2026-03-29 — Dependency sweep and codebase hardening
What shipped today
Today was a full scout-dev automation cycle: three scout passes followed by dev-loop execution across 9 issues. The codebase went from several outdated dependencies and loose error handling to being fully current, with zero known vulnerabilities.
The first scout run identified three categories of work: Python dependency auditing (pip-audit wasn’t installed), a batch of outdated dependencies spanning TypeScript 5→6, Stripe SDK 20→21, and several others, and overly broad except Exception catches in the engine that could mask bugs. The dependency umbrella issue (#634) was decomposed into individual issues per package to keep changes atomic and reviewable.
The second scout run caught three more package updates that the first pass missed: React 19.2.4 (patch), @vercel/analytics 1→2 (major), and lucide-react 0.576→1.7 (major). All three were clean upgrades that needed no code changes; the only code change across the whole dependency batch was the Stripe API version string ("2026-02-25.clover" → "2026-03-25.dahlia"), updated alongside the Stripe SDK bump. The third scout was the most thorough, running all 9 configured scan dimensions. It reported no security findings, no dead code, test coverage at 100% for all handlers and services, and all 8 PRODUCT.md vision pillars implemented. The only actionable finding was a final batch of minor updates (Sentry, Supabase, PostHog, fast-xml-parser, vitest).
By end of day, both npm audit and pip-audit report zero vulnerabilities. All 537 web tests and 281 engine tests pass. The exception narrowing work replaced broad except Exception catches with specific types (ValueError, UnicodeError, UnicodeDecodeError) in URL parsing, webhook JSON handling, and HTML parsing — while keeping broad catches at resilience boundaries like the poller loop and scheduler tick.
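The narrowing pattern described above, as an added example rather than the engine's own code (the function names, the ParseError type and the sample inputs are assumptions): expected decoding and URL-shape failures are caught narrowly at the parse boundary and converted into one typed error, while the poller loop keeps a deliberately broad catch so that a bad item, or a bug in the handler, is logged and skipped instead of stopping the loop.

```python
import json
import logging
from urllib.parse import urlsplit

log = logging.getLogger("engine")


class ParseError(Exception):
    """Malformed input we expect to see in the wild (assumed type, not the engine's)."""


def parse_feed_url(raw: bytes) -> str:
    """Decode and validate a URL taken from untrusted input.

    Only decoding failures and URL-shape failures are expected here, so only
    those are caught. A TypeError or AttributeError from a caller passing the
    wrong type is a bug and is allowed to propagate.
    """
    try:
        url = raw.decode("utf-8")
        parts = urlsplit(url)  # raises ValueError on e.g. an unclosed IPv6 bracket
    except (UnicodeDecodeError, ValueError) as exc:
        raise ParseError(f"bad url: {exc}") from exc
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ParseError(f"unsupported url: {url!r}")
    return url


def parse_webhook_json(body: bytes) -> dict:
    """Decode a webhook body; reject non-UTF-8, non-JSON and non-object payloads."""
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ParseError(f"bad json: {exc}") from exc
    if not isinstance(payload, dict):
        raise ParseError("webhook body is not a JSON object")
    return payload


def poll_once(items, handler) -> tuple[int, int]:
    """Resilience boundary: one poll pass over a batch of items.

    ParseError means the item was bad and is skipped with a warning. Any other
    exception is a bug in the handler; it is logged with a traceback and the
    loop keeps going, because one bad item must not stop the poller.
    Returns (processed, failed).
    """
    processed = failed = 0
    for item in items:
        try:
            handler(item)
            processed += 1
        except ParseError as exc:
            log.warning("skipping malformed item: %s", exc)
            failed += 1
        except Exception:  # broad on purpose: this is the resilience boundary
            log.exception("handler crashed on %r", item)
            failed += 1
    return processed, failed


def rejected(fn, raw) -> bool:
    """True if fn rejects raw with ParseError; any other exception propagates."""
    try:
        fn(raw)
    except ParseError:
        return True
    return False


# Constructed sample batch (not real poller data): one good URL, three
# malformed inputs that the narrow catches turn into ParseError, and a None
# that simulates a caller bug, which only the broad catch in poll_once survives.
SAMPLE_ITEMS = [
    b"https://example.com/feed.xml",
    b"\xff\xfe not utf-8",
    b"http://[::1",
    b"ftp://example.com/feed.xml",
    None,
]


def run_demo() -> tuple[int, int]:
    return poll_once(SAMPLE_ITEMS, parse_feed_url)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(run_demo())
```

The split is the point: the narrow catches in the parsers only swallow the failures a hostile or sloppy feed can actually produce, so a real bug (here the None item) still surfaces with a traceback at the loop level rather than being silently absorbed where it happened.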
Completed
- #633: Add pip-audit for Python dependency vulnerability scanning
- #634: Upgrade major dependencies (decomposed into #636, #637)
- #635: Narrow broad except Exception catches in engine
- #636: Upgrade TypeScript from 5.9 to 6.0
- #637: Upgrade Stripe server SDK from 20 to 21
- #638: Update react and react-dom to 19.2.4
- #639: Upgrade @vercel/analytics from 1.x to 2.x
- #640: Upgrade lucide-react from 0.x to 1.x
- #641: Dependency patch updates (Sentry, Supabase, PostHog, vitest, fast-xml-parser)
Carry-over
All actionable queues are empty. 8 issues remain in backlog — all are future-vision features (signal amplification, shared intelligence, cross-article patterns, browser extension) or known Sentry noise (ECLECTIS-2 syntax error from crawlers, ECLECTIS-5 ESM/CJS in briefings detail). None are urgent.
Risks
No new risks identified. The codebase is in a healthy state with zero known vulnerabilities on both npm and pip sides.
Flags and watch-outs
- shadcn v4 (3.8→4.1) and eslint 10 are available but skipped — both are major bumps that need migration work, not patch updates.
- starlette 1.0 is available but pulled transitively by FastAPI — will update naturally when FastAPI bumps its dependency.
- @types/node ^20→^25 is a major type definition bump — low risk but skipped to avoid type churn.
Next session
- All queues empty: /dev-loop will idle until /scout creates new work
- Consider promoting backlog items if Paul wants to push on features (homepage social proof #471 is the most self-contained)
- The Sentry ECLECTIS-5 (ESM/CJS require error) has been in backlog since March — worth a quick investigation to see if it’s still reproducing after the dependency updates