chore(deps): aggregate weekly dependency updates (api, ui, docs, ci)

.github/workflows/apps-api-security-deps.yml

@@ -93,4 +93,8 @@ jobs:
 
       - name: bun audit
         if: steps.filter.outputs.code == 'true'
-        run: bun audit --audit-level=high
+        # GHSA-p6gq-j5cr-w38f (nodemailer raw-option file-read/SSRF) is ignored:
+        # our only nodemailer usage (src/lib/email/providers/smtp.ts) builds a
+        # standard SMTP transport via createTransport and never passes the
+        # vulnerable `raw` message option. Mirrors apps/api/osv-scanner.toml.
+        run: bun audit --audit-level=high --ignore=GHSA-p6gq-j5cr-w38f

.github/workflows/infra-k3s-validate.yml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Install kubectl (bundles kustomize)
         if: steps.filter.outputs.code == 'true'
-        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
+        uses: azure/setup-kubectl@829323503d1be3d00ca8346e5391ca0b07a9ab0d # v5.1.0
 
       # `kubectl kustomize` renders base + prod overlay offline. Catches the
       # realistic breakage: bad resource refs, malformed YAML, broken patches,

apps/api/bunfig.toml

@@ -42,6 +42,11 @@ minimumReleaseAgeExcludes = [
   "@typescript-eslint/visitor-keys",
   "@typescript-eslint/project-service",
   "@typescript-eslint/tsconfig-utils",
+  # form-data 4.0.6 patches GHSA-hmw2-7cc7-3qxx (CRLF injection via unescaped
+  # multipart field names). Pulled in transitively via @sendgrid/mail -> axios;
+  # we override `form-data` directly to clear `bun audit`. The patched release
+  # is <7 days old, so exempt it from the quarantine window.
+  "form-data",
 ]
 
 [test]

apps/api/osv-scanner.toml

@@ -24,3 +24,43 @@ micromatch; our usage is internal build-time tooling (vite, tsconfig
 resolution). No path from user input to micromatch in api source. Awaiting
 upstream patch via vite/jest transitive deps.
 """
+
+[[IgnoredVulns]]
+id = "GHSA-p6gq-j5cr-w38f"
+ignoreUntil = "2026-09-19T00:00:00Z"
+reason = """
+nodemailer raw-option file-read/SSRF. The advisory affects nodemailer's
+message-level `raw` option, which bypasses disableFileAccess/disableUrlAccess.
+Our only nodemailer usage is src/lib/email/providers/smtp.ts, which builds a
+standard SMTP transport via createTransport and never passes the `raw` option,
+so the vulnerable code path is unreachable. Upstream fix is in 9.0.1 (a major
+bump, currently inside our 7-day install quarantine). Re-evaluate when bumping
+nodemailer to 9.x.
+"""
+
+[[IgnoredVulns]]
+id = "GHSA-8988-4f7v-96qf"
+ignoreUntil = "2026-09-19T00:00:00Z"
+reason = """
+@opentelemetry/core 2.7.1 advisory; fixed in 2.8.0. Transitive via the
+OpenTelemetry SDK (telemetry only, server-side). Low severity; re-evaluate when
+the auto-instrumentations pull 2.8.0 transitively.
+"""
+
+[[IgnoredVulns]]
+id = "GHSA-g7r4-m6w7-qqqr"
+ignoreUntil = "2026-09-19T00:00:00Z"
+reason = """
+esbuild advisory; fixed in 0.28.1. Build-time bundler only — production runs the
+bundled artifact, not esbuild. Multiple esbuild versions live in the transitive
+tree (vite/tsx); awaiting upstream bumps rather than force-pinning one copy.
+"""
+
+[[IgnoredVulns]]
+id = "GHSA-f38q-mgvj-vph7"
+ignoreUntil = "2026-09-19T00:00:00Z"
+reason = """
+protobufjs 7.6.1 advisory; fixed in 7.6.3. Transitive via the OpenTelemetry OTLP
+exporter (build/telemetry path); no user-controlled input reaches protobuf
+decoding in api source. Re-evaluate when the exporter pulls 7.6.3.
+"""

apps/api/package.json

@@ -50,7 +50,7 @@
     "prepare": "husky 2>/dev/null || true"
   },
   "dependencies": {
-    "@anthropic-ai/sdk": "0.100.1",
+    "@anthropic-ai/sdk": "0.102.0",
     "@casl/ability": "7.0.0",
     "@elysiajs/cors": "1.4.2",
     "@elysiajs/jwt": "1.4.2",
@@ -62,10 +62,10 @@
     "@opentelemetry/sdk-node": "0.218.0",
     "@opentelemetry/semantic-conventions": "1.41.1",
     "@sendgrid/mail": "8.1.6",
-    "@sentry/bun": "10.55.0",
+    "@sentry/bun": "10.56.0",
     "@sinclair/typebox": "0.34.49",
     "arctic": "3.7.0",
-    "bullmq": "5.77.6",
+    "bullmq": "5.78.0",
     "dotenv": "17.4.2",
     "drizzle-orm": "0.45.2",
     "elysia": "1.4.28",
@@ -74,7 +74,7 @@
     "handlebars": "4.7.9",
     "ioredis": "5.10.1",
     "nodemailer": "8.0.10",
-    "openai": "6.41.0",
+    "openai": "6.42.0",
     "otpauth": "9.5.1",
     "pg": "8.21.0",
     "pino": "10.3.1",
@@ -90,9 +90,9 @@
     "@boring-stack-pkg/eslint-plugin-cache-keys": "0.1.2",
     "@boring-stack-pkg/eslint-plugin-code-flow": "0.2.0",
     "@boring-stack-pkg/eslint-plugin-comment-hygiene": "0.2.0",
-    "@boring-stack-pkg/eslint-plugin-db-transactions": "0.1.1",
-    "@boring-stack-pkg/eslint-plugin-drizzle-conventions": "0.1.1",
-    "@boring-stack-pkg/eslint-plugin-elysia": "0.1.1",
+    "@boring-stack-pkg/eslint-plugin-db-transactions": "0.1.2",
+    "@boring-stack-pkg/eslint-plugin-drizzle-conventions": "0.1.2",
+    "@boring-stack-pkg/eslint-plugin-elysia": "0.1.2",
     "@boring-stack-pkg/eslint-plugin-env-access": "0.1.3",
     "@boring-stack-pkg/eslint-plugin-jwt-cookies": "0.1.2",
     "@boring-stack-pkg/eslint-plugin-module-boundaries": "0.1.2",
@@ -101,7 +101,7 @@
     "@boring-stack-pkg/eslint-plugin-stripe-webhooks": "0.1.1",
     "@boring-stack-pkg/eslint-plugin-structured-logging": "0.1.2",
     "@boring-stack-pkg/eslint-plugin-test-conventions": "0.1.2",
-    "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
+    "@eslint-community/eslint-plugin-eslint-comments": "4.7.2",
     "@eslint/js": "10.0.1",
     "@types/fs-extra": "11.0.4",
     "@types/nodemailer": "8.0.0",
@@ -116,7 +116,7 @@
     "eslint-plugin-prettier": "5.5.6",
     "eslint-plugin-promise": "7.3.0",
     "eslint-plugin-sonarjs": "4.0.3",
-    "eslint-plugin-unicorn": "64.0.0",
+    "eslint-plugin-unicorn": "65.0.0",
     "globals": "17.6.0",
     "husky": "9.1.7",
     "knip": "6.14.2",
@@ -126,9 +126,11 @@
   },
   "//overrides": {
     "_": "Why these transitive deps are pinned. Keep each entry in sync with the matching `overrides` key — enforced by the package-override-parity lint-meta rule.",
-    "@typescript-eslint/utils": "Single @typescript-eslint/utils resolution across the workspace so the shared @boring-stack-pkg ESLint plugins all load the same utils version. The UI and docs apps mirror this exact pin; a mismatch makes the custom plugins resolve divergent utils copies and fail to load."
+    "@typescript-eslint/utils": "Single @typescript-eslint/utils resolution across the workspace so the shared @boring-stack-pkg ESLint plugins all load the same utils version. The UI and docs apps mirror this exact pin; a mismatch makes the custom plugins resolve divergent utils copies and fail to load.",
+    "form-data": "Pin patched form-data (GHSA-hmw2-7cc7-3qxx CRLF injection via unescaped multipart field names); 4.0.5 is vulnerable, 4.0.6 patches it. Pulled in transitively via @sendgrid/mail -> @sendgrid/client -> axios. Excluded from the install quarantine while <7 days old."
   },
   "overrides": {
-    "@typescript-eslint/utils": "8.60.1"
+    "@typescript-eslint/utils": "8.60.1",
+    "form-data": "4.0.6"
   }
 }