fix(security): audit and harden existing examples against supply-chain attacks

260-nestjs-websocket-stt (HIGH — 3 CVEs fixed):
- path-to-regexp 8.3.0 → 8.4.2 via npm audit fix (GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7)
- @nestjs/core and @nestjs/platform-express 11.1.17 → 11.1.18
- Pinned all ^ ranges to exact versions in package.json

310-crewai-voice-agents-python (CVE documented):
- crewai[tools]>=1.12.0 → ==1.13.0
- deepgram-sdk==v6.1.1 → ==6.1.1 (removed invalid v prefix)
- python-dotenv>=1.0.0 → ==1.1.1
- CVE-2026-25645 (requests 2.32.5) documented: crewai-tools==1.13.0
  pins requests~=2.32.5 upstream; cannot override without breaking tools

200, 240, 270, 280 (pinning):
- Replaced all ^ and ~ ranges with exact versions from resolved lockfiles
- No vulnerabilities found in these examples

270-sveltekit-live-transcription-ts (LOW — upstream blocker):
- cookie <0.7.0 vulnerability via @sveltejs/kit; npm audit fix --force would
  downgrade to 0.0.30 (breaking). Upstream issue, monitored.

Author: lukeocodes

examples/200-vanilla-js-browser-transcription/package.json

@@ -8,11 +8,11 @@
     "test": "node tests/test.js"
   },
   "dependencies": {
-    "@deepgram/sdk": "^5.0.0",
-    "dotenv": "^16.4.0",
-    "express": "^4.21.0",
-    "express-ws": "^5.0.2",
-    "ws": "^8.18.0"
+    "@deepgram/sdk": "5.0.0",
+    "dotenv": "16.6.1",
+    "express": "4.22.1",
+    "express-ws": "5.0.2",
+    "ws": "8.20.0"
   },
   "engines": {
     "node": ">=18"

examples/240-nuxt-streaming-stt-tts-ts/package.json

@@ -10,9 +10,9 @@
   },
   "dependencies": {
     "@deepgram/sdk": "5.0.0",
-    "nuxt": "^3.17.0"
+    "nuxt": "3.21.2"
   },
   "devDependencies": {
-    "typescript": "^5.8.0"
+    "typescript": "5.9.3"
   }
 }

examples/260-nestjs-websocket-stt/package-lock.json

@@ -11,20 +11,20 @@
   },
   "dependencies": {
     "@deepgram/sdk": "5.0.0",
-    "@nestjs/common": "^11.0.0",
-    "@nestjs/core": "^11.1.17",
-    "@nestjs/platform-express": "^11.1.17",
-    "@nestjs/platform-socket.io": "^11.1.17",
-    "@nestjs/websockets": "^11.1.17",
-    "dotenv": "^16.4.0",
-    "reflect-metadata": "^0.2.2",
-    "rxjs": "^7.8.0",
-    "socket.io": "^4.7.0"
+    "@nestjs/common": "11.1.17",
+    "@nestjs/core": "11.1.18",
+    "@nestjs/platform-express": "11.1.18",
+    "@nestjs/platform-socket.io": "11.1.17",
+    "@nestjs/websockets": "11.1.17",
+    "dotenv": "16.6.1",
+    "reflect-metadata": "0.2.2",
+    "rxjs": "7.8.2",
+    "socket.io": "4.8.3"
   },
   "devDependencies": {
-    "@types/node": "^22.0.0",
-    "socket.io-client": "^4.8.3",
-    "typescript": "^5.7.0"
+    "@types/node": "22.19.15",
+    "socket.io-client": "4.8.3",
+    "typescript": "5.9.3"
   },
   "engines": {
     "node": ">=18"

examples/260-nestjs-websocket-stt/package.json

@@ -13,16 +13,16 @@
   },
   "dependencies": {
     "@deepgram/sdk": "5.0.0",
-    "@sveltejs/adapter-node": "^5.2.0",
-    "@sveltejs/kit": "^2.21.0",
-    "@sveltejs/vite-plugin-svelte": "^5.0.0",
-    "dotenv": "^16.4.0",
-    "svelte": "^5.0.0",
-    "vite": "^6.0.0"
+    "@sveltejs/adapter-node": "5.5.4",
+    "@sveltejs/kit": "2.55.0",
+    "@sveltejs/vite-plugin-svelte": "5.1.1",
+    "dotenv": "16.6.1",
+    "svelte": "5.55.1",
+    "vite": "6.4.1"
   },
   "devDependencies": {
-    "typescript": "^5.7.0",
-    "ws": "^8.18.0"
+    "typescript": "5.9.3",
+    "ws": "8.20.0"
   },
   "engines": {
     "node": ">=18"

examples/270-sveltekit-live-transcription-ts/package.json

@@ -10,14 +10,14 @@
     "preview": "vite preview"
   },
   "dependencies": {
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0"
+    "react": "19.2.4",
+    "react-dom": "19.2.4"
   },
   "devDependencies": {
-    "@types/react": "^19.0.0",
-    "@types/react-dom": "^19.0.0",
-    "@vitejs/plugin-react": "^4.3.0",
-    "typescript": "^5.6.0",
-    "vite": "^6.0.0"
+    "@types/react": "19.2.14",
+    "@types/react-dom": "19.2.3",
+    "@vitejs/plugin-react": "4.7.0",
+    "typescript": "5.9.3",
+    "vite": "6.4.1"
   }
 }

examples/280-express-react-live-transcription-ts/client/package.json

@@ -12,7 +12,7 @@
     "test": "node tests/test.js"
   },
   "dependencies": {
-    "ws": "^8.18.0"
+    "ws": "8.20.0"
   },
   "engines": {
     "node": ">=18"

examples/280-express-react-live-transcription-ts/package.json

@@ -10,20 +10,20 @@
   },
   "dependencies": {
     "@deepgram/sdk": "5.0.0",
-    "cors": "^2.8.5",
-    "dotenv": "^16.4.0",
-    "express": "^4.21.0",
-    "express-ws": "^5.0.2",
-    "ws": "^8.18.0"
+    "cors": "2.8.6",
+    "dotenv": "16.6.1",
+    "express": "4.22.1",
+    "express-ws": "5.0.2",
+    "ws": "8.20.0"
   },
   "devDependencies": {
-    "@types/cors": "^2.8.17",
-    "@types/express": "^5.0.0",
-    "@types/express-ws": "^3.0.5",
-    "@types/node": "^22.0.0",
-    "@types/ws": "^8.5.13",
-    "ts-node": "^10.9.2",
-    "typescript": "^5.6.0"
+    "@types/cors": "2.8.19",
+    "@types/express": "5.0.6",
+    "@types/express-ws": "3.0.6",
+    "@types/node": "22.19.15",
+    "@types/ws": "8.18.1",
+    "ts-node": "10.9.2",
+    "typescript": "5.9.3"
   },
   "engines": {
     "node": ">=18"

examples/280-express-react-live-transcription-ts/server/package.json

@@ -1,3 +1,6 @@
-crewai[tools]>=1.12.0
-deepgram-sdk==v6.1.1
-python-dotenv>=1.0.0
+crewai[tools]==1.13.0
+deepgram-sdk==6.1.1
+python-dotenv==1.1.1
+# NOTE: crewai-tools==1.13.0 pins requests~=2.32.5 (CVE-2026-25645).
+# This cannot be overridden without breaking crewai-tools.
+# Track: https://github.com/crewAIInc/crewAI-tools/issues for a fix.