After merging #43 (ajv scope) and #44 (OTel + protobufjs), the production audit is at `found 0 vulnerabilities`. The remaining open Dependabot PRs are all major-version bumps that need individual evaluation rather than auto-merge. Tracking them here so the queue stays visible and intentional rather than red noise.
## Backend production deps (highest blast radius)

- **express 4 → 5**: major rewrite. Async error handling, `body-parser` split, removed `req.param`. Touches every route handler. Should be its own day-long migration.
- **helmet 7 → 8**: CSP defaults changed; the per-request nonce middleware needs re-verification.
- **pino 9 → 10**: transport API change. Check `pino-http` compatibility (PR #44, "fix(deps): upgrade OpenTelemetry + override protobufjs to clear all production high-severity advisories", in nominal config).
- **express-rate-limit 7 → 8**: store API and headers behavior shifted; the fail-open path in our middleware needs re-checking.
- **puppeteer-core 23 → 24**: verify the SSRF defense hooks (DNS rebinding checks) still apply unchanged.
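For the helmet item: the thing to re-verify after the bump is that the emitted `Content-Security-Policy` still carries the per-request nonce in `script-src` and did not pick up an `'unsafe-inline'` fallback. The block below is an added example, not this project's middleware: a plain-Node nonce middleware plus a header checker that can be pointed at whatever helmet 8 produces. `cspNonceMiddleware`, `checkCspHeader`, `fakeResponse` and `runOnce` are names chosen for this example.

```javascript
// Added example (not the project's code): per-request CSP nonce middleware in
// plain Node, plus a checker for the header helmet 8 ends up emitting.
const crypto = require('node:crypto');

// Generates a fresh nonce per request, stashes it for the template layer, and
// sets a CSP that admits scripts only by that nonce (no 'unsafe-inline').
function cspNonceMiddleware(req, res, next) {
  const nonce = crypto.randomBytes(16).toString('base64');
  res.locals = res.locals || {};
  res.locals.cspNonce = nonce;
  res.setHeader(
    'Content-Security-Policy',
    `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'self'`,
  );
  next();
}

// Parses a CSP header into { directive: [sources...] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Returns a list of problems; an empty list means the header is what the
// nonce middleware is supposed to guarantee. script-src falls back to
// default-src exactly as browsers do when script-src is absent.
function checkCspHeader(header, expectedNonce) {
  const problems = [];
  const csp = parseCsp(header);
  const scriptSrc = csp['script-src'] || csp['default-src'] || [];
  if (!scriptSrc.includes(`'nonce-${expectedNonce}'`)) problems.push('script-src lacks the per-request nonce');
  if (scriptSrc.includes("'unsafe-inline'")) problems.push("script-src allows 'unsafe-inline'");
  if (scriptSrc.includes('*')) problems.push('script-src allows any origin');
  if (!csp['object-src'] || !csp['object-src'].includes("'none'")) problems.push("object-src is not 'none'");
  return problems;
}

// Minimal stand-in for an Express response so the middleware runs without a server.
function fakeResponse() {
  const headers = {};
  return {
    locals: {},
    setHeader: (k, v) => { headers[k.toLowerCase()] = v; },
    getHeader: (k) => headers[k.toLowerCase()],
  };
}

// Runs the middleware once and checks its own output.
function runOnce() {
  const res = fakeResponse();
  let nextCalled = false;
  cspNonceMiddleware({}, res, () => { nextCalled = true; });
  const header = res.getHeader('content-security-policy');
  return { nextCalled, nonce: res.locals.cspNonce, header, problems: checkCspHeader(header, res.locals.cspNonce) };
}
```

With helmet itself, the nonce is supplied through a directive function (`scriptSrc: ["'self'", (req, res) => \`'nonce-${res.locals.cspNonce}'\`]`) after a middleware like the one above has set `res.locals.cspNonce`; the checker is meant to run against the header helmet actually sends on a real response, once per request, since the nonce must differ between requests.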
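For the express-rate-limit item: the path that changes meaning under a new store API is what the middleware does when the store itself throws. The block below is an added example, not this project's middleware and not express-rate-limit's real store interface (which is simplified here to a single `increment`): a limiter with an explicit `onStoreError` policy and a simulation that drives the store into failure so both the fail-open and fail-closed paths are exercised. `MemoryStore`, `rateLimit`, `fakeRes` and `simulate` are names chosen for this example.

```javascript
// Added example (not the project's code): a rate limiter whose behaviour on
// store failure is an explicit policy, plus a harness that exercises it.

// In-memory store with a fault-injection switch standing in for Redis going away.
class MemoryStore {
  constructor() { this.hits = new Map(); this.failing = false; }
  async increment(key, windowMs) {
    if (this.failing) throw new Error('store unavailable');
    const now = Date.now();
    const entry = this.hits.get(key);
    if (!entry || entry.resetAt <= now) {
      const fresh = { count: 1, resetAt: now + windowMs };
      this.hits.set(key, fresh);
      return fresh;
    }
    entry.count += 1;
    return entry;
  }
}

// onStoreError: 'open' admits the request and marks the response as degraded
// (availability first); 'closed' answers 503 (abuse resistance first).
function rateLimit({ store, max, windowMs, onStoreError, keyFor = (req) => req.ip }) {
  return async function middleware(req, res, next) {
    let entry;
    try {
      entry = await store.increment(keyFor(req), windowMs);
    } catch (err) {
      if (onStoreError === 'open') {
        res.setHeader('X-RateLimit-Degraded', '1');
        return next();
      }
      res.status(503).end('rate limiter unavailable');
      return;
    }
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(Math.max(0, max - entry.count)));
    if (entry.count > max) {
      res.status(429).end('too many requests');
      return;
    }
    next();
  };
}

// Fake Express response so the middleware runs without a server.
function fakeRes() {
  const r = { statusCode: 200, headers: {}, ended: false };
  r.setHeader = (k, v) => { r.headers[k.toLowerCase()] = v; };
  r.status = (c) => { r.statusCode = c; return r; };
  r.end = () => { r.ended = true; return r; };
  return r;
}

// Sends n requests from one constructed client IP; from request `failAt` on,
// the store throws. Returns one record per request.
async function simulate({ max, n, failAt, onStoreError }) {
  const store = new MemoryStore();
  const limiter = rateLimit({ store, max, windowMs: 60_000, onStoreError });
  const results = [];
  for (let i = 1; i <= n; i++) {
    store.failing = failAt !== undefined && i >= failAt;
    const res = fakeRes();
    let passed = false;
    await limiter({ ip: '203.0.113.7' }, res, () => { passed = true; });
    results.push({ i, passed, status: res.statusCode, degraded: res.headers['x-ratelimit-degraded'] === '1' });
  }
  return results;
}
```

The point of the `failAt` knob is that "fail open" only stays a deliberate choice if a test keeps asserting it: after the store API change, an `increment` that now resolves to a differently shaped object, or rejects where it used to resolve, would silently turn the limiter into either a no-op or a 503 generator, and only the failure-path test tells which.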
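For the puppeteer-core item: a DNS-rebinding defense has two halves, classifying resolved addresses and connecting to the address that was vetted rather than re-resolving the name. The block below is an added example, not this project's hook: an address classifier covering the common private, loopback, link-local (including the 169.254.169.254 metadata endpoint), CGNAT and IPv4-mapped IPv6 ranges, and a `vetNavigation` step that resolves once and returns a pinned address. The resolver is injected so the block runs offline against a constructed table, in which `rebind.example` answers with a public address first and loopback afterwards. `isDisallowedAddress`, `vetNavigation`, `makeFakeResolver` and `SAMPLE_TABLE` are names chosen for this example, and the range list is not exhaustive.

```javascript
// Added example (not the project's code): address classification and a
// resolve-then-pin step of the kind a DNS-rebinding defense in a
// request-interception hook needs.
const net = require('node:net');

// True for addresses a headless browser must never be allowed to reach.
// IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so it cannot bypass the IPv4 rules.
function isDisallowedAddress(ip) {
  let v4 = ip;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) v4 = mapped[1];
  if (net.isIPv4(v4)) {
    const [a, b] = v4.split('.').map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||            // link-local, incl. cloud metadata 169.254.169.254
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127) ||  // CGNAT 100.64.0.0/10
      a >= 224;                              // multicast, reserved, broadcast
  }
  if (net.isIPv6(ip)) {
    const lower = ip.toLowerCase();
    if (lower === '::1' || lower === '::') return true;
    const first = parseInt(lower.split(':')[0] || '0', 16);
    return (first & 0xfe00) === 0xfc00 ||    // fc00::/7 unique local
           (first & 0xffc0) === 0xfe80 ||    // fe80::/10 link-local
           (first & 0xff00) === 0xff00;      // ff00::/8 multicast
  }
  return true; // not an IP literal: refuse rather than guess
}

// Resolves the host once, rejects if ANY answer is disallowed, and returns the
// address the fetch must connect to. Letting the HTTP client resolve the name
// again at connect time is the gap a rebinding attacker uses.
async function vetNavigation(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable url' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  const host = url.hostname.replace(/^\[|\]$/g, '');       // strip IPv6 brackets
  const addresses = net.isIP(host) ? [host] : await resolve(host);
  if (addresses.length === 0) return { ok: false, reason: 'no addresses' };
  const bad = addresses.find(isDisallowedAddress);
  if (bad) return { ok: false, reason: `resolves to disallowed address ${bad}` };
  return { ok: true, host, pinnedIp: addresses[0] };
}

// Constructed resolver standing in for dns.resolve4/resolve6: each table entry is a
// list of per-call answers (the last one repeats), which is enough to model rebinding.
function makeFakeResolver(table) {
  const calls = new Map();
  return async (host) => {
    const answers = table[host] || [[]];
    const n = (calls.get(host) || 0) + 1;
    calls.set(host, n);
    return answers[Math.min(n, answers.length) - 1];
  };
}

// Constructed sample data; 93.184.216.34 is used purely as "some public address".
const SAMPLE_TABLE = {
  'public.example':   [['93.184.216.34']],
  'internal.example': [['10.0.0.5']],
  'dual.example':     [['93.184.216.34', '::ffff:169.254.169.254']],
  'rebind.example':   [['93.184.216.34'], ['127.0.0.1']],
};
```

In a puppeteer request-interception hook the decision would be `request.abort()` when `vetNavigation` returns `ok: false`, and the pinned address is what the eventual connection must use; after the 23 → 24 bump the thing to confirm is that the hook still sees every request (including redirects and subresources) before the browser resolves the name itself.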
## Frontend production deps

- **next 15 → 16**: RSC behavior and routing changes. Pair-required with `eslint-config-next` (#32, "deps(frontend)(deps-dev): bump eslint-config-next from 15.5.18 to 16.2.6 in /frontend") and `@next/bundle-analyzer` (#27, "deps(frontend)(deps-dev): bump @next/bundle-analyzer from 15.5.18 to 16.2.6 in /frontend").

## Dev tooling — done together because they pair

- **tailwindcss 3 → 4**: v4 is CSS-first config; affects every `globals.css` and `@theme` block.
- **eslint 8 → 10**: flat config migration. This is the proper fix that obsoletes the `ajv` scoped override added in #43 ("fix(deps): scope ajv override so ESLint keeps ajv 6.x"). Backend already has `.eslintrc.cjs`, frontend has `.eslintrc.json`; both convert to `eslint.config.{js,mjs}`.
- **eslint-config-next 15 → 16**: pair with #37 ("deps(frontend)(deps): bump next from 15.5.18 to 16.2.6 in /frontend").
- **@next/bundle-analyzer 15 → 16**: pair with #37.
- **@stryker-mutator/jest-runner 8 → 9**: bumps Jest 29 to 30; check ts-jest compat.
- **@commitlint/config-conventional 19 → 21**: low blast radius (commit message linting); safe-first candidate.
## Infrastructure

- **actions group (10 updates)**: currently failing CI. `actions/checkout@v6` and `actions/setup-node@v6` break the workflows. Wait for upstream to stabilize or pin lower.
- **node 20 → 26 (backend Docker)**: six major versions (three LTS lines) in one jump. Re-verify Puppeteer worker behavior and BullMQ ESM handling.
- **node 20 → 26 (frontend Docker)**: pair with #26 ("deps(docker)(deps): bump node from 20-slim to 26-slim in /backend").

## Notes
- axis worth a paragraph of testing or is paired with another item.
- The `Q3 2026 batch` label is a heuristic, not a deadline. Items with audit-clean equivalents (no security pressure) can stay open for months.
- (#39 "deps(deps-dev): bump @commitlint/config-conventional from 19.8.1 to 21.0.0", then #36 "deps(backend)(deps-dev): bump @stryker-mutator/jest-runner from 8.7.1 to 9.6.1 in /backend"), then the Next.js triad (#37 + #32 + #27), then the heavier rewrites (express 5, helmet 8, tailwind 4).