chore: fix security vulnerabilities found by yarn audit (#1121)

* chore: fix security vulnerabilities found by yarn audit

Resolves all security vulnerabilities reported by yarn audit:

Direct dependency upgrades:
- nodemailer: ^7.0.11 → ^8.0.5 (SMTP command injection)
- posthog-js: ^1.345.5 → ^1.369.0 (dompurify XSS/prototype pollution)
- @posthog/ai: ^7.8.10 → ^7.15.0 (langsmith prototype pollution)

Resolutions for transitive dependencies:
- next via @react-email/preview-server (DoS with Server Components)
- hono + @hono/node-server via @modelcontextprotocol/sdk (cookie, path traversal, middleware bypass)
- langsmith via @langchain/core (prototype pollution)
- markdown-it via codemirror-json-schema (ReDoS)
- yaml via codemirror-json-schema + openapi3-ts (stack overflow)
- ajv via @eslint/eslintrc (ReDoS)
- smol-toml via @react-grab/cli (DoS)
- teeny-request via retry-request (incorrect control flow in @tootallnate/once)

Also adds `audit` script to root package.json with --no-deprecations flag.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: update CHANGELOG with audit fix PR

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: brendan-kellam

CHANGELOG.md

@@ -17,7 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Bumped dependencies (Go 1.25, Next.js, Vitest v4, tsx). [#1112](https://github.com/sourcebot-dev/sourcebot/pull/1112) [#1113](https://github.com/sourcebot-dev/sourcebot/pull/1113) [#1115](https://github.com/sourcebot-dev/sourcebot/pull/1115) [#1116](https://github.com/sourcebot-dev/sourcebot/pull/1116)
 
 ### Fixed
-- Fixed multiple CVEs in the Docker image by upgrading Go to 1.25, patching Alpine base packages (musl-utils, zlib), adding a build resolution for esbuild, and removing unused npm with its vulnerable transitive dependencies. [#1112](https://github.com/sourcebot-dev/sourcebot/pull/1112) [#1114](https://github.com/sourcebot-dev/sourcebot/pull/1114) [#1118](https://github.com/sourcebot-dev/sourcebot/pull/1118) [#1119](https://github.com/sourcebot-dev/sourcebot/pull/1119)
+- Fixed multiple CVEs in the Docker image and JS dependencies by upgrading Go to 1.25, patching Alpine base packages (musl-utils, zlib), adding a build resolution for esbuild, removing unused npm with its vulnerable transitive dependencies, and resolving all yarn audit security vulnerabilities. [#1112](https://github.com/sourcebot-dev/sourcebot/pull/1112) [#1114](https://github.com/sourcebot-dev/sourcebot/pull/1114) [#1118](https://github.com/sourcebot-dev/sourcebot/pull/1118) [#1119](https://github.com/sourcebot-dev/sourcebot/pull/1119) [#1121](https://github.com/sourcebot-dev/sourcebot/pull/1121)
 
 ## [4.16.8] - 2026-04-09
 

package.json

@@ -19,7 +19,8 @@
         "dev:prisma:db:push": "yarn with-env yarn workspace @sourcebot/db prisma:db:push",
         "build:deps": "yarn workspaces foreach --recursive --topological --from '{@sourcebot/schemas,@sourcebot/db,@sourcebot/shared,@sourcebot/query-language}' run build",
         "openapi:generate": "yarn workspace @sourcebot/web openapi:generate",
-        "tool:decrypt-jwe": "yarn with-env yarn workspace @sourcebot/web tool:decrypt-jwe"
+        "tool:decrypt-jwe": "yarn with-env yarn workspace @sourcebot/web tool:decrypt-jwe",
+        "audit": "yarn npm audit --all --recursive --no-deprecations"
     },
     "devDependencies": {
         "concurrently": "^9.2.1",
@@ -45,6 +46,16 @@
         "ajv@npm:^8.17.1": "^8.18.0",
         "brace-expansion@npm:^2.0.2": "^2.0.3",
         "brace-expansion@npm:^5.0.2": "^5.0.5",
-        "brace-expansion@npm:^1.1.7": "^1.1.13"
+        "brace-expansion@npm:^1.1.7": "^1.1.13",
+        "@react-email/preview-server/next": "^16.2.3",
+        "@modelcontextprotocol/sdk/hono": "^4.12.12",
+        "@modelcontextprotocol/sdk/@hono/node-server": "^1.19.13",
+        "langsmith@npm:>=0.5.0 <1.0.0": "^0.5.19",
+        "markdown-it@npm:^14.1.0": "^14.1.1",
+        "yaml@npm:^2.3.4": "^2.8.3",
+        "yaml@npm:^2.8.0": "^2.8.3",
+        "ajv@npm:^6.12.4": "^6.14.0",
+        "smol-toml@npm:^1.6.0": "^1.6.1",
+        "teeny-request@npm:^10.0.0": "^10.1.2"
     }
 }

packages/web/package.json

@@ -59,12 +59,12 @@
     "@hookform/resolvers": "^3.9.0",
     "@iconify/react": "^5.1.0",
     "@iizukak/codemirror-lang-wgsl": "^0.3.0",
-    "@modelcontextprotocol/sdk": "^1.27.1",
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "@openrouter/ai-sdk-provider": "^2.2.3",
     "@opentelemetry/api-logs": "^0.203.0",
     "@opentelemetry/instrumentation": "^0.203.0",
     "@opentelemetry/sdk-logs": "^0.203.0",
-    "@posthog/ai": "^7.8.10",
+    "@posthog/ai": "^7.15.0",
     "@radix-ui/react-accordion": "^1.2.11",
     "@radix-ui/react-alert-dialog": "^1.1.5",
     "@radix-ui/react-avatar": "^1.1.2",
@@ -156,11 +156,11 @@
     "next-auth": "^5.0.0-beta.30",
     "next-navigation-guard": "^0.2.0",
     "next-themes": "^0.3.0",
-    "nodemailer": "^7.0.11",
+    "nodemailer": "^8.0.5",
     "octokit": "^4.1.3",
     "openai": "^4.98.0",
     "parse-diff": "^0.11.1",
-    "posthog-js": "^1.345.5",
+    "posthog-js": "^1.369.0",
     "posthog-node": "^5.24.15",
     "pretty-bytes": "^6.1.1",
     "psl": "^1.15.0",