fix(root): resolve js-cookie, postcss, and ws dependency vulnerabilities

[cursor]

Summary

Scheduled dependency security audit fixes for three actionable advisories (highest severity with available patches).

Fixed vulnerabilities

Package	Severity	Advisory	Strategy
js-cookie	high	GHSA-qjx8-664m-686j	pnpm override js-cookie@<3.0.7 → ^3.0.7 (transitive via @clerk/nextjs, @segment/analytics-next)
postcss	moderate	GHSA-qx2v-qp2m-jg93	Direct dependency bump to ^8.5.10 + pnpm override postcss@<8.5.10 (nested via next)
ws	moderate	GHSA-58qx-3vcg-4xpx	pnpm override ws@>=8.0.0 <8.20.1 → ^8.20.1 (transitive via @novu/js → socket.io-client)

Validation

• pnpm audit — advisories 1119459, 1117015, 1119108 no longer reported
• pnpm build — passed

Remaining advisories (not in scope)

• fast-xml-parser (moderate) — requires >=5.7.0; tree has 4.5.6 via fumadocs-openapi (major bump)
• uuid (moderate) — requires >=11.1.1; tree has 9.0.1 via @scalar/api-client-react (major bump)

Linear

Linear MCP was not authenticated in this environment. Please create/link a Linear ticket (e.g. fixes NV-XXXX) before merge per team process.

  

Greptile Summary

• Updates dependency security controls for js-cookie, postcss, and ws.
• Bumps the direct postcss dev dependency range to ^8.5.10.
• Adds pnpm overrides for vulnerable transitive dependency ranges.
• Refreshes pnpm-lock.yaml to resolve the patched versions.

Confidence Score: 5/5

The dependency-only changes are narrow and align with the stated security audit fixes.

Only package.json and pnpm-lock.yaml were changed to bump or override vulnerable dependency ranges, with no application code paths modified.

T-Rex Logs

What T-Rex did

• Conducted a base install audit to identify vulnerabilities and the affected package versions.
• Applied dependency fixes and performed a head install/audit to verify patched versions and absence of targeted advisories.
• Attempted a production build after applying fixes; the build command ran and was terminated by SIGKILL (137), attributed to environmental resource exhaustion in the captured output.

_{Ran code and verified through T-Rex}

_{Reviews (1): Last reviewed commit: "Merge branch 'main' into cursor/docsrepo..." | Re-trigger Greptile}

[netlify]

✅ Deploy Preview for docs-novu ready!

Name	Link
🔨 Latest commit	23191df
🔍 Latest deploy log	https://app.netlify.com/projects/docs-novu/deploys/6a3242f3bfcedc0008718059
😎 Deploy Preview	https://deploy-preview-1117--docs-novu.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.