From b0c95c5698df268c2688deeada2b3581904d1e1e Mon Sep 17 00:00:00 2001 From: "matthias.lotz" Date: Wed, 29 Oct 2025 23:16:27 +0100 Subject: [PATCH] docs: add security audit results to CHANGELOG Document npm audit findings for frontend (21 vulns) and backend (27 vulns). Recommend separate security PR for critical packages (axios, send/serve-static). Ref: upgrade/deps-react-node-20251028 --- CHANGELOG.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c05532a..135e247 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -69,7 +69,30 @@ - Warning originates from `react-scripts` 5.0.1 transitive dependencies (postcss@8.5.6) - No action required - will be resolved in future react-scripts updates -### 📝 Documentation +### � Security Audit Results + +**Frontend Dependencies** (as of 29. Oktober 2025): +- **21 vulnerabilities** detected: 9 moderate, 11 high, 1 critical +- **Critical/High severity issues:** + - `axios` (<=0.30.1): CSRF, SSRF, DoS vulnerabilities + - `follow-redirects`: Information exposure, improper URL handling + - `ansi-regex`, `decode-uri-component`: ReDoS vulnerabilities +- **Moderate severity:** + - `@babel/runtime-corejs3`: Inefficient RegExp complexity + - `webpack-dev-server`: Source code exposure (dev-only) + - `highlight.js`: Various security issues +- **Resolution:** Most issues can be addressed with `npm audit fix`. Critical packages (axios, follow-redirects) should be updated in a separate security PR. + +**Backend Dependencies** (as of 29. Oktober 2025): +- **27 vulnerabilities** detected: 4 low, 9 moderate, 13 high, 1 critical +- **Critical/High severity issues:** + - `send`/`serve-static`: Template injection leading to XSS + - Various transitive dependencies with known vulnerabilities +- **Resolution:** Run `npm audit fix` to address most issues. Critical packages should be updated manually in a follow-up security PR. + +**Recommendation:** Create a separate PR for security updates after this upgrade is merged to avoid mixing framework upgrades with dependency patches. + +### �📝 Documentation - Created `docs/UPGRADE_PLAN-upgrade-deps-react-node-20251028.md` with phase-by-phase plan - Created `.github/ISSUES/upgrade-deps-react-node-20251028.md` (issue/PR template) - This CHANGELOG documents all completed work
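Review bot: the two headings this hunk adds carry a U+FFFD replacement character, `+### � Security Audit Results` and `+### �📝 Documentation`, so the hunk also turns the previously clean `-### 📝 Documentation` heading into a corrupted one; fix the file encoding before merging and restore `### 📝 Documentation` as it was (the new heading should get a real emoji or none). Two smaller points on the same lines: the dates are written as "29. Oktober 2025" in an otherwise English changelog, so "29 October 2025" or 2025-10-29 would be consistent, and the findings name packages and severities but no advisory identifiers or lockfile revision, which makes "Various transitive dependencies with known vulnerabilities" impossible to re-check later; recording the advisory IDs from the audit output (or attaching the audit summary) would let the follow-up security PR the entry recommends be verified against these numbers. Note also that `npm audit fix` only applies semver-compatible updates, which is why the critical packages singled out here (axios, send/serve-static) are the ones that still need the manual follow-up the entry already calls for; saying so in the "Resolution" lines would make that explicit.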