
# Dependency and vulnerability hygiene

> Purpose: How we track and fix vulnerable npm dependencies, what CI enforces, and gaps (Deno edge functions).

## npm audit (root app)

After changing dependencies or the lockfile, run from the repository root:

```bash
npm install --legacy-peer-deps
npm audit
```

CI runs `npm audit --audit-level=high` after `npm ci --legacy-peer-deps` (see `.github/workflows/build.yml`). `npm audit` exits non-zero only for findings at or above that level, so high and critical advisories fail the build until resolved; moderate and lower findings are reported but do not block the job.

## npm audit (Docusaurus package)

The docs site is a separate package and is installed and audited on its own:

```bash
cd packages/docs
npm install --legacy-peer-deps
npm audit
```

## Overrides (`package.json`)

Root `overrides` are used only when a patched transitive version is available and upstream has not yet updated. **Standard `package.json` cannot include comments** (it is plain JSON), so this document is the canonical record of why each override exists; reference `docs/development/DEPENDENCY_SECURITY.md` in PRs and commits rather than a non-existent root-level file.

| Package                    | Minimum / override | Advisory / reason                                                                                                                                                                        |
| -------------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `flatted`                  | `^3.4.2`           | [GHSA-rf6f-7fwh-wjgh](https://github.com/advisories/GHSA-rf6f-7fwh-wjgh) — prototype pollution in `parse()`; required for Vitest UI’s dependency tree until fully aligned upstream.      |
| `defu`                     | `^6.1.5`           | [GHSA-737v-mqg7-c878](https://github.com/advisories/GHSA-737v-mqg7-c878) — prototype pollution via `__proto__` in `unconfig` → `defu`; pinned until upstream bumps `unconfig` consumers. |
| `vite-plugin-pwa` (nested) | `vite: ^8.0.5`     | Keeps PWA plugin’s peer resolution aligned with root `vite` (patched dev-server advisories).                                                                                             |

Prefer bumping direct dependencies first; use overrides only when that is insufficient. Revisit each override when its upstream consumer updates: an override forces a version regardless of what dependents declare, so a stale one can hold back or break later upgrades.
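
The decision rule above (bump the direct dependency, fall back to `npm audit fix`, reach for an `overrides` entry only when the fix needs a major bump upstream, otherwise accept with a written rationale) can be applied mechanically to the JSON that CI already produces. The script below is an added example, not the project's own tooling: it reads an `npm audit --json` report, applies the same `--audit-level=high` gate CI uses, and labels each failing finding with the remediation this section prescribes. It assumes the npm 7+ report shape (`auditReportVersion` 2), where each entry of `vulnerabilities` carries `severity`, `isDirect`, `range`, `via` and `fixAvailable` (`true`, `false`, or `{ name, version, isSemVerMajor }`). The sample report and its package names are constructed for the example.

```javascript
// Added example (not the project's own code): triage an `npm audit --json`
// report under the rule CI applies with `--audit-level=high` and sort each
// failing finding into the remediation the policy above prescribes.
// Assumes the npm 7+ report shape (auditReportVersion 2).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Decide what to do with one finding that is at or above the audit level.
function remediationFor(v) {
  if (v.isDirect) return "bump-direct";                // we own the range: bump it
  if (v.fixAvailable === true) return "npm-audit-fix"; // non-breaking fix exists
  if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
    // The fix is only reachable by a major bump of a top-level package. This is
    // the case where a root `overrides` entry pinning the patched transitive
    // version is justified until upstream catches up.
    return "override-candidate";
  }
  if (v.fixAvailable) return "npm-audit-fix";          // top-level bump, non-major
  return "no-fix-available";                           // accept with rationale, or replace
}

function triage(report, auditLevel = "high") {
  const threshold = SEVERITY_RANK[auditLevel];
  if (threshold === undefined) throw new Error(`unknown audit level: ${auditLevel}`);
  const failing = [];
  for (const v of Object.values(report.vulnerabilities ?? {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) < threshold) continue;
    // `via` mixes advisory objects with plain strings (names of vulnerable deps).
    const advisories = (v.via ?? [])
      .filter((x) => typeof x === "object" && x !== null)
      .map((x) => ({ title: x.title, url: x.url }));
    failing.push({
      name: v.name,
      severity: v.severity,
      range: v.range,
      advisories,
      action: remediationFor(v),
    });
  }
  // npm audit exits non-zero while anything at or above the level remains.
  return { buildFails: failing.length > 0, failing };
}

// Constructed sample report: package names and advisory URLs are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "demo-parser": {
      name: "demo-parser", severity: "high", isDirect: false, range: "<2.1.4",
      via: [{ title: "Prototype pollution in parse()", url: "https://github.com/advisories/GHSA-placeholder-1", severity: "high" }],
      effects: ["demo-test-ui"],
      fixAvailable: { name: "demo-test-ui", version: "4.0.0", isSemVerMajor: true },
    },
    "demo-http": {
      name: "demo-http", severity: "critical", isDirect: true, range: "<5.2.0",
      via: [{ title: "Request smuggling", url: "https://github.com/advisories/GHSA-placeholder-2", severity: "critical" }],
      effects: [], fixAvailable: true,
    },
    "demo-minify": {
      name: "demo-minify", severity: "moderate", isDirect: false, range: "*",
      via: [{ title: "ReDoS in pattern matcher", url: "https://github.com/advisories/GHSA-placeholder-3", severity: "moderate" }],
      effects: [], fixAvailable: true,
    },
    "demo-legacy": {
      name: "demo-legacy", severity: "high", isDirect: false, range: "*",
      via: [{ title: "Arbitrary file write", url: "https://github.com/advisories/GHSA-placeholder-4", severity: "high" }],
      effects: [], fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 1, total: 4 } },
};

function sampleTriage() {
  return triage(SAMPLE_REPORT, "high");
}

const result = sampleTriage();
console.log(result.buildFails ? "CI would fail" : "CI would pass");
for (const f of result.failing) {
  console.log(`${f.severity.padEnd(8)} ${f.name.padEnd(12)} ${f.action}  ${f.advisories.map((a) => a.url).join(" ")}`);
}
```

To run it against the real repository, pipe `npm audit --json > audit.json` and replace `SAMPLE_REPORT` with `JSON.parse(fs.readFileSync("audit.json"))`. The `override-candidate` bucket is the one that should end up as a row in the table above, with the advisory URL the script prints as the rationale.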

### `packages/docs` overrides

[`packages/docs/package.json`](../../packages/docs/package.json) uses `overrides` for Docusaurus/webpack transitive packages where Dependabot flagged CVEs. Canonical list (see that file for exact semver floors): `lodash`, `lodash-es`, `node-forge`, `brace-expansion`, `serialize-javascript`, `smol-toml`, `express` → `path-to-regexp`, `picomatch` (with `tinyglobby` nested override for the 4.x line), plus existing `dompurify`, `svgo`, `minimatch`, `undici`. Bump **`markdownlint-cli`** when dev-tool transitives lag.

## Supabase Edge Functions (Deno)

Edge functions import npm packages via `npm:` specifiers in `supabase/functions/deno.json` (and per-function `deno.json` where present). **`npm audit` does not analyze that graph.** Treat Deno `npm:` dependencies as a separate review surface from the root lockfile.

### Recurring checklist (Deno `npm:` specifiers)

Run on a **quarterly** cadence, after major edge-function refactors, or when a high-profile advisory affects a listed package. Optionally track via a **scheduled GitHub issue** (e.g. “Q1 Deno edge dependency review”) so gaps are not forgotten.

1. **Enumerate `npm:` imports:** Read [`supabase/functions/deno.json`](../../supabase/functions/deno.json) and any `supabase/functions/*/deno.json`. From the repo root you can use: `rg "npm:" supabase/functions`.
2. **Review risk:** For packages such as `@anthropic-ai/sdk`, `@sentry/deno`, `postgres`, and other `npm:` entries, check release notes and security advisories (vendor/GitHub Security) before bumping.
3. **Verify after changes:** Run `npm run test:functions` after version or import changes.
4. **Record decisions:** Note material bumps or accepted risk in the PR description, or in a table in this file once a standing pattern emerges.
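
Step 1 of the checklist is the part most worth automating, because `rg "npm:"` finds the strings but not whether each specifier is pinned. The script below is an added example, not the project's own tooling: it builds the inventory from a `deno.json` import map (the `imports` and `scopes` entries) and from inline `import ... from "npm:..."` and `import("npm:...")` statements in function source, and flags every `npm:` specifier that is not pinned to an exact version, since an unpinned or range specifier resolves to whatever the registry serves at cache time. The sample `deno.json` and source file below are constructed, and their package versions are illustrative.

```javascript
// Added example (not the project's own code): inventory Deno `npm:` specifiers
// from a deno.json import map and from inline imports in function source, and
// flag the ones not pinned to an exact version. Sample inputs are constructed.

// npm:[@scope/]name[@version][/subpath]
const NPM_SPEC_RE = /^npm:(@[^/@]+\/[^/@]+|[^/@]+)(?:@([^/]+))?(\/.*)?$/;
// Exact semver (optionally with a prerelease tag). Anything else is a range
// (^, ~, >=), a dist-tag such as `latest`, or missing entirely.
const EXACT_VERSION_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function parseNpmSpecifier(spec) {
  const m = NPM_SPEC_RE.exec(spec.trim());
  if (!m) return null; // not an npm: specifier (https:, jsr:, relative path, ...)
  const version = m[2] ?? null;
  return {
    spec,
    name: m[1],
    version,
    subpath: m[3] ?? "",
    pinned: version !== null && EXACT_VERSION_RE.test(version),
  };
}

// Import-map entries: every value under "imports" and under each "scopes" map.
function specifiersFromDenoJson(denoJsonText, origin) {
  const cfg = JSON.parse(denoJsonText);
  const maps = [cfg.imports ?? {}, ...Object.values(cfg.scopes ?? {})];
  const found = [];
  for (const map of maps) {
    for (const [alias, target] of Object.entries(map)) {
      const parsed = parseNpmSpecifier(String(target));
      if (parsed) found.push({ ...parsed, origin, alias });
    }
  }
  return found;
}

// Inline specifiers: `from "npm:..."`, side-effect `import "npm:..."`, and
// dynamic `import("npm:...")`, with either quote style.
const INLINE_RE = /(?:from\s+|import\s*\(?\s*)(["'])(npm:[^"']+)\1/g;

function specifiersFromSource(sourceText, origin) {
  const found = [];
  for (const m of sourceText.matchAll(INLINE_RE)) {
    const parsed = parseNpmSpecifier(m[2]);
    if (parsed) found.push({ ...parsed, origin, alias: null });
  }
  return found;
}

// One row per specifier found, plus the subset that needs attention.
function inventory(files) {
  const rows = [];
  for (const { path, text } of files) {
    rows.push(...(path.endsWith("deno.json")
      ? specifiersFromDenoJson(text, path)
      : specifiersFromSource(text, path)));
  }
  return { rows, unpinned: rows.filter((r) => !r.pinned) };
}

// Constructed sample inputs; paths, packages and versions are illustrative only.
const SAMPLE_FILES = [
  {
    path: "supabase/functions/deno.json",
    text: JSON.stringify({
      imports: {
        "@anthropic-ai/sdk": "npm:@anthropic-ai/sdk@0.52.0",
        "@sentry/deno": "npm:@sentry/deno@^8.0.0",
        "postgres": "npm:postgres",
        "std/": "https://deno.land/std@0.224.0/",
      },
    }),
  },
  {
    path: "supabase/functions/summarize/index.ts",
    text: [
      'import { z } from "npm:zod@3.23.8";',
      'const sharp = await import("npm:sharp");',
      'import "https://deno.land/x/xhr@0.3.0/mod.ts";',
    ].join("\n"),
  },
];

function sampleReport() {
  return inventory(SAMPLE_FILES);
}

for (const r of sampleReport().rows) {
  console.log(`${r.pinned ? "pinned  " : "UNPINNED"} ${r.name}@${r.version ?? "(none)"}  <- ${r.origin}`);
}
```

To run this over the repository, replace `SAMPLE_FILES` with the contents of `supabase/functions/deno.json`, any `supabase/functions/*/deno.json`, and the `.ts` files under `supabase/functions`. Two caveats: Deno accepts comments in its config file, so a real `deno.json` may need a JSONC-tolerant parser rather than `JSON.parse`; and a pinned specifier is only half of reproducibility, because Deno records the resolved `npm:` versions in `deno.lock` where the project keeps one, so that file belongs in the same review.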

| Area              | npm / Node (root)     | Deno edge (`npm:`)         |
| ----------------- | --------------------- | -------------------------- |
| Automated audit   | `npm audit` (CI)      | Not covered by `npm audit` |
| Primary checklist | This doc + Dependabot | Section above (manual)     |

## Ongoing review

* **Dependabot:** Version updates for root `npm`, `packages/docs`, and GitHub Actions (`.github/dependabot.yml`). Enable Dependabot security alerts in the GitHub repo settings.
* **Lighter alternatives / weight:** `npm run check:deps` runs `@e18e/cli` analysis; use on a cadence for dependency health beyond CVEs.
* **Favicon ICO (dev tooling):** `scripts/generate-pwa-icons.mjs` uses **`png-to-ico`** (maintained) for multi-size `favicon.ico`; the former **`to-ico`** dependency was removed.

## Related

* [SUPABASE\_CLI\_LOCAL\_WORKFLOW.md](./supabase/SUPABASE_CLI_LOCAL_WORKFLOW.md) — local DB and migrations
* [MCP\_USAGE.md](./MCP_USAGE.md) — Supabase MCP vs CLI boundaries
