A dependency-security release clearing all seven open Dependabot alerts. No application code changes.
Security
- multer 2.1.1 → 2.2.0 — fixes two denial-of-service vectors in multipart parsing: crash via deeply nested field names (GHSA-72gw-mp4g-v24j, high) and disk exhaustion from incompletely cleaned-up aborted uploads (GHSA-3p4h-7m6x-2hcm, moderate). These were the only alerts with real exposure:
/api/uploadis reachable with a fetchable CSRF token when authentication is disabled (the Docker default). - nodemailer 8.0.7 → 9.0.3 — clears GHSA-p6gq-j5cr-w38f (high) plus three moderate advisories. None were exploitable as used (the email service never uses the
rawoption,jsonTransport,List-*headers, or OAuth2), but the fix for the high only exists on the 9.x line. The API surface the app uses (createTransport/sendMail/verify) is unchanged. - form-data 4.0.5 → 4.0.6 (dev-only, via axios) — CRLF injection in multipart names (GHSA-hmw2-7cc7-3qxx); test-suite exposure only.
npm audit now reports 0 vulnerabilities across all dependency scopes.
Full Changelog: v4.3.0...v4.3.1