Record outdated-deps and security-audit findings for the fork as of
2026-06-20 (pnpm outdated -r + pnpm audit --prod): 162 outdated entries,
50 major-behind, 51 vulnerabilities (16 high).
Key finding: pnpm.overrides pin several packages to versions flagged by
the audit (ws, undici, tmp, hono, protobufjs, dompurify) — cheapest fix
is bumping the pins. Also flags direct-dep highs (@nestjs/platform-fastify
auth middleware bypass, nodemailer, form-data, react-router-dom),
risky majors to schedule separately (Mantine9/React19, Hocuspocus 4,
CASL 7, TypeScript 6, zod 4, stripe), the deprecated @types/form-data,
and @types/node drift across the workspace.
