
[FIX] Patch frontend Dependabot alerts (axios + transitive deps); drop unused package-lock.json#2038

Open
jaseemjaskp wants to merge 1 commit into
mainfrom
fix/dependabot-frontend-axios
Open

[FIX] Patch frontend Dependabot alerts (axios + transitive deps); drop unused package-lock.json#2038
jaseemjaskp wants to merge 1 commit into
mainfrom
fix/dependabot-frontend-axios

Conversation

@jaseemjaskp (Contributor)

What

Patches the frontend critical/high Dependabot alerts and removes the unused frontend/package-lock.json.

  • axios 1.13.5 → 1.16.0 (proxy-auth credential leak, prototype-pollution gadgets, ReDoS)
  • Raise caret floors above the vulnerable versions: handlebars 4.7.9, js-cookie 3.0.8, happy-dom 20.10.2, vite 7.3.5, vitest 3.2.6
  • overrides for transitive deps that didn't dedupe: lodash/lodash-es 4.18.0, immutable 4.3.8, socket.io-parser 4.2.6, and vite ^7.3.5 (forces vite-node's nested copy off the vulnerable 7.3.1)
  • Delete frontend/package-lock.json — the production image builds with bun install --frozen-lockfile from bun.lock; the npm lockfile was installed by nothing and only caused lockfile drift + false Dependabot signals
  • Git-ignore package-lock.json / yarn.lock to prevent accidental re-adds
  • Repoint the docker compose watch rebuild trigger from package-lock.json → bun.lock

Why

The frontend had the bulk of the open critical/high npm Dependabot alerts (axios ×11, handlebars critical, vitest critical, vite, etc.). Two committed lockfiles (bun.lock + package-lock.json) were drifting and only bun.lock is actually used to build, so the npm one was both useless and misleading.

How

  • bun add/update for the direct bumps, overrides in package.json for transitive ones, then regenerated bun.lock.
  • Verified bun install --frozen-lockfile --ignore-scripts (the prod Dockerfile's exact command) passes, and bun run build succeeds.

Can this PR break any existing features? If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled.)

No expected breakage.

  • Direct bumps are within-range patch/minor updates (axios is the only direct API surface; 1.13→1.16 is backward-compatible).
  • Most updated packages are dev/build-time tooling (vite, vitest, happy-dom, rollup, lodash in tests).
  • package-lock.json removal is safe: no Dockerfile or CI installs from it — the frontend image uses oven/bun + bun install --frozen-lockfile against bun.lock, and frontend CI only runs Biome (no install step).

Database Migrations

None.

Env Config

None.

Relevant Docs

N/A

Related Issues or PRs

GitHub Dependabot alerts (frontend / npm). Follow-up PRs will cover the Python (uv.lock) ecosystems.

Dependencies Versions

axios 1.16.0 · handlebars 4.7.9 · js-cookie 3.0.8 · happy-dom 20.10.2 · vite 7.3.5 · vitest 3.2.6 · lodash/lodash-es 4.18.0 · immutable 4.3.8 · socket.io-parser 4.2.6

Known remaining (deferred, tracked separately)

  • picomatch@2.3.1 (via http-proxy-middleware > micromatch) — bun has no scoped overrides; low risk (dev proxy tooling).
  • tar@6.2.1 (via jsdom > canvas > node-pre-gyp) — needs a major 6→7 bump behind an already-invalid canvas peer; handled separately.

Notes on Testing

  • bun install --frozen-lockfile --ignore-scripts ✓ (no lock drift)
  • bun run build
  • biome ci src/ — pre-existing warnings only, no new issues

Screenshots

N/A — dependency/build-config only.

Checklist

I have read and understood the Contribution Guidelines.
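A check that the overrides block actually reached every copy in the lockfile, including vite-node's nested vite, as an added example that is not code from the PR or the project. The lockfile shape (a packages map whose values start with name@version) and all sample data are assumptions constructed for the example.

```javascript
// Added example, not code from the PR or the project: confirm that every entry in
// package.json "overrides" is what the lockfile actually resolved, including nested
// copies such as "vite-node/vite". Assumes bun.lock's JSONC layout, where "packages"
// maps each (possibly nested) key to an array whose first element is "name@version".
const packageJson = {
  overrides: {
    lodash: "4.18.0",
    "lodash-es": "4.18.0",
    immutable: "4.3.8",
    "socket.io-parser": "4.2.6",
    vite: "^7.3.5",
  },
};

// Constructed lockfile excerpt: the caret override has not reached vite-node's
// nested vite, which still sits on the 7.3.1 the PR description calls vulnerable.
const bunLock = {
  packages: {
    lodash: ["lodash@4.18.0"],
    "lodash-es": ["lodash-es@4.18.0"],
    immutable: ["immutable@4.3.8"],
    "socket.io-parser": ["socket.io-parser@4.2.6"],
    vite: ["vite@7.3.5"],
    "vite-node/vite": ["vite@7.3.1"],
  },
};

// Numeric major.minor.patch only; pre-release suffixes are out of scope here.
const parse = (v) => v.replace(/^[\^~]/, "").split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// The two range forms this overrides block uses: an exact pin and a caret range.
function satisfies(version, range) {
  const v = parse(version), r = parse(range);
  return range.startsWith("^") ? v[0] === r[0] && cmp(v, r) >= 0 : cmp(v, r) === 0;
}

// Every lockfile entry whose package has an override that the resolved version
// does not satisfy; an empty result means all overrides took effect.
function findUnappliedOverrides(pkg, lock) {
  const unapplied = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    const at = entry[0].lastIndexOf("@"); // lastIndexOf keeps "@scope/name" intact
    const name = entry[0].slice(0, at), resolved = entry[0].slice(at + 1);
    const override = pkg.overrides[name];
    if (override && !satisfies(resolved, override)) unapplied.push({ key, resolved, override });
  }
  return unapplied;
}
```

To run it against the real files, load package.json with JSON.parse and bun.lock with a JSONC-tolerant parser, since bun.lock allows trailing commas that plain JSON.parse rejects.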

…p package-lock.json

- axios 1.13.5 -> 1.16.0 (proxy-auth leak, prototype pollution, ReDoS)
- raise caret floors above vulnerable versions: handlebars 4.7.9,
  js-cookie 3.0.8, happy-dom 20.10.2, vite 7.3.5, vitest 3.2.6
- add overrides for transitive deps: lodash/lodash-es 4.18.0,
  immutable 4.3.8, socket.io-parser 4.2.6, vite ^7.3.5 (dedupe vite-node)
- remove frontend/package-lock.json: the prod image builds with
  'bun install --frozen-lockfile' from bun.lock; the npm lockfile was
  unused and only caused drift + false Dependabot signals
- gitignore package-lock.json/yarn.lock to prevent re-adds
- repoint docker compose watch trigger to bun.lock
@github-actions

Frontend Lint Report (Biome)

All checks passed! No linting or formatting issues found.

coderabbitai Bot commented Jun 11, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between cafcca7 and e8d0cdb.

⛔ Files ignored due to path filters (2)
  • frontend/bun.lock is excluded by !**/*.lock
  • frontend/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)
  • docker/sample.compose.override.yaml
  • frontend/.gitignore
  • frontend/package.json

Summary by CodeRabbit

Chores

  • Updated development dependencies including Vite and Vitest to latest stable versions
  • Updated production dependencies (axios, handlebars, js-cookie) for improved compatibility
  • Enhanced package manager configuration and build consistency settings

Walkthrough

The PR standardizes the frontend to use Bun as the exclusive package manager. Docker compose watch configuration is updated to monitor bun.lock, .gitignore is configured to exclude npm and yarn lockfiles, and frontend dependencies are bumped across both production and development contexts with explicit version overrides for transitive dependencies.

Changes

Bun package manager standardization and dependency updates

| Layer / File(s) | Summary |
| --- | --- |
| Bun lock file configuration and gitignore: docker/sample.compose.override.yaml, frontend/.gitignore | Docker compose development watch rule is changed to trigger rebuilds on ../frontend/bun.lock instead of npm's lockfile. .gitignore is updated with entries for package-lock.json and yarn.lock and includes a comment clarifying Bun as the only package manager. |
| Dependency version updates and overrides: frontend/package.json | Dependencies axios, handlebars, and js-cookie are bumped to newer versions. DevDependencies happy-dom, vite, and vitest are updated. An overrides section is added to pin lodash, lodash-es, immutable, socket.io-parser, and vite to specific versions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main changes: patching frontend Dependabot alerts (axios and transitive dependencies) and removing the unused package-lock.json file. |
| Description check | ✅ Passed | The description comprehensively covers all required template sections with detailed information about what was changed, why, how it was verified, compatibility impact, and testing notes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



greptile-apps Bot commented Jun 11, 2026

Greptile Summary

This PR patches the frontend's critical/high Dependabot alerts by bumping axios, handlebars, js-cookie, happy-dom, vite, and vitest to safe versions, adds npm overrides for transitive dependencies that wouldn't dedupe (lodash, lodash-es, immutable, socket.io-parser, vite), deletes the unused package-lock.json in favour of the already-canonical bun.lock, and adjusts .gitignore and the docker compose watch trigger accordingly.

  • The direct dependency bumps (axios 1.13→1.16, vite 7.0→7.3.5, vitest 3.2.0→3.2.6, handlebars, js-cookie, happy-dom) are all within-range, backward-compatible updates targeting known CVEs.
  • The transitive overrides block (immutable, socket.io-parser, vite) pins safe versions, but both lodash and lodash-es are pinned to the exact version 4.18.0 — which introduced a regression bug (a ReferenceError in template.js and fromPairs modular builds) that was already fixed in 4.18.1.

Confidence Score: 3/5

The overall direction is correct but the lodash/lodash-es overrides land on a known-buggy release that could break modular lodash consumers at build or test time.

The overrides block pins both lodash and lodash-es to exactly 4.18.0, which introduced a ReferenceError in modular builds (both template and fromPairs) fixed in 4.18.1. At least one transitive dependency uses lodash as a modular build, making the regression plausibly reachable. Every other change — direct bumps, immutable/socket.io-parser/vite overrides, lockfile cleanup — looks correct.

frontend/package.json — specifically the overrides.lodash and overrides.lodash-es values.

Important Files Changed

| Filename | Overview |
| --- | --- |
| frontend/package.json | Direct bumps (axios, handlebars, vite, vitest, happy-dom, js-cookie) correctly target vulnerable versions. The overrides block for immutable, socket.io-parser, and vite is correct. However, lodash/lodash-es are pinned to 4.18.0, which has a known regression; 4.18.1 is the correct safe version. |
| frontend/.gitignore | Adds package-lock.json and yarn.lock to gitignore with a clear comment directing developers to use bun exclusively; no issues. |
| docker/sample.compose.override.yaml | Updates the docker compose watch rebuild trigger from the now-deleted package-lock.json to bun.lock; correct and necessary change. |
| frontend/bun.lock | Regenerated lockfile reflects all the bumped direct deps and the overrides; confirms lodash@4.18.0 and lodash-es@4.18.0 are the versions currently installed. |
| frontend/package-lock.json | Deleted entirely; correct removal of an unused npm lockfile that was drifting from the canonical bun.lock. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[package.json\ndirect deps + overrides] --> B{bun install}
    B -->|reads| C[bun.lock\nfrozen lockfile]
    C --> D[node_modules]
    subgraph overrides [Transitive Overrides]
        O1[lodash 4.18.0 should be 4.18.1]
        O2[lodash-es 4.18.0 should be 4.18.1]
        O3[immutable 4.3.8]
        O4[socket.io-parser 4.2.6]
        O5[vite ^7.3.5]
    end
    A --> overrides
    E[Docker build frontend.Dockerfile] -->|bun install --frozen-lockfile| C
    F[package-lock.json deleted] -. was unused .-> G[No longer tracked gitignore updated]
    H[compose watch trigger] -->|was package-lock.json now bun.lock| C
```



Comment thread frontend/package.json, on lines +101 to +102:

```json
    "lodash": "4.18.0",
    "lodash-es": "4.18.0",
```
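Review bot: these two overrides are exact pins, unlike the `"vite": "^7.3.5"` entry in the same block, so the tree stays on 4.18.0 until someone edits package.json again, and no later patch release is ever picked up by bun or Dependabot. If the override is kept at all (the tree already resolved lodash 4.17.23 before this PR, which is past the 4.17.21 prototype-pollution fixes), use a caret floor at the fixed release, `"lodash": "^4.18.1"` and `"lodash-es": "^4.18.1"`, so patch releases still flow while the vulnerable versions stay excluded, and record in the PR description which Dependabot alert this pair of overrides closes.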


P1: Both lodash@4.18.0 and lodash-es@4.18.0 have a known regression introduced in that exact release: template.js throws ReferenceError: assignWith is not defined, and fromPairs breaks when imported from modular builds (e.g. lodash/fromPairs or lodash-es/fromPairs). This was reported in [lodash/lodash#6167](https://github.com/lodash/lodash/issues/6167) and fixed in 4.18.1 (released April 1, 2026). At least one transitive dependency in this tree (@react-awesome-query-builder/core) imports lodash as a modular build and uses utilities like fromPairs, making a breakage during build or test plausible. Bump both overrides to 4.18.1.

Suggested change:

```diff
-    "lodash": "4.18.0",
-    "lodash-es": "4.18.0",
+    "lodash": "4.18.1",
+    "lodash-es": "4.18.1",
```

jaseemjaskp (Contributor, Author) left a comment

Automated review (PR Review Toolkit). Scope is a focused frontend dependency patch (5 files). Verified: bun install --frozen-lockfile is the only install path (frontend.Dockerfile + CI all use bun), there are zero remaining references to package-lock.json or npm ci in the repo, and bun.lock carries a matching overrides block — so deleting the lockfile and adding it to .gitignore is safe. One forward-looking note below; the lodash@4.18.0 regression is already covered by greptile's thread, so not reposting it.

Comment thread frontend/package.json:

```json
  "engines": {
    "node": ">=20.19.0"
  },
  "overrides": {
```


Verify each override maps to a real alert, and reconsider exact-pinning (complements greptile's lodash thread — not a duplicate).

Three distinct points on this new overrides block:

  1. lodash / lodash-es override may be unnecessary. Before this PR the tree already resolved lodash@4.17.23 / lodash-es@4.17.23 (see the bun.lock diff), which is past the 4.17.21 line that patched the known lodash prototype-pollution CVEs. Forcing 4.18.0 doesn't appear to close any alert that 4.17.23 left open — and per greptile it introduces a runtime regression. Worth confirming which Dependabot alert this override targets; if none, removing the two lodash overrides (letting it stay on the already-safe 4.17.x) is safer than greptile's bump-to-4.18.1.

  2. Exact pins freeze immutable@4.3.8 and socket.io-parser@4.2.6 against future patches. Unlike vite (^7.3.5), these are pinned exactly, so Dependabot/bun won't pick up a future 4.2.7 / 4.3.9 security fix without another manual PR. If the intent is to lock to a known-good version that's fine — just flagging the maintenance trade-off.

  3. Document the rationale. JSON can't carry comments, so consider noting in the PR description which alert each override resolves (socket.io-parser ≥4.2.4 for the parser advisory, immutable, etc.). It makes the next person's audit much faster.
