# Dependency Audit Baseline — Vigilant Entities

> Generated 2026-02-12 via `pip-audit` (backend) + `yarn audit` (frontend).
> Stored alongside CycloneDX SBOM at `/app/sbom-backend.json`.
>
> **Read this with `THREAT_MODEL.md` §4 (Top residual risks).**

## Summary

| Surface  | Components | Known CVEs | Risk owner |
|----------|-----------:|-----------:|------------|
| Backend  | 191        | 9 (3 pkgs) | Platform   |
| Frontend | 1,841      | 88 advisories (47H / 36M / 5L) | Platform |

**v124 update (2026-02-12):** Backend CVE count dropped from 12 → 9 (5
vulnerable packages → 3) after the pymongo + aiohttp bumps. Three CVEs
eliminated.

Full machine-readable reports:
- `/app/security-dependency-audit-backend.json` (pip-audit)
- `/app/security-dependency-audit-frontend.jsonl` (yarn audit)
- `/app/sbom-backend.json` (CycloneDX 1.6 SBOM)

## Backend — CVE detail (post-v124 bumps)

| Package     | Version  | CVEs                                                   | Risk to us                            | Plan |
|-------------|----------|--------------------------------------------------------|---------------------------------------|------|
| `aiohttp`   | **3.14.1** ✅ | (resolved in v124)                                | —                                     | DONE — bumped from 3.13.5 |
| `litellm`   | 1.80.0   | CVE-2026-35029, CVE-2026-35030, GHSA-69x8-hrgq-fjj8, +1 | Used by Iqra mentor service. Auth-required path, no anonymous trigger. | Q2 maintenance — needs FastAPI-compat bump validation |
| `pip`       | 26.1.1   | PYSEC-2026-196                                         | Build-time only — not exposed at runtime. | Build-tool only; non-exploitable at runtime |
| `pymongo`   | **4.6.3** ✅ | (resolved in v124)                                | —                                     | DONE — bumped from 4.5.0 |
| `starlette` | 0.37.2   | PYSEC-2026-161 (x2), CVE-2024-47874                    | Multipart DoS; rate-limit + nginx body cap upstream mitigate. | Q2 maintenance — pinned by FastAPI 0.110.1; need FastAPI bump too |

**Remaining (3 packages, 9 CVEs)** are bounded by upstream controls
(rate-limit, body-size cap, auth required) and require coordinated
FastAPI / Bedrock dep refresh in Q2 maintenance. Risk-accepted under
NIST RA-3 documented below.

## Frontend — high-severity advisories

47 high-severity advisories show up in `yarn audit`. The dominant
contributors are well-known transitive dependencies (`tar`, `semver`,
`underscore`, `glob-parent`, `postcss`, `nth-check`, `webpack-dev-server`)
inherited via `react-scripts` and `craco`.

| Class              | Count | Mitigation in our build                                    |
|--------------------|------:|------------------------------------------------------------|
| Build tooling      | 38    | Build-time only; never runs in user browser. CSP blocks any escape. |
| Runtime dev server | 7     | `react-scripts start` ONLY runs in dev; production uses static `build/`. |
| Runtime (browser)  | 2     | XSS-adjacent CVEs in old `nth-check` / `prismjs`; CSP `script-src` blocks all the relevant injection vectors. |

**Plan**: scheduled craco/react-scripts bump in Q1 maintenance — most
advisories disappear with that single bump.

## Process

Monthly cadence:
1. `pip-audit -r backend/requirements.txt`
2. `yarn audit --json`
3. `cyclonedx-py requirements backend/requirements.txt --output-format JSON > sbom-backend.json`
4. Review CVE counts in this doc.
5. Bump any package with criticality ≥ "High" AND a fix available.
6. Update this doc with the new baseline.

## Risk acceptance

All issues above are formally risk-accepted by the Security Lead until
the next maintenance window (≤30 days from this baseline). Acceptance
is documented in this file (NIST RA-3 compliant).

Reviewed: 2026-02-12 · Next: 2026-03-12 (monthly)
