GitHub Actions Deprecation
NONE — no .github/workflows/ directory exists in this repo; there is no CI pipeline to evaluate for Node20/Node24.
npm Dependencies
npm audit --omit=dev against the committed package-lock.json found 11 advisories (7 high, 3 moderate, 1 low), rooted in one direct dependency:
astro@^5.17.2 (locked at 5.17.2) — 2 major versions behind latest (7.0.6). Advisories include reflected XSS via unescaped slot name (GHSA-8hv8-536x-4wqp), Host-header SSRF in the prerendered error page (GHSA-2pvr-wf23-7pc7), an SSR allowlist bypass, XSS via define:vars and spread props, and a server-island replay issue. All are fixed only by the major bump to astro@7.0.6.
- Transitive advisories pulled in via astro/vite that resolve with the same bump:
vite (dev-server path traversal/file read), h3 (path traversal, SSE injection), devalue/defu (prototype pollution/DoS), js-yaml (DoS via merge-key aliases), picomatch (method injection/ReDoS), postcss (XSS), smol-toml (DoS), svgo (billion-laughs DoS).
Recommend npm audit fix --force to move to astro@7.0.6 and pull in patched transitive versions; test afterward given the 5→7 major jump carries breaking changes.
Go Module CVEs
NONE — no go.mod in this repo (Astro/TypeScript frontend).
Terraform Providers
NONE — no *.tf files in this repo.
GitHub Actions Deprecation
NONE — no
.github/workflows/directory exists in this repo; there is no CI pipeline to evaluate for Node20/Node24.npm Dependencies
npm audit --omit=devagainst the committedpackage-lock.jsonfound 11 advisories (7 high, 3 moderate, 1 low), rooted in one direct dependency:astro@^5.17.2(locked at 5.17.2) — 2 major versions behind latest (7.0.6). Advisories include reflected XSS via unescaped slot name (GHSA-8hv8-536x-4wqp), Host-header SSRF in the prerendered error page (GHSA-2pvr-wf23-7pc7), an SSR allowlist bypass, XSS viadefine:varsand spread props, and a server-island replay issue. All are fixed only by the major bump toastro@7.0.6.vite(dev-server path traversal/file read),h3(path traversal, SSE injection),devalue/defu(prototype pollution/DoS),js-yaml(DoS via merge-key aliases),picomatch(method injection/ReDoS),postcss(XSS),smol-toml(DoS),svgo(billion-laughs DoS).Recommend
npm audit fix --forceto move toastro@7.0.6and pull in patched transitive versions; test afterward given the 5→7 major jump carries breaking changes.Go Module CVEs
NONE — no
go.modin this repo (Astro/TypeScript frontend).Terraform Providers
NONE — no
*.tffiles in this repo.