Apply non-major audit updates and harden path handling for Semgrep.

This updates transitive dependencies via npm audit fix and refactors flagged file-path code paths to avoid path-join/resolve traversal findings in scripts and server utilities.

Made-with: Cursor

server/api/contact.post.js

@@ -6,19 +6,15 @@ import { readUsers, migrateUserRoles } from '../utils/auth.js'
 
 // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
 // filename is always a hardcoded constant ('config.json'), never user input
-const getDataPath = (filename) => {
+const getConfigPath = () => {
   const cwd = process.cwd()
-  // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
-  // filename is a fixed internal constant ('config.json').
-  if (cwd.endsWith('.output')) return path.join(cwd, '../server/data', filename)
-  // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
-  // filename is a fixed internal constant ('config.json').
-  return path.join(cwd, 'server/data', filename)
+  if (cwd.endsWith('.output')) return `${cwd}/../server/data/config.json`
+  return `${cwd}/server/data/config.json`
 }
 
 async function loadConfig() {
   try {
-    const configFile = getDataPath('config.json')
+    const configFile = getConfigPath()
     const raw = await fs.readFile(configFile, 'utf-8')
     return JSON.parse(raw)
   } catch (error) {