fix(deps): add dependency audit CI job and bump drizzle-orm, next

Add dependency-audit job to dependency-review workflow running
bun audit --audit-level=high on every PR.

Bump direct deps to patched versions:
- drizzle-orm ^0.45.1 → ^0.45.2 (SQL injection fix)
- next 16.1.5 → 16.2.3 (Server Components DoS fix)

Author: izadoesdev

.github/workflows/dependency-review.yml

@@ -16,3 +16,13 @@ jobs:
       - uses: actions/dependency-review-action@v4
         with:
           comment-summary-in-pr: always
+
+  dependency-audit:
+    runs-on: blacksmith-2vcpu-ubuntu-2404
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: "1.3.11"
+      - run: bun install --frozen-lockfile
+      - run: bun audit --audit-level=high

apps/dashboard/package.json

@@ -67,7 +67,7 @@
     "maplibre-gl": "^5.20.2",
     "motion": "^12.38.0",
     "nanoid": "^5.1.7",
-    "next": "^16.2.0",
+    "next": "^16.2.3",
     "next-themes": "^0.4.6",
     "nuqs": "^2.8.9",
     "ogl": "^1.0.11",

apps/docs/package.json

@@ -63,7 +63,7 @@
     "libphonenumber-js": "^1.12.38",
     "lucide-react": "^0.539.0",
     "motion": "^12.23.26",
-    "next": "^16.1.6",
+    "next": "^16.2.3",
     "next-themes": "^0.4.6",
     "nuqs": "^2.8.5",
     "ogl": "^1.0.11",

bun.lock

@@ -7,16 +7,16 @@
     "@biomejs/biome": "2.4.10",
     "@types/bun": "latest",
     "@types/dockerode": "^3.3.47",
-    "@types/node": "^24.12.0",
+    "@types/node": "^24.12.2",
     "chalk": "^5.6.2",
     "culori": "^4.0.2",
-    "dockerode": "^4.0.9",
+    "dockerode": "^4.0.10",
     "dotenv-cli": "^10.0.0",
     "husky": "^9.1.7",
     "ipaddr.js": "^2.3.0",
     "knip": "^5.88.1",
     "lint-staged": "^16.4.0",
-    "turbo": "^2.9.3",
+    "turbo": "^2.9.6",
     "typescript": "^5.9.3",
     "ultracite": "7.4.3"
   },
@@ -67,11 +67,11 @@
     "catalog": {
       "react": "19.2.4",
       "react-dom": "19.2.4",
-      "next": "16.1.5",
+      "next": "16.2.3",
       "typescript": "^5.9.3",
       "zod": "4.1.12",
       "tailwindcss": "^4.1.4",
-      "autumn-js": "^1.2.4",
+      "autumn-js": "^1.2.8",
       "stripe": "^18.2.1",
       "dayjs": "^1.11.13",
       "elysia": "^1.3.4",
@@ -102,7 +102,7 @@
       "bun-types": "latest",
       "ultracite": "^7.4.3",
       "turbo": "^2.5.2",
-      "drizzle-orm": "^0.42.0",
+      "drizzle-orm": "^0.45.2",
       "nanoid": "^5.1.6",
       "ua-parser-js": "^2.0.8",
       "evlog": "^2.11.1"

package.json

@@ -42,7 +42,7 @@
     "url": "https://github.com/databuddy-analytics/databuddy/issues"
   },
   "dependencies": {
-    "drizzle-orm": "^0.45.1"
+    "drizzle-orm": "^0.45.2"
   },
   "devDependencies": {
     "typescript": "^5.9.3",

packages/cache/package.json

@@ -15,7 +15,7 @@
     "@faker-js/faker": "^9.9.0",
     "@neondatabase/serverless": "^1.0.2",
     "@types/sqlstring": "^2.3.2",
-    "drizzle-orm": "^0.45.1",
+    "drizzle-orm": "catalog:",
     "ioredis": "^5.8.2",
     "pg": "^8.16.3",
     "sqlstring": "^2.3.3"

packages/db/package.json

@@ -25,7 +25,7 @@
     "autumn-js": "catalog:",
     "bullmq": "^5.34.0",
     "dayjs": "^1.11.19",
-    "drizzle-orm": "^0.44.7",
+    "drizzle-orm": "^0.45.2",
     "evlog": "catalog:",
     "jszip": "^3.10.1",
     "keypal": "^0.1.11",