Hard-gate bun audit in CI; pin patched postcss + mdast-util-to-hast

.github/workflows/ci.yml

@@ -105,3 +105,31 @@ jobs:
       - name: Server logs (on failure)
         if: failure()
         run: cat /tmp/server.log || true
+
+      # Hard-gates on vulnerable direct/transitive deps. One advisory is
+      # ignored because it's upstream-blocked (uuid <14.0.0 via
+      # resend → svix@1.90.0, dev-/server-side, no exploitable code path) —
+      # see CLAUDE.md "Audit advisories" for context and removal triggers.
+      # Any new advisory fails the job.
+      - name: Dependency audit
+        run: bun audit --ignore=GHSA-w5hq-g745-h8pq
+
+  # Runs only on PRs (no baseline diff to compute on a push to main).
+  # Compares the PR's dependency manifest against main and flags
+  # high-severity advisories or license incompatibilities. Posts a summary
+  # comment on the PR when it finds something. continue-on-error while we
+  # establish a baseline of acceptable findings.
+  dependency-review:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - name: Dependency Review
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48  # v4.9.0
+        continue-on-error: true
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: on-failure

.gitignore

@@ -43,3 +43,6 @@ next-env.d.ts
 #velite generated files
 .velite
 public/static
+
+# claude code local settings (per-machine tool allowlists)
+.claude

CLAUDE.md

@@ -44,3 +44,13 @@ This is a Next.js 15 marketing website for Vortex, a columnar file format. The s
 - `next.config.ts` - Plausible proxy configuration
 
 The site is optimized for performance with font optimization, analytics integration, and responsive WebGL rendering.
+
+## Audit advisories
+
+`bun audit` is the source of truth for dependency advisories. State as of 2026-05-04:
+
+- **postcss `<8.5.10`** (GHSA-qx2v-qp2m-jg93, moderate XSS in CSS stringify). Multiple transitive resolutions — `next@16.2.4` pins `postcss@8.4.31` exactly, and `@tailwindcss/postcss@4.2.3` brings in `postcss@^8.5.6`. Resolved via `overrides.postcss = "8.5.10"` in `package.json`, which dedupes all transitives to the patched version. Drop the override after `next` and `@tailwindcss/postcss` ship releases that pull their transitives to ≥ 8.5.10.
+- **mdast-util-to-hast `<13.2.1`** (GHSA-4fh9-h7wg-q85m, moderate XSS via unsanitized class attribute). Pulled in by three independent paths (shiki/rehype-pretty-code, react-markdown, velite/@mdx-js/mdx) — all parents accept `^13.0.0`, so the lockfile resolved to 13.2.0 (pre-fix). Resolved via `overrides.mdast-util-to-hast = "^13.2.1"`. Drop the override after parents ship releases that pull a patched version directly; verify with `bun pm ls --all | grep mdast-util-to-hast` showing only ≥ 13.2.1.
+- **uuid `<14.0.0`** (GHSA-w5hq-g745-h8pq, moderate missing buffer bounds in v3/v5/v6 when `buf` provided). **Upstream-blocked.** Comes exclusively from `resend@6.12.2 → svix@1.90.0 → uuid@^10.0.0`. svix's declared range `^10.0.0` doesn't admit a 14.x override without risking the parent's CJS imports. Exposure is theoretical: `/api/subscribe` invokes Resend's send-email endpoint, which doesn't exercise svix's webhook-signing path, and the vulnerable code (v3/v5/v6 with explicit `buf`) isn't called. Remove the `--ignore` when `svix` (or `resend`) ships a release that bumps uuid to `^14.0.0`.
+
+CI hard-gates on `bun audit` (`.github/workflows/ci.yml`) with `--ignore=GHSA-w5hq-g745-h8pq` for the upstream-blocked uuid advisory. Any new advisory fails the job. The `dependency-review-action` PR job is a separate gate (license/severity-focused) that remains `continue-on-error: true` while a baseline of acceptable findings is established.

package.json

@@ -44,5 +44,9 @@
     "@types/react-dom": "^19.2.3",
     "tailwindcss": "4.2.3",
     "typescript": "^6.0.3"
+  },
+  "overrides": {
+    "postcss": "8.5.10",
+    "mdast-util-to-hast": "^13.2.1"
   }
 }