chore(deps): npm audit fix in website (uuid, brace-expansion, next patch)#78

Merged
ascender1729 merged 1 commit into
mainfrom
fix/uuid-vuln-bounds-check
May 9, 2026
Conversation

@ascender1729
Member

Summary

Output of npm audit fix --legacy-peer-deps in website/:

Lockfile-only change. package.json untouched.

Remaining advisory (not fixed in this PR)

postcss < 8.5.10 bundled inside node_modules/next/node_modules/postcss. The only fix npm proposes is downgrading next to 9.3.3 (major break), which we are not applying. The XSS path requires CSS coming from untrusted user input, which is not present in our static-site build pipeline. Will re-evaluate when Next.js bumps its internal postcss pin or after we add a package.json overrides entry.

Test plan

  • CI green (pytest, lint, ruff, bandit, pip-audit, safety, CodeQL, Cloudflare Pages)
  • npm install --legacy-peer-deps from clean checkout produces same lockfile
  • npm run build succeeds against next 15.5.18

…tch)

Output of `npm audit fix --legacy-peer-deps`:
- uuid 11.1.0 -> 11.1.1 (fixes GHSA-w5hq-g745-h8pq buffer bounds check, dependabot alert #30)
- brace-expansion 5.0.3 -> 5.0.6 and 1.1.12 -> 1.1.14 (fixes GHSA-f886-m6hf-6m8v ReDoS via zero-step sequence)
- next 15.5.15 -> 15.5.18 (cascading patch bump, picked up automatically)

Lockfile-only change. package.json untouched.

Remaining open advisory: postcss <8.5.10 bundled inside node_modules/next/node_modules/postcss. The only fix npm proposes is downgrading next to 9.3.3 (major break) -- not applied. The XSS path requires CSS coming from untrusted user input, which is not present in our static site build pipeline. Will re-evaluate when Next.js bumps its internal postcss pin.
@coderabbitai

coderabbitai Bot commented May 9, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • website/package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4d49e937-acc3-44a6-b32f-11f4279c6e8e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key(s) in object: 'ignore'
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

@cloudflare-workers-and-pages

Deploying attestix with Cloudflare Pages

Latest commit: 14b53a9
Status: ✅  Deploy successful!
Preview URL: https://cf14ed0e.attestix.pages.dev
Branch Preview URL: https://fix-uuid-vuln-bounds-check.attestix.pages.dev


@ascender1729 ascender1729 merged commit ddd2ac4 into main May 9, 2026
19 checks passed
@ascender1729 ascender1729 deleted the fix/uuid-vuln-bounds-check branch May 9, 2026 07:54