Security audit and remediation for canvas-ai

[inlined]

Security Audit & Remediation: canvas-ai

A. Previous CVEs

• GHSA-9qr9-h5gf-34mp - next (Severity: Critical)
• GHSA-mwv6-3258-q52c - next (Severity: High)
• GHSA-h25m-26qc-wcjf - next (Severity: High)
• GHSA-267c-6grr-h53f - next (Severity: High)
• GHSA-mg66-mrh9-m8jx - next (Severity: High)
• GHSA-c4j6-fc7j-m34r - next (Severity: High)
• GHSA-q4gf-8mx6-v5v3 - next (Severity: High)
• GHSA-8h8q-6873-q5fj - next (Severity: High)
• GHSA-26hh-7cqf-hhc6 - next (Severity: High)
• GHSA-36qx-fr4f-26g5 - next (Severity: High)
• GHSA-ph9p-34f9-6g65 - tmp (Severity: High)
• GHSA-48c2-rrv3-qjmp - yaml (Severity: Moderate)
• GHSA-qx2v-qp2m-jg93 - postcss (Severity: Moderate)
• GHSA-w5hq-g745-h8pq - uuid (Severity: Moderate)

B. Changes Made

• Updated next from 15.2.3 to ^15.5.19
• Removed unused abandonware patch-package and refactored call sites to use native runtime stdlib
• Added npm overrides to update transitive postcss to ^8.5.10 and uuid to ^11.1.1

C. Remaining CVEs

• Transitive dependencies under @opentelemetry/... (Required transitively by google-gax, firebase-admin, @google-cloud/modelarmor, genkit-cli): No fix available upstream in Genkit/Google Cloud SDK packages yet. Transitive tree: genkit-cli > @genkit-ai/telemetry-server > @opentelemetry/...

D. Introduced CVEs

• None

E. Testing Strategy

• Created and executed standalone smoke test validation script (node audit_verify.mjs) - 100% passing.
• Executed automated TypeScript typecheck (npx tsc --noEmit) - 100% passing.

[gemini-code-assist]

Code Review

This pull request adds an automated verification script (audit_verify.mjs) for the canvas-ai application and updates several dependencies in package.json, including upgrading next and postcss, removing patch-package, and adding dependency overrides. Feedback on the verification script recommends using globalThis.crypto?.randomUUID instead of directly referencing crypto.randomUUID to safely handle environments where the global crypto object might be undefined and avoid throwing a ReferenceError.

[gemini-code-assist]

Accessing crypto.randomUUID directly will throw a ReferenceError if the global crypto object is not defined (e.g., in older Node.js environments), because the identifier crypto must be resolved before accessing its property. Using globalThis.crypto?.randomUUID avoids this reference error and allows the assertion to fail gracefully with the specified message.

Suggested change

	assert.strictEqual(typeof crypto.randomUUID, 'function', 'crypto.randomUUID built-in should exist');
	assert.strictEqual(typeof globalThis.crypto?.randomUUID, 'function', 'crypto.randomUUID built-in should exist');