GitHub Actions Deprecation
NONE — all pinned actions (actions/checkout@v6, actions/setup-node@v6 with node-version: 24, actions/upload-artifact@v6, docker/login-action@v4, docker/setup-buildx-action@v4, docker/metadata-action@v6, docker/build-push-action@v7, peter-evans/repository-dispatch@v4) already run on the Node24 runtime, ahead of GitHub's Node20 phase-out (default Node24 since June 2, 2026, full removal September 16, 2026). Minor housekeeping note: actions/checkout@v6 and actions/upload-artifact@v6 are one major behind the newest v7, but neither is urgent since both already run Node24.
npm Dependencies
npm audit against the committed lockfiles in backend/, frontend/, and shared/ found real, currently-installed advisories on direct dependencies:
backend/package.json
nodemailer@^8.0.1 (locked at 8.0.1) — high-severity SSRF/arbitrary-file-read via the raw message option (GHSA-p6gq-j5cr-w38f), plus SMTP/CRLF injection issues. Fix requires a major bump to 9.0.3+ (the fix is outside the current ^8.0.1 range).
typeorm@^0.3.28 (locked at 0.3.28, the top of the vulnerable range) — SQL injection in UpdateQueryBuilder/SoftDeleteQueryBuilder.orderBy() on MySQL/MariaDB (GHSA-9ggv-8w38-r7pm). Fix: bump to 0.3.29/0.3.30.
@nestjs/core locked at 11.1.14 (vulnerable range ≤11.1.17) — moderate injection issue; a lockfile refresh to 11.1.27+ resolves it without a major bump.
- Several transitive advisories (
handlebars — critical AST-type-confusion JS injection, plus node-forge, multer, fast-xml-parser, lodash) also clear once the lockfile is refreshed.
frontend/package.json
react-router-dom@^7.13.1 (locked at 7.13.1) — GHSA-49rj-9fvp-4h2h, unauthenticated RCE via turbo-stream deserialization, plus XSS/CSRF/open-redirect advisories, all fixed at 7.15.1+. Fix: bump to 7.18.1.
axios@^1.13.6 (locked at 1.13.6) — prototype-pollution → credential/response hijacking, NO_PROXY SSRF bypass, and ReDoS advisories, fixed at 1.16.0+. Fix: bump to 1.18.1.
vitest/@vitest/ui@4.0.18 — critical: arbitrary file read/execute while the Vitest UI server is listening. Fix: bump to 4.1.9.
vite@7.3.1 (transitive via vitest) — dev-server file-read / server.fs.deny bypass, fixed at 7.3.4+.
2+ major versions behind latest (registry check):
| Package |
Location |
Pinned |
Latest |
jsdom |
frontend (devDep) |
^25.0.1 |
29.1.1 |
@types/node |
backend (devDep) |
^22.10.7 |
26.1.0 |
@types/node |
frontend (devDep) |
^24.10.1 |
26.1.0 |
stripe |
backend |
^20.4.1 |
22.3.0 |
Recommend prioritizing nodemailer, typeorm, react-router-dom, axios, and vitest/@vitest/ui first since they're direct production/test-runtime dependencies with confirmed advisories; most of the rest clears with a lockfile refresh alone.
Go Module CVEs
NONE — no go.mod in this repo (Node/TypeScript monorepo).
Terraform Providers
NONE — no *.tf files in this repo (infra is delegated to infra-int via repository_dispatch).
GitHub Actions Deprecation
NONE — all pinned actions (
actions/checkout@v6,actions/setup-node@v6withnode-version: 24,actions/upload-artifact@v6,docker/login-action@v4,docker/setup-buildx-action@v4,docker/metadata-action@v6,docker/build-push-action@v7,peter-evans/repository-dispatch@v4) already run on the Node24 runtime, ahead of GitHub's Node20 phase-out (default Node24 since June 2, 2026, full removal September 16, 2026). Minor housekeeping note:actions/checkout@v6andactions/upload-artifact@v6are one major behind the newestv7, but neither is urgent since both already run Node24.npm Dependencies
npm auditagainst the committed lockfiles inbackend/,frontend/, andshared/found real, currently-installed advisories on direct dependencies:backend/package.json
nodemailer@^8.0.1(locked at 8.0.1) — high-severity SSRF/arbitrary-file-read via therawmessage option (GHSA-p6gq-j5cr-w38f), plus SMTP/CRLF injection issues. Fix requires a major bump to9.0.3+(the fix is outside the current^8.0.1range).typeorm@^0.3.28(locked at 0.3.28, the top of the vulnerable range) — SQL injection inUpdateQueryBuilder/SoftDeleteQueryBuilder.orderBy()on MySQL/MariaDB (GHSA-9ggv-8w38-r7pm). Fix: bump to0.3.29/0.3.30.@nestjs/corelocked at 11.1.14 (vulnerable range ≤11.1.17) — moderate injection issue; a lockfile refresh to 11.1.27+ resolves it without a major bump.handlebars— critical AST-type-confusion JS injection, plusnode-forge,multer,fast-xml-parser,lodash) also clear once the lockfile is refreshed.frontend/package.json
react-router-dom@^7.13.1(locked at 7.13.1) — GHSA-49rj-9fvp-4h2h, unauthenticated RCE via turbo-stream deserialization, plus XSS/CSRF/open-redirect advisories, all fixed at 7.15.1+. Fix: bump to7.18.1.axios@^1.13.6(locked at 1.13.6) — prototype-pollution → credential/response hijacking, NO_PROXY SSRF bypass, and ReDoS advisories, fixed at 1.16.0+. Fix: bump to1.18.1.vitest/@vitest/ui@4.0.18— critical: arbitrary file read/execute while the Vitest UI server is listening. Fix: bump to4.1.9.vite@7.3.1(transitive via vitest) — dev-server file-read /server.fs.denybypass, fixed at 7.3.4+.2+ major versions behind latest (registry check):
jsdom@types/node@types/nodestripeRecommend prioritizing
nodemailer,typeorm,react-router-dom,axios, andvitest/@vitest/uifirst since they're direct production/test-runtime dependencies with confirmed advisories; most of the rest clears with a lockfile refresh alone.Go Module CVEs
NONE — no
go.modin this repo (Node/TypeScript monorepo).Terraform Providers
NONE — no
*.tffiles in this repo (infra is delegated toinfra-intviarepository_dispatch).