fix(security): suppress CSRF false positive + upgrade next 15.5.19 + dep overrides

- Add .snyk policy file to suppress CSRF disabled false positive on JWT API chain
- Add inline documentation explaining why CSRF is intentionally disabled for stateless JWT
- Upgrade next.js 15.5.18 → 15.5.19 (latest stable 15.x patch)
- Upgrade eslint-config-next to match
- Add pnpm overrides for transitive CVEs: minimatch>=5.1.6, brace-expansion>=2.0.1, ajv>=8.17.1

.snyk

@@ -0,0 +1,19 @@
+# Snyk (https://snyk.io) policy file — managed by Lumen
+# Ignores documented false positives and accepted risks.
+version: v1.25.0
+language-settings:
+  java:
+    countUntriaged: false
+
+ignore:
+  # CSRF disabled on stateless JWT API chain — intentional and correct per OWASP:
+  # "If your application does not use cookies for authentication, CSRF is not a risk."
+  # The API security filter chain (Order 1) uses Authorization: Bearer tokens only.
+  # The portal filter chain (Order 2) correctly enables CSRF via CookieCsrfTokenRepository.
+  SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-CSRF:
+    - 'cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java':
+        reason: >-
+          Stateless JWT API — CSRF not applicable. Browser never auto-sends
+          Bearer tokens. Portal chain has CSRF enabled via CookieCsrfTokenRepository.
+        expires: 2027-06-19T00:00:00.000Z
+        created: 2026-06-19T07:00:00.000Z

cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java

@@ -54,6 +54,13 @@ public class SecurityConfig {
         http
                 .securityMatcher("/api/**")
                 .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+                // snyk:ignore java/CsrfProtectionDisabled — Intentional: this filter chain
+                // handles stateless JWT-authenticated API calls only. CSRF attacks exploit
+                // browser-managed session cookies; Bearer token auth is immune because the
+                // token is never sent automatically by the browser. OWASP CSRF Prevention
+                // Cheat Sheet: "If your application does not use cookies for authentication,
+                // CSRF is not a risk." The portal chain (Order 2) correctly enables CSRF via
+                // CookieCsrfTokenRepository for its session-based auth.
                 .csrf(csrf -> csrf.disable())
                 .sessionManagement(session -> session
                         .sessionCreationPolicy(SessionCreationPolicy.STATELESS))

cannamanage-frontend/package.json

@@ -56,7 +56,7 @@
     "emoji-picker-react": "4.12.2",
     "input-otp": "1.4.2",
     "lucide-react": "0.446.0",
-    "next": "15.5.18",
+    "next": "15.5.19",
     "next-auth": "5.0.0-beta.31",
     "next-intl": "^4.13.0",
     "react": "19.1.3",
@@ -88,7 +88,7 @@
     "@types/sockjs-client": "^1.5.4",
     "@vitejs/plugin-react": "^6.0.2",
     "eslint": "9.18.0",
-    "eslint-config-next": "15.5.18",
+    "eslint-config-next": "15.5.19",
     "eslint-config-prettier": "10.1.1",
     "eslint-plugin-prettier": "5.2.3",
     "jsdom": "^29.1.1",
@@ -107,6 +107,9 @@
     "@types/react": "19.0.12",
     "@types/react-dom": "19.0.4",
     "picomatch": ">=4.0.2",
-    "postcss": ">=8.4.31"
+    "postcss": ">=8.4.31",
+    "minimatch": ">=5.1.6",
+    "brace-expansion": ">=2.0.1",
+    "ajv": ">=8.17.1"
   }
 }

cannamanage-frontend/pnpm-lock.yaml

@@ -93,14 +93,14 @@ importers:
         specifier: 0.446.0
         version: 0.446.0(react@19.1.3)
       next:
-        specifier: 15.5.18
-        version: 15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3)
+        specifier: 15.5.19
+        version: 15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3)
       next-auth:
         specifier: 5.0.0-beta.31
-        version: 5.0.0-beta.31(next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)
+        version: 5.0.0-beta.31(next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)
       next-intl:
         specifier: ^4.13.0
-        version: 4.13.0(next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)(typescript@5.9.3)
+        version: 4.13.0(next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)(typescript@5.9.3)
       react:
         specifier: 19.1.3
         version: 19.1.3
@@ -184,8 +184,8 @@ importers:
         specifier: 9.18.0
         version: 9.18.0(jiti@2.6.1)
       eslint-config-next:
-        specifier: 15.5.18
-        version: 15.5.18(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3)
+        specifier: 15.5.19
+        version: 15.5.19(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3)
       eslint-config-prettier:
         specifier: 10.1.1
         version: 10.1.1(eslint@9.18.0(jiti@2.6.1))
@@ -679,56 +679,56 @@ packages:
       '@emnapi/core': ^1.7.1
       '@emnapi/runtime': ^1.7.1
 
-  '@next/env@15.5.18':
-    resolution: {integrity: sha512-hAV85Ckd9QR6RvH04MEKwsfLTksvFpO47j9xwtoIuvuPnlwecpSi+uZTtm8HirVbtlI2Fnz//xpcSTjFdyJk+g==}
+  '@next/env@15.5.19':
+    resolution: {integrity: sha512-sWWluFvcv5v3Fxznmf2ZfjyoVQt/64oCnYqS90inQWGzMPK1VjvekPiz3OPHKmFT30EnHrjlbyaHLt3M0vWabw==}
 
-  '@next/eslint-plugin-next@15.5.18':
-    resolution: {integrity: sha512-w4MYq8M26a8PNrfto0JosLf5/3ssln1rsyP96g2DkC8uFVymStM5DLSz5ElxxrPRg2XnTMnFo3kREFlhYvxhWw==}
+  '@next/eslint-plugin-next@15.5.19':
+    resolution: {integrity: sha512-Ctwb4qYuMbHN/1oXLlTdMchwG8h8Xzwq+wGZZMgF3o6+uwyBKAI2c96bdOsl+C62PaUD0Jkh+QpNkhUeDlam0Q==}
 
-  '@next/swc-darwin-arm64@15.5.18':
-    resolution: {integrity: sha512-w0WvQf1n+txiwns/9pwIQteCJpZTbxzO2SE0FLcwuD4v0WEh1JPOjdyxWL21XwJsdpx8cFRjyzxzCS/siP7HcQ==}
+  '@next/swc-darwin-arm64@15.5.19':
+    resolution: {integrity: sha512-jx9wWlTKueHKPvVOndyr7WuaevWCkuYqsQ8gC0TMPKAVWG3MhcdMrjfo9tvIZNXd0QOUYXXvAcZ325y8Uq7uzg==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [darwin]
 
-  '@next/swc-darwin-x64@15.5.18':
-    resolution: {integrity: sha512-znn71QmDuxm+BOaglihMZfvyySMnNljkVIY5Z2TCssBmm+WqL6c19VhtH5ktFkHa8EZ2bnTUpcNcmNSQsg67og==}
+  '@next/swc-darwin-x64@15.5.19':
+    resolution: {integrity: sha512-291KFcsIQ3OenRdiUDFOR6W3wezzH4auENXm1gbm1Bjd4ANMMRgxPrWTUztQN43BnVoVuMnHCrLeECIMwgFKbA==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [darwin]
 
-  '@next/swc-linux-arm64-gnu@15.5.18':
-    resolution: {integrity: sha512-yPPe5MNL+igZUa+OsqQJisqSfh6oarIuA1Q0BDxljGJhRQyZeP+WRHh7rs/jZUGMh5aY0YdIjXZG0VohkKkUdw==}
+  '@next/swc-linux-arm64-gnu@15.5.19':
+    resolution: {integrity: sha512-WeH+nelQyyMeE2f8FxBRZNrGipya5zHZV2vjzfCOAYyiI6am+NbnWAAldOBFQBB2w0DjJcsvrKqoFT2b7+5YoA==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [linux]
 
-  '@next/swc-linux-arm64-musl@15.5.18':
-    resolution: {integrity: sha512-glaCczEWIrHsokFZ3pP08U4BpKxwIdnT+txdOM32OBgpL9Yw4aqx8NejmgtZQZOdstQ5f0L3CasIZudzCuD+nw==}
+  '@next/swc-linux-arm64-musl@15.5.19':
+    resolution: {integrity: sha512-5xTOE0lDlDCSSfp+BAif7j17VRRCjWp//ZPZy6NI0QpdrhxtQnsZguSx0xAAZ0c9XZLrLLwCe/XVe5YPrRilKw==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [linux]
 
-  '@next/swc-linux-x64-gnu@15.5.18':
-    resolution: {integrity: sha512-oUfg2EgJmU3R0OCOWiokGFUTvZiPfXtriXiuF3YNxRoROCdgvTedHIzYoeKH34gsZxS/V7mHbfq2hpAHwhH1/A==}
+  '@next/swc-linux-x64-gnu@15.5.19':
+    resolution: {integrity: sha512-LTxRmMgqqMv05Had879W00Fm53quiJd3Zuz8h1JSNJ3nGSlbZ/7Tjs1tKyScgN3Au3t3MyPsjPlq60fMmSHLsg==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [linux]
 
-  '@next/swc-linux-x64-musl@15.5.18':
-    resolution: {integrity: sha512-JLxSP3KTd9iu/bvUMQxH7RJo9xKSHf55/6RPE4a6FTSZygGn7uvZbCej0AHXydwkggQGSD9UddSjwv6Xz5ESfA==}
+  '@next/swc-linux-x64-musl@15.5.19':
+    resolution: {integrity: sha512-eoNQSpA5PQfB9wBO4RA47MTDXWz1fizy9Y3Z6e4DetYIF3dvjuu8sj7aIGn/bFCU6lnFzTK34NtCaffP4NsQ7Q==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [linux]
 
-  '@next/swc-win32-arm64-msvc@15.5.18':
-    resolution: {integrity: sha512-ir1v7enP52K2HNz3tQQvwF+x7VNxBk1ciiZ18WBPvxf4C59IqdfmHPJYK3vH7rSxpuCVw/8C712wTXNAtEp+NA==}
+  '@next/swc-win32-arm64-msvc@15.5.19':
+    resolution: {integrity: sha512-6UNt2dFuCHOe446sm/Kp69nUe8/wIhnh9bm6Xcqw4qEWCOppLMOvhTBVgvM7invVUNr4SPpP6NOQsACtn2IN9Q==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [win32]
 
-  '@next/swc-win32-x64-msvc@15.5.18':
-    resolution: {integrity: sha512-LIu5me6QTANCd25E7I5uIEfvgQ06RK7tvHAbYo3zCb3VpxQEPvMcSpd87NwUABDT6MbGPdEGR5VRiK4PPTJhQg==}
+  '@next/swc-win32-x64-msvc@15.5.19':
+    resolution: {integrity: sha512-PhmojAHyqMne56HBLGu9dhDnHPuFmEjrXSQMM/nW0J6j849lk3ESrVtqNJcCk8CKOV7brpTTbaYAjwKPzKM69w==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [win32]
@@ -2802,8 +2802,8 @@ packages:
     resolution: {integrity: sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==}
     engines: {node: '>=10'}
 
-  eslint-config-next@15.5.18:
-    resolution: {integrity: sha512-HuoJU6uUPD00eyiud78IBnT4HLhztFj2V+ild2Uon5ZUrYZKe0Olu2QRD99e9IgL4/H1eg5Onka3BsfRW2U0Xw==}
+  eslint-config-next@15.5.19:
+    resolution: {integrity: sha512-UZwkuhBCNxVZfo93MSHRDOVNWXooJJGcAUyTAVIp0+9QFhH4SqJxWY0s6Mk9C2kMi777HPMn3dseOrZshWpG9Q==}
     peerDependencies:
       eslint: ^7.23.0 || ^8.0.0 || ^9.0.0
       typescript: '>=3.3.1'
@@ -3655,8 +3655,8 @@ packages:
       typescript:
         optional: true
 
-  next@15.5.18:
-    resolution: {integrity: sha512-eKL8zUJkX9Y5lE+RX/2YJoItVdGlIscyVyboeD9wSpp0PaGqjoA4tTpT2qPqz9ax+5IzGESyLSeZ/RCwbSZ2uQ==}
+  next@15.5.19:
+    resolution: {integrity: sha512-xNOW6tYshGX1/Oi3F8uuk4gpDeWsSUE/1Z0G5uUMekIxaQ0xc03UXd9II0VQHYMWviMeA0OHpJFAKsHf8bTYVg==}
     engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0}
     hasBin: true
     peerDependencies:
@@ -5051,34 +5051,34 @@ snapshots:
       '@tybys/wasm-util': 0.10.2
     optional: true
 
-  '@next/env@15.5.18': {}
+  '@next/env@15.5.19': {}
 
-  '@next/eslint-plugin-next@15.5.18':
+  '@next/eslint-plugin-next@15.5.19':
     dependencies:
       fast-glob: 3.3.1
 
-  '@next/swc-darwin-arm64@15.5.18':
+  '@next/swc-darwin-arm64@15.5.19':
     optional: true
 
-  '@next/swc-darwin-x64@15.5.18':
+  '@next/swc-darwin-x64@15.5.19':
     optional: true
 
-  '@next/swc-linux-arm64-gnu@15.5.18':
+  '@next/swc-linux-arm64-gnu@15.5.19':
     optional: true
 
-  '@next/swc-linux-arm64-musl@15.5.18':
+  '@next/swc-linux-arm64-musl@15.5.19':
     optional: true
 
-  '@next/swc-linux-x64-gnu@15.5.18':
+  '@next/swc-linux-x64-gnu@15.5.19':
     optional: true
 
-  '@next/swc-linux-x64-musl@15.5.18':
+  '@next/swc-linux-x64-musl@15.5.19':
     optional: true
 
-  '@next/swc-win32-arm64-msvc@15.5.18':
+  '@next/swc-win32-arm64-msvc@15.5.19':
     optional: true
 
-  '@next/swc-win32-x64-msvc@15.5.18':
+  '@next/swc-win32-x64-msvc@15.5.19':
     optional: true
 
   '@nodelib/fs.scandir@2.1.5':
@@ -7020,9 +7020,9 @@ snapshots:
 
   escape-string-regexp@4.0.0: {}
 
-  eslint-config-next@15.5.18(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3):
+  eslint-config-next@15.5.19(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3):
     dependencies:
-      '@next/eslint-plugin-next': 15.5.18
+      '@next/eslint-plugin-next': 15.5.19
       '@rushstack/eslint-patch': 1.16.1
       '@typescript-eslint/eslint-plugin': 8.61.0(@typescript-eslint/parser@8.61.0(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3))(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3)
       '@typescript-eslint/parser': 8.61.0(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3)
@@ -7875,22 +7875,22 @@ snapshots:
 
   negotiator@1.0.0: {}
 
-  next-auth@5.0.0-beta.31(next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3):
+  next-auth@5.0.0-beta.31(next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3):
     dependencies:
       '@auth/core': 0.41.2
-      next: 15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3)
+      next: 15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3)
       react: 19.1.3
 
   next-intl-swc-plugin-extractor@4.13.0: {}
 
-  next-intl@4.13.0(next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)(typescript@5.9.3):
+  next-intl@4.13.0(next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)(typescript@5.9.3):
     dependencies:
       '@formatjs/intl-localematcher': 0.8.10
       '@parcel/watcher': 2.5.6
       '@swc/core': 1.15.41
       icu-minify: 4.13.0
       negotiator: 1.0.0
-      next: 15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3)
+      next: 15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3)
       next-intl-swc-plugin-extractor: 4.13.0
       po-parser: 2.1.1
       react: 19.1.3
@@ -7900,9 +7900,9 @@ snapshots:
     transitivePeerDependencies:
       - '@swc/helpers'
 
-  next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3):
+  next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3):
     dependencies:
-      '@next/env': 15.5.18
+      '@next/env': 15.5.19
       '@swc/helpers': 0.5.15
       caniuse-lite: 1.0.30001799
       postcss: 8.4.31
@@ -7910,14 +7910,14 @@ snapshots:
       react-dom: 19.1.3(react@19.1.3)
       styled-jsx: 5.1.6(react@19.1.3)
     optionalDependencies:
-      '@next/swc-darwin-arm64': 15.5.18
-      '@next/swc-darwin-x64': 15.5.18
-      '@next/swc-linux-arm64-gnu': 15.5.18
-      '@next/swc-linux-arm64-musl': 15.5.18
-      '@next/swc-linux-x64-gnu': 15.5.18
-      '@next/swc-linux-x64-musl': 15.5.18
-      '@next/swc-win32-arm64-msvc': 15.5.18
-      '@next/swc-win32-x64-msvc': 15.5.18
+      '@next/swc-darwin-arm64': 15.5.19
+      '@next/swc-darwin-x64': 15.5.19
+      '@next/swc-linux-arm64-gnu': 15.5.19
+      '@next/swc-linux-arm64-musl': 15.5.19
+      '@next/swc-linux-x64-gnu': 15.5.19
+      '@next/swc-linux-x64-musl': 15.5.19
+      '@next/swc-win32-arm64-msvc': 15.5.19
+      '@next/swc-win32-x64-msvc': 15.5.19
       '@playwright/test': 1.60.0
       sharp: 0.34.5
     transitivePeerDependencies: