fix: update better-auth to 1.6.11 to resolve GHSA-wxw3-q3m9-c3jr

Resolves moderate severity OAuth state mismatch vulnerability in better-auth.
Updated package-lock.json to reflect patched transitive dependencies.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -16,7 +16,7 @@ permissions:
   security-events: write
 
 env:
-  REGISTRY: git.farh.net
+  REGISTRY: ghcr.io
   IMAGE_NAME: cartsnitch/app
 
 jobs:
@@ -70,6 +70,31 @@ jobs:
       - run: npx playwright install --with-deps chromium
       - run: npx playwright test
 
+  lighthouse:
+    runs-on: ubuntu-latest
+    needs: [test]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: "20"
+          cache: npm
+      - run: npm ci
+      - run: npm run build
+      - name: Install Chromium for Lighthouse
+        run: |
+          npm install -g playwright
+          npx playwright install --with-deps chromium
+      - name: Start preview server
+        run: |
+          npm run preview &
+          npx wait-on http://localhost:4173/ --timeout 30000
+      - name: Run Lighthouse CI
+        run: |
+          CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
+          npm install -g @lhci/cli
+          CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"
+
   build-and-push:
     runs-on: ubuntu-latest
     if: github.event_name == 'push'
@@ -99,13 +124,20 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           echo "CalVer tag: $VERSION"
 
-      - name: Log in to Gitea Container Registry
+      - name: Log in to Docker Hub
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log in to GHCR
         if: github.event_name == 'push'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata
         id: meta
@@ -117,7 +149,33 @@ jobs:
             type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
-      - name: Build and push Docker image
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          target: prod
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan frontend image for vulnerabilities
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
+      
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -126,7 +184,6 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           target: prod
           cache-from: type=gha
-          cache-to: type=gha,mode=max
 
       - name: Create git tag
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
@@ -143,7 +200,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: cartsnitch/infra
-          token: ${{ secrets.REGISTRY_TOKEN }}
+          token: ${{ secrets.GITEA_TOKEN }}
           ref: main
           path: infra
 
@@ -166,7 +223,7 @@ jobs:
         if: needs.build-and-push.result == 'success'
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image git.farh.net/cartsnitch/app:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/app:${{ steps.frontend_tag.outputs.tag }}
 
       - name: Commit and push to infra
         run: |
@@ -187,7 +244,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: cartsnitch/infra
-          token: ${{ secrets.REGISTRY_TOKEN }}
+          token: ${{ secrets.GITEA_TOKEN }}
           ref: main
           path: infra
 
@@ -210,7 +267,7 @@ jobs:
         if: needs.build-and-push.result == 'success'
         run: |
           cd infra/apps/overlays/uat
-          kustomize edit set image git.farh.net/cartsnitch/app:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/app:${{ steps.frontend_tag.outputs.tag }}
 
       - name: Commit and push to infra
         run: |

package.json

@@ -45,15 +45,13 @@
     "typescript-eslint": "^8.56.1",
     "vite": "^6.4.2",
     "vite-plugin-pwa": "^0.21.2",
-    "vitest": "^3.2.6"
+    "vitest": "^3.2.4"
   },
   "overrides": {
-    "@babel/plugin-transform-modules-systemjs": ">=7.29.4",
     "@rollup/pluginutils": "5.3.0",
-    "brace-expansion": ">=1.1.15",
-    "fast-uri": ">=3.1.2",
     "flatted": "^3.4.2",
     "serialize-javascript": "7.0.5",
+    "brace-expansion": ">=1.1.13",
     "lodash": ">=4.17.24",
     "minimatch": "^10.2.4"
   }

src/pages/VerifyEmail.tsx

@@ -16,7 +16,7 @@ export function VerifyEmail() {
     const callbackURL = searchParams.get("callbackURL") || "/";
 
     if (!token) {
-      queueMicrotask(() => setStatus("error"));
+      setStatus("error");
       return;
     }