fix(deps): patch 68 security vulnerabilities and update packages

[jacksonkasi1]

Summary

• Patched 82 → 14 vulnerabilities via direct bumps + root overrides in package.json
• Bumped all safe non-major packages across the monorepo
• Added comprehensive bun overrides block to root package.json to address transitive vulnerabilities that can't be fixed by bumping direct deps alone

Security Fixes

Package	Advisory	Before	After	Method
hono	GHSA-r5rp-j6wh-rvv4, GHSA-wmmm-f939-6g9c, GHSA-92pp-h63x-v22m, GHSA-458j-xx4x-4375, GHSA-xpcf-pg52-r92g	^4.11.4	^4.12.16	direct + override
@hono/node-server	GHSA-wc8c-qw6v-h7f6, GHSA-92pp-h63x-v22m	transitive	^1.19.10	root override
fast-xml-parser	GHSA-m7jm-9gc2-mpf2 (critical), GHSA-jmr7-xgp7-cmfj, GHSA-37qj-frw5-hhjh, GHSA-8gc5-j5rx-235r, GHSA-jp2q-39xq-3w4g, GHSA-gh4j-gqv2-49f6	^5.0.9 via AWS SDK	^5.3.4	@aws-sdk bump to 3.1039.0 + root override
axios / follow-redirects	GHSA-r4q5-vmmm-2653	^1.13.2	^1.15.2	direct + override
seroval	GHSA-66fc-rw6m-c2q6, GHSA-3rxj-6cgf-8cfw, GHSA-hj76-42vx-jwp4, GHSA-3j22-8qj3-26mx, GHSA-hx9m-jf43-8ffr	<=1.4.0	^1.5.0	root override
path-to-regexp	GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7	<8.4.0	^8.4.0	root override
picomatch	GHSA-c2c7-rcm5-vvqj, GHSA-3v7f-55p6-f55p	<2.3.2	^4.0.4	root override
undici	GHSA-f269-vfmq-vjvj, GHSA-2mjp-6q6p-2qxm, GHSA-vrm6-8vpv-qv8q, GHSA-v9p9-hfj2-hcw8, GHSA-4992-7rv2-5pvq, GHSA-phc3-fgpg-7m6h	<7.24.0	^7.24.0	root override
rollup / vite	GHSA-mw96-cpmx-2vgc	<4.59.0	^4.59.0	vite bump + override
flatted	GHSA-25h7-pfq9-p65f, GHSA-rf6f-7fwh-wjgh	<3.4.0	^3.4.0	root override
kysely	GHSA-wmrf-hv6w-mr66, GHSA-8cpq-38p9-67gx	<=0.28.11	^0.28.16	root override
socket.io-parser	GHSA-677m-j7p3-52f9	<4.2.6	^4.2.6	root override
srvx	GHSA-p36q-q72m-gchr	<0.11.13	^0.11.13	root override
postcss	(moderate)	<8.5.10	^8.5.10	root override
esbuild	GHSA-67mh-4wv8-2f99	<=0.24.2	^0.25.10	root override
minimatch	GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74	<3.1.3	^10.0.3	root override
brace-expansion	GHSA-f886-m6hf-6m8v	<1.1.13	^2.0.3	root override
uuid	GHSA-w5hq-g745-h8pq	<14.0.0	^14.0.0	root override
qs	GHSA-w7fw-mjwx-w883	>=6.7.0	^6.15.0	root override

Package Updates

• Root: prettier ^3.7.4→^3.8.3, turbo ^2.6.3→^2.9.6
• apps/server: hono ^4.11.4→^4.12.16, @t3-oss/env-core ^0.13.10→^0.13.11, zod ^4.3.5→^4.4.1
• apps/web: axios ^1.13.2→^1.15.2, better-auth ^1.4.14→^1.6.9, vite ^7.1.7→^7.3.2
• packages/auth: better-auth ^1.4.12→^1.6.9, @react-email/render ^2.0.2→^2.0.8
• packages/db: drizzle-orm ^0.38.4→^0.45.2, drizzle-zod ^0.7.1→^0.8.3, nanoid ^5.1.5→^5.1.9
• packages/storage: @aws-sdk/client-s3 + presigner ^3.967.0→^3.1039.0, nanoid →^5.1.9
• packages/email-templates: @react-email/components →^1.0.12, react-email →^5.2.11, react/react-dom →^19.2.5

Residual Vulnerabilities (14 remaining)

These are locked-in transitives inside apps/tanstack workspace (nitro, @tanstack/react-start, better-auth's internal h3 dep) and tooling deps where upstream packages haven't released compatible patched versions yet:

• h3 >=2.0.0 <=2.0.1-rc.14 — pulled by nitro + @tanstack/react-start (pre-release only available)
• ajv <6.14.0 — pulled by shadcn + react-email build tools
• defu <=6.1.4 — pulled by better-auth internal
• @modelcontextprotocol/sdk — pulled by shadcn tooling
• minimatch >=10.0.0 <10.2.1 — new advisory range on 10.x series (different from the 3.x advisory we fixed)
• @isaacs/brace-expansion <=5.0.0 — pulled by eslint-config tooling

These are all in dev/build tooling or experimental workspace, none in the production request path.

Test Plan

• bun run check-types passes ✅ (verified before this PR)
• bun audit shows 14 remaining (down from 82)
• Auth, session, org creation flow works as expected
• S3 upload/presign works (aws-sdk bump)
• Email sending works (@react-email bump)

Summary by Sourcery

Reduce security vulnerabilities across the monorepo by updating dependencies and enforcing secure versions via root overrides.

Bug Fixes:

• Patch numerous direct and transitive dependency vulnerabilities, including critical issues in server, web, and tooling packages via version bumps and overrides.

Enhancements:

• Upgrade core dependencies in server, web app, auth, DB, storage, and email-template packages to the latest compatible non-major versions.
• Introduce a centralized overrides block in the root package.json to keep key transitive dependencies on secure, audited versions.

Summary by CodeRabbit

• Chores
  • Updated dependencies across applications and packages to the latest compatible versions.
  • Added a vulnerability baseline report documenting identified dependency issues.

[sourcery-ai]

Reviewer's Guide

Monorepo-wide dependency maintenance PR that adds a root-level overrides block to enforce patched versions of vulnerable transitives, bumps direct dependencies (including hono, axios, vite, AWS SDK, drizzle, better-auth, react-email stack), and updates dev tooling (prettier, turbo), bringing Bun audit vulnerabilities from 82 down to 14 residual issues confined to non-production/tooling paths.

Flow diagram for Bun dependency resolution with root overrides and audit outcome

flowchart TD
  A["bun_install or bun_update"] --> B["read root package_json"]
  B --> C["detect workspaces apps_and_packages"]
  C --> D["resolve direct_dependencies"]
  D --> E["apply root_overrides block"]

  subgraph overrides
    O1["@hono_node-server ^1_19_10"]
    O2["axios ^1_15_2"]
    O3["fast-xml-parser ^5_3_4"]
    O4["follow-redirects ^1_15_12"]
    O5["undici ^7_24_0"]
    O6["rollup ^4_59_0"]
    O7["vite ^7_3_2"]
    O8["esbuild ^0_25_10"]
    O9["postcss ^8_5_10"]
    O10["minimatch ^10_0_3"]
    O11["brace-expansion ^2_0_3"]
    O12["uuid ^14_0_0"]
    O13["seroval ^1_5_0"]
    O14["kysely ^0_28_16"]
    O15["socket_io-parser ^4_2_6"]
    O16["srvx ^0_11_13"]
    O17["path-to-regexp ^8_4_0"]
    O18["picomatch ^4_0_4"]
    O19["flatted ^3_4_0"]
    O20["qs ^6_15_0"]
  end

  E --> F["lock patched transitive_versions"]
  F --> G["write bun_lock"]
  G --> H["bun_audit before_overrides 82_vulnerabilities"]
  H --> I["apply overrides and direct_bumps"]
  I --> J["bun_audit after_changes 14_vulnerabilities"]
  J --> K["residual_issues confined to tooling_and_experimental_paths"]

Loading

File-Level Changes

Change	Details	Files
Introduce centralized root-level overrides to force patched versions of vulnerable transitive dependencies across the monorepo.	Add an overrides section to the root package.json to pin patched versions of key libraries with known security advisories (e.g., @hono/node-server, axios/follow-redirects, fast-xml-parser, postcss, minimatch, esbuild, rollup/vite, undici, qs, uuid, etc.). Configure overrides to ensure security fixes apply even when underlying workspaces or tooling depend on older ranges. Align direct dependency bumps (e.g., axios, vite, hono) with the override versions to avoid version conflicts.	package.json bun.lock
Update direct runtime dependencies in app and package workspaces to patched or latest compatible non-major versions.	apps/server: bump hono and @t3-oss/env-core, and zod to latest compatible versions, addressing multiple GHSA advisories via hono. apps/web: bump axios and better-auth, and align vite to a patched version compatible with root overrides. packages/auth: bump better-auth and @react-email/render to newer versions that align with security and email stack updates. packages/db: bump drizzle-orm, drizzle-zod, and nanoid to newer non-major versions, ensuring compatibility with the rest of the stack. packages/storage: bump @aws-sdk/client-s3 and @aws-sdk/s3-request-presigner to a newer major patch range and nanoid to latest non-major, picking up the secured fast-xml-parser transitively. packages/email-templates: bump @react-email/components, @react-email/tailwind, react, react-dom, and react-email to newer compatible versions.	apps/server/package.json apps/web/package.json packages/auth/package.json packages/db/package.json packages/storage/package.json packages/email-templates/package.json bun.lock
Refresh root dev tooling to latest safe versions and document remaining unavoidable vulnerabilities for future tracking.	Update root devDependencies prettier and turbo to their latest compatible non-major releases to keep tooling current and compatible with updated ecosystem. Add an audit baseline file capturing the 14 remaining vulnerabilities that are currently unavoidable due to upstream constraints (e.g., h3 via nitro/@TanStack, ajv via tooling, newer minimatch/brace-expansion ranges). Ensure residual issues are limited to dev/build tooling or experimental tanstack workspace and do not affect the production request path.	package.json .audit-baseline.txt bun.lock

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Warning

Rate limit exceeded

@jacksonkasi1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 28 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e062b901-2b2d-4a35-a2bc-8627ea77358b

📥 Commits

Reviewing files that changed from the base of the PR and between d6fea09 and 443d30d.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (12)

• apps/server/src/routes/storage/delete.ts
• apps/server/src/routes/storage/upload.ts
• apps/web/src/components/auth/ProtectedRoute.tsx
• apps/web/src/config/axios.ts
• apps/web/src/lib/auth-client.ts
• apps/web/src/main.tsx
• apps/web/src/pages/Dashboard.tsx
• apps/web/src/rest-api/storage/delete-file.ts
• package.json
• packages/auth/src/auth.ts
• packages/auth/src/client.ts
• packages/auth/src/types.ts

📝 Walkthrough

Walkthrough

The pull request updates dependencies across the monorepo, including bumping versions for packages like hono, zod, axios, better-auth, drizzle-orm, and various React-related libraries. Additionally, a .audit-baseline.txt file is introduced documenting 82 identified vulnerabilities with severity levels and GHSA advisory references. A new overrides section is added to the root package.json to enforce specific transitive dependency versions.

Changes

Cohort / File(s)	Summary
Audit Baseline .audit-baseline.txt	New file documenting 82 dependency vulnerabilities with severity levels, workspace associations, GHSA references, and guidance for updates.
Root Workspace Configuration package.json	Upgraded prettier and turbo in devDependencies; added new overrides section to enforce versions for transitive dependencies (vite, esbuild, rollup, undici, and others).
Application Packages apps/server/package.json, apps/web/package.json	Bumped runtime dependency versions: server updated @t3-oss/env-core, hono, zod; web updated axios, better-auth, vite.
Workspace Packages packages/auth/package.json, packages/db/package.json, packages/email-templates/package.json, packages/storage/package.json	Updated dependency versions across authentication, database ORM, email rendering, and storage packages (including better-auth, drizzle-orm, @react-email/*, @aws-sdk/*, nanoid).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Twitching whiskers with glee,
Dependencies fresh as can be,
From audit to app, we've bumped every track,
New overrides guard our monorepo's back,
Hono hops faster, zod's locks are tight—
Our bunny approves of this upgrade night! 🥕✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly and clearly describes the main change: patching security vulnerabilities and updating packages across the monorepo.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/security-and-improvements

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 51 minutes and 28 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've left some high level feedback:

• For the root overrides block, consider pinning exact versions instead of using ^ ranges so the security posture stays stable and future dependency releases don’t silently change what’s being installed.
• You might want to scope some of the more invasive overrides (e.g., minimatch, esbuild, vite) to the specific workspaces that require them rather than the monorepo root to reduce the risk of unexpected behavior in unrelated packages.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- For the root `overrides` block, consider pinning exact versions instead of using `^` ranges so the security posture stays stable and future dependency releases don’t silently change what’s being installed.
- You might want to scope some of the more invasive overrides (e.g., `minimatch`, `esbuild`, `vite`) to the specific workspaces that require them rather than the monorepo root to reduce the risk of unexpected behavior in unrelated packages.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[jacksonkasi1]

Code-review fixes added (3 commits)

1. fix(web) — real bugs & dead code

File	Issue	Fix
apps/web/src/pages/Dashboard.tsx	Navigate imported but never used	Removed
apps/web/src/config/axios.ts	Three console.error debug calls left in production response interceptor	Removed all three
apps/web/src/config/axios.ts	VITE_API_URL env var mismatched VITE_API_BASE_URL used by auth-client.ts and urls.ts	Unified to VITE_API_BASE_URL
apps/web/src/rest-api/storage/delete-file.ts	catch (error) — error captured but never referenced	Changed to bare catch

2. style — import order per AGENT.md

File	Issue	Fix
apps/web/src/components/auth/ProtectedRoute.tsx	// ** import lib appeared before // ** import types	Reordered: types → lib
apps/web/src/main.tsx	App and Providers placed under non-standard // ** import utils section	Moved into // ** import lib
apps/server/src/routes/storage/upload.ts	Hono import labelled // ** import lib	Changed to // ** import core packages (consistent with all other route files)
apps/server/src/routes/storage/delete.ts	Same Hono comment inconsistency	Fixed

3. fix(auth) — TypeScript quality

File	Issue	Fix
packages/auth/src/types.ts	interface Bindings extends Env {} — empty interface is a TypeScript anti-pattern and triggers @typescript-eslint/no-empty-object-type	Replaced with type Bindings = Env

Type-check status

bun run check-types has two pre-existing failures unrelated to these changes:

• @repo/auth: better-auth internal type mismatch (banned field) — existed before this PR
• web: auth-client.ts TS2742 portable type error — existed before this PR

No new type errors introduced.