docs: add security audit results to CHANGELOG

Document npm audit findings for frontend (21 vulns) and backend (27 vulns).
Recommend separate security PR for critical packages (axios, send/serve-static).

Ref: upgrade/deps-react-node-20251028

CHANGELOG.md

@@ -69,7 +69,30 @@
   - Warning originates from `react-scripts` 5.0.1 transitive dependencies (postcss@8.5.6)
   - No action required - will be resolved in future react-scripts updates
 
-### 📝 Documentation
+### <20> Security Audit Results
+
+**Frontend Dependencies** (as of 29. Oktober 2025):
+- **21 vulnerabilities** detected: 9 moderate, 11 high, 1 critical
+- **Critical/High severity issues:**
+  - `axios` (<=0.30.1): CSRF, SSRF, DoS vulnerabilities
+  - `follow-redirects`: Information exposure, improper URL handling
+  - `ansi-regex`, `decode-uri-component`: ReDoS vulnerabilities
+- **Moderate severity:**
+  - `@babel/runtime-corejs3`: Inefficient RegExp complexity
+  - `webpack-dev-server`: Source code exposure (dev-only)
+  - `highlight.js`: Various security issues
+- **Resolution:** Most issues can be addressed with `npm audit fix`. Critical packages (axios, follow-redirects) should be updated in a separate security PR.
+
+**Backend Dependencies** (as of 29. Oktober 2025):
+- **27 vulnerabilities** detected: 4 low, 9 moderate, 13 high, 1 critical
+- **Critical/High severity issues:**
+  - `send`/`serve-static`: Template injection leading to XSS
+  - Various transitive dependencies with known vulnerabilities
+- **Resolution:** Run `npm audit fix` to address most issues. Critical packages should be updated manually in a follow-up security PR.
+
+**Recommendation:** Create a separate PR for security updates after this upgrade is merged to avoid mixing framework upgrades with dependency patches.
+
+### <20>📝 Documentation
 - Created `docs/UPGRADE_PLAN-upgrade-deps-react-node-20251028.md` with phase-by-phase plan
 - Created `.github/ISSUES/upgrade-deps-react-node-20251028.md` (issue/PR template)
 - This CHANGELOG documents all completed work