chore(deps-dev): bump typescript from 5.9.3 to 6.0.2

[dependabot]

Bumps typescript from 5.9.3 to 6.0.2.

Release notes

Sourced from typescript's releases.

TypeScript 6.0

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).

Downloads are available on:

• npm

TypeScript 6.0 Beta

For release notes, check out the release announcement.

• fixed issues query for Typescript 6.0.0 (Beta).

Downloads are available on:

• npm

Commits

• 607a22a Bump version to 6.0.2 and LKG
• 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
• 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
• e175b69 Bump version to 6.0.1-rc and LKG
• af4caac Update LKG
• 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
• 206ed1a Deprecate assert in import() (#63172)
• e688ac8 Update dependencies (#63156)
• 29b300d Bump the github-actions group across 1 directory with 2 updates (#63205)
• 0c2c7a3 DOM update (#63183)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Knip Code Analysis

Found 10 total issues

Category	Count
Unused Dependencies	1
Unused Dev Dependencies	2
Unused Exports	6
Unused Types	1

View details

Run pnpm knip locally to see the full report.

Use pnpm knip:filter pattern to filter results by file path.

---

Use /** @public */ JSDoc tags to mark intentionally exported symbols.

[github-actions]

✅ Security audit passed

Passed (28/28)

• ✅ Auth enforcement on protected routes
• ✅ No dangerous functions (eval, innerHTML, etc.)
• ✅ No hardcoded secrets in source
• ✅ Security headers in next.config.ts
• ✅ Cookie security (httpOnly, sameSite, secure)
• ✅ No sensitive fields in API responses
• ✅ No .env files committed to repo
• ✅ No raw SQL in API routes
• ✅ No fetch/redirect with unvalidated URLs in routes
• ✅ Timing-safe comparison for secret values
• ✅ No raw SQL migration files (schema-first only)
• ✅ External fetch calls have timeouts
• ✅ Docker container runs as non-root user
• ✅ Public routes match proxy allowlist
• ✅ File delete operations have path traversal defense
• ✅ Password hashing uses Argon2 (not SHA-256/bcrypt)
• ✅ Encrypted columns written via encrypt()
• ✅ TOTP 2FA flow integrity
• ✅ Emergency lockdown flow integrity
• ✅ Scrub & delete (nuke) flow integrity
• ✅ Backup restore flow integrity
• ✅ Login flow integrity
• ✅ No console.log in API routes
• ✅ No TODO/FIXME in security-critical files
• ✅ JSON.parse wrapped in try-catch
• ✅ No swallowed errors in catch blocks
• ✅ Request body size validation on upload routes
• ✅ BigInt fields use string serialization

---

Summary: 28/28 checks passed

See scripts/security-audit.ts for check definitions and SECURITY.md for the full security architecture.