---
issue: 102
title: "Backend: 14 high-severity npm vulnerabilities, no audit step in CI"
severity: medium
domain: Dependencies
labels: [security, backend, dependencies, ci-cd]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: 14 high-severity npm vulnerabilities, no audit step in CI

**Severity:** medium
**Domain:** Dependencies
**Labels:** security, backend, dependencies, ci-cd

## Description

`npm audit` reports 14 high-severity vulnerabilities in backend production dependencies (packages include mongoose, multer, axios, and others). No CI pipeline step runs `npm audit`, so new vulnerabilities silently accumulate.

## Options

1. Add `npm audit` (or `audit-ci`) as a non-blocking report step first, then make it blocking.
2. Upgrade the flagged packages and add a blocking audit gate.
3. Adopt Renovate/Dependabot plus a CI audit step.

## Recommendation

Add an audit step (start as report), prioritize upgrading the 14 highs, then make the gate blocking. Package upgrades risk breakage — test before making the gate mandatory.

## Affected Files

- `backend/package.json`
- `backend/.woodpecker/development.yml` — add audit step

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-51
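The report-then-block sequence from the Recommendation, as an added Woodpecker pipeline fragment that is not the project's own `development.yml`; the `node:20` image and the `backend` working directory are assumptions.

```yaml
# Added example, not the project's actual backend/.woodpecker/development.yml.
# Woodpecker step keys (steps, image, commands, failure) are real; the image
# tag and the working directory are assumptions.

# Phase 1: report-only. `npm audit` exits non-zero when any finding at or
# above --audit-level exists; `failure: ignore` records the result in the
# build log without failing the pipeline, so highs become visible instead of
# silently accumulating.
steps:
  - name: audit-report
    image: node:20
    commands:
      - cd backend
      - npm ci --ignore-scripts              # install from lockfile, no lifecycle scripts
      - npm audit --omit=dev --audit-level=high   # production deps only, high and critical
    failure: ignore

# Phase 2 (after the 14 highs are upgraded and the test suite passes): the
# same step without `failure: ignore`, so a high or critical finding fails
# the pipeline. Shown commented out; swap it in when making the gate blocking.
#  - name: audit-gate
#    image: node:20
#    commands:
#      - cd backend
#      - npm ci --ignore-scripts
#      - npm audit --omit=dev --audit-level=high
```

Keeping `--omit=dev` scopes the gate to what ships in production; dev-only findings still appear in a full `npm audit` run locally.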