
fix: security problems, outdated deps versions#141

Merged
HardMax71 merged 1 commit into main from fix/sec-and-deps
Feb 6, 2026

Conversation

@HardMax71 (Owner)

@HardMax71 HardMax71 commented Feb 6, 2026

Summary by cubic

Updates vulnerable and outdated dependencies across backend and frontend, and hardens the cert-generator image. Standardizes the dev CA path to /shared_ca/ca.pem to prevent HTTPS trust errors.

  • Bug Fixes

    • Unified CA filename to /shared_ca/ca.pem across cert-generator, docker-compose, rollup, and docs to fix dev TLS issues.
    • Removed mkcert and wget from cert-generator to reduce attack surface.
  • Dependencies

    • Backend: click 8.3.1, multidict 6.7.1, propcache 0.4.1, sse-starlette 3.2.0, iniconfig 2.3.0; updated uv.lock.
    • Frontend: @codemirror/state 6.5.4, @codemirror/view 6.39.11, @lucide/svelte 0.563.1, @hey-api/openapi-ts ^0.90.10, @typescript-eslint/parser 8.53.1; updated package-lock.json.
    • cert-generator: kubectl pinned to v1.35.0.

Written for commit 1b13b98. Summary will update on new commits.

Summary by CodeRabbit

  • Chores

    • Updated backend and frontend package dependencies to latest versions
    • Updated kubectl to v1.35.0
    • Simplified certificate handling infrastructure by removing mkcert configuration
  • Documentation

    • Updated development guides with certificate configuration path references
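The "Bug Fixes" entry above unifies the dev CA filename to /shared_ca/ca.pem across the cert generator, docker-compose, the rollup proxy config and the docs, because a stale name in any one of them is exactly what produces the HTTPS trust errors the summary mentions. The following is an added example, not code from this PR or from the project: a small consistency check a maintainer could run in CI so that a reference to the old mkcert-ca.pem name, or to some other .pem under /shared_ca/, cannot quietly creep back in. The file contents it scans are constructed for the example; the /shared_ca/ volume layout it assumes is taken from the PR description.

```python
"""Added example (not part of the project): flag stale or divergent
references to the dev CA file across config and docs."""
import re
from typing import Dict, List, Tuple

# Path this PR standardizes on (from the PR description).
EXPECTED_CA_PATH = "/shared_ca/ca.pem"
# Filename the PR replaces; any remaining occurrence is a regression.
STALE_BASENAMES = ("mkcert-ca.pem",)
# Any absolute .pem path under the shared CA volume (assumed layout).
CA_PATH_RE = re.compile(r"/shared_ca/[A-Za-z0-9_.-]+\.pem")


def find_ca_issues(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for every suspicious CA reference."""
    issues: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Stale basename anywhere on the line, whatever directory precedes it.
        for stale in STALE_BASENAMES:
            if stale in line:
                issues.append(
                    (lineno, f"stale CA filename {stale!r}; use {EXPECTED_CA_PATH}")
                )
        # Any other .pem under /shared_ca/ that is not the unified path.
        for match in CA_PATH_RE.finditer(line):
            path = match.group(0)
            if path == EXPECTED_CA_PATH:
                continue
            if any(stale in path for stale in STALE_BASENAMES):
                continue  # already reported above
            issues.append(
                (lineno, f"unexpected CA path {path!r}; use {EXPECTED_CA_PATH}")
            )
    return issues


def check_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each offending file name to its issues; clean files are omitted."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for name, text in files.items():
        issues = find_ca_issues(text)
        if issues:
            report[name] = issues
    return report


# Constructed sample inputs standing in for the repository files the PR touches.
SAMPLE_FILES: Dict[str, str] = {
    "docker-compose.yaml": (
        "services:\n"
        "  frontend:\n"
        "    volumes:\n"
        "      - ./shared_ca:/shared_ca:ro\n"
        "    environment:\n"
        "      - NODE_EXTRA_CA_CERTS=/shared_ca/ca.pem\n"
    ),
    "frontend/rollup.config.js": (
        "// constructed: a reference the migration missed\n"
        "const ca = fs.readFileSync('/shared_ca/mkcert-ca.pem');\n"
    ),
    "docs/architecture/frontend-build.md": (
        "Trust the dev CA at /shared_ca/ca.pem in your browser.\n"
        "Older checkouts may still carry /shared_ca/ca-old.pem.\n"
    ),
}


if __name__ == "__main__":
    for name, issues in check_files(SAMPLE_FILES).items():
        for lineno, message in issues:
            print(f"{name}:{lineno}: {message}")
```

Run against a real checkout by replacing SAMPLE_FILES with a walk over the files named in the PR (setup-certs.sh, docker-compose.yaml, rollup.config.js, the docs); a non-empty report is the CI failure condition.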

@coderabbitai

coderabbitai bot commented Feb 6, 2026

📝 Walkthrough

This PR updates project dependencies in backend and frontend manifests (click, multidict, propcache, sse-starlette, iniconfig, @codemirror, @lucide/svelte, @hey-api/openapi-ts, @typescript-eslint/parser), removes mkcert from the certificate generator Docker image, bumps kubectl to v1.35.0, and updates all certificate path references from mkcert-ca.pem to ca.pem.

Changes

Cohort / File(s): Summary

  • Dependency Version Updates (backend/pyproject.toml, frontend/package.json): Minor version bumps for click, multidict, propcache, sse-starlette, iniconfig, and frontend libraries (@codemirror, @lucide/svelte, @hey-api/openapi-ts, @typescript-eslint/parser).
  • mkcert Removal & Kubernetes Update (cert-generator/Dockerfile): Removed MKCERT_VERSION arg, mkcert installation step, and MKCERT_ARCH mappings; updated kubectl from v1.33.6 to v1.35.0; simplified architecture handling.
  • Certificate Path Migration (cert-generator/setup-certs.sh, docker-compose.yaml, frontend/rollup.config.js): Updated CA certificate filename from mkcert-ca.pem to ca.pem across certificate setup script, Docker Compose config, and rollup proxy configuration.
  • Documentation Update (docs/architecture/frontend-build.md): Updated development TLS proxy guidance to reference new CA certificate path (/shared_ca/ca.pem).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • deps bump #98: Performs dependency version bumps in the same backend and frontend manifest files.
  • chore: update of dependencies #71: Updates dependency versions in identical manifest files (backend/pyproject.toml and frontend/package.json).
  • dependencies update #58: Overlapping changes to certificate generator infrastructure with dependency version updates in the same manifests.

Poem

🐰 A certificate path, once mkcert it was,
Now called simply ca.pem—such clarity! Because
Dependencies bumped, kubectl upgraded too,
The infrastructure hops forward, fresh and new! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Title check: ❓ Inconclusive. Explanation: The title references 'security problems' and 'outdated deps versions', but the changeset only shows routine dependency version bumps without clear security rationale or specific vulnerabilities addressed. Resolution: Clarify what specific security problems are being fixed and which dependencies address them. Alternatively, use a more accurate title like 'deps: update click, multidict, propcache, sse-starlette, kubectl and others' if these are routine maintenance updates.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


@sonarqubecloud

sonarqubecloud bot commented Feb 6, 2026

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 9 files

@HardMax71 HardMax71 merged commit e06cdd0 into main Feb 6, 2026
18 checks passed
@HardMax71 HardMax71 deleted the fix/sec-and-deps branch February 6, 2026 19:20