
fix(deps): upgrade vulnerable dependencies to resolve Dependabot security alerts#644

Merged
galshubeli merged 1 commit into staging from fix/dependabot-security-alerts on Apr 5, 2026

Conversation

@gkorland gkorland commented Apr 4, 2026

Summary

Upgrade vulnerable dependencies to resolve open Dependabot security alerts.

Changes

Python (uv.lock):

npm (app/package.json + app/package-lock.json):

Not fixable in this PR

Testing

  • uv sync --all-extras
  • uv run ruff check . — same 70 pre-existing errors, no regressions
  • npm --prefix ./app run build ✅ (includes tsc type-check)

Memory / Performance Impact

N/A — lock file updates only, no code changes.

Related Issues

Resolves Dependabot alerts #70-84 (except #54-64)

Summary by CodeRabbit

  • Chores
    • Updated dependency override configuration to ensure compatibility with required package versions.

Upgrade transitive Python dependencies via uv lock:
- litellm: 1.82.0 -> 1.83.0 (fixes critical auth bypass + high privilege escalation)
- aiohttp: 3.13.3 -> 3.13.5 (fixes multiple HTTP vulnerabilities)
- Pygments: 2.19.2 -> 2.20.0 (fixes ReDoS vulnerability)

Add npm override for lodash-es in app/package.json:
- lodash-es: 4.17.21 -> 4.18.1 (fixes prototype pollution + code injection)

Note: pypdf vulnerabilities (alerts #54-64) cannot be fixed because
graphrag-sdk pins pypdf to <6.0.0 and the fix requires >=6.7.1.
This needs an upstream graphrag-sdk release.

Resolves Dependabot alerts: #70-84 (except #54-64)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
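Because app/package-lock.json is filtered out of the review (see the path filters below) and an npm override only applies to the package it names, the added example below (not part of this PR or the project) walks a lock file and reports every copy of lodash-es, hoisted or nested, that is still below the fixed version. The lock structure is a constructed lockfileVersion 3 sample; `some-chart-lib` is a hypothetical dependency used only to produce a nested copy.

```javascript
// Added example: check that an npm override actually reached every copy of a
// package in package-lock.json. Not code from the PR or the project.

// Minimal "MAJOR.MINOR.PATCH" comparison; pre-release tags are not handled
// (assumption: lock files for published releases carry plain versions).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every lock entry whose installed name is `name`, including nested copies such
// as node_modules/<dep>/node_modules/<name>, which a naive top-level check misses.
function findPackageVersions(lock, name) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const segs = path.split('node_modules/');
    if (segs[segs.length - 1] === name) out.push({ path, version: meta.version });
  }
  return out;
}

// Copies still older than the first fixed version.
function vulnerableCopies(lock, name, minFixed) {
  return findPackageVersions(lock, name).filter(e => cmpVersion(e.version, minFixed) < 0);
}

// Constructed sample: the hoisted copy was overridden, a nested one was not.
const SAMPLE_LOCK = {
  name: 'code-graph', lockfileVersion: 3,
  packages: {
    '': { name: 'code-graph', version: '0.3.0' },
    'node_modules/lodash-es': { version: '4.18.1' },
    'node_modules/some-chart-lib': { version: '1.0.0', dependencies: { 'lodash-es': '4.17.21' } },
    'node_modules/some-chart-lib/node_modules/lodash-es': { version: '4.17.21' },
  },
};

for (const e of vulnerableCopies(SAMPLE_LOCK, 'lodash-es', '4.18.1')) {
  console.log(`${e.path} still at ${e.version} (< 4.18.1)`);
}
```

To run it against the real file, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('app/package-lock.json', 'utf8'))`; a non-empty result means the override did not cover that copy.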
coderabbitai bot commented Apr 4, 2026

📝 Walkthrough


The app/package.json file's overrides section was updated to add a new dependency override for lodash-es pinned to version ^4.18.0, while preserving the existing prismjs override configuration.

Changes

Cohort / File(s): Dependency Override Configuration (app/package.json)
Summary: Added lodash-es override to ^4.18.0 in the overrides section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A tiny hop, a lodash leap so fine,
Another override joins the line,
Version squared, dependencies aligned,
The warren's code, forever refined! 📦✨

🚥 Pre-merge checks: 3 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and accurately summarizes the main change: upgrading vulnerable dependencies to resolve Dependabot security alerts, which matches the PR objectives.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
app/package.json (1)

1-12: Consider adding an engines field to enforce Node 20+.

The project requires Node version 20+ for frontend development and builds. Adding an engines field would help prevent developers from using incompatible Node versions.

📦 Proposed addition of engines field
 {
   "name": "code-graph",
   "version": "0.3.0",
   "private": true,
   "type": "module",
+  "engines": {
+    "node": ">=20.0.0"
+  },
   "scripts": {

Based on learnings: "Ensure Node version is 20+ for frontend development and builds" applies to app/** files.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/package.json` around lines 1 - 12, The package.json is missing an engines
declaration to enforce Node 20+ for the frontend dev/build scripts (e.g., "dev",
"build", "build:dev"); add an "engines" field in package.json with "node":
">=20" (or ">=20.0.0") so tooling and package managers can warn or block older
Node versions, and update any contributor docs if present to reflect this
requirement.


📥 Commits

Reviewing files that changed from the base of the PR and between ff57c2a and 90a46c9.

⛔ Files ignored due to path filters (2)
  • app/package-lock.json is excluded by !**/package-lock.json
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • app/package.json

@gkorland gkorland requested a review from galshubeli April 5, 2026 06:00
@galshubeli galshubeli merged commit b066064 into staging Apr 5, 2026
12 checks passed
@galshubeli galshubeli deleted the fix/dependabot-security-alerts branch April 5, 2026 10:30