Context: On April 3-6, 2026, a concentrated batch of 10+ PRs was merged to address Dependabot alerts and Wiz scan findings across the starters. These added `overrides` entries for picomatch, lodash, form-data, rollup, webpack, qs, fast-xml-parser, and serialize-js. The final PR (#429) refreshed all lock files. However, these merges targeted the `dmz` branch, which currently sits 1 commit behind `main`. The fixes need to reach `main` and be verified as complete.
Steps:
1. Merge dmz to main (or confirm the April 6 batch has been promoted).
2. Run `npm audit` in each starter directory and verify no high/critical findings remain.
3. For any remaining findings, add `overrides` entries in the affected `package.json` files.
4. Refresh lock files: `npm install --package-lock-only` in each starter.
5. Run full CI validation (build, lint, type-check, test) across all starters.
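As an added example (not code from the repository or the PRs above), this Python script triages one starter's `npm audit --json` output against that starter's `package.json`, sorting high/critical findings into the action steps 2-4 and the Risks note call for: add an override, refresh the lock file because an existing override is still being flagged, or document an exception because no fix is available. The audit and package data below are constructed samples; the severities assigned to the named packages and the `example-parent` package are made up for illustration.

```python
import json

BLOCKING = {"high", "critical"}  # the severities the acceptance criteria gate on

def blocking_findings(audit_json: str) -> dict:
    """Return {package: (severity, fix_available)} for high/critical entries
    in `npm audit --json` output (npm 7+ shape: top-level "vulnerabilities")."""
    report = json.loads(audit_json)
    return {
        name: (entry["severity"], bool(entry.get("fixAvailable")))  # fixAvailable is a bool or an object
        for name, entry in report.get("vulnerabilities", {}).items()
        if entry.get("severity") in BLOCKING
    }

def triage(audit_json: str, package_json: str) -> dict:
    """Bucket blocking findings by the action the procedure calls for:
    needs_override  -> add an `overrides` entry (step 3)
    stale_override  -> override exists but audit still flags it: lock file not refreshed (step 4) or pin too low
    needs_exception -> no upstream fix: document an exception with a follow-up date (Risks)"""
    overrides = json.loads(package_json).get("overrides", {})
    buckets = {"needs_override": [], "stale_override": [], "needs_exception": []}
    for name, (_severity, fix_available) in sorted(blocking_findings(audit_json).items()):
        if name in overrides:
            buckets["stale_override"].append(name)
        elif fix_available:
            buckets["needs_override"].append(name)
        else:
            buckets["needs_exception"].append(name)
    return buckets

def audit_passes(audit_json: str) -> bool:
    """Acceptance criterion: the audit summary reports zero high and zero critical findings."""
    counts = json.loads(audit_json)["metadata"]["vulnerabilities"]
    return counts.get("high", 0) == 0 and counts.get("critical", 0) == 0

# Constructed sample data (not real scan output); severities are made up for illustration.
SAMPLE_AUDIT = json.dumps({
    "vulnerabilities": {
        "picomatch": {"severity": "high", "fixAvailable": True},
        "lodash": {"severity": "critical", "fixAvailable": {"name": "lodash", "isSemVerMajor": False}},
        "qs": {"severity": "moderate", "fixAvailable": True},
        "example-parent": {"severity": "high", "fixAvailable": False},  # hypothetical package with no fix
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 2, "critical": 1, "total": 4}},
})
CLEAN_AUDIT = json.dumps({"vulnerabilities": {}, "metadata": {"vulnerabilities": {"high": 0, "critical": 0, "total": 0}}})
SAMPLE_PACKAGE = json.dumps({"name": "starter", "overrides": {"picomatch": "0.0.0-placeholder"}})  # placeholder pin

if __name__ == "__main__":
    print(triage(SAMPLE_AUDIT, SAMPLE_PACKAGE), "audit passes:", audit_passes(SAMPLE_AUDIT))
```

Run it per starter by piping `npm audit --json` into `SAMPLE_AUDIT` and reading the starter's real `package.json`; a non-empty `stale_override` bucket after step 4 means the override itself is wrong, not the lock file.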
Acceptance criteria:
- `npm audit` shows zero high/critical vulnerabilities in all enabled starters
- All Dependabot alerts on the repository are resolved or have documented exceptions
- CI passes on the `main` branch
Risks: Some transitive vulnerabilities may not be resolvable via overrides if the parent dependency hasn't published a fix. In those cases, document the exception and set a follow-up date.