Parent umbrella issue: #408
Source audit: Weekly tech debt audit: dispatch - 2026-06-17
Source audit date: 2026-06-17
Original recommendation
P1 — Replace the .npmrc omit= line with include=dev (or delete the file) and verify CI is still clean.
Matched top finding
The accepted-risks file documents two moderate CVEs (postcss XSS, @hono/node-server path bypass) with the rationale "no viable upgrade path." Both packages now have patched versions, so that rationale may no longer be accurate. The CI scan (aquasecurity/trivy-action@ed142fd) shows the current state of the image but does not include npm audit output, so it cannot by itself confirm that the accepted risks have been resolved.
Evidence:
cat SECURITY-ACCEPTED-RISKS.md lists next@16.2.7 bundling postcss@8.4.31, and prisma@7.8.0 depending on @hono/node-server < 1.19.13.
npm audit --omit=dev --json reports 0 vulnerabilities, so neither issue is present in the installed production dependency tree, but the accepted-risks doc has not been updated. Note that --omit=dev (like an omit=dev line in .npmrc) excludes devDependencies from the audit, so this result does not cover the full tree; rerun with --include=dev once the .npmrc change lands, and re-check both entries then.