chore(deps): update dependencies and resolve all Dependabot security alerts (#1117)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: krusche

.github/workflows/pullrequest_linting.yml

@@ -23,7 +23,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+        uses: pnpm/action-setup@v6
         with:
           version: 11.4.0
       - name: Setup Node.js
@@ -44,7 +44,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+        uses: pnpm/action-setup@v6
         with:
           version: 11.4.0
       - name: Setup Node.js

.github/workflows/test.yml

@@ -20,7 +20,7 @@ jobs:
         steps:
         - uses: actions/checkout@v6
         - name: Setup pnpm
-          uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+          uses: pnpm/action-setup@v6
           with:
             version: 11.4.0
         - name: Setup Node.js

client/package.json

@@ -22,17 +22,17 @@
   "dependencies": {
     "@angular/animations": "21.2.17",
     "@angular/cdk": "21.2.14",
-    "@angular/common": "21.2.14",
-    "@angular/compiler": "21.2.14",
-    "@angular/core": "21.2.14",
+    "@angular/common": "21.2.17",
+    "@angular/compiler": "21.2.17",
+    "@angular/core": "21.2.17",
     "@angular/forms": "21.2.17",
     "@angular/platform-browser": "21.2.17",
     "@angular/platform-browser-dynamic": "21.2.17",
     "@angular/router": "21.2.17",
     "@hey-api/client-fetch": "0.13.1",
     "@primeng/themes": "21.0.4",
     "@sentry/angular": "10.59.0",
-    "@sentry/cli": "2.58.6",
+    "@sentry/cli": "3.5.1",
     "@tanstack/angular-query-experimental": "5.101.0",
     "angular-tabler-icons": "3.26.0",
     "canvas-confetti": "1.9.4",
@@ -75,7 +75,7 @@
     "tailwindcss": "3.4.19",
     "tailwindcss-primeui": "0.6.1",
     "typescript": "5.9.3",
-    "vite": "8.0.14",
+    "vite": "8.0.16",
     "vitest": "4.1.9"
   },
   "packageManager": "pnpm@11.8.0"

client/pnpm-lock.yaml

@@ -22,14 +22,40 @@ allowBuilds:
   lmdb: true
   msgpackr-extract: true
 
-# Force patched versions of transitive, dev-only dependencies flagged by
-# Dependabot. Both are pulled in solely via the Angular dev-server chain
-# (@angular-devkit/build-angular -> webpack-dev-server -> sockjs -> uuid):
-#  - webpack-dev-server <=5.2.3: cross-origin source exposure on non-HTTPS
-#    origins (GHSA fixed in 5.2.4). build-webpack requires ^5.0.2, so 5.2.4 fits.
-#  - uuid <11.1.1: missing buffer bounds check in v3/v5/v6 when `buf` is passed.
-#    sockjs only calls uuid.v4() with no buffer, so it isn't actually exploitable,
-#    but bumping clears the alert; v11 keeps the .v4 CJS export sockjs uses.
+# Force patched versions of transitive dependencies flagged by Dependabot.
+# All of these are pulled in solely through the build/dev toolchain (Angular
+# build + dev-server chain, vite, hey-api), never by application runtime code.
+# Each is pinned to the lowest release that clears the corresponding advisory
+# while staying within the consumer's major (so the build/test pipeline that
+# uses the esbuild `application` builder + Vitest is unaffected):
+#  - webpack-dev-server <5.2.4: cross-origin source exposure on non-HTTPS origins.
+#  - uuid <11.1.1: missing buffer bounds check; sockjs only calls uuid.v4().
+#  - undici 6.x <6.27.0 / 7.x <7.28.0: Set-Cookie/Host-header/SOCKS5/cache CVEs.
+#  - hono <4.12.25: CORS wildcard reflection + several adapter/path CVEs.
+#  - tar <7.5.16: PAX size-override parser differential (file smuggling).
+#  - piscina 5.0.0-5.1.4: prototype-pollution gadget -> RCE via options.filename.
+#  - http-proxy-middleware <3.0.7: CRLF field injection + Host-header routing
+#    bypass. The esbuild builder pulls 3.0.5; the unused webpack dev-server pulls
+#    2.0.9, so forcing 3.0.7 globally clears both (webpack serve is not used —
+#    the `application` builder serves via Vite).
+#  - launch-editor <2.14.1: NTLMv2 hash disclosure via UNC paths on Windows.
+#  - js-yaml <4.2.0: quadratic-complexity DoS in merge-key handling.
+#  - @babel/core <=7.29.0: arbitrary file read via sourceMappingURL comment.
+#  - esbuild 0.27.3-0.28.0: arbitrary file read via the dev server on Windows.
+#  - vite 7.x <7.3.5: `server.fs.deny` bypass + launch-editor UNC disclosure.
+#    The direct devDependency vite is 8.0.16 (used by Vitest); @angular/build
+#    pins its own vite 7.3.2, so the override is scoped to the 7.x line only.
 overrides:
-  webpack-dev-server: 5.2.4
+  webpack-dev-server: 5.2.5
   uuid: 14.0.0
+  undici@6: 6.27.0
+  undici@7: 7.28.0
+  hono: 4.12.26
+  tar: 7.5.16
+  piscina: 5.2.0
+  http-proxy-middleware: 3.0.7
+  launch-editor: 2.14.1
+  js-yaml: 4.2.0
+  '@babel/core': 7.29.7
+  esbuild: 0.28.1
+  vite@7: 7.3.5

client/pnpm-workspace.yaml

@@ -1,13 +1,13 @@
 alabaster==1.0.0
-certifi==2026.5.20
+certifi==2026.6.17
 docutils==0.21.2
 Jinja2==3.1.6
 requests==2.34.2
 sphinx-autobuild==2025.8.25
 sphinx-rtd-theme==3.1.0
 Sphinx==8.2.3
 sphinxcontrib-bibtex==2.7.0
-starlette==1.1.0
+starlette==1.3.1
 urllib3==2.7.0
-uvicorn==0.48.0
+uvicorn==0.49.0
 zipp==4.1.0

docs/requirements.txt

@@ -21,42 +21,42 @@
   "license": "MIT",
   "keywords": [],
   "dependencies": {
-    "@fortawesome/fontawesome-svg-core": "6.7.2",
-    "@fortawesome/free-brands-svg-icons": "6.7.2",
-    "@fortawesome/react-fontawesome": "0.2.6",
-    "@radix-ui/react-label": "2.1.8",
-    "@radix-ui/react-slot": "1.2.4",
+    "@fortawesome/fontawesome-svg-core": "7.2.0",
+    "@fortawesome/free-brands-svg-icons": "7.2.0",
+    "@fortawesome/react-fontawesome": "3.3.1",
+    "@radix-ui/react-label": "2.1.10",
+    "@radix-ui/react-slot": "1.3.0",
     "class-variance-authority": "0.7.1",
     "clsx": "2.1.1",
-    "keycloakify": "11.15.3",
-    "lucide-react": "0.577.0",
-    "react": "19.2.6",
-    "react-dom": "19.2.6",
+    "keycloakify": "11.15.9",
+    "lucide-react": "1.21.0",
+    "react": "19.2.7",
+    "react-dom": "19.2.7",
     "tailwind-merge": "2.6.1",
     "tailwindcss-animate": "1.0.7"
   },
   "devDependencies": {
-    "@storybook/react": "10.4.1",
-    "@storybook/react-vite": "10.4.1",
-    "@types/node": "24.12.4",
-    "@types/react": "19.2.15",
+    "@storybook/react": "10.4.6",
+    "@storybook/react-vite": "10.4.6",
+    "@types/node": "24.13.2",
+    "@types/react": "19.2.17",
     "@types/react-dom": "19.2.3",
-    "@typescript-eslint/eslint-plugin": "8.60.0",
-    "@typescript-eslint/parser": "8.60.0",
+    "@typescript-eslint/eslint-plugin": "8.61.1",
+    "@typescript-eslint/parser": "8.61.1",
     "@vitejs/plugin-react": "4.7.0",
     "autoprefixer": "10.5.0",
-    "eslint": "10.4.0",
-    "eslint-plugin-prettier": "5.5.5",
+    "eslint": "10.5.0",
+    "eslint-plugin-prettier": "5.5.6",
     "eslint-plugin-react-hooks": "7.1.1",
     "eslint-plugin-react-refresh": "0.5.2",
-    "eslint-plugin-storybook": "10.4.1",
+    "eslint-plugin-storybook": "10.4.6",
     "eslint-plugin-tss-unused-classes": "1.0.4",
     "postcss": "8.5.15",
-    "prettier": "3.8.3",
-    "storybook": "10.4.1",
+    "prettier": "3.8.4",
+    "storybook": "10.4.6",
     "tailwindcss": "3.4.19",
     "typescript": "5.9.3",
-    "vite": "8.0.14"
+    "vite": "8.0.16"
   },
   "engines": {
     "node": ">=24.0.0"