fix(deps): patch 68 security vulnerabilities and update packages #9

Open

jacksonkasi1 wants to merge 3 commits into organization-v2 from feature/security-and-improvements-orgv2

Conversation

jacksonkasi1 (Owner) commented May 1, 2026

Summary

  • Patched 82 → 14 vulnerabilities via direct bumps + root overrides in package.json
  • Bumped all safe non-major packages across the monorepo
  • Added comprehensive bun overrides block to root package.json

Note: The onboarding cache-loop fix is in a separate PR — feature/fix-onboarding-cache-loop.

Security Fixes

| Package | Advisory | Before | After | Method |
| --- | --- | --- | --- | --- |
| hono | GHSA-r5rp-j6wh-rvv4, GHSA-wmmm-f939-6g9c, GHSA-92pp-h63x-v22m, and others | ^4.11.4 | ^4.12.16 | direct + override |
| @hono/node-server | GHSA-wc8c-qw6v-h7f6, GHSA-92pp-h63x-v22m | transitive | ^1.19.10 | root override |
| fast-xml-parser | GHSA-m7jm-9gc2-mpf2 (critical), GHSA-jmr7-xgp7-cmfj, GHSA-37qj-frw5-hhjh, GHSA-8gc5-j5rx-235r, others | ^5.0.9 via AWS SDK | ^5.3.4 | @aws-sdk bump + root override |
| axios / follow-redirects | GHSA-r4q5-vmmm-2653 | ^1.13.2 | ^1.15.2 | direct + override |
| seroval | GHSA-66fc-rw6m-c2q6, GHSA-3rxj-6cgf-8cfw, GHSA-hj76-42vx-jwp4, GHSA-3j22-8qj3-26mx, GHSA-hx9m-jf43-8ffr | <=1.4.0 | ^1.5.0 | root override |
| path-to-regexp | GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7 | <8.4.0 | ^8.4.0 | root override |
| picomatch | GHSA-c2c7-rcm5-vvqj, GHSA-3v7f-55p6-f55p | <2.3.2 | ^4.0.4 | root override |
| undici | GHSA-f269-vfmq-vjvj, GHSA-vrm6-8vpv-qv8q, GHSA-v9p9-hfj2-hcw8, others | <7.24.0 | ^7.24.0 | root override |
| rollup / vite | GHSA-mw96-cpmx-2vgc | <4.59.0 | ^4.59.0 | vite bump + override |
| flatted | GHSA-25h7-pfq9-p65f, GHSA-rf6f-7fwh-wjgh | <3.4.0 | ^3.4.0 | root override |
| kysely | GHSA-wmrf-hv6w-mr66, GHSA-8cpq-38p9-67gx | <=0.28.11 | ^0.28.16 | root override |
| @modelcontextprotocol/sdk | GHSA-345p-7cg4-v4c7 | >=1.10.0 | ^1.26.0 | root override |
| socket.io-parser | GHSA-677m-j7p3-52f9 | <4.2.6 | ^4.2.6 | root override |
| srvx | GHSA-p36q-q72m-gchr | <0.11.13 | ^0.11.13 | root override |
| esbuild | GHSA-67mh-4wv8-2f99 | <=0.24.2 | ^0.25.10 | root override |
| minimatch | GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74 | <3.1.3 | ^10.0.3 | root override |
| brace-expansion | GHSA-f886-m6hf-6m8v | <1.1.13 | ^2.0.3 | root override |
| uuid | GHSA-w5hq-g745-h8pq | <14.0.0 | ^14.0.0 | root override |
| qs | GHSA-w7fw-mjwx-w883 | >=6.7.0 | ^6.15.0 | root override |
| postcss | (moderate) | <8.5.10 | ^8.5.10 | root override |

Package Updates

  • Root: prettier ^3.7.4→^3.8.3, turbo ^2.6.3→^2.9.6
  • apps/server: hono →^4.12.16, @t3-oss/env-core →^0.13.11, zod →^4.4.1, prettier →^3.8.3
  • apps/tanstack: axios ^1.13.2→^1.15.2
  • apps/web: axios →^1.15.2, react/react-dom →^19.2.5, react-router-dom →^7.14.2, prettier →^3.8.3
  • packages/auth: @react-email/render →^2.0.8, zod →^4.4.1
  • packages/db: drizzle-orm →^0.45.2, drizzle-zod →^0.8.3, nanoid →^5.1.9
  • packages/storage: @aws-sdk/client-s3 + presigner →^3.1039.0, nanoid →^5.1.9
  • packages/email-templates: @react-email/components →^1.0.12, @react-email/tailwind →^2.0.7, react-email →^5.2.11, react/react-dom →^19.2.5
  • packages/onboarding: zod →^4.4.1

Residual Vulnerabilities (14 remaining)

Locked-in transitives in apps/tanstack/nitro/better-auth ecosystem where upstream hasn't released compatible patched versions:

  • h3 >=2.0.0 <=2.0.1-rc.14 (nitro + @tanstack/react-start)
  • ajv <6.14.0 (shadcn + react-email build tools)
  • defu <=6.1.4 (better-auth internal)
  • minimatch >=10.0.0 <10.2.1 (new 10.x advisory range)
  • @isaacs/brace-expansion <=5.0.0 (eslint-config tooling)

All in dev/build tooling, none in the production request path.

Test Plan

  • bun run check-types passes ✅ (verified before this PR)
  • bun audit shows 14 remaining (down from 82)
  • Auth flows work (login, signup, org creation)
  • S3 upload/presign works (aws-sdk bump)
  • Email sending works (@react-email bump)
  • Onboarding flow works (see companion PR for cache-loop fix)

Summary by Sourcery

Reduce security vulnerabilities across the monorepo by upgrading dependencies and enforcing patched versions via root overrides.

Bug Fixes:

  • Patch multiple security vulnerabilities in core runtime, HTTP, XML parsing, build, and tooling dependencies via direct upgrades and overrides.

Enhancements:

  • Upgrade React, React Router, axios, AWS SDK, database, validation, email, and utility libraries across apps and packages to current non-major versions.
  • Add a centralized overrides block in the root package.json to pin vulnerable transitive dependencies to secure versions.
  • Refresh prettier and turbo versions in the root and app packages to align tooling across the monorepo.
  • Introduce an audit baseline file to document and track the remaining known vulnerabilities.

Security fixes (bun overrides + direct bumps):
- hono -> 4.12.16 (GHSA-r5rp-j6wh-rvv4, GHSA-wmmm-f939-6g9c, GHSA-92pp-h63x-v22m, others)
- @aws-sdk/client-s3 + presigner -> 3.1039.0 (pulls fixed fast-xml-parser)
- fast-xml-parser override -> ^5.3.4 (GHSA-m7jm-9gc2-mpf2 critical, GHSA-jmr7-xgp7-cmfj, others)
- axios -> ^1.15.2 (GHSA-r4q5-vmmm-2653 via follow-redirects)
- react/react-dom -> ^19.2.5, react-router-dom -> ^7.14.2
- @react-email/components -> ^1.0.12, react-email -> ^5.2.11

Root overrides for transitive vulns:
seroval, path-to-regexp, picomatch, undici, srvx, rollup, flatted,
minimatch, brace-expansion, kysely, socket.io-parser, postcss, uuid, qs,
esbuild, @hono/node-server, @modelcontextprotocol/sdk, follow-redirects,
vite, hono

Package updates:
- prettier -> ^3.8.3, turbo -> ^2.9.6 (root devDeps)
- zod -> ^4.4.1, nanoid -> ^5.1.9, drizzle-orm -> ^0.45.2
- @t3-oss/env-core -> ^0.13.11, @react-email/render -> ^2.0.8
- onboarding zod -> ^4.4.1, email-templates bumped to latest
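The follow-up commit on this PR had to move the minimatch override from ^10.0.3 to ^10.2.1 because the first floor was still inside the >=10.0.0 <10.2.1 advisory range. The block below is an added example, not code from this PR or repository: it checks whether an override's floor version still satisfies an advisory range, assuming plain x.y.z versions and the comparator forms used in the table above.

```typescript
// Added example (not part of the PR): does an override's floor version still
// sit inside an advisory's vulnerable range? Only plain x.y.z versions and the
// comparators used in the PR table (<, <=, >, >=) are modelled; prerelease
// tags such as 2.0.1-rc.14 are rejected rather than compared incorrectly.
type Version = [number, number, number];

function parseVersion(v: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.replace(/^[\^~]/, ""));
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A vulnerable range such as ">=10.0.0 <10.2.1" is an AND of comparators.
function inRange(v: Version, range: string): boolean {
  return range.trim().split(/\s+/).every((part) => {
    const m = /^(<=|>=|<|>)(.+)$/.exec(part);
    if (!m) throw new Error(`unsupported comparator: ${part}`);
    const c = compareVersions(v, parseVersion(m[2]));
    if (m[1] === "<") return c < 0;
    if (m[1] === "<=") return c <= 0;
    if (m[1] === ">") return c > 0;
    return c >= 0;
  });
}

// True when the lowest version the override can resolve to is still
// vulnerable, i.e. the override does not actually close the advisory.
function overrideStillVulnerable(override: string, vulnerableRange: string): boolean {
  return inRange(parseVersion(override), vulnerableRange);
}

// Constructed checks taken from the PR's table and its follow-up commit.
const checks = [
  { pkg: "minimatch", override: "^10.0.3", range: ">=10.0.0 <10.2.1" }, // flagged
  { pkg: "minimatch", override: "^10.2.1", range: ">=10.0.0 <10.2.1" }, // fixed
  { pkg: "path-to-regexp", override: "^8.4.0", range: "<8.4.0" },
  { pkg: "ajv", override: "^8.18.0", range: "<6.14.0" },
];
for (const c of checks) {
  const status = overrideStillVulnerable(c.override, c.range) ? "STILL VULNERABLE" : "ok";
  console.log(`${c.pkg} ${c.override} vs ${c.range}: ${status}`);
}
```

A caret override only raises the floor; confirm in bun.lock that the resolved version also left the range, which is exactly what the follow-up commit here had to correct.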
coderabbitai Bot commented May 1, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


sourcery-ai Bot commented May 1, 2026

Reviewer's Guide

Monorepo-wide dependency refresh focused on resolving security advisories by adding a centralized overrides block at the root, bumping vulnerable and adjacent packages across apps and packages, updating the Bun lockfile, and introducing an audit baseline to track the remaining non-prod vulnerabilities.

Flow diagram for bun audit using the new audit baseline

```mermaid
flowchart LR
  A["Developer runs bun audit"] --> B["bun audit scans dependencies using bun.lock and overrides"]
  B --> C["bun audit outputs current vulnerabilities list"]
  C --> D{"Audit baseline present? (.audit-baseline.txt)"}

  D -- Yes --> E["Load baseline vulnerabilities (14 known non-prod issues)"]
  E --> F["Compare current vulnerabilities against baseline"]
  F --> G{"New or regressed vulnerabilities?"}
  G -- No --> H["Exit 0 (acceptable risk level)"]
  G -- Yes --> I["Exit with failure: block merge or deployment"]

  D -- No --> J["Treat all vulnerabilities as new"]
  J --> I
```

File-Level Changes

Introduce centralized dependency overrides to force secure versions of vulnerable packages across the monorepo.
  • Add a root-level overrides section in package.json that pins patched versions for key vulnerable dependencies (e.g., hono, axios/follow-redirects, fast-xml-parser, minimatch, postcss, undici, vite, esbuild, qs, uuid, etc.)
  • Override certain transitive-only dependencies to patched versions even when not directly declared in workspace package.json files
  • Use overrides to bump nitro/@tanstack-related and tooling dependencies (e.g., h3, ajv, defu, @isaacs/brace-expansion) while keeping app code changes minimal
  Files: package.json, bun.lock

Align workspace packages to patched dependency ranges and latest non-breaking versions.
  • Update axios, react, react-dom, react-router-dom, and prettier in the web app to current non-major versions compatible with overrides
  • Bump server-side dependencies such as hono, @t3-oss/env-core, and zod in the server app
  • Refresh shared package dependencies including react-email libraries, drizzle-orm/drizzle-zod, zod, nanoid, and AWS SDK S3 clients/presigner to latest compatible versions
  • Ensure onboarding, auth, storage, db, and tanstack apps all reference the newer safe versions of shared libraries (e.g., zod, axios, nanoid)
  Files: apps/web/package.json, apps/server/package.json, apps/tanstack/package.json, packages/auth/package.json, packages/db/package.json, packages/storage/package.json, packages/email-templates/package.json, packages/onboarding/package.json, bun.lock

Upgrade root tooling dependencies to latest safe versions and capture remaining audit state.
  • Update root devDependencies for prettier and turbo to newer minor versions
  • Regenerate bun.lock to reflect all version bumps and overrides application
  • Add an audit baseline file documenting the residual 14 vulnerabilities confined to dev/build tooling for future tracking
  Files: package.json, bun.lock, .audit-baseline.txt

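The reviewer's guide above sketches a baseline-gated audit: load .audit-baseline.txt, compare the current findings against it, and fail only on anything new. The block below is an added example of that comparison, not code from this PR or repository; it assumes a baseline format of one `package vulnerable-range` pair per line (the PR does not show the file's contents) and embeds a constructed baseline and a constructed set of current findings.

```typescript
// Added example (not part of the PR): gate the current audit findings against
// .audit-baseline.txt. The line format "<package> <vulnerable range>" is an
// assumption; the PR only says the file records the 14 residual findings.
type Finding = { pkg: string; range: string };

function parseBaseline(text: string): Set<string> {
  const keys = new Set<string>();
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim(); // allow "# ..." comments
    if (!line) continue;
    const [pkg, ...range] = line.split(/\s+/);
    keys.add(`${pkg} ${range.join(" ")}`);
  }
  return keys;
}

// fresh: findings not covered by the baseline (fail the gate).
// stale: baseline entries no longer reported (prune them so the file
// does not silently keep accepting a finding that later comes back).
function auditGate(current: Finding[], baseline: Set<string>) {
  const seen = new Set(current.map((f) => `${f.pkg} ${f.range}`));
  const fresh = [...seen].filter((k) => !baseline.has(k));
  const stale = [...baseline].filter((k) => !seen.has(k));
  return { fresh, stale, exitCode: fresh.length > 0 ? 1 : 0 };
}

// Constructed baseline mirroring three of the PR's residual entries.
const BASELINE = `# dev/build tooling only, none in the production request path
h3 >=2.0.0 <=2.0.1-rc.14
ajv <6.14.0
defu <=6.1.4
`;

// Constructed "current" audit: ajv is gone (override added later in the PR)
// and a hypothetical new finding has appeared.
const CURRENT: Finding[] = [
  { pkg: "h3", range: ">=2.0.0 <=2.0.1-rc.14" },
  { pkg: "defu", range: "<=6.1.4" },
  { pkg: "example-pkg", range: "<1.2.3" }, // hypothetical, not on the page
];

const gate = auditGate(CURRENT, parseBaseline(BASELINE));
console.log(gate); // fresh: ["example-pkg <1.2.3"], stale: ["ajv <6.14.0"], exitCode: 1
```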

sourcery-ai Bot left a comment

Hey - I've left some high level feedback:

  • The root overrides block centralizes a lot of major-version forcing (e.g., ajv, minimatch, h3 rc, esbuild); consider constraining these to the minimal compatible versions and/or only where needed to reduce the risk of subtle breakage in tools that still expect older major ranges.
  • Given that security fixes are now encoded in overrides, it may be helpful to group or annotate them (e.g., by ecosystem or vulnerability driver) so future dependency updates can more easily determine which overrides are still necessary and which can be removed.

jacksonkasi1 and others added 2 commits May 1, 2026 08:53
Fix minimatch override ^10.0.3 -> ^10.2.1 (was still in advisory range).
Add ajv -> ^8.18.0 override.

Remaining 6 all from h3 >=2.0.0 <=2.0.1-rc.14 (nitro / @tanstack/react-start);
no stable patched release upstream.
…console noise

- Add `debug` level to @repo/logs logger
- Demote four verbose logger.info calls inside hooks.after /get-session
  middleware to logger.debug — fires on every session check and was
  spamming production logs
- Merge duplicate @repo/db imports in packages/auth/src/auth.ts into one
- Remove redundant console.error calls from axios response interceptors in
  web and tanstack apps (error already re-thrown to callers)
- Remove console.error from onboarding catch blocks in web and tanstack
  (user-facing toast already surfaces the error message)
- Remove unused sharedUtility export from packages/config/src/index.ts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jacksonkasi1 (Owner, Author) commented

Code review fixes — feature/security-and-improvements-orgv2

Commit: 96d69fd

Changes applied

packages/logs/src/index.ts

  • Added debug level to the logger (needed to support log-level demotion)

packages/auth/src/auth.ts (hot-path spam fix — primary ask)

  • Demoted 4 logger.info calls inside the hooks.after /get-session middleware to logger.debug. These fire on every session check and were writing to production logs for no operational value (context exists, activeOrg already set, user has N orgs). Kept the two important info-level logs: single-org auto-activate and re-enable-onboarding.
  • Merged duplicate @repo/db imports (two separate import … from "@repo/db" statements) into one.

apps/web/src/config/axios.ts · apps/tanstack/src/config/axios.ts

  • Removed console.error calls from axios response interceptors (Unauthorized request, Forbidden request, Server error). These were context-free and duplicated noise — the error is re-thrown to callers regardless.

apps/web/src/pages/Onboarding.tsx · apps/tanstack/src/routes/onboarding/onboarding-page.tsx

  • Removed console.error from all catch blocks in onboarding handlers. User-facing toast.error already surfaces the message; raw object dumps in the console add no value in production.

packages/config/src/index.ts

  • Removed the unused sharedUtility export placeholder — nothing in the codebase imports it.

Type checks

bun run check-types --force: 11/11 passed, 0 errors.

Not touched (per constraints)
