=== JAVASCRIPT DEPENDENCY AUDIT TRIAGE ===

Package manager: npm

Findings: 3 critical and 19 high vulnerabilities reported.

Immediate recommendation: Do not run a force fix blindly.

Why: Force fixes can introduce major version upgrades and break production, especially in frameworks, build tools, authentication libraries, or server dependencies.

Production dependency issues: Need to identify which findings affect runtime dependencies used by the deployed app.

Development dependency issues: Some high/critical findings may be in build tools or test tools. These still matter, but they may not have the same urgency as production runtime issues.

Direct dependencies: Identify which vulnerable packages are listed directly in package.json.

Transitive dependencies: For transitive issues, identify the parent package. The safe fix may be updating the parent dependency rather than forcing a nested package.

Safe update strategy:

1. Save the current audit output.
2. Group findings by package and dependency path.
3. Identify production runtime findings.
4. Patch direct production dependencies first.
5. For transitive findings, update the parent package when possible.
6. Use overrides only when compatibility is understood.
7. Avoid major upgrades without changelog review.
8. Run tests and build after each group of updates.

Force/override caution: Use force or overrides only after reviewing the proposed version changes and compatibility risk. Never use force as a blind cleanup step before a production release.

Testing checklist:

• npm install/ci succeeds
• lockfile is updated
• npm audit rerun shows reduction
• app builds
• unit/integration tests pass
• auth/payment/admin flows tested if relevant
• staging smoke test passes