Julien Gautier 778e163ae9
CI / scan (pull_request) Successful in 2m37s
CI / commits (pull_request) Successful in 2m36s
CI / a11y (pull_request) Successful in 1m36s
CI / check (pull_request) Successful in 4m19s
CI / perf (pull_request) Successful in 4m51s
chore(deps): pin protobufjs to >=8.0.2 to clear 7 transitive advisories
protobufjs 8.0.0 / 8.0.1 ship 7 fresh advisories (4 high, 3 moderate
— prototype pollution, dos via unbounded recursion, code-gen gadget
after prototype pollution, etc.) that block `pnpm audit
--audit-level=moderate`, which the ci:audit gate runs on every push.

the vulnerable version is pulled in transitively as
@opentelemetry/exporter-trace-otlp-http
  > @opentelemetry/otlp-transformer
  > protobufjs

the otlp-transformer doesn't allow a clean parent bump yet, so this
pins the dep directly via pnpm.overrides — same shape we already
use for axios, brace-expansion, follow-redirects, ip-address, tmp,
and yaml. resolution lands on protobufjs@8.2.0 (latest stable). the
override is `protobufjs@<8.0.2: ">=8.0.2"` so it auto-yields the
moment a non-vulnerable transitive lands and the override becomes
a no-op.

advisories cleared:
  GHSA-66ff-xgx4-vchm  high      code generation gadget
  GHSA-75px-5xx7-5xc7  high      code generation gadget after prototype pollution
  GHSA-jvwf-75h9-cwgg  high      process-wide dos through unsafe option paths
  GHSA-685m-2w69-288q  high      dos through unbounded protobuf recursion
  GHSA-q6x5-8v7m-xcrf  moderate  overlong utf-8 decoding
  GHSA-2pr8-phx7-x9h3  moderate  dos from crafted field names in generated code
  GHSA-fx83-v9x8-x52w  moderate  prototype injection in generated message constructors

verified locally:
  pnpm audit --audit-level=moderate  ⇒  no known vulnerabilities found
  pnpm nx test portal-bff            ⇒  99/99 pass
  pnpm nx build portal-bff           ⇒  webpack compiled successfully
2026-05-12 18:27:11 +02:00

Documentation index

This is the entry point to all project documentation. It is maintained automatically: any addition, rename, or removal of a .md file under docs/ must be reflected here in the same change.

Conventions

  • Documentation is written in English.
  • One topic per file. Group related files into a folder when there are three or more.
  • Cross-reference with relative links so they keep working in GitHub, IDEs, and exported sites.
  • For architectural decisions, do not add them here — they belong in decisions/ as MADR 4.0.0 ADRs.

Sections

Daily development

  • development.md — repo layout, prerequisites, initial setup, daily commands, observability dev-loop (Jaeger UI, log ↔ trace correlation), dependency updates (Renovate), conventional commit cycle. Day-to-day reference for working on the project.

Architecture

  • architecture.md — cross-cutting Mermaid diagrams: C4 system context, C4 containers, Nx module boundaries, CI/CD pipeline. Single-decision diagrams (auth sequence, ERD, etc.) live inline in their ADR.

Onboarding & environment

Setup guides for new contributors:

Operations & runbooks

Empty — to be populated when we deploy.

Security, performance, accessibility

Empty — placeholders to be filled with rationale docs alongside their corresponding ADRs.

S
Description
No description provided
Readme 42 MiB
Languages
TypeScript 85.3%
JavaScript 5.4%
SCSS 4.3%
HTML 3.9%
Shell 0.8%
Other 0.3%