boringstack-xyz · agjs · Jun 19, 2026 · Jun 19, 2026
@@ -93,8 +93,4 @@ jobs:
 
       - name: bun audit
         if: steps.filter.outputs.code == 'true'
-        # GHSA-p6gq-j5cr-w38f (nodemailer raw-option file-read/SSRF) is ignored:
-        # our only nodemailer usage (src/lib/email/providers/smtp.ts) builds a
-        # standard SMTP transport via createTransport and never passes the
-        # vulnerable `raw` message option. Mirrors apps/api/osv-scanner.toml.
-        run: bun audit --audit-level=high --ignore=GHSA-p6gq-j5cr-w38f
+        run: bun audit --audit-level=high
@@ -47,6 +47,10 @@ minimumReleaseAgeExcludes = [
   # we override `form-data` directly to clear `bun audit`. The patched release
   # is <7 days old, so exempt it from the quarantine window.
   "form-data",
+  # nodemailer 9.0.1 patches GHSA-p6gq-j5cr-w38f (raw-option file-read/SSRF).
+  # Direct dep; the patched release is <7 days old, so exempt it from the
+  # quarantine window for this security upgrade.
+  "nodemailer",
 ]
 
 [test]

@@ -25,19 +25,6 @@ resolution). No path from user input to micromatch in api source. Awaiting
 upstream patch via vite/jest transitive deps.
 """
 
-[[IgnoredVulns]]
-id = "GHSA-p6gq-j5cr-w38f"
-ignoreUntil = "2026-09-19T00:00:00Z"
-reason = """
-nodemailer raw-option file-read/SSRF. The advisory affects nodemailer's
-message-level `raw` option, which bypasses disableFileAccess/disableUrlAccess.
-Our only nodemailer usage is src/lib/email/providers/smtp.ts, which builds a
-standard SMTP transport via createTransport and never passes the `raw` option,
-so the vulnerable code path is unreachable. Upstream fix is in 9.0.1 (a major
-bump, currently inside our 7-day install quarantine). Re-evaluate when bumping
-nodemailer to 9.x.
-"""
-
 [[IgnoredVulns]]
 id = "GHSA-8988-4f7v-96qf"
 ignoreUntil = "2026-09-19T00:00:00Z"

@@ -50,7 +50,7 @@
     "prepare": "husky 2>/dev/null || true"
   },
   "dependencies": {
-    "@anthropic-ai/sdk": "0.102.0",
+    "@anthropic-ai/sdk": "0.104.1",
     "@casl/ability": "7.0.0",
     "@elysiajs/cors": "1.4.2",
     "@elysiajs/jwt": "1.4.2",
@@ -73,7 +73,7 @@
     "fs-extra": "11.3.5",
     "handlebars": "4.7.9",
     "ioredis": "5.10.1",
-    "nodemailer": "8.0.10",
+    "nodemailer": "9.0.1",
     "openai": "6.42.0",
     "otpauth": "9.5.1",
     "pg": "8.21.0",
@@ -116,21 +116,21 @@
     "eslint-plugin-prettier": "5.5.6",
     "eslint-plugin-promise": "7.3.0",
     "eslint-plugin-sonarjs": "4.0.3",
-    "eslint-plugin-unicorn": "65.0.0",
+    "eslint-plugin-unicorn": "65.0.1",
     "globals": "17.6.0",
     "husky": "9.1.7",
     "knip": "6.14.2",
-    "prettier": "3.8.3",
+    "prettier": "3.8.4",
     "typescript": "6.0.3",
-    "typescript-eslint": "8.60.1"
+    "typescript-eslint": "8.61.0"
   },
   "//overrides": {
     "_": "Why these transitive deps are pinned. Keep each entry in sync with the matching `overrides` key — enforced by the package-override-parity lint-meta rule.",
     "@typescript-eslint/utils": "Single @typescript-eslint/utils resolution across the workspace so the shared @boring-stack-pkg ESLint plugins all load the same utils version. The UI and docs apps mirror this exact pin; a mismatch makes the custom plugins resolve divergent utils copies and fail to load.",
     "form-data": "Pin patched form-data (GHSA-hmw2-7cc7-3qxx CRLF injection via unescaped multipart field names); 4.0.5 is vulnerable, 4.0.6 patches it. Pulled in transitively via @sendgrid/mail -> @sendgrid/client -> axios. Excluded from the install quarantine while <7 days old."
   },
   "overrides": {
-    "@typescript-eslint/utils": "8.60.1",
+    "@typescript-eslint/utils": "8.61.0",
     "form-data": "4.0.6"
   }
 }
@@ -90,16 +90,6 @@ id = "GHSA-58qx-3vcg-4xpx"
 ignoreUntil = "2026-11-22T00:00:00Z"
 reason = "ws@8.18.0 via miniflare/wrangler dev tooling only. Static Cloudflare Pages output has no WebSocket server runtime. Override pending upstream miniflare bump."
 
-[[IgnoredVulns]]
-id = "GHSA-2pvr-wf23-7pc7"
-ignoreUntil = "2026-09-19T00:00:00Z"
-reason = "astro advisory; fixed in 6.4.6. Static-site build only — no Astro SSR/dev runtime ships to Cloudflare Pages. Awaiting an in-semver bump that keeps the @astrojs/markdown-remark pin valid."
-
-[[IgnoredVulns]]
-id = "GHSA-jrpj-wcv7-9fh9"
-ignoreUntil = "2026-09-19T00:00:00Z"
-reason = "astro advisory; fixed in 6.4.6. Same scope as above — static output has no runtime Astro surface."
-
 [[IgnoredVulns]]
 id = "GHSA-cmwh-pvxp-8882"
 ignoreUntil = "2026-09-19T00:00:00Z"

@@ -36,7 +36,7 @@
     "@astrojs/sitemap": "3.7.3",
     "@astrojs/starlight": "0.39.3",
     "@tailwindcss/vite": "4.3.0",
-    "astro": "6.4.4",
+    "astro": "6.4.6",
     "astro-mermaid": "2.0.1",
     "clsx": "2.1.1",
     "mermaid": "11.15.0",
@@ -64,7 +64,7 @@
     "undici": "Pin patched undici (GHSA-vmh5-mc38-953g TLS cert-validation bypass, GHSA-pr7r-676h-xcf6); 7.28.0 patches it. Build-time tooling only (wrangler/astro fetches). Mirrors the UI app pin. Excluded from the install quarantine while <7 days old.",
     "@types/react": "Match the UI app's @types/react pin so React types resolve identically across apps (@astrojs/react pulls them transitively here).",
     "@types/react-dom": "Match the UI app's @types/react-dom pin for the same cross-app type parity.",
-    "@astrojs/markdown-remark": "Pin to astro 6.4.4's exact dependency. Starlight depends on the 7.1.x range transitively, but only 7.2.0 exposes the `unified` subpath export that astro 6.4.4's prerender runtime imports; without this the hoisted 7.1.x copy shadows astro's nested 7.2.0 and `astro build` fails. Re-evaluate when Starlight requires >=7.2.0."
+    "@astrojs/markdown-remark": "Pin to astro 6.4.6's exact dependency. Starlight depends on the 7.1.x range transitively, but only 7.2.0 exposes the `unified` subpath export that astro 6.4.6's prerender runtime imports; without this the hoisted 7.1.x copy shadows astro's nested 7.2.0 and `astro build` fails. Re-evaluate when Starlight requires >=7.2.0."
   },
   "overrides": {
     "@astrojs/markdown-remark": "7.2.0",