
Purpose: How we track and fix vulnerable npm dependencies, what CI enforces, and gaps (Deno edge functions).

npm audit (root app)

After changing dependencies or the lockfile, run from the repository root:

```bash
npm install --legacy-peer-deps
npm audit
```

CI runs `npm audit --audit-level=high` after `npm ci --legacy-peer-deps` (see .github/workflows/build.yml). High and critical advisories fail the build until resolved.

npm audit (Docusaurus package)

The docs site is a separate workspace:

```bash
cd packages/docs
npm install --legacy-peer-deps
npm audit
```

Overrides (package.json)

Root overrides are used only when a patched transitive version is available and upstream has not yet updated. Standard package.json cannot include comments, so this document is the canonical record for why each override exists—reference docs/development/DEPENDENCY_SECURITY.md in PRs or commits instead of a non-existent root-level file.
| Package | Minimum / override | Advisory / reason |
| --- | --- | --- |
| flatted | ^3.4.2 | GHSA-rf6f-7fwh-wjgh — prototype pollution in parse(); required for Vitest UI’s dependency tree until fully aligned upstream. |
| defu | ^6.1.5 | GHSA-737v-mqg7-c878 — prototype pollution via __proto__ in unconfig → defu; pinned until upstream bumps unconfig consumers. |
| vite-plugin-pwa (nested) | vite: ^8.0.5 | Keeps PWA plugin’s peer resolution aligned with root vite (patched dev-server advisories). |
Prefer bumping direct dependencies first; use overrides when that is insufficient.

packages/docs overrides

packages/docs/package.json uses overrides for Docusaurus/webpack transitive packages where Dependabot flagged CVEs. Canonical list (see that file for exact semver floors): lodash, lodash-es, node-forge, brace-expansion, serialize-javascript, smol-toml, express, path-to-regexp, picomatch (with a tinyglobby nested override for the 4.x line), plus the existing dompurify, svgo, minimatch, undici. Bump markdownlint-cli when dev-tool transitives lag.

Supabase Edge Functions (Deno)

Edge functions import npm packages via npm: specifiers in supabase/functions/deno.json (and per-function deno.json where present). npm audit does not analyze that graph. Treat Deno npm: dependencies as a separate review surface from the root lockfile.

Recurring checklist (Deno npm: specifiers)

Run on a quarterly cadence, after major edge-function refactors, or when a high-profile advisory affects a listed package. Optionally track via a scheduled GitHub issue (e.g. “Q1 Deno edge dependency review”) so gaps are not forgotten.
  1. Enumerate npm: imports: Read supabase/functions/deno.json and any supabase/functions/*/deno.json. From the repo root you can use: rg "npm:" supabase/functions.
  2. Review risk: For packages such as @anthropic-ai/sdk, @sentry/deno, postgres, and other npm: entries, check release notes and security advisories (vendor/GitHub Security) before bumping.
  3. Verify after changes: Run npm run test:functions after version or import changes.
  4. Record decisions: Note material bumps or accepted risk in PR description or this file’s table below if you establish a standing pattern.
| Area | npm / Node (root) | Deno edge (npm:) |
| --- | --- | --- |
| Automated audit | npm audit (CI) | Not covered by npm audit |
| Primary checklist | This doc + Dependabot | Section above (manual) |
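As an added example (not code from the encoreos repository), the following Node script supports step 1 of the checklist and narrows the gap in the table: it collects the npm: specifiers from one or more deno.json import maps, separates unpinned entries, reports version disagreements between functions, and emits a package.json that npm audit can evaluate in a scratch directory. The sample import maps, aliases and versions are constructed.

```javascript
// Added example, not part of the encoreos repo: turn Deno `npm:` specifiers into
// a package.json so the root npm audit advisory feed also covers edge functions.
// Assumes each deno.json uses the import-map shape { "imports": { alias: target } }.
// npm:<name>[@<version>][/<subpath>]; a scoped name holds exactly one slash.
const NPM_SPEC = /^npm:(@[^/@]+\/[^/@]+|[^/@]+)(?:@([^/]+))?(\/.*)?$/;
function parseNpmSpecifier(spec) {
  const m = NPM_SPEC.exec(spec.trim());
  if (!m) return null; // https:, jsr:, relative paths: not an npm package
  return { name: m[1], version: m[2] ?? null, subpath: m[3] ?? "" };
}

// Merge the npm: targets of several import maps into { name: version }.
// Unpinned specifiers float to "latest" at deploy time, so they are listed
// separately; differing versions of one package are reported, first one wins.
function collectNpmDeps(importMaps) {
  const deps = {}, unpinned = new Set(), conflicts = [];
  for (const map of importMaps) {
    for (const target of Object.values(map.imports ?? {})) {
      const p = parseNpmSpecifier(target);
      if (!p) continue;
      if (p.version === null) { unpinned.add(p.name); continue; }
      if (deps[p.name] !== undefined && deps[p.name] !== p.version) {
        conflicts.push(`${p.name}: ${deps[p.name]} vs ${p.version}`);
        continue;
      }
      deps[p.name] = p.version;
    }
  }
  return { deps, unpinned: [...unpinned].sort(), conflicts };
}

// Write this into an empty scratch directory, then run
// `npm install --package-lock-only` followed by `npm audit` there.
function toPackageJson(deps) {
  return JSON.stringify({ name: "deno-edge-audit", private: true, dependencies: deps }, null, 2);
}

// Constructed sample import maps standing in for supabase/functions/**/deno.json.
const sampleMaps = [
  { imports: { "@anthropic-ai/sdk": "npm:@anthropic-ai/sdk@0.30.1",
               "postgres": "npm:postgres@^3.4.5",
               "std/": "https://deno.land/std@0.224.0/" } },
  { imports: { "sentry": "npm:@sentry/deno",
               "postgres": "npm:postgres@3.4.4",
               "sdk-types": "npm:@anthropic-ai/sdk@0.30.1/resources" } },
];

const report = collectNpmDeps(sampleMaps);
console.log(toPackageJson(report.deps));
console.log("unpinned:", report.unpinned, "conflicts:", report.conflicts);
```

This only sees specifiers declared in import maps; npm: imports written inline in function sources are still found by the rg command in step 1, and unpinned entries have to be resolved to a concrete version before an advisory can be matched to them.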

Ongoing review

  • Dependabot: Version updates for root npm, packages/docs, and GitHub Actions (.github/dependabot.yml). Enable Dependabot security alerts in the GitHub repo settings.
  • Lighter alternatives / weight: npm run check:deps runs @e18e/cli analysis; use on a cadence for dependency health beyond CVEs.
  • Favicon ICO (dev tooling): scripts/generate-pwa-icons.mjs uses png-to-ico (maintained) for multi-size favicon.ico; the former to-ico dependency was removed.