PensionsPortal.ie uses a layered approach to vulnerability management, combining automated scanning at build and CI time with periodic manual reviews.

Dependency Scanning

npm audit

npm audit is executed as part of the CI pipeline on every pull request and on a scheduled basis against the production branch. It checks all direct and transitive dependencies against the npm advisory database.
    npm audit --audit-level=high
High and critical severity findings block the CI pipeline. Moderate findings are tracked and remediated within the SLAs defined below.

Dependabot / Automated Updates

Automated dependency update pull requests are configured to:
  • Open PRs for security patches automatically
  • Group minor/patch updates to reduce PR noise
  • Require CI passage before any dependency update is merged

Runtime Dependency Inventory

Key dependencies and their security posture:
Package            | Purpose           | Notes
next               | Framework         | Kept up-to-date; Next.js security advisories monitored
next-auth          | Authentication    | Auth.js v5; actively maintained
drizzle-orm        | ORM               | Parameterised queries prevent SQL injection by design
bcryptjs           | Password hashing  | Standard bcrypt implementation
@sentry/nextjs     | Error monitoring  | Detects runtime errors in production
@ai-sdk/anthropic  | AI integration    | No user data sent to Anthropic beyond session-scoped prompts

Vulnerability Severity SLAs

Severity  | Target Remediation Time
Critical  | 24 hours
High      | 7 days
Moderate  | 30 days
Low       | Next scheduled maintenance window

Critical vulnerabilities in authentication, session handling, or data encryption components are treated as incidents and follow the Incident Response process.

Application-Layer Security Testing

Beyond dependency scanning, security is verified at the application layer:
  • Security regression tests (src/tests/api/security.test.ts) run in CI on every PR
  • Tests verify that API routes do not expose connection strings, stack traces, or environment variable names in error responses
  • New API routes require a corresponding security review checklist item in the PR template
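As an added illustration (not the project's own security.test.ts), the check below is the kind of leak detector such a regression test can run over an API error body; the connection string, stack frame, environment variable names and response bodies are all constructed for the example:

```typescript
// Added example, not the project's own test code. Assumed: API routes return
// JSON error bodies, and the list of sensitive env var names is supplied by
// the test (here a constructed list).

// Connection strings for the datastores an app like this might use.
const CONNECTION_STRING_RE =
  /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s"']+/i;
// A Node/V8 stack frame: "at fn (/path/file.ts:12:34)" or "at /path/file.ts:12:34".
// Not anchored to line start, because JSON-encoded bodies carry "\n" as two characters.
const STACK_FRAME_RE =
  /\bat\s+(?:\S+\s+\()?(?:\/|[A-Za-z]:\\|file:|node:)[^\s)]*:\d+:\d+\)?/;

interface LeakReport {
  connectionString: boolean;
  stackTrace: boolean;
  envVarNames: string[]; // names that appeared verbatim in the body
}

/** Scan a response body for material that must never reach a client. */
function findLeaks(body: string, envVarNames: string[]): LeakReport {
  // Env var names are [A-Z0-9_], so no regex escaping is needed.
  const envHits = envVarNames.filter((name) => new RegExp(`\\b${name}\\b`).test(body));
  return {
    connectionString: CONNECTION_STRING_RE.test(body),
    stackTrace: STACK_FRAME_RE.test(body),
    envVarNames: envHits,
  };
}

/** True when the body is safe to return to a client. */
function isClean(report: LeakReport): boolean {
  return !report.connectionString && !report.stackTrace && report.envVarNames.length === 0;
}

// Constructed sample bodies: a leaky 500 response and the sanitised form an
// API route should return instead (generic message plus a correlation id).
const LEAKY_BODY = JSON.stringify({
  error: "connect ECONNREFUSED",
  detail: "postgresql://app:s3cret@db.internal:5432/pensions",
  stack: "Error: connect ECONNREFUSED\n    at Pool.connect (/app/src/db.ts:42:15)",
  hint: "check DATABASE_URL",
});
const SAFE_BODY = JSON.stringify({ error: "Internal server error", requestId: "req-123" });

// Constructed list; a real test would use the names of the secrets the app reads.
const SENSITIVE_ENV_NAMES = ["DATABASE_URL", "NEXTAUTH_SECRET", "ANTHROPIC_API_KEY"];

console.log(findLeaks(LEAKY_BODY, SENSITIVE_ENV_NAMES), isClean(findLeaks(SAFE_BODY, SENSITIVE_ENV_NAMES)));
```

In a CI test, assert `isClean(findLeaks(await res.text(), names))` for each route's forced-error response so a regression fails the pipeline.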

Infrastructure Scanning

Layer              | Control
Vercel deployment  | Vercel’s own dependency scanning and build-time checks
Cloudflare WAF     | Managed rulesets updated automatically by Cloudflare
Neon PostgreSQL    | Managed service — Neon applies PostgreSQL patches; major version upgrades planned

Disclosure and Patch Process

  1. Vulnerability discovered (automated scan, researcher report, or vendor advisory)
  2. Severity assessed against CVSS and business context
  3. Patch or mitigation implemented on a feature branch
  4. CI pipeline + security test suite run
  5. Deployed to preview environment for validation
  6. Merged to main and deployed to production
  7. Audit log entry or incident ticket created documenting the remediation

Responsible Disclosure

Security researchers who discover vulnerabilities in PensionsPortal.ie are asked to disclose responsibly via the contact details in the application’s security policy. We commit to acknowledging reports within 2 business days and providing a remediation timeline within 7 days.