
fix(deps): regenerate backend package-lock.json to sync with overrides#2651

Merged
DerekRoberts merged 2 commits into main from fix/backend-lock-file-sync
Apr 1, 2026

Conversation

@DerekRoberts
Member

@DerekRoberts DerekRoberts commented Apr 1, 2026

Summary

  • PR chore(deps): lock file maintenance #2646 (renovate lock file maintenance) updated hono to 4.12.9 in backend/package-lock.json, but the overrides section in backend/package-lock.json pins hono@<4.11.7 to 4.11.7. This caused npm ci to fail with: Invalid: lock file's hono@4.12.9 does not satisfy hono@4.11.7.
  • Regenerated the lock file via npm install --package-lock-only to resolve the inconsistency.
  • Verified: npm ci, npm run build, and npm run lint all pass.

Root Cause: How #2646 Merged Despite Failing

The repository ruleset (configured via GitHub Rulesets, not branch protection) requires these status checks:

  1. Analysis Results (from Analysis workflow)
  2. PR Results (from PR workflow)
  3. Validate Results (from PR Validate workflow)

The Backend Tests job (which runs npm ci) failed. Analysis Results has needs: [backend-tests, frontend-tests], and the results job only fails when needs.*.result contains failure or canceled; however, the backend-tests job was not skipped, it failed. The actual issue is that the analysis-results check name registered as SKIPPED (passing) while the individual Backend Tests check registered as FAILURE. Since only Analysis Results is in the required checks list (not Backend Tests), the PR was allowed to merge.

Additionally, the Builds (backend) check (from the PR workflow) passed because it builds inside a Docker container using a deploy script (npm ci --ignore-scripts), which runs at a different layer, not the host npm ci used by the Analysis workflow.
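One way to harden the gating job described above so that a failed upstream job cannot surface as a SKIPPED (passing) required check. This is an added example, not the repository's own workflow: the job names backend-tests and frontend-tests and the check name Analysis Results come from the PR description, while the `if: always()` guard and the step condition are assumed mitigations that the PR itself does not state.

```yaml
name: Analysis

on:
  pull_request:

jobs:
  backend-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci   # fails when the lock file conflicts with package.json overrides
        working-directory: backend

  frontend-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
        working-directory: frontend

  # Weak pattern (assumed, for contrast): without `if: always()` the results
  # job is skipped as soon as a needed job fails, and a skipped check does not
  # block a merge when only "Analysis Results" is required by the ruleset.
  #
  # results:
  #   name: Analysis Results
  #   needs: [backend-tests, frontend-tests]
  #   runs-on: ubuntu-latest
  #   steps:
  #     - run: echo "all good"

  # Hardened pattern: always run, then fail explicitly unless every needed
  # job reported success. Treating 'skipped' as a failure is an assumption
  # added here so an upstream job that never ran cannot pass the gate.
  results:
    name: Analysis Results
    needs: [backend-tests, frontend-tests]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Fail unless all upstream jobs succeeded
        if: >-
          ${{ contains(needs.*.result, 'failure') ||
              contains(needs.*.result, 'cancelled') ||
              contains(needs.*.result, 'skipped') }}
        run: |
          echo "Upstream job results: ${{ toJSON(needs) }}"
          exit 1
```

With this shape the single required check still carries the verdict of every job it depends on, so the ruleset does not need to list each test job individually.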


Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

PR #2646 lock file maintenance updated hono to 4.12.9 in the lock file,
but the overrides in package.json pinned hono@<4.11.7 to 4.11.7, causing
npm ci to fail with a version mismatch. Regenerating the lock file resolves
the inconsistency.
Copilot AI review requested due to automatic review settings April 1, 2026 02:50
@socket-security

socket-security bot commented Apr 1, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn    High      Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: frontend/package-lock.json › npm/jsdom@29.0.1 › npm/entities@6.0.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • backend/package-lock.json: Language not supported


@DerekRoberts DerekRoberts self-assigned this Apr 1, 2026
@DerekRoberts DerekRoberts merged commit d102648 into main Apr 1, 2026
34 of 36 checks passed
@DerekRoberts DerekRoberts deleted the fix/backend-lock-file-sync branch April 1, 2026 03:50
@github-project-automation github-project-automation bot moved this from New to Done in DevOps (NR) Apr 1, 2026

Labels

None yet

Projects

Status: Done


2 participants