Julien Gautier 1edaeb1857
CI / commits (pull_request) Successful in 2m13s
CI / check (pull_request) Failing after 2m23s
CI / a11y (pull_request) Successful in 1m45s
CI / perf (pull_request) Failing after 2m4s
CI / scan (pull_request) Failing after 7m29s
chore(deps): pin patched transitive deps via pnpm.overrides
Renovate-driven updates of direct deps could not clear the audit
gate: 20 vulnerabilities (4 high + 13 moderate + 3 low) lived inside
transitive chains pinned by upstream tooling — `nx > axios`,
`nx > yaml`, `nx > follow-redirects`, `@nx/devkit > minimatch >
brace-expansion`, `nestjs-prisma > @angular-devkit/core > ajv`,
`@angular/cli > @modelcontextprotocol/sdk > express-rate-limit >
ip-address`, `@lhci/cli > tmp`. Upstream releases that bump those
transitives have not landed (or never will, in some cases).

Use `pnpm.overrides` with the upper-bound form (`pkg@<x.y.z`):
forces patched versions even when a parent specifies a tighter
range, and the rule expires on its own once a parent legitimately
resolves to a patched version (it stops matching).

Result: `pnpm audit --audit-level=moderate` reports zero
vulnerabilities. Remaining peer-dep warnings (`chokidar`,
`typescript`) are pre-existing mismatches inside nestjs-prisma /
@nestjs/schematics and out of scope for this PR.

Also fix a lint-staged trap surfaced while preparing this PR: the
glob `*.yaml` was matching `pnpm-lock.yaml`, so prettier reformatted
the entire lockfile on every dep-change commit (~9000 lines of
diff churn, with a non-zero risk of pnpm rejecting the rewritten
file). Tighten the glob to `!(pnpm-lock).{...,yaml}` so the
lockfile is left to pnpm's own formatter.
2026-05-06 21:21:54 +02:00

Documentation index

This is the entry point to all project documentation. It is maintained automatically: any addition, rename, or removal of a .md file under docs/ must be reflected here in the same change.

Conventions

  • Documentation is written in English.
  • One topic per file. Group related files into a folder when there are three or more.
  • Cross-reference with relative links so they keep working in GitHub, IDEs, and exported sites.
  • For architectural decisions, do not add them here — they belong in decisions/ as MADR 4.0.0 ADRs.

Sections

Daily development

  • development.md — repo layout, prerequisites, initial setup, daily commands, dependency updates (Renovate), conventional commit cycle. Day-to-day reference for working on the project.

Architecture

  • architecture.md — cross-cutting Mermaid diagrams: C4 system context, C4 containers, Nx module boundaries, CI/CD pipeline. Single-decision diagrams (auth sequence, ERD, etc.) live inline in their ADR.

Onboarding & environment

Setup guides for new contributors:

Operations & runbooks

Empty — to be populated when we deploy.

Security, performance, accessibility

Empty — placeholders to be filled with rationale docs alongside their corresponding ADRs.

S
Description
No description provided
Readme 42 MiB
Languages
TypeScript 85.3%
JavaScript 5.4%
SCSS 4.3%
HTML 3.9%
Shell 0.8%
Other 0.3%