
chore(deps): resolve high audit advisories#327

Closed

AkaraChen wants to merge 1 commit into advisor/011-db-indexes-profile-session-lookups from advisor/012-triage-dependency-advisories

Conversation

AkaraChen (Owner) commented Jun 14, 2026

Plan 012: Triage high dependency advisories before release

Executor instructions: Follow steps. Update plans/README.md when done.

Drift check (run first): git diff --stat 3ee5b79..HEAD -- package.json bun.lock website/package.json website/bun.lock e2e-tests/package.json e2e-tests/bun.lock .github/dependabot.yml

Status

  • Priority: P2
  • Effort: S/M
  • Risk: MED
  • Depends on: none
  • Category: security
  • Planned at: commit 3ee5b79, 2026-06-13

Why this matters

bun audit --audit-level high currently reports high-severity advisories in app, website, and e2e dependency trees. Release CI does not gate on audit status. Dependencies should be updated or documented with a narrow exception before tightening CI gates.

Current state

Resolved in this checkout:

  • Root, website, and e2e bun audit --audit-level high exit 0.
  • Root direct vulnerable dependency updates include react-router; website direct updates include next.
  • Remaining root/e2e transitive advisories are resolved with narrow Bun overrides for flatted, kysely, picomatch, serialize-javascript, and tmp.
  • No exception document was needed.

Relevant files:

  • root package.json/bun.lock — app dependencies include react-router and transitive packages.
  • website/package.json/lock — Next.js static export site.
  • e2e-tests/package.json/lock — Mocha/Selenium/Tauri smoke tooling.
  • .github/dependabot.yml — existing Dependabot config.

Known audit signal at planning time:

  • root high advisories included react-router, flatted, picomatch, transitive kysely.
  • website high advisory included next.

Commands you will need

| Purpose | Command | Expected on success |
| --- | --- | --- |
| Root audit | bun audit --audit-level high | exit 0 after fixes, or documented non-exploitable exception |
| Website audit | cd website && bun audit --audit-level high | exit 0 or exception |
| E2E audit | cd e2e-tests && bun audit --audit-level high | exit 0 or exception |
| App checks | bun run lint:check && ./node_modules/.bin/tsc --noEmit && bun run test | exit 0 |
| Website checks | cd website && bun run lint && bun run build | exit 0 |

Scope

In scope:

  • Safe dependency updates that resolve high advisories.
  • Lockfile refreshes.
  • Short docs/security-dependency-exceptions.md only if a high advisory cannot be fixed safely now.

Out of scope:

  • Major framework migrations unrelated to advisories.
  • Replacing package managers.

Git workflow

Branch advisor/012-triage-dependency-advisories; commit chore(deps): resolve high audit advisories.

Steps

Step 1: Capture current audit output

Run audits in root, website, and e2e. Save a short summary in the PR description or a temporary note; do not commit raw noisy logs unless creating an exception doc.

Verify: audit commands reproduce the advisories.

Step 2: Update direct vulnerable dependencies first

Use Bun-compatible update commands to update direct dependencies such as react-router and next to patched versions. Then refresh lockfiles and rerun audits. For transitive advisories, update parent packages or use supported overrides only if needed.

Verify: relevant audit count decreases and install/check commands still pass.

Step 3: Document any remaining high advisory exception

If an advisory remains and cannot be patched without a large migration, create docs/security-dependency-exceptions.md with:

  • package/advisory;
  • why current app usage is not exploitable or why deferral is accepted;
  • owner/date to revisit.

Verify: audit still fails only for documented exception, or all audits exit 0.

Step 4: Full validation

Run app and website checks.

Verify: all listed checks pass.

Done criteria

  • High advisories are fixed or explicitly documented with rationale.
  • Lockfiles are updated consistently.
  • App and website checks pass.

STOP conditions

  • Fixing an advisory requires a major app router/framework migration.
  • Bun audit output conflicts with upstream advisory status; report exact IDs.

Maintenance notes

Plan 013 should add CI gates once this plan leaves the repo in a clean audit state.


chatgpt-codex-connector Bot left a comment

Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4a3166c4d9


Comment thread on website/package.json, lines +15 to +18:
"next": "^16.2.9",
"react": "^19.2.7",
"react-dom": "^19.2.7",
"react-grab": "^0.1.44"

P2: Regenerate the website lockfile workspace stanza

When installing the website from a clean checkout, Bun sees the new direct ranges here but website/bun.lock still records the old workspace ranges (next ^16.2.2, react ^19.2.4, etc. at lines 10-22). In this state it re-resolves the direct dependencies instead of using the committed lock, so frozen/offline installs fail and normal installs can silently rewrite the lockfile; regenerate website/bun.lock so the workspaces stanza matches these bumps.

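The lockfile drift the Codex comment describes (and the plan's done criterion that lockfiles are updated consistently) can be caught before a frozen or offline install fails. Below is an added check, not code from the PR or the repository, that compares a package.json's direct ranges against the workspace stanza in bun.lock; the bun.lock layout it parses (JSONC with trailing commas, `workspaces` -> `""` -> `dependencies`) is an assumption, and the two sample files are constructed.

```javascript
// Added example, not the PR's code: flag drift between package.json direct
// ranges and the workspace stanza bun.lock records for them (assumed layout:
// JSONC with trailing commas, "workspaces" -> "" -> dependencies).

// Strip trailing commas so Bun's JSONC lockfile can be fed to JSON.parse.
function parseBunLock(text) {
  return JSON.parse(text.replace(/,(\s*[}\]])/g, "$1"));
}

// Returns {dep, declared, locked} for every direct dependency whose range in
// package.json differs from, or is absent in, the lockfile workspace stanza.
function findWorkspaceDrift(pkgJsonText, lockText) {
  const pkg = JSON.parse(pkgJsonText);
  const ws = parseBunLock(lockText).workspaces?.[""] ?? {};
  const drift = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const locked = ws[field] ?? {};
    for (const [dep, range] of Object.entries(pkg[field] ?? {})) {
      if (locked[dep] !== range) {
        drift.push({ dep, declared: range, locked: locked[dep] ?? null });
      }
    }
  }
  return drift;
}

// Constructed sample (not the repo's real files): package.json carries the
// bumped ranges while bun.lock still records the pre-bump workspace ranges.
const SAMPLE_PACKAGE_JSON = `{
  "dependencies": {
    "next": "^16.2.9",
    "react": "^19.2.7",
    "react-dom": "^19.2.7",
    "react-grab": "^0.1.44"
  }
}`;
const SAMPLE_BUN_LOCK = `{
  "lockfileVersion": 1,
  "workspaces": {
    "": {
      "dependencies": {
        "next": "^16.2.2",
        "react": "^19.2.4",
        "react-dom": "^19.2.4",
        "react-grab": "^0.1.44",
      },
    },
  },
}`;
```

A non-empty result means `bun install --frozen-lockfile` would re-resolve instead of using the committed lock, which is the state the review comment flags.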

AkaraChen force-pushed the advisor/012-triage-dependency-advisories branch from 4a3166c to 7afda82 on June 14, 2026 06:42
AkaraChen force-pushed the advisor/011-db-indexes-profile-session-lookups branch from 11e01ce to 16a123e on June 14, 2026 06:42
AkaraChen force-pushed the advisor/012-triage-dependency-advisories branch from 7afda82 to 2c68656 on June 14, 2026 06:48
AkaraChen force-pushed the advisor/011-db-indexes-profile-session-lookups branch 2 times, most recently from 295d6fb to e349878 on June 14, 2026 06:56
AkaraChen force-pushed the advisor/012-triage-dependency-advisories branch from 2c68656 to 593402c on June 14, 2026 06:57

AkaraChen (Owner, Author) commented Jun 14, 2026

Merge activity

Merged as part of the stack in #331.

@AkaraChen AkaraChen closed this Jun 14, 2026