security: patch runtime dependency vulnerabilities (mongoose, grpc-js, bn.js)

[grunch]

Qué hace

Cierra las alertas de Dependabot de scope runtime (producción) que son seguras de aplicar:

Paquete	Antes	Ahora	Alerta	Sev
mongoose	8.17.1	8.24.0	GHSA-wpg9-53fq-2r8h ($nor NoSQL injection)	high
@grpc/grpc-js	1.13.1	1.14.4 (override ^1.13.5)	GHSA-5375-pq7m-f5r2 / GHSA-99f4-grh7-6pcq (DoS crash)	high
bn.js	5.2.0/5.2.1	5.2.3 (override)	GHSA-378v-28hj-76wf (infinite-loop DoS)	medium

@grpc/grpc-js y bn.js son transitivas (vía lightning / invoices), por eso se fijan con overrides.

Cambio de tipos por mongoose

Mongoose 8.22+ endureció el genérico de Document._id. Las tres interfaces que declaran _id: string (IOrder, ICommunity, UserDocument) ahora extienden Document<string> para mantener la compatibilidad. Sin esto el build de TypeScript falla.

Fuera de alcance (a tratar aparte)

• valibot (ReDoS, high, transitiva vía ecpair→lightning): requiere subir lightning (10.25→10.27.x). La ruta vulnerable (EMOJI_REGEX) no es alcanzable desde esta app, así que se difiere a un PR propio con pruebas de la integración LND.
• 28 alertas dev-only (axios 0.x, express, body-parser, qs, serialize-javascript, glob, etc.): provienen de telegram-test-api y mocha; no se despliegan a producción. Se limpiarán subiendo esas herramientas en un PR aparte.

Verificación

• npm ci ✓ (lockfile en sync)
• npx tsc ✓
• npm run lint ✓
• npm test ✓ — 133 tests

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated database driver dependency to a newer version and resolved dependency version constraints for improved compatibility.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 145c1464-824b-4f7c-89eb-cd248b5b23c5

📥 Commits

Reviewing files that changed from the base of the PR and between 82d66d0 and ee26e14.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (4)

• models/community.ts
• models/order.ts
• models/user.ts
• package.json

---

Walkthrough

mongoose is bumped from ^8.17.1 to ^8.24.0 in package.json, along with a new overrides block pinning @grpc/grpc-js and bn.js. Three Mongoose document interfaces — ICommunity, IOrder, and UserDocument — are updated to extend Document<string> instead of the unparameterized Document.

Changes

Mongoose Upgrade and Model Type Fixes

Layer / File(s)	Summary
Mongoose version bump and dependency overrides package.json	mongoose updated from ^8.17.1 to ^8.24.0; new overrides block added pinning @grpc/grpc-js to ^1.13.5 and bn.js to ^5.2.3.
Model interfaces parameterized as Document<string> models/order.ts, models/user.ts, models/community.ts	IOrder, UserDocument, and ICommunity each changed from extending Document to Document<string> to match updated Mongoose generics.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• lnp2pBot/bot#725: Directly modifies the same Mongoose model TypeScript interfaces (ICommunity, IOrder, UserDocument) in the same three model files.

Suggested reviewers

• knocte
• Catrya

Poem

🐇 A string to tighten each Document's seam,
Mongoose leaps higher — a version-bumped dream!
With grpc and bn pinned snug in their place,
The models now type with precision and grace.
Hop hop, compile clean! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: patching runtime dependency vulnerabilities in mongoose, grpc-js, and bn.js, which aligns with the PR's primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch security/bump-runtime-deps

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed due to a network error.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}