chore(deps): Update Yarn dependencies (security-updates)#431

Open
nielsdrost7 wants to merge 1 commit into develop from automated/yarn-update-24

Conversation

nielsdrost7 (Collaborator) commented Mar 23, 2026

Yarn Dependency Update

This PR updates Yarn (npm) dependencies.

Update Type: security-updates
Triggered by: schedule

Lock File Status

✓ No lock file conflicts detected.

Updated Packages

╔═══════════════════════════════════════════════════════════════╗
║                    Package Update Report                     ║
╚═══════════════════════════════════════════════════════════════╝

📦 DIRECT DEPENDENCIES (from package.json)
─────────────────────────────────────────────────────────────────

  ✓ axios
    1.13.2 → 1.13.6


═════════════════════════════════════════════════════════════════
SUMMARY: 1 direct, 0 transitive (1 total)
═════════════════════════════════════════════════════════════════

Checks Performed

  • Assets built successfully
  • Dependencies installed and verified
  • Lock file conflicts checked

Security Audit

2 security vulnerabilities detected. Please review audit-report.json.

Review Checklist

  • Review updated packages and their changelogs
  • Verify assets build correctly
  • Check for breaking changes in frontend
  • Test UI changes in development environment
  • Verify no console errors in browser

This PR was automatically created by the Yarn Update workflow.

Summary by CodeRabbit

  • Chores

    • Updated axios dependency to version 1.13.6
  • Documentation

    • Updated security audit advisories and findings

coderabbitai bot (Contributor) commented Mar 23, 2026

Walkthrough

Added an audit-before.json file documenting two high-severity vulnerabilities (axios and rollup). Updated audit-report.json to reflect resolved advisories. Bumped axios dependency from ^1.13.2 to ^1.13.6 in package.json and reformatted the package update report.

Changes

Cohort / File(s) | Summary
Audit Reporting: audit-before.json, audit-report.json | Added new audit baseline file with two high-severity supply-chain vulnerabilities; modified audit report to track the single remaining rollup vulnerability (axios advisory resolved).
Dependency Management: package.json, updated-packages.txt | Updated axios development dependency from ^1.13.2 to ^1.13.6; reformatted package update report to reflect a single JavaScript dependency change instead of the previous PHP Composer entries.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 With whiskers twitched and nose held high,
We audit dependencies under the sky.
Axios bumped, vulnerabilities tamed,
Supply chains secured—security's claimed!
Version by version, we hop toward the light. ✨

Pre-merge checks: 3 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The title accurately summarizes the main change: updating Yarn/npm dependencies for security purposes, which is reflected in the axios version bump and security-related audit file changes.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 11: The audit flags [email protected] used by Vite as vulnerable; to fix,
update package.json so the project uses a Vite release that bundles a patched
Rollup (bump the "vite" dependency to a version that includes rollup >=4.59.0)
or add a package manager override/resolution to force rollup to ^4.59.0 (use
"resolutions" for Yarn or "overrides" for npm) and regenerate lockfile; target
symbols: the "vite" dependency in package.json and add/modify "resolutions" or
"overrides" to pin "rollup" to ^4.59.0, then reinstall and verify the vuln is
resolved.


📥 Commits

Reviewing files that changed from the base of the PR and between ba54801 and 477cd9d.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (4)
  • audit-before.json
  • audit-report.json
  • package.json
  • updated-packages.txt

"devDependencies": {
"@tailwindcss/vite": "^4.1.12",
"axios": "^1.13.2",
"axios": "^1.13.6",
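Review bot: this hunk only covers the axios advisory, yet the PR body's Security Audit line still reports "2 security vulnerabilities detected" and the walkthrough says audit-report.json now tracks one remaining rollup advisory (vite>rollup at 4.54.0, affected range >=4.0.0 <4.59.0). For a PR labelled security-updates, the same package.json edit should also close that finding: either bump "vite" to a release that bundles rollup >=4.59.0 or add a "resolutions": { "rollup": "^4.59.0" } entry next to "devDependencies", then regenerate yarn.lock and re-run the audit. The PR description should also be reconciled with audit-report.json so the count of open findings matches what the audit files say.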
coderabbitai bot (Contributor) commented on package.json:

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify unresolved rollup advisory and lockfile-resolved versions (read-only)
rg -n '"module_name":"rollup"|"vulnerable_versions"|"patched_versions"|vite>rollup' audit-report.json audit-before.json
rg -n '^vite@|^rollup@|^\s+version "' yarn.lock -A3 -B1

Repository: InvoicePlane/InvoicePlane-v2



Resolve the remaining Rollup high-severity advisory before merging this security PR.

Axios was correctly upgraded to ^1.13.6 (resolves GHSA-43fc-jf86-j433), but the audit still reports vite>rollup at 4.54.0, which is vulnerable to CVE-2026-27606 (Arbitrary File Write via Path Traversal). Rollup versions >=4.0.0 <4.59.0 are affected; please upgrade Vite to a version with patched Rollup or pin Rollup to ^4.59.0 via Yarn resolutions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 11, The audit flags [email protected] used by Vite as
vulnerable; to fix, update package.json so the project uses a Vite release that
bundles a patched Rollup (bump the "vite" dependency to a version that includes
rollup >=4.59.0) or add a package manager override/resolution to force rollup to
^4.59.0 (use "resolutions" for Yarn or "overrides" for npm) and regenerate
lockfile; target symbols: the "vite" dependency in package.json and add/modify
"resolutions" or "overrides" to pin "rollup" to ^4.59.0, then reinstall and
verify the vuln is resolved.
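The "reinstall and verify the vuln is resolved" step the review asks for, as an added example that is not InvoicePlane or CodeRabbit code: it reads a yarn-audit style NDJSON report and flags every finding whose resolved version still falls inside the advisory's vulnerable_versions range. The record shape (that of yarn classic's `yarn audit --json`, which the review's rg patterns appear to target), the axios patched range and the sample records are assumptions; the rollup range, CVE and advisory IDs are taken from the PR discussion.

```python
"""Flag advisories in a yarn-audit style NDJSON report whose resolved version is still vulnerable.
Hypothetical review helper; assumes the `auditAdvisory` record shape of `yarn audit --json`."""
import json
import operator
import re

# Constructed sample mirroring the two advisories discussed in this PR. The rollup range and CVE
# are from the review comment; the axios patched range (>=1.13.6) is an assumption.
SAMPLE_AUDIT_NDJSON = "\n".join(json.dumps(r) for r in [
    {"type": "auditAdvisory", "data": {"advisory": {
        "module_name": "axios", "severity": "high", "github_advisory_id": "GHSA-43fc-jf86-j433",
        "vulnerable_versions": "<1.13.6", "patched_versions": ">=1.13.6",
        "findings": [{"version": "1.13.6", "paths": ["axios"]}]}}},
    {"type": "auditAdvisory", "data": {"advisory": {
        "module_name": "rollup", "severity": "high", "cves": ["CVE-2026-27606"],
        "vulnerable_versions": ">=4.0.0 <4.59.0", "patched_versions": ">=4.59.0",
        "findings": [{"version": "4.54.0", "paths": ["vite>rollup"]}]}}},
    {"type": "auditSummary", "data": {"vulnerabilities": {"high": 1}}},
])

_COMPARATOR = re.compile(r"(>=|<=|>|<|=)?\s*v?(\d+)\.(\d+)\.(\d+)")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}

def parse_version(text):
    """'4.54.0' -> (4, 54, 0); any pre-release/build suffix is ignored for the range check."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(x) for x in m.groups())

def in_range(version, range_expr):
    """True if version satisfies a node-semver range: comparators ANDed, clauses ORed by '||'."""
    ver = parse_version(version)
    for clause in range_expr.split("||"):
        comps = _COMPARATOR.findall(clause)
        if comps and all(_OPS[op or "="](ver, (int(a), int(b), int(c))) for op, a, b, c in comps):
            return True
    return False

def unresolved_advisories(ndjson_text):
    """Return (module, resolved version, dependency path) for every finding still in range."""
    hits = []
    for line in ndjson_text.splitlines():
        record = json.loads(line) if line.strip() else {}
        if record.get("type") != "auditAdvisory":
            continue
        adv = record["data"]["advisory"]
        for finding in adv.get("findings", []):
            if in_range(finding["version"], adv["vulnerable_versions"]):
                hits.extend((adv["module_name"], finding["version"], p) for p in finding["paths"])
    return hits
```

Run it against the real report with `unresolved_advisories(open("audit-report.json").read())`; an empty list is the merge condition for a security-updates PR, and after the axios bump alone the sample still returns the vite>rollup finding.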
