# Security Advisories

Last reviewed: 2026-05-05.

## npm audit items that require upstream-compatible releases

`npm audit --json` still reports moderate advisories after updating the direct `postcss` devDependency to `8.5.14`:

- `next` -> bundled `postcss` advisory GHSA-qx2v-qp2m-jg93. The local project uses `next@16.2.4`; npm currently reports the vulnerable nested package at `node_modules/next/node_modules/postcss` and suggests `next@9.3.3`, which is not a compatible fix for this Next 16 application.
- `next-auth` -> transitive `uuid` advisory GHSA-w5hq-g745-h8pq. The local project uses `next-auth@4.24.13`; npm currently suggests `next-auth@3.29.10`, which is a breaking downgrade and not a compatible fix.

Do not apply `npm audit fix --force` for these items without a compatibility review: it would perform the breaking downgrades listed above. Re-check when a compatible stable `next` release, or a migration path for the auth dependency, is available.
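The two items above are the usual shape of an audit finding that `npm audit fix` cannot resolve without `--force`: the advisory sits on a transitive package and the only fix npm knows about is a semver-major change to a top-level dependency. The script below is an added example for this note, not project code. It triages the `npm audit --json` report (npm 7+ format, `auditReportVersion` 2) into advisories with an in-range fix and advisories that need a review, and applies a CI gate that tolerates only the documented exceptions. `SAMPLE_REPORT` is a constructed, trimmed report: the GHSA ids, the `node_modules/next/node_modules/postcss` path and the suggested versions mirror the items above, while the `uuid` path, the `example-dev-tool` entry and its advisory URL are placeholders.

```python
"""Triage `npm audit --json` output: in-range fixes vs. breaking-only fixes.

Added example; not part of the project. SAMPLE_REPORT is a constructed,
trimmed npm >= 7 audit report (auditReportVersion 2), keyed by package name.
"""
import json
from typing import Any

# Constructed sample. Advisory ids, the nested postcss path and the suggested
# versions come from the note above; the uuid path, example-dev-tool and the
# GHSA-xxxx placeholder are invented for the contrast case.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "postcss": {
            "severity": "moderate", "isDirect": False,
            "via": [{"name": "postcss", "severity": "moderate",
                     "url": "https://github.com/advisories/GHSA-qx2v-qp2m-jg93"}],
            "effects": ["next"], "nodes": ["node_modules/next/node_modules/postcss"],
            "fixAvailable": {"name": "next", "version": "9.3.3", "isSemVerMajor": True},
        },
        # `via` holding package names means "vulnerable only through them".
        "next": {
            "severity": "moderate", "isDirect": True, "via": ["postcss"],
            "effects": [], "nodes": ["node_modules/next"],
            "fixAvailable": {"name": "next", "version": "9.3.3", "isSemVerMajor": True},
        },
        "uuid": {
            "severity": "moderate", "isDirect": False,
            "via": [{"name": "uuid", "severity": "moderate",
                     "url": "https://github.com/advisories/GHSA-w5hq-g745-h8pq"}],
            "effects": ["next-auth"], "nodes": ["node_modules/uuid"],  # path constructed
            "fixAvailable": {"name": "next-auth", "version": "3.29.10", "isSemVerMajor": True},
        },
        "next-auth": {
            "severity": "moderate", "isDirect": True, "via": ["uuid"],
            "effects": [], "nodes": ["node_modules/next-auth"],
            "fixAvailable": {"name": "next-auth", "version": "3.29.10", "isSemVerMajor": True},
        },
        # Constructed contrast: a direct devDependency npm can fix in range.
        "example-dev-tool": {
            "severity": "low", "isDirect": True,
            "via": [{"name": "example-dev-tool", "severity": "low",
                     "url": "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"}],
            "effects": [], "nodes": ["node_modules/example-dev-tool"],
            "fixAvailable": True,
        },
    },
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def classify_fix(fix: Any) -> str:
    """npm emits true (fixable in range), false/absent (no fix), or an object
    naming the top-level package it would change; isSemVerMajor marks a
    breaking upgrade or downgrade, which is what --force would apply."""
    if not fix:
        return "none"
    if fix is True:
        return "compatible"
    return "breaking" if fix.get("isSemVerMajor") else "compatible"


def triage(report_json: str) -> list[dict[str, Any]]:
    """One finding per package that carries advisory objects in `via`; entries
    reached only through another vulnerable package are skipped so that each
    advisory is counted once."""
    report = json.loads(report_json)
    findings = []
    for pkg, vuln in report.get("vulnerabilities", {}).items():
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        if not advisories:
            continue
        fix = vuln.get("fixAvailable")
        findings.append({
            "package": pkg,
            "severity": vuln.get("severity", "info"),
            "direct": bool(vuln.get("isDirect")),
            "advisories": sorted(a["url"].rsplit("/", 1)[-1] for a in advisories),
            "nodes": vuln.get("nodes", []),
            "affects": vuln.get("effects", []),
            "fix": classify_fix(fix),
            "fix_target": f"{fix['name']}@{fix['version']}" if isinstance(fix, dict) else None,
        })
    return findings


def needs_review(findings: list[dict[str, Any]]) -> list[str]:
    """Advisory ids a plain `npm audit fix` cannot resolve."""
    return sorted(a for f in findings if f["fix"] != "compatible" for a in f["advisories"])


def compatible_fixes(findings: list[dict[str, Any]]) -> list[str]:
    """Packages a plain `npm audit fix` can update within the declared ranges."""
    return sorted(f["package"] for f in findings if f["fix"] == "compatible")


def gate(findings: list[dict[str, Any]], accepted: set[str], min_severity: str = "moderate") -> list[str]:
    """CI gate: advisories at or above min_severity with no compatible fix that
    are not in the documented accepted list (the items this note records)."""
    floor = SEVERITY_RANK[min_severity]
    return sorted(
        a for f in findings
        if f["fix"] != "compatible" and SEVERITY_RANK.get(f["severity"], 0) >= floor
        for a in f["advisories"] if a not in accepted
    )


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(f"{f['package']:<18} {f['severity']:<9} fix={f['fix']:<10} "
              f"target={f['fix_target']} nodes={f['nodes']}")
    documented = {"GHSA-qx2v-qp2m-jg93", "GHSA-w5hq-g745-h8pq"}
    print("needs review:", needs_review(found))
    print("gate failures:", gate(found, documented))
```

Feed it a real report with `npm audit --json > audit.json` and `triage(open("audit.json").read())`. The gate fails only on advisories that are neither fixable in range nor already listed in this note, so accepting the two items above does not silence new findings, and the "Re-check" step maps to removing an id from the accepted set once a compatible release exists.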
