
chore(deps): consolidate Dependabot PRs #70–#80 + frontend security fixes#81

Merged

pacphi merged 2 commits into main from chore/deps-consolidate-70-80 on Jun 15, 2026

Conversation

pacphi (Owner) commented Jun 15, 2026

Summary

Consolidates 11 open Dependabot PRs (#70–#80) into a single branch as
latest-compatible within each existing major, regenerates Cargo.lock and
frontend/pnpm-lock.yaml once each, and additionally patches 5 frontend
security advisories
found by pnpm audit. Full backend + frontend gates pass.

Superseded Dependabot PRs

| PR | Package(s) | Bump | Area |
|---|---|---|---|
| #70 | openssl (+openssl-sys) | 0.10.79 → 0.10.80 (sys 0.9.115 → 0.9.117) | Rust |
| #71 | rust (docker image) | 1.95 → 1.96-bookworm | Docker |
| #72 | reqwest | 0.13.3 → 0.13.4 | Rust |
| #73 | react-router | 7.15.1 → 7.17.0 | TS |
| #74 | typescript-eslint | 8.59.3 → 8.61.1 | TS |
| #75 | http | 1.4.0 → 1.4.1 | Rust |
| #76 | react-router-dom | 7.15.1 → 7.17.0 | TS |
| #77 | uuid | 1.23.1 → 1.23.2 | Rust |
| #78 | @vitejs/plugin-react | 6.0.1 → 6.0.2 | TS |
| #79 | sysinfo | 0.39.2 → 0.39.3 | Rust |
| #80 | eslint | 10.2.1 → 10.5.0 | TS |

Rust manifest constraints ("0.13", "1", "0.39") already permitted the new
versions — only Cargo.lock changed for those. Frontend floors were bumped in
package.json and the lockfile re-resolved to latest-compatible within caret.

Security audit

Rust — cargo audit (CI mirror .github/scripts/cargo-audit.sh): clean. No
vulnerabilities beyond the 7 documented non-actionable transitive exceptions in
audit-ignore (unchanged).

GitHub Dependabot alert #15 — openssl < 0.10.80
(GHSA-phqj-4mhp-q6mq, medium):
resolved by the openssl → 0.10.80 bump in this branch (auto-closes on merge).

Frontend — pnpm audit: 5 advisories, all fixed (patch-level, no breaking majors):

| Advisory | Severity | Package | Fix |
|---|---|---|---|
| GHSA-fx2h-pf6j-xcff | High | vite | → 8.0.16 (server.fs.deny bypass, Windows-only dev server) |
| GHSA-v6wh-96g9-6wx3 | Moderate | vite | → 8.0.16 (launch-editor NTLMv2 disclosure, Windows) |
| GHSA-h67p-54hq-rp68 | Moderate | js-yaml | → 4.2.0 (quadratic-complexity DoS on untrusted YAML) |
| GHSA-jxxr-4gwj-5jf2 | Moderate | brace-expansion | → 5.0.6 via pnpm.overrides (transitive: eslint→minimatch) |
| GHSA-4x5r-pxfx-6jf8 | Low | @babel/core | ≥ 7.29.6 via pnpm.overrides (transitive: eslint-plugin-react-hooks) |

pnpm audit after fixes: No known vulnerabilities found.

Pre-existing fixes

None required — no pre-existing gate failures. (One transient: local backend
integration tests initially failed with 28P01 password authentication failed
due to a stale Docker postgres volume from a prior run; recreating the test DB
volume cleared it. Not a code issue and not committed.)

Docs / CI propagation

  • Bumped Rust toolchain references 1.95 → 1.96 in docs/guides/maintainer-guide.md
    and docs/plan/origin/07-DEPLOYMENT.md to track the Dockerfile.backend image bump.
  • Library/dependency bumps had no version references in Make/CI/docs (verified) — N/A.

Verification (gates mirror .github/workflows/ci.yml)

# Backend
cargo fmt --all -- --check                                  ✅
cargo clippy --workspace --all-targets -- -D warnings       ✅ (clean)
cargo test --workspace (vs finima_test postgres)            ✅ all suites 0 failed
bash .github/scripts/cargo-audit.sh                         ✅ clean

# Frontend
pnpm install --frozen-lockfile                              ✅ reproduces lockfile
pnpm run lint                                               ✅
pnpm exec tsc --noEmit                                      ✅
pnpm exec prettier --check 'src/**/*.{ts,tsx,css}'          ✅
pnpm run test -- --run                                      ✅ 9 passed
pnpm run build                                              ✅
pnpm audit                                                  ✅ No known vulnerabilities

🤖 Generated with Claude Code


pnpm 11 migration (follow-up commit)

Migrates the frontend package manager from pnpm 10 to pnpm 11.7.0, updating
every reference following the existing toolchain-bump pattern.

| Reference | Change |
|---|---|
| frontend/package.json | packageManager pnpm@10.11.0 → pnpm@11.7.0 (CI's corepack enable pnpm reads this) |
| frontend/Dockerfile.frontend | corepack prepare pnpm@11.7.0; also COPY pnpm-workspace.yaml into the dev stage |
| pnpm.overrides (package.json) | moved to frontend/pnpm-workspace.yaml; pnpm 11 no longer reads the pnpm field in package.json |
| README.md, maintainer-guide.md | pnpm 10+ → pnpm 11+ prerequisite |

Supply-chain policy: pnpm 11 enables a default 24h minimumReleaseAge that
blocks frozen installs (and CI) on dependency versions published <24h ago — e.g.
same-day Dependabot bumps. Set minimumReleaseAge: 0 in pnpm-workspace.yaml to
preserve pnpm 10 install behavior and keep CI deterministic.

Lockfile is unchanged (relocating overrides does not alter resolution). Full
frontend gate re-verified green under pnpm 11.7.0: frozen install, lint, tsc,
prettier, 9 tests, build, pnpm audit (no known vulnerabilities).

…ixes

Consolidates 11 open Dependabot PRs into one branch as latest-compatible
within each existing major, regenerates both lockfiles once, and patches
5 frontend security advisories surfaced by `pnpm audit`.

Rust (cargo): openssl 0.10.79→0.10.80, reqwest 0.13.3→0.13.4,
http 1.4.0→1.4.1, uuid 1.23.1→1.23.2, sysinfo 0.39.2→0.39.3 (#70,#72,#75,#77,#79)
Docker: rust 1.95→1.96-bookworm (#71)
TS (frontend): react-router(-dom) 7.15.1→7.17.0, typescript-eslint 8.59.3→8.61.1,
@vitejs/plugin-react 6.0.1→6.0.2, eslint 10.2.1→10.5.0 (#73,#74,#76,#78,#80)

Security (pnpm audit): vite→8.0.16 (GHSA-fx2h-pf6j-xcff HIGH, GHSA-v6wh-96g9-6wx3),
js-yaml→4.2.0 (GHSA-h67p-54hq-rp68), brace-expansion→5.0.6 (GHSA-jxxr-4gwj-5jf2),
@babel/core≥7.29.6 (GHSA-4x5r-pxfx-6jf8) via pnpm.overrides.

Docs: bumped Rust toolchain references (1.95→1.96) in maintainer guide and
deployment doc to track the Dockerfile bump.

pacphi (Owner, Author) commented Jun 15, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


Bumps the pinned package manager to pnpm 11.7.0 and updates every reference
following the existing toolchain-bump pattern (manifest, Docker, CI, docs).

- packageManager: pnpm@10.11.0 → pnpm@11.7.0 (CI's `corepack enable pnpm`
  reads this field, so the version propagates to all CI jobs automatically)
- frontend/Dockerfile.frontend: corepack prepare pnpm@11.7.0; COPY the new
  pnpm-workspace.yaml into the dev stage so the frozen install sees overrides
- Move `pnpm.overrides` out of package.json (pnpm 11 no longer reads that
  field) into frontend/pnpm-workspace.yaml, its new home
- Disable pnpm 11's default 24h minimumReleaseAge supply-chain delay
  (minimumReleaseAge: 0) to preserve pnpm 10 install behavior and keep CI
  deterministic on same-day Dependabot bumps
- README.md / maintainer-guide.md: pnpm 10+ → pnpm 11+ prerequisite

Lockfile unchanged — relocating overrides does not alter resolution. Full
frontend gate (frozen install, lint, tsc, prettier, test, build, audit) green
under pnpm 11.7.0.
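The two settings this migration moves into frontend/pnpm-workspace.yaml, shown together as an editorial example rather than the repository's actual file: the security overrides relocated from package.json, and the minimumReleaseAge knob. The exact version specifiers, and the commented-out alternative that keeps the release-age delay while exempting named packages via minimumReleaseAgeExclude, are assumptions about how one could write this, not what the PR commits. pnpm reads minimumReleaseAge in minutes, so the 24h delay described above corresponds to 1440.

```yaml
# frontend/pnpm-workspace.yaml (editorial example; not the project's own file)

# Overrides relocated from package.json's `pnpm.overrides`, which pnpm 11
# no longer reads. The specs below are assumptions chosen to match the
# advisories named in the PR description.
overrides:
  brace-expansion: ">=5.0.6"   # GHSA-jxxr-4gwj-5jf2, transitive via eslint > minimatch
  "@babel/core": ">=7.29.6"    # GHSA-4x5r-pxfx-6jf8, transitive via eslint-plugin-react-hooks

# What the PR does: disable the release-age delay so a version published
# earlier the same day (e.g. a Dependabot bump) installs under
# `pnpm install --frozen-lockfile` in CI.
minimumReleaseAge: 0

# Assumed alternative (not what the PR commits): keep the 24h delay as a
# supply-chain guard and exempt only the packages you bump on the same day.
# The value is in minutes.
# minimumReleaseAge: 1440
# minimumReleaseAgeExclude:
#   - vite
#   - eslint
```

The trade-off is deliberate: minimumReleaseAge: 0 restores pnpm 10 behaviour and deterministic CI, while the exclusion list keeps the delay for every dependency not named in it. Either way, re-run the frozen install and pnpm audit after editing the file, since both settings affect which versions resolve.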
pacphi merged commit f07aff7 into main on Jun 15, 2026
12 checks passed
pacphi deleted the chore/deps-consolidate-70-80 branch on June 15, 2026 at 23:57