fix: update vulnerable dependencies (13 high / 23 moderate / 1 low → 0)

docs/security-overrides.md

@@ -0,0 +1,58 @@
+# Security dependency overrides
+
+This project uses `pnpm.overrides` only when a vulnerable transitive dependency cannot be updated through a direct parent dependency yet, or when pnpm's auto-installed peer dependencies need to be kept aligned with an updated security-sensitive package family.
+
+## `dompurify >=3.4.0 <4.0.0`
+
+`dompurify` is pulled in transitively through:
+
+```text
+@monaco-editor/react > monaco-editor > dompurify
+```
+
+`@monaco-editor/react` is already at the current available release, so the dependency is forced with a pnpm override until the parent packages update their own `dompurify` dependency.
+
+This override addresses these advisories:
+
+- GHSA-v2wj-7wpq-c8vv
+- GHSA-cjmm-f4jc-qw8r
+- GHSA-cj63-jhhr-wcxv
+- GHSA-39q2-94rc-95cp
+- GHSA-h7mw-gpvr-xq4m
+- GHSA-crv5-9vww-q3g8
+- GHSA-v9jr-rg53-9pgp
+- GHSA-h8r8-wccr-v5f2
+
+Remove this override when `@monaco-editor/react` or `monaco-editor` updates its `dompurify` dependency to a patched version.
+
+## `esbuild >=0.28.1 <0.29.0`
+
+`esbuild` is pulled in transitively through Astro/Vite production paths, including:
+
+```text
+@astrojs/react > vite > esbuild
+@astrojs/react > vite > tsx > esbuild
+```
+
+This override is present because the currently selected Astro/Vite production dependency graph still resolves vulnerable `esbuild` versions while `pnpm audit --prod` requires `>=0.28.1`.
+
+This override addresses these advisories:
+
+- GHSA-gv7w-rqvm-qjhr
+- GHSA-g7r4-m6w7-qqqr
+
+Remove this override when Astro, Vite, or tsx updates its own `esbuild` dependency to a patched version.
+
+## Effect peer dependency alignment
+
+`@effect/platform-node` is updated to `0.107.0` for security fixes in its production dependency path. pnpm auto-installs peer dependencies for this package family, and without overrides it can keep older peer versions that no longer match what `@effect/platform-node@0.107.0` expects.
+
+These overrides keep the Effect peer family aligned while allowing patch releases within the same pre-1.0 minor line:
+
+- `@effect/cluster >=0.59.0 <0.60.0`
+- `@effect/rpc >=0.75.1 <0.76.0`
+- `@effect/sql >=0.51.1 <0.52.0`
+
+pnpm overrides alone do not change every auto-installed peer selection in this dependency graph, so the matching peer packages are also listed as direct dependencies. `@effect/workflow` and `@effect/experimental` are direct dependencies for the same alignment reason because they are required peers of the updated `@effect/cluster` and `@effect/sql` versions.
+
+Remove these overrides and direct Effect peer dependencies when the Effect packages can be updated together without pnpm peer dependency warnings.

package.json

@@ -23,12 +23,26 @@
 		"update-opencode-version": "node scripts/update-opencode-version.mjs"
 	},
 	"packageManager": "pnpm@10.20.0",
+	"pnpm": {
+		"overrides": {
+			"@effect/cluster": ">=0.59.0 <0.60.0",
+			"@effect/rpc": ">=0.75.1 <0.76.0",
+			"@effect/sql": ">=0.51.1 <0.52.0",
+			"dompurify": ">=3.4.0 <4.0.0",
+			"esbuild": ">=0.28.1 <0.29.0"
+		}
+	},
 	"dependencies": {
-		"@astrojs/node": "10.0.4",
-		"@astrojs/react": "5.0.2",
+		"@astrojs/node": "10.1.4",
+		"@astrojs/react": "5.0.7",
 		"@base-ui/react": "^1.2.0",
-		"@effect/platform": "^0.94.5",
-		"@effect/platform-node": "^0.104.1",
+		"@effect/cluster": "^0.59.0",
+		"@effect/experimental": "^0.60.0",
+		"@effect/platform": "^0.96.1",
+		"@effect/platform-node": "^0.107.0",
+		"@effect/rpc": "^0.75.1",
+		"@effect/sql": "^0.51.1",
+		"@effect/workflow": "^0.18.2",
 		"@fontsource-variable/inter": "^5.2.8",
 		"@monaco-editor/react": "^4.7.0",
 		"@opencode-ai/sdk": "^1.14.31",
@@ -37,13 +51,13 @@
 		"@tailwindcss/vite": "^4.2.0",
 		"ai": "^6.0.97",
 		"argon2": "^0.44.0",
-		"astro": "6.1.1",
+		"astro": "6.4.6",
 		"better-sqlite3": "^12.6.2",
 		"class-variance-authority": "^0.7.1",
 		"clsx": "^2.1.1",
 		"cmdk": "^1.1.1",
-		"drizzle-orm": "^0.45.1",
-		"effect": "^3.19.18",
+		"drizzle-orm": "^0.45.2",
+		"effect": "^3.21.3",
 		"highlight.js": "^11.11.1",
 		"lucide-react": "^0.561.0",
 		"motion": "^12.34.3",