fix: tech debt cleanup + security audit (#17)

* refactor: delete dead fish data files and orphaned data copies

Remove 6 unused files (~2,500 lines). Only fish_data_v3.js is imported
anywhere in the codebase — v1, v2, corrupted backup, root data/ copies,
and issue list.md were all dead weight.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: sync yield auto-scaling between Express and Vercel backends

The Vercel API auto-scaled decimal yields < 1 to percentages (0.42 → 42)
but the Express server did not. Same Excel upload now produces consistent
yield values regardless of which backend processes it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: return 201 status for resource creation in Express server

POST /api/register, /api/save-calc, and /api/user-data now return 201
to match the Vercel API endpoints and HTTP conventions for resource
creation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: standardize CSV export date format between backends

Express server used toLocaleDateString() (date only) while Vercel API
used toLocaleString() (date + time). Standardized on toLocaleString().

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: wire data validation script and update gitignore

Add npm run validate-data script for fish_data_v3 QA checks.
Add favicon-preview.html to gitignore (dev artifact).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: security audit — replace xlsx with exceljs, upgrade vulnerable deps

- Replace xlsx (unmaintained, CVEs) with exceljs for Excel/CSV parsing
  in both server/server.js and api/upload-data.js
- Upgrade sqlite3 5.x → 6.x (fixes tar/node-gyp/cacache chain)
- Upgrade bcrypt 5.x → 6.x (fixes @mapbox/node-pre-gyp/tar chain)
- Upgrade multer 2.0 → 2.1
- Drop .xls support (only .xlsx and .csv)
- Run npm audit fix across all three package roots

Remaining unfixable: elliptic via @stackframe/react (no upstream fix,
removed in Cloudflare migration), serialize-javascript via workbox-build
(no upstream fix yet for @rollup/plugin-terser).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: paccloud

.gitignore

@@ -47,3 +47,6 @@ worktrees/
 # Design and datasets
 Design Inspiration Ideas/
 datasets/
+
+# Dev artifacts
+favicon-preview.html

api/upload-data.js

@@ -1,5 +1,5 @@
 import formidable from 'formidable';
-import * as xlsx from 'xlsx';
+import ExcelJS from 'exceljs';
 import { promises as fs } from 'fs';
 import { query } from './_lib/db.js';
 import { requireAuth } from './_lib/auth.js';
@@ -43,10 +43,30 @@ async function handler(req, res) {
     const buffer = await fs.readFile(file.filepath);
 
     // Parse Excel/CSV file
-    const workbook = xlsx.read(buffer, { type: 'buffer' });
-    const sheetName = workbook.SheetNames[0];
-    const sheet = workbook.Sheets[sheetName];
-    const data = xlsx.utils.sheet_to_json(sheet);
+    const workbook = new ExcelJS.Workbook();
+    const ext = (file.originalFilename || '').split('.').pop()?.toLowerCase();
+    if (ext === 'csv') {
+      await workbook.csv.read(new (await import('stream')).Readable({
+        read() { this.push(buffer); this.push(null); }
+      }));
+    } else {
+      await workbook.xlsx.load(buffer);
+    }
+    const worksheet = workbook.worksheets[0];
+    if (!worksheet) throw new Error('No worksheet found');
+    const headers = [];
+    worksheet.getRow(1).eachCell((cell, colNumber) => {
+      headers[colNumber] = cell.value != null ? String(cell.value) : `Column${colNumber}`;
+    });
+    const data = [];
+    worksheet.eachRow((row, rowNumber) => {
+      if (rowNumber === 1) return;
+      const obj = {};
+      row.eachCell((cell, colNumber) => {
+        if (headers[colNumber]) obj[headers[colNumber]] = cell.value;
+      });
+      if (Object.keys(obj).length > 0) data.push(obj);
+    });
 
     let count = 0;
 

app/package-lock.json

@@ -8,7 +8,8 @@
     "build": "vite build",
     "lint": "eslint .",
     "preview": "vite preview",
-    "test": "vitest run"
+    "test": "vitest run",
+    "validate-data": "node src/data/validate_fish_data.js"
   },
   "dependencies": {
     "@stackframe/react": "^2.7.1",