Conversation

Contributor

Copilot AI commented Jan 28, 2026

Summary

Eliminated all npm security vulnerabilities (14 → 0) using audit fixes and dependency overrides. No breaking changes. Also clarified the status of 2 previously tracked development-only vulnerabilities that were resolved separately.

What changed

  • Applied npm audit fix for direct dependency updates (diff, tar, undici, next)
  • Added npm overrides for transitive vulnerabilities in Prisma's dev dependencies:
    ```jsonc
    "overrides": {
      "hono": "^4.11.7",    // fixes 3 CVEs: cache bypass, IP spoofing, path traversal
      "lodash": "^4.17.23"  // fixes prototype pollution
    }
    ```
  • Fixed lint:security script to remove non-existent .eslintrc.json reference
  • Updated vulnerability tracking documentation with clarification about previously tracked vulnerabilities (cross-zip and esbuild)

Vulnerabilities resolved in this PR:

  • High (2): tar file overwrite/symlink poisoning
  • Moderate (11): hono middleware/validation issues, lodash prototype pollution, undici decompression chain, next.js DoS
  • Low (1): diff DoS

Previously tracked vulnerabilities (not part of the 14):

Testing

  • npm ci succeeds with 0 vulnerabilities
  • npm audit reports clean
  • Dependency overrides verified in lockfile
  • Documentation updated to clarify all vulnerability resolutions

Security/Compliance

  • No secrets committed
  • Logging avoids PHI (unless PHI_ENABLED + private endpoints + KV configured)

Screenshots

N/A - dependency updates only


Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
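One way to perform the "dependency overrides verified in lockfile" check from the testing list, as an added example that is not part of this PR: it walks the `packages` map of a package-lock.json and flags any installed copy of an overridden package whose version falls below the caret range declared in `overrides`. The lockfile content below is constructed for illustration; the `findOverrideViolations` and `satisfiesCaret` helpers are hypothetical names, not npm API.

```javascript
// Added example, not from the PR. Verifies that every copy of an overridden
// package in a package-lock.json satisfies the caret range in "overrides".

const OVERRIDES = { hono: "^4.11.7", lodash: "^4.17.23" }; // ranges from the PR

// Constructed sample of a lockfile v2/v3 "packages" map (install path -> metadata).
// The nested lodash under prisma deliberately keeps the old, vulnerable version.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/hono": { version: "4.11.7", dev: true },
    "node_modules/lodash": { version: "4.17.23", dev: true },
    "node_modules/prisma/node_modules/lodash": { version: "4.17.21", dev: true },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Caret semantics for floors >= 1.0.0: same major, and not below the floor.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const [maj, min, pat] = parseVersion(version);
  const [fMaj, fMin, fPat] = parseVersion(range.slice(1));
  if (maj !== fMaj) return false;
  if (min !== fMin) return min > fMin;
  return pat >= fPat;
}

// Returns every lockfile entry whose installed version violates an override.
// An empty array means the overrides took effect for all nested copies.
function findOverrideViolations(lock, overrides) {
  const violations = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const name = path.split("node_modules/").pop(); // last segment is the package name
    if (!(name in overrides) || !meta.version) continue;
    if (!satisfiesCaret(meta.version, overrides[name])) {
      violations.push({ path, version: meta.version, expected: overrides[name] });
    }
  }
  return violations;
}
```

Against a real project, pass `JSON.parse` of package-lock.json and the `overrides` object from package.json; a non-empty result means a nested copy escaped the override and `npm audit` will keep reporting it.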
Copilot AI changed the title [WIP] Fix security vulnerabilities in the repository Resolve all 14 npm security vulnerabilities Jan 28, 2026
Copilot AI requested a review from aurelianware January 28, 2026 11:49
@aurelianware aurelianware marked this pull request as ready for review January 28, 2026 12:08
Copilot AI review requested due to automatic review settings January 28, 2026 12:08
Contributor

Copilot AI left a comment

Pull request overview

This PR resolves all 14 npm security vulnerabilities by applying automated fixes and strategic dependency overrides, bringing the project to zero known vulnerabilities.

Changes:

  • Applied npm audit fix to update direct dependencies (diff, tar, undici via @azure/functions, next.js)
  • Added npm overrides for transitive Prisma dev dependencies (hono ^4.11.7, lodash ^4.17.23)
  • Fixed lint:security script to remove reference to non-existent .eslintrc.json file
  • Updated vulnerability tracking documentation to reflect zero vulnerabilities status

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| package.json | Added npm overrides for hono and lodash; fixed lint:security script to match lint script |
| package-lock.json | Updated dependency versions: diff (4.0.2→4.0.4), tar (6.2.1→7.5.7), next.js (16.1.4→16.1.6), @azure/functions (4.10.0→4.11.0, removed undici), hono (4.11.4→4.11.7), lodash (4.17.21→4.17.23); removed outdated nested dependencies |
| VULNERABILITY_ASSESSMENT.md | Updated to document zero vulnerabilities status, listed all 8 vulnerability types resolved, added security verification commands and monitoring procedures |
| SECURITY.md | Added security posture section confirming zero vulnerabilities, updated last review date and next review date |
| .npm-audit-known-issues.json | Cleared all tracked advisories and updated metadata to reflect zero vulnerabilities status |

"status": "No known vulnerabilities",
"notes": [
"All security vulnerabilities have been resolved as of 2026-01-28",
"Fixed using npm overrides for transitive dependencies (hono, lodash)",

Copilot AI Jan 28, 2026

The .npm-audit-known-issues.json file previously tracked 2 known development vulnerabilities (cross-zip GHSA-gj5f-73vh-wpf7 and esbuild GHSA-67mh-4wv8-2f99) and is now being cleared to show zero vulnerabilities. However, the PR description focuses on resolving 14 npm security vulnerabilities without explicitly mentioning whether these 2 previously-tracked issues were included in that count or resolved separately. Consider clarifying in the PR description or documentation whether:

  1. The cross-zip and esbuild vulnerabilities were part of the 14 resolved, or
  2. They were resolved separately (cross-zip removed with Electron dependencies, esbuild fixed via Vite 7 upgrade), or
  3. They are genuinely no longer present/relevant

This would provide complete transparency about what security issues have been addressed in this PR.

Suggested change
"Fixed using npm overrides for transitive dependencies (hono, lodash)",
"Fixed using npm overrides for transitive dependencies (hono, lodash)",
"Previously tracked development-only vulnerabilities: cross-zip (GHSA-gj5f-73vh-wpf7) and esbuild (GHSA-67mh-4wv8-2f99)",
"cross-zip (GHSA-gj5f-73vh-wpf7) is no longer present because Electron-related dependencies that required it were removed from this project",
"esbuild (GHSA-67mh-4wv8-2f99) was resolved by upgrading the build tooling to Vite 7, which removed/updated the vulnerable esbuild version",
"These previously tracked vulnerabilities are therefore no longer present or relevant in the current dependency graph and are not counted toward the 14 npm vulnerabilities resolved in this PR",

Contributor Author

Updated the documentation to clarify the status of previously tracked vulnerabilities. Both cross-zip and esbuild are no longer present in the dependency tree and were not part of the 14 vulnerabilities resolved in this PR. See commit 4c83dcc.

@aurelianware
Owner

@copilot apply changes based on the comments in this thread

…tion

Co-authored-by: aurelianware <194855645+aurelianware@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 28, 2026

@copilot apply changes based on the comments in this thread

Applied the suggested changes to clarify what happened to the previously tracked vulnerabilities (cross-zip and esbuild). Updated .npm-audit-known-issues.json to document that these were resolved separately from the 14 vulnerabilities fixed in this PR. See commit 4c83dcc.

@aurelianware aurelianware merged commit 53d8f6b into main Jan 28, 2026
0 of 6 checks passed
@aurelianware aurelianware deleted the copilot/fix-security-vulnerabilities branch January 28, 2026 12:24