
chore: fix security vulnerabilities found by yarn audit #1121

Merged
brendan-kellam merged 2 commits into main from brendan/fix-audit-vulnerabilities
Apr 15, 2026

Conversation


@brendan-kellam brendan-kellam commented Apr 15, 2026

Summary

  • Upgrades direct dependencies (nodemailer, posthog-js, @posthog/ai) to resolve known security vulnerabilities
  • Adds scoped resolutions for transitive dependency vulnerabilities (next, hono, @hono/node-server, langsmith, markdown-it, yaml, ajv, smol-toml, teeny-request)
  • Adds audit script to root package.json with --no-deprecations flag for clean security-only auditing

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Updated dependencies (mail, protocol, analytics, and others) to newer stable versions.
    • Added an automated dependency audit command for improved security monitoring.
    • Pinned multiple transitive dependencies to ensure compatibility across the project.
  • Documentation

    • Expanded unreleased notes to cover JavaScript dependency remediation and running yarn audit to address security findings.

Resolves all security vulnerabilities reported by yarn audit:

Direct dependency upgrades:
- nodemailer: ^7.0.11 → ^8.0.5 (SMTP command injection)
- posthog-js: ^1.345.5 → ^1.369.0 (dompurify XSS/prototype pollution)
- @posthog/ai: ^7.8.10 → ^7.15.0 (langsmith prototype pollution)

Resolutions for transitive dependencies:
- next via @react-email/preview-server (DoS with Server Components)
- hono + @hono/node-server via @modelcontextprotocol/sdk (cookie, path traversal, middleware bypass)
- langsmith via @langchain/core (prototype pollution)
- markdown-it via codemirror-json-schema (ReDoS)
- yaml via codemirror-json-schema + openapi3-ts (stack overflow)
- ajv via @eslint/eslintrc (ReDoS)
- smol-toml via @react-grab/cli (DoS)
- teeny-request via retry-request (incorrect control flow in @tootallnate/once)

Also adds `audit` script to root package.json with --no-deprecations flag.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
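The scoped `resolutions` mechanism this PR relies on, shown as an added illustration rather than the repository's own `package.json`: in Yarn Berry a `resolutions` key of the form `"parent/child"` pins `child` only where `parent` depends on it, a bare key such as `"markdown-it"` pins every occurrence, and a descriptor key such as `"ajv@^6"` pins only the ajv ranges that match `^6`. The direct-dependency ranges, the resolution keys and the audit command are the ones the PR lists; the version values for the transitive pins are placeholders, because the PR description does not state them.

```json
{
  "scripts": {
    "audit": "yarn npm audit --all --recursive --no-deprecations"
  },
  "resolutions": {
    "@react-email/preview-server/next": "<placeholder: patched next version>",
    "@modelcontextprotocol/sdk/hono": "<placeholder: patched hono version>",
    "@modelcontextprotocol/sdk/@hono/node-server": "<placeholder: patched @hono/node-server version>",
    "langsmith": "<placeholder: patched langsmith version>",
    "markdown-it": "<placeholder: patched markdown-it version>",
    "yaml": "<placeholder: patched yaml version>",
    "ajv@^6": "<placeholder: patched ajv 6.x version>",
    "smol-toml": "<placeholder: patched smol-toml version>",
    "teeny-request": "<placeholder: patched teeny-request version>"
  }
}
```

The direct upgrades named in the description (`nodemailer` to `^8.0.5`, `posthog-js` to `^1.369.0`, `@posthog/ai` to `^7.15.0`) live in `packages/web/package.json` and are ordinary dependency bumps; `resolutions` is only needed for packages the project does not depend on directly. Scoping a pin to the parent that pulls it in keeps the override from silently changing what unrelated packages receive, and re-running `yarn audit` after `yarn install` confirms that the pinned versions actually clear the reported advisories.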


coderabbitai bot commented Apr 15, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 77785511-f2bd-4c5c-a444-845849784ccb

📥 Commits

Reviewing files that changed from the base of the PR and between 55b607a and 4dd5610.

📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

Adds a root audit script and multiple yarn resolutions entries to pin transitive dependencies; bumps four direct dependencies in packages/web/package.json; updates CHANGELOG to include JS dependency remediation and PR reference.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Root package config (`package.json`) | Added `"scripts.audit": "yarn npm audit --all --recursive --no-deprecations"` and appended multiple resolutions entries to pin transitive packages (e.g., `@react-email/preview-server/next`, `@modelcontextprotocol/sdk/*`, `langsmith`, `markdown-it`, `yaml`, `ajv@^6`, `smol-toml`, `teeny-request`). |
| Web package dependencies (`packages/web/package.json`) | Bumped direct dependencies: `@modelcontextprotocol/sdk` ^1.27.1 → ^1.29.0, `@posthog/ai` ^7.8.10 → ^7.15.0, `nodemailer` ^7.0.11 → ^8.0.5, `posthog-js` ^1.345.5 → ^1.369.0. |
| Changelog (`CHANGELOG.md`) | Expanded Unreleased → Fixed entry to include JS dependency remediation and added PR reference #1121. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • msukkari
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and accurately describes the main objective of the PR: fixing security vulnerabilities found by yarn audit, which is confirmed by the file changes (dependency upgrades and audit script addition) and PR description. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@brendan-kellam brendan-kellam merged commit 35db5c2 into main Apr 15, 2026
7 of 8 checks passed
@brendan-kellam brendan-kellam deleted the brendan/fix-audit-vulnerabilities branch April 15, 2026 04:31

github-actions bot commented Apr 15, 2026

License Audit

⚠️ Status: PASS

| Metric | Count |
|---|---|
| Total packages | 2057 |
| Resolved (non-standard) | 20 |
| Unresolved | 0 |
| Strong copyleft | 0 |
| Weak copyleft | 31 |

Weak Copyleft Packages (informational)

| Package | Version | License |
|---|---|---|
| @img/sharp-libvips-darwin-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.0.5 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-ppc64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-riscv64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.2.4 | LGPL-3.0-or-later |
| axe-core | 4.10.3 | MPL-2.0 |
| lightningcss | 1.32.0 | MPL-2.0 |
| lightningcss-android-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-freebsd-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm-gnueabihf | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-win32-arm64-msvc | 1.32.0 | MPL-2.0 |
| lightningcss-win32-x64-msvc | 1.32.0 | MPL-2.0 |
Resolved Packages (20)
| Package | Version | Original | Resolved | Source |
|---|---|---|---|---|
| @react-grab/cli | 0.1.23 | UNKNOWN | MIT | GitHub repo aidenybai/react-grab — root LICENSE file confirms MIT; individual package.json omits license field but inherits repo-level MIT |
| @react-grab/cli | 0.1.29 | UNKNOWN | MIT | GitHub repo aidenybai/react-grab — root LICENSE file confirms MIT; individual package.json omits license field but inherits repo-level MIT |
| @react-grab/mcp | 0.1.29 | UNKNOWN | MIT | GitHub repo aidenybai/react-grab — root LICENSE file confirms MIT; packages/mcp/package.json confirmed to be part of same monorepo |
| @sentry/cli | 2.58.5 | FSL-1.1-MIT | FSL-1.1-MIT | npm registry — FSL-1.1-MIT is a valid SPDX identifier (Functional Source License v1.1 with MIT future grant); confirmed via getsentry/sentry-cli GitHub repo. Note: this is a source-available license, not OSI-approved open source. |
| @sentry/cli-darwin | 2.58.5 | FSL-1.1-MIT | FSL-1.1-MIT | npm registry — valid SPDX identifier; same license as @sentry/cli (getsentry/sentry-cli repo). Source-available, not OSI-approved open source. |
| @sentry/cli-linux-arm | 2.58.5 | FSL-1.1-MIT | FSL-1.1-MIT | npm registry — valid SPDX identifier; same license as @sentry/cli (getsentry/sentry-cli repo). Source-available, not OSI-approved open source. |
| @sentry/cli-linux-arm64 | 2.58.5 | FSL-1.1-MIT | FSL-1.1-MIT | npm registry — valid SPDX identifier; same license as @sentry/cli (getsentry/sentry-cli repo). Source-available, not OSI-approved open source. |
| @sentry/cli-linux-i686 | 2.58.5 | FSL-1.1-MIT | FSL-1.1-MIT | npm registry — valid SPDX identifier; same license as @sentry/cli (getsentry/sentry-cli repo). Source-available, not OSI-approved open source. |
| @sentry/cli-linux-x64 | 2.58.5 | FSL-1.1-MIT | FSL-1.1-MIT | npm registry — valid SPDX identifier; same license as @sentry/cli (getsentry/sentry-cli repo). Source-available, not OSI-approved open source. |
| @sentry/cli-win32-arm64 | 2.58.5 | FSL-1.1-MIT | FSL-1.1-MIT | npm registry — valid SPDX identifier; same license as @sentry/cli (getsentry/sentry-cli repo). Source-available, not OSI-approved open source. |
| @sentry/cli-win32-i686 | 2.58.5 | FSL-1.1-MIT | FSL-1.1-MIT | npm registry — valid SPDX identifier; same license as @sentry/cli (getsentry/sentry-cli repo). Source-available, not OSI-approved open source. |
| @sentry/cli-win32-x64 | 2.58.5 | FSL-1.1-MIT | FSL-1.1-MIT | npm registry — valid SPDX identifier; same license as @sentry/cli (getsentry/sentry-cli repo). Source-available, not OSI-approved open source. |
| codemirror-lang-elixir | 4.0.0 | UNKNOWN | Apache-2.0 | GitHub repo livebook-dev/codemirror-lang-elixir — LICENSE file contains Apache License Version 2.0 |
| element-source | 0.0.3 | UNKNOWN | MIT | GitHub repo aidenybai/element-source — LICENSE file contains MIT License (maintainer email aiden.bai05@gmail.com matches Aiden Bai / aidenybai GitHub account) |
| json-schema | 0.4.0 | (AFL-2.1 OR BSD-3-Clause) | AFL-2.1 OR BSD-3-Clause | npm registry — parenthesised compound SPDX expression; both AFL-2.1 (Academic Free License 2.1) and BSD-3-Clause are valid SPDX identifiers. This is a standard dual-license offering. |
| lezer-elixir | 1.1.2 | UNKNOWN | Apache-2.0 | GitHub repo livebook-dev/lezer-elixir — LICENSE file contains Apache License Version 2.0 |
| map-stream | 0.1.0 | UNKNOWN | MIT | GitHub repo dominictarr/map-stream — LICENCE file contains MIT License |
| memorystream | 0.3.1 | `{"type":"MIT","url":"http://github.com/JSBizon/node-memorystream/raw/master/LICENSE"}` | MIT | Extracted from object license field — type field is MIT; confirmed by npm registry manifest returning license object with type=MIT |
| posthog-js | 1.369.0 | SEE LICENSE IN LICENSE | Apache-2.0 | GitHub repo PostHog/posthog-js — LICENSE file is Apache License Version 2.0 (primary governing license; some third-party components are MIT) |
| valid-url | 1.0.9 | UNKNOWN | MIT | GitHub repo ogt/valid-url — LICENSE file contains MIT License |
