fix/guide-bom-1.0.7-cves
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream patches (no suppressions): postgresql 42.7.11 -> 42.7.13 CVE-2026-54291 (CVSS4 8.2) — channelBinding downgrade / MITM httpcore5 5.3.6 -> 5.4.3 CVE-2026-54399 (7.5), CVE-2026-54428 (7.5) — DoS httpcore5 is transitive via httpclient5; Apache ships them as a matched pair, so bom 1.0.7 bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core. Verified locally: builds and tests pass on 1.0.7. Refs bom#6 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Description
Guide content service — API and admin SPA
Languages
Svelte
46.4%
Java
37.1%
Python
6.9%
TypeScript
4.8%
CSS
1.7%
Other
3.1%