Skip to content

Dependency hardening: deferred npm and pip advisories #4

Description

@codethor0

Current state

  • npm audit reports known advisories, including Next.js/postcss class issues
  • pip-audit has known deferred advisories documented in docs/dependency-audit.md
  • No dependency upgrades should happen casually

Required approach

  1. Plan dependency upgrade batch separately with full frontend/backend validation
  2. Document any accepted deferred advisories with rationale
  3. Do not upgrade dependencies in contributor first-PR lanes without approval

Launch impact

  • Public launch should not claim dependency advisories are remediated until this issue is completed or explicitly documented as accepted risk

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions