npm audit (root app)
After changing dependencies or the lockfile, run from the repository root:npm audit --audit-level=high after npm ci --legacy-peer-deps (see .github/workflows/build.yml). High and critical advisories fail the build until resolved.
npm audit (Docusaurus package)
The docs site is a separate workspace:Overrides (package.json)
Root overrides are used only when a patched transitive version is available and upstream has not yet updated. Standard package.json cannot include comments, so this document is the canonical record for why each override exists—reference docs/development/DEPENDENCY_SECURITY.md in PRs or commits instead of a non-existent root-level file.
Prefer bumping direct dependencies first; use overrides when that is insufficient.
packages/docs overrides
packages/docs/package.json (now removed) historically used overrides for Docusaurus/webpack transitive packages where Dependabot flagged CVEs. Canonical list (see that file for exact semver floors): lodash, lodash-es, node-forge, brace-expansion, serialize-javascript, smol-toml, express → path-to-regexp, picomatch (with tinyglobby nested override for the 4.x line), plus existing dompurify, svgo, minimatch, undici. Bump markdownlint-cli when dev-tool transitives lag.
Supabase Edge Functions (Deno)
Edge functions import npm packages vianpm: specifiers in supabase/functions/deno.json (and per-function deno.json where present). npm audit does not analyze that graph. Treat Deno npm: dependencies as a separate review surface from the root lockfile.
Recurring checklist (Deno npm: specifiers)
Run on a quarterly cadence, after major edge-function refactors, or when a high-profile advisory affects a listed package. Optionally track via a scheduled GitHub issue (e.g. “Q1 Deno edge dependency review”) so gaps are not forgotten.
- Enumerate
npm:imports: Readsupabase/functions/deno.jsonand anysupabase/functions/*/deno.json. From the repo root you can use:rg "npm:" supabase/functions. - Review risk: For packages such as
@anthropic-ai/sdk,@sentry/deno,postgres, and othernpm:entries, check release notes and security advisories (vendor/GitHub Security) before bumping. - Verify after changes: Run
npm run test:functionsafter version or import changes. - Record decisions: Note material bumps or accepted risk in PR description or this file’s table below if you establish a standing pattern.
Ongoing review
- Dependabot: Version updates for root
npm,packages/docs, and GitHub Actions (.github/dependabot.yml). Enable Dependabot security alerts in the GitHub repo settings. - Lighter alternatives / weight: the
check:deps(e18e) advisory script was removed (the CLI produced no usable output). Usenpm auditand Dependabot for dependency health; revisit a weight/alternatives tool if a maintained one is adopted. - Favicon ICO (dev tooling):
scripts/generate-pwa-icons.mjsusespng-to-ico(maintained) for multi-sizefavicon.ico; the formerto-icodependency was removed.
Related
- SUPABASE_CLI_LOCAL_WORKFLOW.md — local DB and migrations
- MCP_USAGE.md — Supabase MCP vs CLI boundaries