fix(web): resolve npm audit high-severity advisories

[kanywst]

Why

All open PRs were failing the audit/npm-vuln CI gate (npm audit --prefix web --omit=dev --audit-level=high). The failure is not PR-specific — it stems from high-severity advisories in main's web dependency tree:

• undici 7.0.0–7.27.2 (high) — TLS bypass, cache poisoning, header injection, etc.
• vite 7.0.0–7.3.3 (high) — server.fs.deny bypass, NTLMv2 hash disclosure
• plus moderate/low: js-yaml, dompurify, @babel/core

What

npm audit fix in web/ — transitive bumps only, lockfile-only change, package.json untouched.

Verification

• npm audit --omit=dev --audit-level=high → found 0 vulnerabilities
• npm run build → 102 pages built, Complete

Once merged to main, the dependabot PRs (#35–#39) will pass npm-vuln on rebase.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• web/package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 47618e76-1d28-474a-8739-c87aba9f711c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/web-npm-audit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request updates several npm dependencies in web/package-lock.json. Specifically, it bumps multiple @babel packages (such as @babel/core, @babel/traverse, and @babel/parser) to version 7.29.7, and updates other packages including vite, undici, dompurify, js-yaml, and browser-related mapping libraries like browserslist and caniuse-lite. Since there are no review comments provided, I have no additional feedback to offer.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.