Add dependency vulnerability scanning to CI pipeline

[spaciousejar]

Description

The project relies on numerous third-party packages (including bcrypt, axios, next, and many Radix UI components) but does not have a vulnerability scanning step in the CI/CD pipeline. While Dependabot is configured for version bumps, there is no explicit audit gate.

Risk

• Known CVEs in dependencies could go unnoticed until they are exploited
• Supply chain attacks via compromised packages would not be detected early
• The bcrypt native compilation step introduces additional build-time risk

Suggested Fix

1. Add npm audit (or bun audit) as a CI step that fails builds on high-severity findings
2. Consider integrating Snyk or GitHub's built-in Dependabot alerts (already partially configured)
3. Establish a regular cadence for dependency review and updates

Example CI step for an existing workflow:

- name: Run npm audit
  run: npm audit --audit-level=high

Severity: MEDIUM | Ref: PCS-005

[github-actions]

The GitHub issue proposes adding a dependency vulnerability scanning step to the CI/CD pipeline for improved security. Currently, the project relies on third-party packages like bcrypt, axios, and Radix UI components, but lacks an explicit audit mechanism to identify high-severity vulnerabilities, creating risks such as unnoticed CVEs, supply chain attacks, and build-time issues related to bcrypt. The suggested solution involves incorporating a tool like npm audit or bun audit into the CI pipeline to fail builds with high-severity findings, leveraging tools like Snyk or enhancing Dependabot alerts, and establishing regular dependency reviews. An example of how to integrate npm audit into the workflow is provided. The severity of this issue is marked as MEDIUM and is referenced as PCS-005.