MinistryPlatform-Community · chriskehayias · May 22, 2026 · May 21, 2026 · May 21, 2026
diff --git a/.claude/TODO/2026-04-17-commands-audit-deps-stale-key-deps.md b/.claude/TODO/2026-04-17-commands-audit-deps-stale-key-deps.md
diff --git a/.claude/TODO/2026-05-21-xmldom-critical-vulnerability.md b/.claude/TODO/2026-05-21-xmldom-critical-vulnerability.md
diff --git a/.claude/TODO/INDEX.md b/.claude/TODO/INDEX.md
@@ -8,6 +8,7 @@ last_updated: 2026-05-21
 <!-- 2026-04-18: closed 3 utils TODOs (imb-fallback-silent, tool-params-missing-test, tool-params-parseint-nan) — see commit fix(utils): log barcode fallbacks, guard tool-params NaN, add tool-params tests -->
 <!-- 2026-04-18: closed 5 low TODOs (contexts-session-context-misnamed, dto-constants-batchsize-duplication, dto-constants-mailerid-not-validated, testing-claude-md-readme-counts-drift, verify-auth-oauth-flow) — see commit chore: rename contexts hook, dedupe BATCH_SIZE, validate mailerId, refresh docs -->
 <!-- 2026-05-21: opened 1 critical TODO (xmldom-critical-vulnerability) — see install-testing feedback; address before next ship -->
+<!-- 2026-05-21: closed 1 critical TODO (xmldom-critical-vulnerability) — replaced docxtemplater-image-module-free with maintained docxtemplater-image (uses @xmldom/xmldom@^0.9.7) -->
 
 
 # TODO Index
@@ -19,16 +20,14 @@ All open TODOs dropped during the context-engineering review (2026-04-17) and an
 - **medium**: doc drift, missing test, refactor with real cost
 - **low**: nits, minor doc fixes, stylistic improvements
 
-Total: **4 open TODOs**.
+Total: **3 open TODOs**.
 
 ---
 
 ## By severity
 
-### Critical (1)
-| Area | Tags | Title | File |
-|---|---|---|---|
-| components | security | Critical xmldom vulnerability via docxtemplater-image-module-free | [→](2026-05-21-xmldom-critical-vulnerability.md) |
+### Critical (0)
+_none open_
 
 ### High
 _none open_
@@ -47,8 +46,8 @@ _none open_
 
 ## By tag
 
-### security (1)
-- xmldom-critical-vulnerability — critical
+### security (0)
+_none open_
 
 ### bug (2)
 _see severity sections above; tag appears on items involving a functional defect_
@@ -74,7 +73,7 @@ _none open_
 
 | Area | Count |
 |---|---|
-| components | 4 |
+| components | 3 |
 | auth | 0 |
 | mp-provider | 0 |
 | services | 0 |

diff --git a/.claude/commands/audit-deps.md b/.claude/commands/audit-deps.md
@@ -46,9 +46,13 @@ If the user requests, execute the recommended action plan:
 - Report final status
 
 ## Key Dependencies to Always Check
-- next / next-auth (framework security)
+- next / eslint-config-next (framework security)
 - react / react-dom (core framework)
-- jsonwebtoken / bcryptjs (auth/crypto)
-- drizzle-orm / drizzle-kit (database)
-- Any AWS SDK packages
-- Any packages with known historical vulnerabilities
+- better-auth (auth/session)
+- zod (validation — v4 API differs from v3)
+- @grapesjs/react / grapesjs / grapesjs-mjml / mjml (template editor)
+- docx / docxtemplater / docxtemplater-image-module-free / pizzip (Word merge)
+- openai (LLM client, if used by tools)
+- @react-pdf/renderer (PDF output)
+- vitest / @vitest/coverage-v8 / @vitejs/plugin-react (test runner)
+- typescript (toolchain)
diff --git a/.claude/references/components/address-labels.md b/.claude/references/components/address-labels.md
@@ -59,7 +59,7 @@ Tool route: `src/app/(web)/tools/addresslabels/page.tsx` → `address-labels.tsx
 - **POSTNET**: Legacy 5/9/11-digit tall/short bar barcode (no Mailer ID needed).
 - **Skip reasons** (`SkipReason` in `src/lib/dto/address-label.dto.ts:15`): `no_address`, `no_postal_code`, `opted_out` (`Bulk_Mail_Opt_Out=true`), `no_barcode` (only when `includeMissingBarcodes=false`), `no_household` (household mode only — contact lacks `Household_ID` so dedup cannot be guaranteed).
 - **Pre-encoded bar states**: `preEncodeBarcodes()` encodes once on the server into `LabelData.barStates` so the PDF/Word renderers are pure layout (see `../utils/barcodes.md`).
-- **Mail-merge tab**: uploads a `.docx` with `{Name}`, `{AddressLine1}`, `{AddressLine2}`, `{City}`, `{State}`, `{PostalCode}`, `{%Barcode}` tokens plus `{#addresses}…{/addresses}` loop and `{#isNotLast}<pagebreak>{/isNotLast}` conditional — barcodes become BMP images via `docxtemplater-image-module-free`.
+- **Mail-merge tab**: uploads a `.docx` with `{Name}`, `{AddressLine1}`, `{AddressLine2}`, `{City}`, `{State}`, `{PostalCode}`, `{%Barcode}` tokens plus `{#addresses}…{/addresses}` loop and `{#isNotLast}<pagebreak>{/isNotLast}` conditional — barcodes become BMP images via `docxtemplater-image`.
 - **LocalStorage persistence**: last-used `LabelConfig` stored under key `address-labels-config` (`src/app/(web)/tools/addresslabels/address-labels.tsx:15`).
 
 ## API / Interface
@@ -177,7 +177,7 @@ const SERVICE_TYPES = [{id:'040',…}, {id:'300',…}, {id:'044',…}, {id:'700'
 ### mergeTemplate (.docx mail merge)
 - Rejects `templateBase64` if `Math.ceil(length * 0.75) > 5 * 1024 * 1024`.
 - `preEncodeBarcodes()` then builds `addresses[]` rows with `{ Name, AddressLine1, AddressLine2, City, State, PostalCode, Barcode: 'barcode_N', isNotLast }` plus a `Map<string,Buffer>` of BMP barcodes keyed by `barcode_N`.
-- `Docxtemplater` with `docxtemplater-image-module-free` — `getImage` resolves key strings to buffers; `getSize` returns `[200, 25]` for the `Barcode` tag.
+- `Docxtemplater` with `docxtemplater-image` — `getImage` resolves key strings to buffers; `getSize` returns `[200, 25]` for the `Barcode` tag.
 - Render errors containing "tag" are wrapped as `Template error: …`.
 
 ### Mail merge tab upload flow

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -47,7 +47,7 @@
     "cmdk": "^1.1.1",
     "docx": "^9.6.1",
     "docxtemplater": "^3.68.5",
-    "docxtemplater-image-module-free": "^1.1.1",
+    "docxtemplater-image": "^0.1.2",
     "dotenv": "^17.3.1",
     "grapesjs": "^0.22.14",
     "grapesjs-mjml": "^1.0.8",

diff --git a/src/components/address-labels/actions.test.ts b/src/components/address-labels/actions.test.ts
@@ -72,7 +72,7 @@ vi.mock('pizzip', () => ({
   default: class {},
 }));
 
-vi.mock('docxtemplater-image-module-free', () => ({
+vi.mock('docxtemplater-image', () => ({
   default: class {},
 }));
 

diff --git a/src/components/address-labels/actions.ts b/src/components/address-labels/actions.ts
@@ -23,7 +23,7 @@ import { preEncodeBarcodes } from '@/lib/barcode-helpers';
 import { validateMailerId } from '@/lib/validation';
 import Docxtemplater from 'docxtemplater';
 import PizZip from 'pizzip';
-import ImageModule from 'docxtemplater-image-module-free';
+import ImageModule from 'docxtemplater-image';
 import { imbBarcodeToBmp, postnetBarcodeToBmp } from '@/lib/barcode-image';
 
 async function getSession() {

diff --git a/src/components/address-labels/sample-template.ts b/src/components/address-labels/sample-template.ts
@@ -88,7 +88,7 @@ export async function generateSampleTemplate(): Promise<string> {
           ],
         }),
 
-        // Barcode image placeholder (% prefix for docxtemplater-image-module-free)
+        // Barcode image placeholder (% prefix for docxtemplater-image)
         new Paragraph({
           spacing: { after: 200 },
           children: [new TextRun({ text: '{%Barcode}', size: 22, font: 'Arial' })],

diff --git a/...ypes/docxtemplater-image-module-free.d.ts → src/types/docxtemplater-image.d.ts b/...ypes/docxtemplater-image-module-free.d.ts → src/types/docxtemplater-image.d.ts
@@ -1,4 +1,4 @@
-declare module 'docxtemplater-image-module-free' {
+declare module 'docxtemplater-image' {
   interface ImageModuleOptions {
     centered?: boolean;
     getImage: (tagValue: unknown, tagName: string) => Buffer | string;