fix(deps): patch 3 npm vulnerabilities (brace-expansion, path-to-regexp, picomatch)

[lupita-hom]

Automated Security Scan — 2026-03-30

npm audit findings (server/)

Package	Severity	Advisory
brace-expansion 4.0.0–5.0.4	Moderate	Zero-step sequence causes process hang and memory exhaustion (GHSA-f886-m6hf-6m8v)
path-to-regexp <0.1.13	High	ReDoS via multiple route parameters (GHSA-37ch-88jc-xwx2)
picomatch ≤2.3.1	High	Method injection in POSIX character classes + ReDoS via extglob quantifiers (GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj)

Code review

Reviewed: server.js, socket.js, github.js, githubAuth.js, db.js, docker-compose.yml, .env.example, Helm chart templates, CI workflow, workflowController.js, syncService.js, workflowService.js, apiService.js (client).

No new code-level security issues found. Existing hardening (CORS allowlists, rate limiting, webhook signature verification, admin token auth, input sanitization, NoSQL injection guards) remains solid.

Changes

• server/package-lock.json — updated via npm audit fix (no breaking changes)

---

Generated by Lupita's weekly security scan cron job

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 981a50d.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
npm/brace-expansion	5.0.5	🟢 6.3	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 7/25 approved changesets -- score normalized to 2 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/path-to-regexp	0.1.13	🟢 7.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches CI-Tests 🟢 8 21 out of 24 merged PRs checked by a CI test -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 7 found 8 unreviewed changesets out of 29 -- score normalized to 7 Contributors 🟢 10 25 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 5 5 commit(s) out of 30 and 1 issue activity out of 30 found in the last 90 days -- score normalized to 5 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 9 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 no vulnerabilities detected
npm/picomatch	2.3.2	🟢 6.2	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Maintained 🟢 10 20 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 3 Found 6/20 approved changesets -- score normalized to 3 Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2

Scanned Files

• server/package-lock.json