# Dependency Audit Log

Tracks monthly dependency updates per MAINT-01.

---

## 2026-03-11 — Initial Audit

### npm (neode-ui)

**Updated packages** (semver-compatible):

- `@types/node`: 24.10.9 → 24.12.0
- `@vitejs/plugin-vue`: 6.0.3 → 6.0.4
- `autoprefixer`: 10.4.23 → 10.4.27
- `postcss`: 8.5.6 → 8.5.8
- `vue`: 3.5.27 → 3.5.30
- `vue-tsc`: 3.2.3 → 3.2.5
- Net result: added 35 packages, removed 53, changed 63 (overall reduction)

**Audit results after update**: 4 high-severity vulnerabilities remaining

- All in `serialize-javascript` ≤7.0.2 (RCE via RegExp.flags)
- Dependency chain: `serialize-javascript` → `@rollup/plugin-terser` → `workbox-build` → `vite-plugin-pwa`
- **Risk**: Low — dev-only dependency, not shipped to users, not exploitable at build time
- **Action**: Monitor for `vite-plugin-pwa` update that pulls `serialize-javascript` ≥7.0.3

**Major versions available (not upgraded — breaking changes)**:

- `@types/node`: 25.x (Node 22+ types — we target Node 20)
- `@vitest/coverage-v8`: 4.x (needs vitest 4.x)
- `express`: 5.x (dev mock server only)
- `jsdom`: 28.x (test env only)
- `tailwindcss`: 4.x (major migration — defer to v1.1)
- `vitest`: 4.x (defer — 3.x working well)
- `vue-router`: 5.x (major migration — defer to v1.1)

### Cargo (core/)

**Status**: Deferred — `cargo update` must run on Linux dev server (not macOS). Will be run during next deploy cycle.

### Test results

- Type-check: 0 errors
- Build: success (2.67s)
- Tests: 515/515 pass (6.83s)
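
The **Risk** and **Action** items for `serialize-javascript` in the npm section can be re-checked from the lockfile on each monthly run. The script below is an added example, not part of the neode-ui code base; it assumes a `package-lock.json` with lockfileVersion 2 or 3, and the sample lockfile, the file name `check-lock.js` and the package names `example-runtime` and `other-dev-tool` are constructed.

```javascript
// Added example: find every serialize-javascript copy in an npm lockfile and
// flag those below 7.0.3, the fixed floor named in the audit entry.
const FIXED = [7, 0, 3];

// Parse "major.minor.patch"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

function atLeast(v, min) {
  for (let i = 0; i < 3; i++) if (v[i] !== min[i]) return v[i] > min[i];
  return true;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3 carries "packages").
function findCopies(lock, name = "serialize-javascript") {
  const tail = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === tail || p.endsWith("/" + tail))
    .map(([p, meta]) => {
      const v = parseVersion(meta.version);
      // npm sets dev: true only when the package is reachable solely via devDependencies.
      return { path: p, version: meta.version, devOnly: meta.dev === true,
               fixed: v !== null && atLeast(v, FIXED) };
    });
}

// vulnerable: still below the floor. shipped: vulnerable and not dev-only,
// which would contradict the "dev-only" basis of the Low risk rating.
function summarize(copies) {
  const bad = copies.filter((c) => !c.fixed);
  return { vulnerable: bad.map((c) => c.path),
           shipped: bad.filter((c) => !c.devOnly).map((c) => c.path) };
}

// Constructed sample lockfile; the two parent package names are hypothetical.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/serialize-javascript": { version: "6.0.2", dev: true },
  "node_modules/example-runtime/node_modules/serialize-javascript": { version: "7.0.2" },
  "node_modules/other-dev-tool/node_modules/serialize-javascript": { version: "7.0.3", dev: true },
} };

// Usage: node check-lock.js package-lock.json (no argument runs the sample).
const show = (lock) => console.log(JSON.stringify(summarize(findCopies(lock)), null, 2));
if (process.argv[2]) {
  import("node:fs").then((fs) => show(JSON.parse(fs.readFileSync(process.argv[2], "utf8"))));
} else {
  show(SAMPLE_LOCK);
}
```

An empty `vulnerable` list means the monitored update has landed; a non-empty `shipped` list means the Low rating needs to be revisited.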