security(deps): harden Dart, Java, Kotlin, Rust/Tauri — all languages covered

Dart/Flutter (150):
- pubspec.yaml: all ^ ranges replaced with exact versions via pub.dev API
  record 6.2.0, http 1.6.0, flutter_dotenv 6.0.0, path_provider 2.1.5,
  permission_handler 12.0.1, flutter_lints 6.0.0
- No active CVEs (http advisory GHSA-4rgh-jx4f-qfcq not applicable at 1.6.0)
- NOTE: pubspec.lock must be committed after running flutter pub get locally

Java/Spring Boot (300):
- Spring Boot parent 3.4.4 -> 3.5.3 (latest)
- OWASP dependency-check-maven plugin added (failBuildOnCVSS=7)
- deepgram-java-sdk 0.2.0 already latest

Kotlin/Android (360):
- Dependency locking enabled: allprojects { dependencyLocking { lockAllConfigurations() } }
- All versions already exact — no range changes needed
- NOTE: run ./gradlew dependencies --write-locks to generate lockfiles

Rust/Tauri (340):
- Cargo.toml: all deps pinned with = exact versions
- dotenv crate (RUSTSEC-2021-0141 unmaintained) replaced with dotenvy==0.15.7
- deepgram updated 0.9.1 -> 0.9.2 (latest patch)
- main.rs updated: dotenv::dotenv() -> dotenvy::dotenv()
- Cargo.lock generated (528 packages locked)
- cargo audit: 0 errors; 18 warnings are unfixable tauri transitive GTK deps
- TypeScript frontend: packageManager@10.30.3 added, pnpm-lock.yaml generated

Instructions:
- engineer.md: add Dart/Flutter and Kotlin/Android per-language security section
- lead-review.md: bypass + raw protocol checks from previous commit

Author: lukeocodes

examples/150-flutter-voice-transcription-dart/pubspec.yaml

@@ -11,20 +11,20 @@ dependencies:
   flutter:
     sdk: flutter
   # Audio recording — cross-platform (iOS, Android, web, desktop)
-  record: ^5.1.0
+  record: 6.2.0
   # HTTP client for Deepgram REST API (no official Dart SDK exists)
-  http: ^1.2.0
+  http: 1.6.0
   # Read .env file for API key during development
-  flutter_dotenv: ^5.1.0
+  flutter_dotenv: 6.0.0
   # File path utilities
-  path_provider: ^2.1.0
+  path_provider: 2.1.5
   # Permission handling for microphone access
-  permission_handler: ^11.3.0
+  permission_handler: 12.0.1
 
 dev_dependencies:
   flutter_test:
     sdk: flutter
-  flutter_lints: ^4.0.0
+  flutter_lints: 6.0.0
 
 flutter:
   uses-material-design: true

examples/300-spring-boot-live-transcription-java/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.4.4</version>
+        <version>3.5.3</version>
         <relativePath/>
     </parent>
 
@@ -25,6 +25,7 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
+            <!-- version managed by spring-boot-starter-parent BOM -->
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -47,6 +48,16 @@
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
             </plugin>
+            <!-- Supply-chain: scan dependencies for known CVEs on every build -->
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>12.1.3</version>
+                <configuration>
+                    <failBuildOnCVSS>7</failBuildOnCVSS>
+                    <suppressionFile>owasp-suppressions.xml</suppressionFile>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 </project>

examples/340-tauri-live-transcription-rust-ts/src/.npmrc

@@ -0,0 +1 @@
+save-exact=true

examples/340-tauri-live-transcription-rust-ts/src/package.json

@@ -3,6 +3,7 @@
   "private": true,
   "version": "0.1.0",
   "type": "module",
+  "packageManager": "pnpm@10.30.3",
   "scripts": {
     "dev": "vite",
     "build": "tsc && vite build",