chore: update license allowlist for Next.js deps

[ajitpratap0]

Summary

Add CC-BY-4.0 and MPL-2.0 licenses to the CI dependency review allowlist.

Why

Next.js depends on caniuse-lite (CC-BY-4.0) and other packages that use MPL-2.0. These are standard open-source licenses but were not in the project's security workflow allowlist, causing the Dependency Review CI check to fail.

Changes

• .github/workflows/security.yml - Added CC-BY-4.0 and MPL-2.0 to the allow-licenses list

Context

This is a prerequisite for the Next.js website rebuild (PR #390). These licenses are well-established open-source licenses compatible with Apache-2.0.

🤖 Generated with Claude Code

[claude]

Claude finished @ajitpratap0's task —— View job

---

PR Review Complete ✅

Todo List:

• Review license allowlist changes in security.yml
• Analyze website migration from Astro to Next.js
• Check package.json for security/dependency concerns
• Review code quality and architecture changes
• Assess test coverage impact
• Provide comprehensive feedback

---

📋 Review Summary

This PR addresses the stated license allowlist issue while introducing a major website framework migration from Astro to Next.js. The changes are much more extensive than the PR title suggests.

✅ Positive Findings

License Changes (Primary Goal)

• Correctly addresses the issue: Added CC-BY-4.0 and MPL-2.0 to .github/workflows/security.yml:171
• Proper justification: Both licenses are permissive and appropriate for frontend dependencies
• Security workflow intact: No changes to security scanning logic or thresholds

Website Migration Quality

• Modern Next.js 16.1.6: Uses latest stable version with proper TypeScript setup
• Security best practices:
  • No hardcoded secrets or API keys
  • Proper use of environment-aware configuration
  • Uses next/link for client-side navigation
• Good component architecture: Well-organized components with proper separation of concerns
• Performance optimizations: Uses dynamic imports and proper font loading strategies

⚠️ Areas of Concern

1. Scope Creep - Major Issue

• PR title: "update license allowlist"
• Actual changes: Complete website framework migration (97 files, ~5k lines)
• Impact: This should be split into separate PRs for better review and rollback capability

2. Missing Dependencies

The migration removes build scripts and configs but doesn't add corresponding Next.js alternatives:

• No scripts/split-changelog.js file found but referenced in package.json:7
• Missing critical build-time dependencies like any linting or testing setup

3. Test Coverage Gap - Critical

• No website tests found: Neither old Astro nor new Next.js implementation has tests
• Missing in PR: No test strategy for the new Next.js components
• Recommendation: Add at least basic component tests for critical user journeys

4. SEO and Performance Concerns

// website/src/lib/docs.ts:19 - Potential build-time issue
const DOCS_DIR = path.join(process.cwd(), '..', 'docs');

• Relies on relative path that may break in different deployment environments
• Should use absolute paths or environment variables

5. Configuration Issues

// next.config.ts - Missing important configs
const nextConfig: NextConfig = {
  async redirects() { /* only redirects defined */ }
  // Missing: output, images, experimental features, etc.
};

🚨 Security Considerations

• No security vulnerabilities detected in the new code
• Dependency analysis:
  • next-mdx-remote@6.0.0 - Clean, well-maintained
  • @vercel/analytics@2.0.1 - Official Vercel package
  • No suspicious dependencies or supply chain risks

🎯 Recommendations

Immediate Actions

1. Split this PR:

   • License fix (ready to merge)
   • Website migration (needs more work)

2. Fix missing script:

   # Create the missing changelog script referenced in package.json
   mkdir -p website/scripts && touch website/scripts/split-changelog.js

3. Add basic tests:

   # Consider adding at least smoke tests
   npm install --save-dev @testing-library/react @testing-library/jest-dom

Long-term Improvements

• Add comprehensive component testing
• Implement proper error boundaries
• Add performance monitoring
• Consider adding E2E tests for critical paths

📊 Risk Assessment

• License changes: ✅ Low risk - Well-justified and secure
• Website migration: ⚠️ Medium-high risk - Large scope, missing tests, potential deployment issues

---