00504352c184383ccca06e69f36ef6f9e4a6f54f
CI / commits (pull_request) Successful in 2m22s
CI / scan (pull_request) Successful in 2m31s
CI / a11y (pull_request) Successful in 2m24s
CI / check (pull_request) Failing after 5m20s
Docs site / build (pull_request) Successful in 2m6s
CI / perf (pull_request) Successful in 6m29s
`pnpm audit` flagged two moderate vulnerabilities introduced by the docs-site chantier (#154): * esbuild ≤ 0.24.2 — dev-server reflection of arbitrary cross-site requests (GHSA-67mh-4wv8-2f99). * vite ≤ 6.4.1 — path traversal via optimized-deps `.map` handling (GHSA-4w7w-66w2-5vf9). Both come from VitePress 1.6.4's pinned dep tree (`vitepress → vite@5.4.21 → esbuild@0.21.5`). The rest of the workspace already runs vite 8.0.13 + esbuild 0.27.3 (via @nx/vite, @analogjs/vite-plugin-angular, Vitest) — only the VitePress branch was stuck on the vulnerable line. The vite team did not backport the security fix to the 5.x line (`vite@^5.4.22` is not published — latest 5.x stays at 5.4.21, which is vulnerable). The only path forward is to let pnpm pick a patched major. With the override below, pnpm resolves vitepress's `vite ^5.0.0` constraint up to vite 7.3.2 — VitePress 1.6.4 runs against it cleanly: `docs:build` succeeds in ~4 s and the Mermaid- in-ADR-0009 regression fence still passes. Pattern matches the existing `pnpm.overrides` entries in this project (axios, follow-redirects, ip-address, etc.) — version- selector form `<package>@<vulnerable-range>` so the override becomes a no-op when the underlying dep eventually ships a clean version of its own. Why Renovate didn't propose this PR itself: vite and esbuild are **transitive** dependencies (declared by vitepress, not by us). Renovate's `vulnerabilityAlerts` flow handles direct deps; for pnpm transitives it would have to write to `pnpm.overrides` itself, which the v40 image doesn't do out of the box. The override is the manual remediation that Renovate would write if it could.
Documentation index
This is the entry point to all project documentation. It is maintained automatically: any addition, rename, or removal of a .md file under docs/ must be reflected here in the same change.
Conventions
- Documentation is written in English.
- One topic per file. Group related files into a folder when there are three or more.
- Cross-reference with relative links so they keep working in GitHub, IDEs, and exported sites.
- For architectural decisions, do not add them here — they belong in decisions/ as MADR 4.0.0 ADRs.
Sections
Daily development
- development.md — repo layout, prerequisites, initial setup, daily commands, observability dev-loop (Jaeger UI, log ↔ trace correlation), dependency updates (Renovate), conventional commit cycle. Day-to-day reference for working on the project.
Architecture
- architecture.md — cross-cutting Mermaid diagrams: C4 system context, C4 containers, Nx module boundaries, CI/CD pipeline. Single-decision diagrams (auth sequence, ERD, etc.) live inline in their ADR.
Onboarding & environment
Setup guides for new contributors:
- setup/01-wsl-terminal-setup.md — modern WSL terminal (Zsh + Powerlevel10k + CLI tools)
- setup/02-dev-web-stack.md — Node via nvm, pnpm via corepack, Docker
- setup/03-angular-nx-monorepo.md — Angular + Nx monorepo bootstrap
Operations & runbooks
Empty — to be populated when we deploy.
Security, performance, accessibility
Empty — placeholders to be filled with rationale docs alongside their corresponding ADRs.
Description
Languages
TypeScript
85.3%
JavaScript
5.4%
SCSS
4.3%
HTML
3.9%
Shell
0.8%
Other
0.3%