhere in the codebase) - it was the actual source of the critical form-data vulnerability via its own outdated nested dependency. - Bumped uuid v3 -> v11 (patched version) across all 8 call sites, migrating from the old default-import "uuid.v4()"/"uuid()" style to the named-export "v4 as uuidv4" style the new major requires. Tried v14 first - it broke the Jest test suite entirely (ships ESM-only, Node's CJS require() choked on it) - v11 is the oldest patched version that still works under Jest/CJS. Removed 2 more unused "import uuid" lines with no actual usage. - Picked up brace-expansion via a follow-up non-breaking npm audit fix. Verified full build (frontend+backend) and full test suite (179 tests) after each step. 45 -> 4 unique vulnerable packages remaining: aws-sdk (its own advisory, "fix" would downgrade it - not worth it), aws-sdk's own nested uuid (same reason), esbuild/vite (major version bump to vite 8, needs its own dedicated upgrade pass), and nodemailer (breaking API change, only exercised when EMAIL_VERIFICATION is enabled) - all left for a deliberate separate decision rather than forced through here.