chore(deps): resolve Dependabot security advisories via pnpm overrides

[Bekacru]

Summary

Clears the large majority of the repo's open Dependabot alerts (317 unique advisories / ~700 alert paths) by pinning vulnerable dependencies to patched versions.

Key point: none of the alerts are in runtime dependencies that ship to npm consumers. Every flagged dependency in a published package is a devDependency, a peerDependency (consumer-provided), or a transitive build/test dep — and the bulk live in the non-published example apps, docs, and CI tooling. So this is dashboard hygiene, not a fix to the installed library's attack surface.

Approach

• Per-major pnpm.overrides added to the root workspace and to each standalone project (apps/examples/*, .github/broken-link-checker). Keys are scoped by major version (e.g. minimatch@3 → 3.1.4, minimatch@9 → 9.0.7) so security patches are applied within each major rather than forcing incompatible major upgrades.
• Direct devDependency bumps in published packages: next-auth (next, nodemailer), @auth/core (postcss), @auth/drizzle-adapter (drizzle-orm), @auth/typeorm-adapter (typeorm), plus the root vitest/@vitest/*/@playwright/test toolchain (kept version-aligned to avoid peer breakage).
• All affected lockfiles regenerated (--lockfile-only per project).

Verification

turbo run build passes for next-auth and all 30 @auth/* packages (incl. @auth/sveltekit, svelte-check: 0 errors). The @auth/qwik build is excluded — it fails identically on main in this environment (Node 24 native/vite issue), independent of this change.

Not addressed (intentionally)

These require breaking changes or have no fix, so they're out of scope for a mechanical security PR:

Dependency	Reason
@mikro-orm/core 5.x → 6.6.10	only fix is a major upgrade; @auth/mikro-orm-adapter is built/peered against v5
@builder.io/qwik 1.7→1.19, @builder.io/qwik-city, vite-plugin-static-copy 1→2	breaks the @auth/qwik build; needs a separate framework upgrade
request, useragent, tsup, vue-template-compiler, ip, one vm2 advisory	no patched version available (EOL / unmaintained transitive chains)

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
auth-docs	Ready	Preview, Comment	Jun 9, 2026 8:44pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
next-auth-docs	Ignored	Preview	Jun 9, 2026 8:44pm
proxy	Ignored		Jun 9, 2026 8:44pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.2.7
	class-variance-authority@​0.7.0
	@​radix-ui/​react-slot@​1.0.2
	@​radix-ui/​react-avatar@​1.0.4
	@​auth/​qwik@​0.9.2
	@​radix-ui/​react-collapsible@​1.0.3
	@​radix-ui/​react-dropdown-menu@​2.0.6
	@​types/​react-dom@​18.3.0
	@​radix-ui/​react-navigation-menu@​1.1.4
	next-auth@​5.0.0-beta.31
	@​types/​react@​18.3.1
	tailwindcss-animate@​1.0.7
	clsx@​2.1.1
	@​builder.io/​qwik@​1.19.1
	@​types/​node@​18.19.33
	@​builder.io/​qwik-city@​1.19.2
	postcss@​8.5.10
	react@​18.3.1
	tailwind-merge@​1.14.0
	autoprefixer@​10.4.19
	tailwindcss@​3.4.3
	typescript@​5.4.5
	react-dom@​18.3.1
	lucide-react@​0.274.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @auth/core is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: apps/examples/nextjs-pages/pnpm-lock.yaml → npm/@auth/qwik@0.9.2 → npm/next-auth@5.0.0-beta.31 → npm/@auth/core@0.41.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@auth/core@0.41.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @types/node is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: apps/examples/nextjs-pages/package.json → npm/@types/node@18.19.33 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/node@18.19.33. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: apps/examples/nextjs-pages/pnpm-lock.yaml → npm/next@16.2.7 → npm/autoprefixer@10.4.19 → npm/caniuse-lite@1.0.30001617 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001617. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.29%. Comparing base (d4dab3d) to head (0247a1c).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #13441      +/-   ##
==========================================
+ Coverage   39.18%   40.29%   +1.10%     
==========================================
  Files         200      190      -10     
  Lines       32353    31463     -890     
  Branches     1404     1395       -9     
==========================================
  Hits        12678    12678              
+ Misses      19675    18785     -890     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.