# Security Audit Log

## Dependency Vulnerabilities Assessment

Last Updated: 2026-02-16

## Current Status

### Moderate Severity Issues (Dev Dependencies Only)

Packages: `lodash`, `chevrotain`, `hono`
Source: Prisma dev tooling (`@prisma/dev`)
Severity: Moderate
Risk Level: LOW (Development dependencies, not exposed to production)
Details:
- Lodash: Prototype Pollution in `_.unset` and `_.omit`
- Chevrotain: Transitive dependency via Prisma
- Hono: Multiple vulnerabilities (XSS, cache control bypass, IP validation)
- These packages are NOT included in the production build
- Used only by the Prisma CLI for migrations and code generation
- Production runtime uses `@prisma/client` (no vulnerabilities)
- Development environments are not exposed to external traffic
- ✅ Verified vulnerabilities are dev-only
- ✅ Documented in security audit log
- 🔄 Monitor for Prisma updates that resolve transitive dependencies
- 🔄 Schedule monthly dependency audits
### Widget Dependencies

Status: ✅ No vulnerabilities detected
Last Audit: 2026-02-16

## Continuous Monitoring
### Automated Checks
- Set up GitHub Dependabot alerts
- Configure automated security scanning in CI/CD
- Enable npm audit in pre-commit hooks
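One way to back the "verified dev-only" finding above and to make the pre-commit `npm audit` check fail only on what actually ships, as an added example that is not code from this log, from Prisma or from npm: it compares a full `npm audit --json` report with an `npm audit --omit=dev --json` report, blocks only on production-reaching findings, and renders the Version History row. The two sample reports are constructed, and the function names are assumptions.

```javascript
// Added example for this audit log (not the page's or Prisma's own code). Assumes the
// npm >= 7 `npm audit --json` shape: { vulnerabilities: { <name>: { severity, ... } } }.
// In a pre-commit hook or CI job (npm 8+), produce the two inputs with
//   npm audit --json > full.json || true ; npm audit --omit=dev --json > prod.json || true
// (`|| true` because npm audit exits non-zero whenever it reports anything).
const SEVERITIES = ["critical", "high", "moderate", "low"];
// Constructed sample reports modelled on the findings recorded above.
const fullAudit = {
  vulnerabilities: {
    lodash: { name: "lodash", severity: "moderate", isDirect: false, fixAvailable: true },
    chevrotain: { name: "chevrotain", severity: "moderate", isDirect: false, fixAvailable: false },
    hono: { name: "hono", severity: "moderate", isDirect: false, fixAvailable: true },
  },
};
const prodAudit = { vulnerabilities: {} }; // --omit=dev run: nothing reaches production

// Findings still present when dev dependencies are omitted ship to production;
// findings that disappear are dev-only.
function classify(full, prod) {
  const shipped = new Set(Object.keys(prod.vulnerabilities || {}));
  const devOnly = [], production = [];
  for (const v of Object.values(full.vulnerabilities || {})) {
    (shipped.has(v.name) ? production : devOnly).push(v);
  }
  return { devOnly, production };
}
function countBySeverity(findings) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const f of findings) if (f.severity in counts) counts[f.severity] += 1;
  return counts;
}

// Hook gate: block only production-reaching findings at or above `threshold`;
// dev-only findings are listed but never fail the commit, matching the LOW rating above.
function gate(full, prod, threshold = "moderate") {
  const limit = SEVERITIES.indexOf(threshold);
  const blocking = classify(full, prod).production.filter((f) => {
    const rank = SEVERITIES.indexOf(f.severity);
    return rank !== -1 && rank <= limit;
  });
  return { ok: blocking.length === 0, blocking };
}
// Row for the Version History table, marking how many of each count are dev-only.
function historyRow(date, auditor, full, prod) {
  const { devOnly, production } = classify(full, prod);
  const dev = countBySeverity(devOnly), shipped = countBySeverity(production);
  const cell = (s) => `${dev[s] + shipped[s]}${dev[s] ? ` (${dev[s]} dev)` : ""}`;
  return `| ${date} | ${auditor} | ${SEVERITIES.map(cell).join(" | ")} |`;
}
```

In the hook, read the two saved JSON files, call `gate(full, prod)` and exit non-zero when `ok` is false; `historyRow` gives the line to append to the table below.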
### Manual Review Schedule

- Monthly: Full `npm audit` review
- Quarterly: Update all dependencies to latest stable versions
- Annually: External security audit
## Version History

| Date | Auditor | Critical | High | Moderate | Low |
|---|---|---|---|---|---|
| 2026-02-16 | System | 0 | 0 | 8 (dev) | 0 |