[deps] Triage stale and overlapping dependency PRs after CI recovery

[jamiesun]

Context Boundary

• Repo/module: talkincode/toughradius, dependency maintenance across Go modules, web npm dependencies, and GitHub Actions.
• Version/commit: observed while working from origin/main commit 9bec7aff6dd7944ceebd09c44a432a4e7f307feb plus PR fix: restore strict security scan on main #231 branch verification.
• Related PRs currently open:
  • build(deps): bump the npm_and_yarn group across 1 directory with 9 updates #223 npm grouped updates
  • build(deps-dev): bump vite from 5.4.21 to 8.0.14 in /web #220 Vite major update
  • build(deps): bump golang.org/x/crypto from 0.45.0 to 0.52.0 #219 golang.org/x/crypto update
  • build(deps-dev): bump @typescript-eslint/eslint-plugin from 7.18.0 to 8.60.0 in /web #216 @typescript-eslint/eslint-plugin update
  • build(deps): bump golang.org/x/sync from 0.18.0 to 0.20.0 #215 golang.org/x/sync update
  • chore(deps): bump esbuild from 0.21.5 to 0.25.12 in /web in the npm_and_yarn group across 1 directory #198 older npm/esbuild grouped update
  • chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 in the go_modules group across 1 directory #197 older golang.org/x/crypto grouped update
  • build(deps): bump github.com/labstack/echo-jwt/v4 from 4.3.1 to 4.4.0 #195 echo-jwt update
  • Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 #175 older github.com/golang-jwt/jwt/v4 update

Expectation vs. Reality

Expected:

After main CI is stable again, dependency PRs should be triaged into one clear path: merge the safe non-overlapping updates, close superseded duplicates, and create a replacement PR for any major update that needs manual migration.

Actual:

Multiple dependency PRs are open at the same time, including overlapping Go security-library updates and overlapping npm/esbuild/Vite update paths. This makes it unclear which PR should be reviewed first and which are already superseded.

Reproduction Path

1. Run:

gh pr list --state open --limit 30 --json number,title,headRefName,isDraft,url,updatedAt

2. Observe the open Dependabot PR set listed above.
3. Run web dependency installation/build validation:

npm --prefix web ci
npm --prefix web run build

4. Observe that install/build can complete, while npm still reports moderate/high vulnerability audit output during install.
5. Run Go vulnerability validation:

go run golang.org/x/vuln/cmd/govulncheck@latest ./...

6. Current local validation reported no called Go vulnerabilities, so the Go PRs should be triaged by dependency freshness and CI compatibility rather than assumed runtime exploitability.

Blast Radius

• Affected users/paths: maintainers reviewing dependency and security PRs.
• Frequency: every CI run and dependency review until stale/superseded PRs are resolved.
• Severity rationale: not a runtime crash; this is release hygiene and security-maintenance debt. Leaving overlapping PRs open increases merge conflicts and hides which dependency path is authoritative.
• Workaround: manually inspect each PR and close superseded ones before reviewing the next dependency update.

Evidence

• PR fix: restore strict security scan on main #231 restores the security scan path so dependency PRs can be judged on stable CI.
• npm --prefix web ci && npm --prefix web run build completed locally, with npm audit output reporting 13 vulnerabilities (8 moderate, 5 high) during install.
• go run golang.org/x/vuln/cmd/govulncheck@latest ./... completed locally with no called vulnerabilities found.
• Open PR list shows duplicate/overlapping dependency streams, especially Go crypto updates and npm grouped updates.