Batch Dependabot Fixes & Security Workflow#110

Open
tmcneil-mdb wants to merge 3 commits into development from security/dependabot-batch-fixes

@tmcneil-mdb tmcneil-mdb commented May 7, 2026

Summary

Resolves all 11 open Dependabot security alerts (#52–#62) and adds per-framework audit workflows to catch vulnerabilities on future PRs.

Note: In hindsight, I should have made these separate PRs. This PR will fail because the Python fixes are in another PR.

Dependency Fixes

TanStack App (frameworks/javascript/tanstack/app/)

| Package | Before | After | Alerts Fixed |
|---|---|---|---|
| vite | 7.3.1 | 7.3.2 | #55 (High), #56 (High), #57 (Medium) |
| postcss (transitive via vite) | < 8.5.10 | 8.5.10 | #58 (Medium) |
| @tanstack/react-start | 1.167.12 | 1.167.65 | #52 (Low), #53 (Medium), #54 (Medium) — h3 vulnerability |
| @tanstack/react-router | 1.168.7 | 1.169.2 | — (version alignment) |
| @tanstack/router-plugin | 1.167.8 | 1.167.35 | — (version alignment) |
| @tanstack/react-router-devtools | 1.166.11 | 1.166.13 | — (version alignment) |

TanStack Bluehawk (frameworks/javascript/tanstack/)

| Package | Before | After | Alerts Fixed |
|---|---|---|---|
| lodash (transitive via chevrotain/bluehawk) | 4.17.21 | 4.18.1 (via npm override) | #59 (Medium), #60 (Medium), #61 (High) |

Python FastAPI (mflix/server/python-fastapi/)

| Package | Before | After | Alerts Fixed |
|---|---|---|---|
| python-multipart | 0.0.22 | 0.0.27 | #62 (High) |

New Audit Workflows

Added audit workflows that run on PRs when that framework's code changes.
These are separate from the test workflows: no DB setup, no heavy infrastructure, just lockfile scanning.

Files Added

  • .github/workflows/audit-tanstack.yml — Runs npm audit --json on both the app and
    bluehawk lockfiles. Fails on high/critical vulnerabilities.
  • .github/workflows/audit-python-fastapi.yml — Runs pip-audit --format json on
    requirements.txt. Fails on any vulnerability.
  • .github/scripts/generate-audit-summary-npm.sh — Parses npm audit JSON and writes a
    formatted markdown summary to $GITHUB_STEP_SUMMARY.
  • .github/scripts/generate-audit-summary-pip.sh — Parses pip-audit JSON and writes a
    formatted markdown summary to $GITHUB_STEP_SUMMARY.

How the workflows work

  1. Run the audit tool → capture JSON output
  2. Call the summary script → render a markdown table in the PR check summary
  3. Check severity → fail the workflow if thresholds are exceeded

How to Test

Dependency fixes

# TanStack app
cd frameworks/javascript/tanstack/app
npm install
npm run dev          # should start without errors
npm audit            # should show 0 vulnerabilities

# TanStack bluehawk
cd frameworks/javascript/tanstack
npm install
npm audit            # should show 0 vulnerabilities

# Python FastAPI
cd mflix/server/python-fastapi
source .venv/bin/activate
uvicorn main:app --reload --port 3001   # should start, /docs should load


# Fake the GitHub Actions environment variable
export GITHUB_STEP_SUMMARY=$(mktemp)

# Generate npm audit JSON and test the summary
cd frameworks/javascript/tanstack/app
npm audit --json > /tmp/audit-test.json
../../.github/scripts/generate-audit-summary-npm.sh /tmp/audit-test.json "TanStack App"
cat "$GITHUB_STEP_SUMMARY"

# Generate pip-audit JSON and test the summary
export GITHUB_STEP_SUMMARY=$(mktemp)
cd mflix/server/python-fastapi
pip-audit -r requirements.txt --format json -o /tmp/audit-pip-test.json
../../.github/scripts/generate-audit-summary-pip.sh /tmp/audit-pip-test.json "Python FastAPI"
cat "$GITHUB_STEP_SUMMARY"

Known Limitations

  • pip-audit catches CVEs that Dependabot currently misses (different vulnerability databases). There are 5 additional Python CVEs that will be addressed in a follow-up PR.
  • Audit workflows use --audit-level=high for npm (moderate/low won't block). pip-audit blocks on any vulnerability.
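The three-step flow described under "How the workflows work" (run the audit tool, render a summary into $GITHUB_STEP_SUMMARY, gate on severity), as an added Python example; it is not the PR's generate-audit-summary-npm.sh / generate-audit-summary-pip.sh scripts and does not reproduce them. It reads the `npm audit --json` (auditReportVersion 2) and `pip-audit --format json` shapes, appends a markdown table to the step summary, and returns a non-zero status when the configured level is met, with pip-audit findings always failing because pip-audit reports no severity. The embedded audit JSON is constructed sample data, and every function name is this example's own.

```python
"""Render npm audit / pip-audit JSON into a GitHub step summary and enforce a severity gate.

Added example, not the PR's generate-audit-summary-*.sh scripts. Function names are this
example's own; the audit JSON below is constructed sample data, not real audit output.
"""
import json
import os
import sys
import tempfile

# npm's severity names, ranked for an --audit-level style threshold check.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
SAMPLE_NPM_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "vite": {
            "name": "vite", "severity": "high", "isDirect": True, "range": "<7.3.2",
            "via": [{"title": "constructed advisory", "url": "https://example.invalid/adv/1"}],
            "fixAvailable": {"name": "vite", "version": "7.3.2", "isSemVerMajor": False},
        },
        "postcss": {
            "name": "postcss", "severity": "moderate", "isDirect": False, "range": "<8.5.10",
            "via": ["vite"], "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1,
                                     "critical": 0, "total": 2}},
})

# Constructed sample in the shape of `pip-audit --format json`.
SAMPLE_PIP_AUDIT = json.dumps({
    "dependencies": [
        {"name": "fastapi", "version": "0.115.0", "vulns": []},
        {"name": "python-multipart", "version": "0.0.22", "vulns": [
            {"id": "EXAMPLE-0001", "fix_versions": ["0.0.27"], "aliases": [],
             "description": "constructed"},
        ]},
    ],
    "fixes": [],
})


def parse_npm_audit(raw):
    """Flatten npm audit v2 JSON into rows: package, severity, detail, fix."""
    rows = []
    for name, vuln in sorted(json.loads(raw).get("vulnerabilities", {}).items()):
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict):  # npm names the package@version that resolves it
            fix_text = f"{fix['name']}@{fix['version']}"
            fix_text += " (semver-major)" if fix.get("isSemVerMajor") else ""
        else:
            fix_text = "yes" if fix else "no"
        # `via` holds advisory objects for direct hits and parent package names for transitive ones.
        parents = [v for v in vuln.get("via", []) if isinstance(v, str)]
        detail = vuln.get("range", "?") + (f" via {', '.join(parents)}" if parents else "")
        rows.append({"package": name, "severity": vuln.get("severity", "info"),
                     "detail": detail, "fix": fix_text})
    return rows


def parse_pip_audit(raw):
    """Flatten pip-audit JSON; pip-audit reports no severity, so it is marked unknown."""
    rows = []
    for dep in json.loads(raw).get("dependencies", []):
        for vuln in dep.get("vulns", []):
            rows.append({"package": f"{dep['name']}=={dep['version']}", "severity": "unknown",
                         "detail": vuln.get("id", "?"),
                         "fix": ", ".join(vuln.get("fix_versions") or []) or "none"})
    return rows


def render_summary(title, rows):
    """Markdown fragment destined for $GITHUB_STEP_SUMMARY."""
    lines = [f"### {title} audit", ""]
    if not rows:
        return "\n".join(lines + ["No known vulnerabilities found."]) + "\n"
    lines += ["| Package | Severity | Advisory / range | Fix |", "|---|---|---|---|"]
    lines += [f"| {r['package']} | {r['severity']} | {r['detail']} | {r['fix']} |" for r in rows]
    return "\n".join(lines) + "\n"


def write_step_summary(markdown, path=None):
    """Append to the Actions step summary, or to a temp file when run outside Actions."""
    path = (path or os.environ.get("GITHUB_STEP_SUMMARY")
            or os.path.join(tempfile.gettempdir(), "step-summary.md"))
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(markdown)
    return path


def exceeds_threshold(rows, audit_level):
    """True if any row is at or above audit_level; unknown severity (pip-audit) always trips it."""
    floor = SEVERITY_RANK[audit_level]
    return any(SEVERITY_RANK.get(r["severity"], SEVERITY_RANK["critical"]) >= floor for r in rows)


def run_check(raw, kind, title, audit_level="high", summary_path=None):
    """Steps 1-3 of the workflow: parse, summarise, gate. Returns the exit status to use."""
    rows = parse_npm_audit(raw) if kind == "npm" else parse_pip_audit(raw)
    write_step_summary(render_summary(title, rows), summary_path)
    return 1 if exceeds_threshold(rows, audit_level) else 0


if __name__ == "__main__":
    out = os.path.join(tempfile.gettempdir(), "step-summary.md")
    open(out, "w").close()  # start from an empty summary for this local run
    npm_status = run_check(SAMPLE_NPM_AUDIT, "npm", "TanStack App", "high", out)   # moderate/low pass
    pip_status = run_check(SAMPLE_PIP_AUDIT, "pip", "Python FastAPI", "info", out)  # any finding fails
    print(open(out, encoding="utf-8").read())
    sys.exit(max(npm_status, pip_status))
```

One caveat for wiring this into the workflow's step 1: both `npm audit --json` and `pip-audit` exit non-zero when they find vulnerabilities, so a capture step such as `npm audit --json > audit.json` fails before the summary step runs unless it tolerates that status (for example `|| true`, or `continue-on-error: true` on the step) and the gate is left to step 3.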

@dacharyc dacharyc left a comment

This is awesome - thank you for adding these audit workflows 👏
