
[FE] Construct: New npm audit vulnerabilities – assessment & fix plan #984

@sangayt1997


Summary (issues shown on 19/02/2026):

  • npm audit reports multiple vulnerabilities. After review, only one affects production runtime code. The rest are dev-tooling related and do not ship to production.

Will be fixed

  • jspdf (High severity)
  • Runtime dependency with known injection and DoS issues.
  • Action: Upgrade to latest patched version.

Will NOT be fixed

  • ajv, minimatch, glob, ESLint-related packages
  • These are devDependencies only (linting/build tools), not included in production bundles.

Why not fixing dev-only issues

  • No end-user or runtime exposure
  • Require local/malicious developer input to exploit
  • Fixing them requires npm audit fix --force, which introduces breaking changes and destabilizes the toolchain
  • Accepted industry practice to ignore dev-only audit warnings

Risk

  • Production: Low (after jsPDF upgrade)
  • Development tooling: Accepted / low impact

Action

  • Upgrade jspdf
  • Track remaining dev-only vulnerabilities as accepted risk
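The triage above rests on one verifiable claim: that ajv, minimatch, glob and the ESLint packages are reachable only through devDependencies. The script below is an added example (not code from the Construct project or this issue) that checks that claim mechanically by joining the `nodes` paths from `npm audit --json` with the `dev: true` flags npm writes into a lockfileVersion 2/3 `package-lock.json`. Both inputs are constructed samples shaped like the real formats; package versions, the project name `construct-frontend` and the advisory text are placeholders. A node path the lockfile does not know is treated as runtime, so the check fails closed rather than silently accepting a finding.

```javascript
// Added example: classify `npm audit --json` findings as runtime vs dev-only
// using package-lock.json (lockfileVersion 2/3). Plain Node.js, no packages.

// Constructed sample in the shape of `npm audit --json` (npm 7+ report).
// Versions, ranges and advisory titles are placeholders, not real data.
const sampleAudit = {
  vulnerabilities: {
    jspdf: { name: "jspdf", severity: "high", isDirect: true, nodes: ["node_modules/jspdf"],
             via: [{ title: "placeholder: injection / DoS" }], fixAvailable: true },
    ajv: { name: "ajv", severity: "moderate", isDirect: false, nodes: ["node_modules/ajv"],
           via: [{ title: "placeholder" }], fixAvailable: true },
    minimatch: { name: "minimatch", severity: "high", isDirect: false,
                 nodes: ["node_modules/minimatch", "node_modules/eslint/node_modules/minimatch"],
                 via: [{ title: "placeholder" }], fixAvailable: false },
    glob: { name: "glob", severity: "high", isDirect: false, nodes: ["node_modules/glob"],
            via: ["minimatch"], fixAvailable: false },
  },
  metadata: { vulnerabilities: { total: 4 } },
};

// Constructed sample in the shape of package-lock.json `packages`.
// npm marks packages reachable only via devDependencies with `dev: true`;
// packages on the production dependency path carry no `dev` flag.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "construct-frontend", dependencies: { jspdf: "^0.0.0-placeholder" },
          devDependencies: { eslint: "^0.0.0-placeholder" } },
    "node_modules/jspdf": { version: "0.0.0-placeholder" },
    "node_modules/ajv": { version: "0.0.0-placeholder", dev: true },
    "node_modules/minimatch": { version: "0.0.0-placeholder", dev: true },
    "node_modules/eslint": { version: "0.0.0-placeholder", dev: true },
    "node_modules/eslint/node_modules/minimatch": { version: "0.0.0-placeholder", dev: true },
    "node_modules/glob": { version: "0.0.0-placeholder", dev: true },
  },
};

// A finding is "dev-only" only when every installed copy npm audit flagged
// (its `nodes`) is marked dev in the lockfile. A path missing from the
// lockfile cannot be proven dev-only, so it counts as runtime (fail closed).
function classifyFinding(vuln, lock) {
  const scopes = vuln.nodes.map((nodePath) => {
    const entry = lock.packages[nodePath];
    if (!entry) return "unknown";
    return entry.dev === true ? "dev" : "prod";
  });
  const scope = scopes.length > 0 && scopes.every((s) => s === "dev") ? "dev-only" : "runtime";
  return {
    name: vuln.name,
    severity: vuln.severity,
    scope,
    unresolved: scopes.filter((s) => s === "unknown").length,
  };
}

function triageAudit(audit, lock) {
  return Object.values(audit.vulnerabilities).map((v) => classifyFinding(v, lock));
}

// Split findings into the two buckets the issue uses: fix now vs accepted risk.
function buildFixPlan(findings) {
  const fix = findings.filter((f) => f.scope === "runtime").map((f) => f.name).sort();
  const accept = findings.filter((f) => f.scope === "dev-only").map((f) => f.name).sort();
  return { fix, accept };
}

const findings = triageAudit(sampleAudit, sampleLock);
for (const f of findings) {
  const note = f.unresolved ? ` (${f.unresolved} node(s) not in lockfile)` : "";
  console.log(`${f.severity.padEnd(9)} ${f.name.padEnd(12)} ${f.scope}${note}`);
}
console.log(buildFixPlan(findings));
```

Against a real checkout, feed it `npm audit --json` output and the project's own package-lock.json instead of the samples; `npm audit --omit=dev` is the built-in cross-check and should report only the runtime bucket. The lockfile flag describes what reaches the production bundle, not what executes on developer machines and in CI, which is where the accepted dev-only findings still run.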
