[Bug]: Latest Evidence packages produce npm audit vulnerabilities via pinned transitive deps

## Describe the bug

Installing the latest published Evidence packages currently leaves production `npm audit` vulnerabilities in the dependency graph.

As of 2026-04-27, the direct Evidence packages are already on the latest versions available on npm:

- `@evidence-dev/evidence@40.1.8`
- `@evidence-dev/bigquery@2.0.12`
- `@evidence-dev/core-components@5.4.2`
- `@evidence-dev/tailwind@3.1.4`

Running `npm audit --omit=dev --audit-level=moderate` reports:

- 37 total vulnerabilities
- 3 low
- 27 moderate
- 7 high
- 0 critical

The affected graph includes Evidence-owned packages and pinned transitive framework/runtime dependencies such as:

- `@evidence-dev/evidence`
- `@evidence-dev/sdk`
- `@evidence-dev/preprocess`
- `@evidence-dev/bigquery`
- `@evidence-dev/core-components`
- `@evidence-dev/tailwind`
- `@sveltejs/kit`
- `svelte`
- `vite`
- `@sveltejs/vite-plugin-svelte`
- `@google-cloud/bigquery`
- `remark-parse`
- `trim`
- `minimatch`
- `prismjs`

Examples of public advisories surfaced by the audit:

- `@sveltejs/kit`: GHSA-2crg-3p73-43xp
- `minimatch`: GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74
- `trim`: GHSA-w5p7-h5w8-2hfq
- `svelte`: GHSA-crpf-4hrx-3jrp, GHSA-m56q-vw4c-c2cp, GHSA-f7gr-6p89-r883, GHSA-phwv-c562-gvmh
- `vite`: GHSA-4w7w-66w2-5vf9
- `uuid`: GHSA-w5hq-g745-h8pq

`npm audit fix --force` is not a safe workaround because npm suggests moving `@evidence-dev/evidence` to `29.0.3`, which is a breaking downgrade from the current `40.1.8` release.

## Steps to Reproduce

1. Create a project with the latest Evidence packages:

```json
{
  "dependencies": {
    "@evidence-dev/bigquery": "2.0.12",
    "@evidence-dev/core-components": "5.4.2",
    "@evidence-dev/evidence": "40.1.8",
    "@evidence-dev/tailwind": "3.1.4"
  }
}
```

2. Install dependencies.

3. Run:

```shell
npm audit --omit=dev --audit-level=moderate
```

## Logs

```shell
npm audit --omit=dev --audit-level=moderate

found 37 vulnerabilities
3 low, 27 moderate, 7 high
```

Relevant installed versions from the lockfile:

```shell
@evidence-dev/evidence 40.1.8
@evidence-dev/bigquery 2.0.12
@evidence-dev/core-components 5.4.2
@evidence-dev/tailwind 3.1.4
@evidence-dev/sdk 4.0.2
@sveltejs/kit 2.8.4
svelte 4.2.19
vite 5.4.21
@sveltejs/vite-plugin-svelte 3.1.2
@google-cloud/bigquery 6.2.0
```

`npm audit fix --dry-run --omit=dev --audit-level=moderate` still exits non-zero and leaves the audit unresolved.

## System Info

```shell
node v25.9.0
npm 11.12.1
```

## Severity

serious, but I can work around it

## Additional Information, or Workarounds

This appears to need an upstream Evidence release that updates pinned framework/runtime dependencies. A forced user-side audit fix is not suitable because it proposes a breaking downgrade to `@evidence-dev/evidence@29.0.3`.

Upstream `main` currently still pins, among others:

```shell
@evidence-dev/evidence 40.1.8
@sveltejs/kit 2.8.4
svelte 4.2.19
vite 5.4.21
@google-cloud/bigquery 6.2.0
remark-parse 8.0.2
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: Latest Evidence packages produce npm audit vulnerabilities via pinned transitive deps #3302

Describe the bug

Steps to Reproduce

Logs

System Info

Severity

Additional Information, or Workarounds

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[Bug]: Latest Evidence packages produce npm audit vulnerabilities via pinned transitive deps #3302

Description

Describe the bug

Steps to Reproduce

Logs

System Info

Severity

Additional Information, or Workarounds

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions