chore(deps): monitor transitive security alerts in better-auth dependency tree

[ggfevans]

Summary

Three Dependabot alerts (high severity) exist for transitive dependencies pulled in by better-auth. None are exploitable in our codebase — documented here for tracking until upstream patches.

Alerts

#	Package	CVE	Severity	Parent Dep	Why Not Exploitable
47	effect@3.18.4	CVE-2026-32887	High	@prisma/config (peer dep)	Dev-only tooling, never loaded at runtime. No AsyncLocalStorage or RPC usage.
48	kysely@0.28.11	CVE-2026-33468	High	@better-auth/kysely-adapter	Better Auth runs in stateless mode (no DB). Zero kysely imports in source.
49	kysely@0.28.11	CVE-2026-33442	High	@better-auth/kysely-adapter	Same as above. Also MySQL-specific — no MySQL in project.

Action Items

• Monitor better-auth releases for dependency bumps that resolve these
• Dismiss Dependabot alerts once upstream patches land
• If we ever add a database layer, re-evaluate kysely usage and prefer type-safe query builders

Context

• Better Auth is configured for stateless mode (cookie-only sessions, no database backend)
• kysely CVEs are MySQL-specific; we have no MySQL
• effect is only present as a peer dep of @prisma/config, loaded during CLI operations only
• Assessment performed 2026-03-22

[ggfevans]

Update 2026-04-15 — five additional transitive alerts matching the same "not reachable" pattern

Adding to the tracking table. Evidence file: api/src/auth/config.ts:381-382 — Better Auth is configured without a database option, so stateless cookie-only mode is active and no DB adapter is instantiated.

#	Sev	Pkg	Chain	Why not exploitable
#68	high	drizzle-orm 0.45.1 (SQL injection via unescaped identifiers)	better-auth → @better-auth/drizzle-adapter → drizzle-orm	No DB adapter configured — drizzle-orm is never imported at runtime.
#58	high	defu 6.1.4 (__proto__ prototype pollution in defaults arg)	better-auth → defu (also via prisma → c12)	Loaded at runtime for config merge, but only merges our hardcoded createAuth() options object. No attacker-controlled input flows into the defaults argument.
#62	medium	@hono/node-server 1.19.11 (serveStatic repeated-slash bypass)	better-auth → prisma@7.4.2 → @prisma/dev → @hono/node-server	API runtime is Bun, not Node. @prisma/dev is CLI/dev-only; never loaded in the running server.
#56	medium	lodash 4.17.21 (prototype pollution in _.unset/_.omit)	… → @prisma/dev → @mrleebo/prisma-ast → chevrotain → lodash	Same — Prisma CLI dep chain, not runtime.
#57	high	lodash 4.17.21 (_.template code injection)	Same chain	Same — Prisma CLI dep chain, not runtime.

Action

Dismissing all five via `gh api` as "not used in runtime" with a link back to this issue. Upstream-patch monitoring stays the action item on this issue.

Previously tracked here (unchanged): #47 (effect), #48 + #49 (kysely).