Parent umbrella issue: #308
Source audit: Weekly tech debt audit: dispatch - 2026-06-03
Source audit date: 2026-06-03
Original recommendation
P2 — Resolve production dependency advisories: assess Next/PostCSS and Prisma advisory paths, upgrade or document accepted risk, and pin/upgrade Trivy action off master.
Matched top finding
Runtime dependency audit found moderate advisories. CI pins most actions by SHA, but Trivy still tracks aquasecurity/trivy-action@master, which reduces reproducibility of security scanning.
Evidence:
npm audit --omit=dev --json reported 5 moderate advisories: next via bundled postcss, prisma via @prisma/dev / @hono/node-server.
.github/workflows/ci.yaml and .github/workflows/image.yaml pin checkout/setup/build actions by SHA.
.github/workflows/image.yaml uses aquasecurity/trivy-action@master with continue-on-error: true.
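As an added illustration of the pinning check behind the Trivy finding (this is not the repository's own code or workflow), the following Python script scans a workflow file for `uses:` references that are not pinned to a full 40-hex commit SHA, and for steps that carry `continue-on-error: true`. The two embedded workflow fragments are constructed samples, not the project's image.yaml, and the checkout SHA in them is a placeholder, not a real commit.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape the audit describes: most actions pinned by SHA,
# Trivy tracking a branch with continue-on-error. The SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: image
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: docker/build-push-action@v5
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          image-ref: app:latest
"""

# Constructed remediated version: Trivy pinned to a placeholder SHA (with the tag it
# corresponds to recorded in a comment) and the scan result allowed to fail the job.
REMEDIATED_WORKFLOW = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
  - name: Trivy scan
    uses: aquasecurity/trivy-action@fedcba9876543210fedcba9876543210fedcba98  # placeholder SHA, vX.Y.Z
    with:
      image-ref: app:latest
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
COE_RE = re.compile(r"^\s*continue-on-error:\s*true\b")
STEP_START_RE = re.compile(r"^\s*-\s")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    action: str    # the uses: reference the finding is about
    issue: str


def _split_steps(lines):
    """Group lines into YAML list items (steps); each item is a list of (line_no, text).
    Lines before the first '- ' form a pseudo-item that never contains a uses: key."""
    steps, current = [], []
    for no, text in enumerate(lines, start=1):
        if STEP_START_RE.match(text):
            if current:
                steps.append(current)
            current = []
        current.append((no, text))
    if current:
        steps.append(current)
    return steps


def audit_workflow(text: str) -> list[Finding]:
    """Return findings for unpinned action references and soft-failing steps."""
    findings = []
    for step in _split_steps(text.splitlines()):
        uses_line, action = None, None
        for no, line in step:
            m = USES_RE.match(line)
            if m:
                uses_line, action = no, m.group(1)
        if action is None:
            continue
        # Local actions and docker:// images are pinned differently; out of scope here.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        _repo, _, ref = action.partition("@")
        if not ref:
            findings.append(Finding(uses_line, action, "no ref: resolves to the default branch"))
        elif ref in ("master", "main", "develop"):
            findings.append(Finding(uses_line, action, f"tracks branch '{ref}': content changes without a workflow edit"))
        elif not SHA_RE.match(ref):
            findings.append(Finding(uses_line, action, f"mutable ref '{ref}': pin to the tag's full commit SHA"))
        for no, line in step:
            if COE_RE.match(line):
                findings.append(Finding(no, action, "continue-on-error: true hides scanner failures from the job result"))
    return findings


if __name__ == "__main__":
    for label, wf in (("sample", SAMPLE_WORKFLOW), ("remediated", REMEDIATED_WORKFLOW)):
        print(f"== {label} ==")
        for f in audit_workflow(wf):
            print(f"line {f.line}: {f.action}: {f.issue}")
```

Run against the first fragment it reports the `@v5` tag, the `@master` branch and the `continue-on-error: true` step; the remediated fragment yields no findings. The step splitter is deliberately line-based (it does not load a YAML parser) so it can run in a pre-commit hook without extra dependencies; nested lists inside `with:` blocks would be split as separate items, which is harmless for this check because they never contain a `uses:` key.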