Reduce backend dependency audit exposure

.github/workflows/ci.yml

@@ -43,6 +43,27 @@ jobs:
       - name: Run tests
         run: npm test -- --runInBand --ci --colors
 
+  audit:
+    name: Production dependency audit
+    runs-on: ubuntu-latest
+    env:
+      CI: 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node 22
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: npm
+
+      - name: Install
+        run: npm ci
+
+      - name: Audit production dependencies
+        run: npm run audit:prod
+
   lint-sql:
     name: Schema sanity
     runs-on: ubuntu-latest

README.md

@@ -38,8 +38,23 @@ npm ci
 cp .env.example .env        # then edit — see .env.example for inline docs
 npm run dev                 # nodemon on :3001
 npm test                    # full jest suite (~830 cases)
+npm run audit:prod          # fail on critical production dependency issues
 ```
 
+## Dependency Audit Triage
+
+`npm run audit:prod` is wired into CI and fails on critical production
+vulnerabilities. As of this update, the remaining production audit findings are
+known transitive issues under `syscoinjs-lib`'s Ethereum proof stack
+(`eth-proof` / `isomorphic-fetch` / `node-fetch` and `ethers` v5 helpers).
+`npm audit fix --force` proposes changing `syscoinjs-lib` through a breaking
+path, so that risk is tracked separately instead of forced into a dependency
+maintenance PR.
+
+`pm2` is intentionally not an application dependency. If you use it for process
+supervision, install it globally or through your host image, as shown in the
+single-host deployment notes below.
+
 ## Configuration
 
 All configuration is via environment variables. `.env.example` is the source of truth and carries inline rationale for every field. The short form: