Skip to main content
Purpose: How we track and fix vulnerable npm dependencies, what CI enforces, and gaps (Deno edge functions).

npm audit (root app)

After changing dependencies or the lockfile, run from the repository root:
CI runs npm audit --audit-level=high after npm ci --legacy-peer-deps (see .github/workflows/build.yml). High and critical advisories fail the build until resolved.

npm audit (Docusaurus package)

The docs site is a separate workspace:

Overrides (package.json)

Root overrides are used only when a patched transitive version is available and upstream has not yet updated. Standard package.json cannot include comments, so this document is the canonical record for why each override exists—reference docs/development/DEPENDENCY_SECURITY.md in PRs or commits instead of a non-existent root-level file. Prefer bumping direct dependencies first; use overrides when that is insufficient.

packages/docs overrides

packages/docs/package.json (now removed) historically used overrides for Docusaurus/webpack transitive packages where Dependabot flagged CVEs. Canonical list (see that file for exact semver floors): lodash, lodash-es, node-forge, brace-expansion, serialize-javascript, smol-toml, expresspath-to-regexp, picomatch (with tinyglobby nested override for the 4.x line), plus existing dompurify, svgo, minimatch, undici. Bump markdownlint-cli when dev-tool transitives lag.

Supabase Edge Functions (Deno)

Edge functions import npm packages via npm: specifiers in supabase/functions/deno.json (and per-function deno.json where present). npm audit does not analyze that graph. Treat Deno npm: dependencies as a separate review surface from the root lockfile.

Recurring checklist (Deno npm: specifiers)

Run on a quarterly cadence, after major edge-function refactors, or when a high-profile advisory affects a listed package. Optionally track via a scheduled GitHub issue (e.g. “Q1 Deno edge dependency review”) so gaps are not forgotten.
  1. Enumerate npm: imports: Read supabase/functions/deno.json and any supabase/functions/*/deno.json. From the repo root you can use: rg "npm:" supabase/functions.
  2. Review risk: For packages such as @anthropic-ai/sdk, @sentry/deno, postgres, and other npm: entries, check release notes and security advisories (vendor/GitHub Security) before bumping.
  3. Verify after changes: Run npm run test:functions after version or import changes.
  4. Record decisions: Note material bumps or accepted risk in PR description or this file’s table below if you establish a standing pattern.

Ongoing review

  • Dependabot: Version updates for root npm, packages/docs, and GitHub Actions (.github/dependabot.yml). Enable Dependabot security alerts in the GitHub repo settings.
  • Lighter alternatives / weight: the check:deps (e18e) advisory script was removed (the CLI produced no usable output). Use npm audit and Dependabot for dependency health; revisit a weight/alternatives tool if a maintained one is adopted.
  • Favicon ICO (dev tooling): scripts/generate-pwa-icons.mjs uses png-to-ico (maintained) for multi-size favicon.ico; the former to-ico dependency was removed.