commits
* [Kysely] Migrate Action mutations and lookups to Kysely
* add org match for rules and tests to cover missing bugs
* attempt to make lint happy
* code review fixes
* fix tests using bad org as we create a new org now.
* [Kysely] Migrate backtests and retroaction out of sequelize
* disable again
* build(deps): bump pg from 8.9.0 to 8.20.0
Bumps [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) from 8.9.0 to 8.20.0.
- [Changelog](https://github.com/brianc/node-postgres/blob/master/CHANGELOG.md)
- [Commits](https://github.com/brianc/node-postgres/commits/pg@8.20.0/packages/pg)
---
updated-dependencies:
- dependency-name: pg
dependency-version: 8.20.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump concurrently from 6.5.1 to 9.2.1
Bumps [concurrently](https://github.com/open-cli-tools/concurrently) from 6.5.1 to 9.2.1.
- [Release notes](https://github.com/open-cli-tools/concurrently/releases)
- [Commits](https://github.com/open-cli-tools/concurrently/compare/v6.5.1...v9.2.1)
---
updated-dependencies:
- dependency-name: concurrently
dependency-version: 9.2.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump @types/validator from 13.11.9 to 13.15.10
Bumps [@types/validator](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/validator) from 13.11.9 to 13.15.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/validator)
---
updated-dependencies:
- dependency-name: "@types/validator"
dependency-version: 13.15.10
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump @types/express from 4.17.16 to 5.0.6
Bumps [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express) from 4.17.16 to 5.0.6.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express)
---
updated-dependencies:
- dependency-name: "@types/express"
dependency-version: 5.0.6
dependency-type: direct:development
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @graphql-codegen/cli from 6.2.1 to 6.3.0
Bumps [@graphql-codegen/cli](https://github.com/dotansimha/graphql-code-generator/tree/HEAD/packages/graphql-codegen-cli) from 6.2.1 to 6.3.0.
- [Release notes](https://github.com/dotansimha/graphql-code-generator/releases)
- [Changelog](https://github.com/dotansimha/graphql-code-generator/blob/master/packages/graphql-codegen-cli/CHANGELOG.md)
- [Commits](https://github.com/dotansimha/graphql-code-generator/commits/@graphql-codegen/cli@6.3.0/packages/graphql-codegen-cli)
---
updated-dependencies:
- dependency-name: "@graphql-codegen/cli"
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Paweł Wieczorek <pawiecz@collabora.com>
* [fix] Surface Thread-kind items in user submission history
Thread items submitted with a schema field role were
silently being dropped from creator-keyed surfaces
* [test] Add unit tests for getCreator across item kinds
Pins the behavior change from the previous commit so the THREAD case
can't silently regress to `undefined` again. Covers:
- CONTENT: returns the creator from the creatorId field role; returns
undefined when the role is unconfigured or the field is missing.
- THREAD: same as CONTENT (this is the regression case the bug fix
targets).
- USER: always returns undefined.
Exports `getCreator` from `makeItemSubmission.ts` for testability;
nothing else in the codebase imports it.
* client: Add dummy package.json for ESLint custom rules
NPM requires "package.json" file to include "name" and "version" fields
for packages published to the registry [0]. ESLint custom rules will
stay within this repo for the time being. Dependabot doesn't impose any
requirements on this file so an empty one would suffice but let's provide
some details anyway.
File "index.js" now filters out all non-JS files so there's no attempt
made to pick up additional rules from the dummy "package.json".
[0] https://docs.npmjs.com/creating-a-package-json-file
Fixes: #279
Co-authored-by: Juan Mrad <juansmrad@gmail.com>
* [Express] Upgrade to express 5
* fix ci
* fix
* build(deps): bump fast-check from 3.12.0 to 4.6.0 in /server
Bumps [fast-check](https://github.com/dubzzz/fast-check/tree/HEAD/packages/fast-check) from 3.12.0 to 4.6.0.
- [Release notes](https://github.com/dubzzz/fast-check/releases)
- [Changelog](https://github.com/dubzzz/fast-check/blob/main/packages/fast-check/CHANGELOG.md)
- [Commits](https://github.com/dubzzz/fast-check/commits/v4.6.0/packages/fast-check)
---
updated-dependencies:
- dependency-name: fast-check
dependency-version: 4.6.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/semantic-conventions in /server
Bumps [@opentelemetry/semantic-conventions](https://github.com/open-telemetry/opentelemetry-js) from 1.22.0 to 1.40.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/v1.22.0...semconv/v1.40.0)
---
updated-dependencies:
- dependency-name: "@opentelemetry/semantic-conventions"
dependency-version: 1.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @clickhouse/client from 1.13.0 to 1.18.2 in /server
Bumps [@clickhouse/client](https://github.com/ClickHouse/clickhouse-js) from 1.13.0 to 1.18.2.
- [Release notes](https://github.com/ClickHouse/clickhouse-js/releases)
- [Changelog](https://github.com/ClickHouse/clickhouse-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ClickHouse/clickhouse-js/compare/1.13.0...1.18.2)
---
updated-dependencies:
- dependency-name: "@clickhouse/client"
dependency-version: 1.18.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @types/jsonwebtoken from 8.5.9 to 9.0.10 in /server
Bumps [@types/jsonwebtoken](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jsonwebtoken) from 8.5.9 to 9.0.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jsonwebtoken)
---
updated-dependencies:
- dependency-name: "@types/jsonwebtoken"
dependency-version: 9.0.10
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump ioredis from 5.9.2 to 5.10.1 in /server
Bumps [ioredis](https://github.com/luin/ioredis) from 5.9.2 to 5.10.1.
- [Release notes](https://github.com/luin/ioredis/releases)
- [Changelog](https://github.com/redis/ioredis/blob/main/CHANGELOG.md)
- [Commits](https://github.com/luin/ioredis/compare/v5.9.2...v5.10.1)
---
updated-dependencies:
- dependency-name: ioredis
dependency-version: 5.10.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* Update bullmq to 5.75.2 to dedupe ioredis with the bumped version
The ioredis 5.9.2 -> 5.10.1 bump in this batch caused bullmq@5.67.3 to
keep its own nested copy of ioredis@5.9.2 (it pins the version exactly).
The two copies produced incompatible Redis types in our consumers of
bullmq Queue. bullmq@5.75.2 (still ^5.0.0, no API change for us) pins
ioredis@5.10.1, which lets npm dedupe the tree.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* [Kysely] Migrate location banks API out of sequelize
* add guard for org id.
* lint fix
* build(deps): bump @opentelemetry/semantic-conventions
Bumps [@opentelemetry/semantic-conventions](https://github.com/open-telemetry/opentelemetry-js) from 1.27.0 to 1.40.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/v1.27.0...semconv/v1.40.0)
---
updated-dependencies:
- dependency-name: "@opentelemetry/semantic-conventions"
dependency-version: 1.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/resource-detector-container
Bumps [@opentelemetry/resource-detector-container](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/resource-detector-container) from 0.4.1 to 0.8.5.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/packages/resource-detector-container/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js-contrib/commits/resource-detector-container-v0.8.5/packages/resource-detector-container)
---
updated-dependencies:
- dependency-name: "@opentelemetry/resource-detector-container"
dependency-version: 0.8.5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/exporter-trace-otlp-grpc
Bumps [@opentelemetry/exporter-trace-otlp-grpc](https://github.com/open-telemetry/opentelemetry-js) from 0.53.0 to 0.214.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/experimental/v0.53.0...experimental/v0.214.0)
---
updated-dependencies:
- dependency-name: "@opentelemetry/exporter-trace-otlp-grpc"
dependency-version: 0.214.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/propagator-aws-xray
Bumps [@opentelemetry/propagator-aws-xray](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/propagator-aws-xray) from 1.26.0 to 2.2.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/packages/propagator-aws-xray/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js-contrib/commits/propagator-aws-xray-v2.2.0/packages/propagator-aws-xray)
---
updated-dependencies:
- dependency-name: "@opentelemetry/propagator-aws-xray"
dependency-version: 2.2.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/resources in /nodejs-instrumentation
Bumps [@opentelemetry/resources](https://github.com/open-telemetry/opentelemetry-js) from 1.26.0 to 2.6.1.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/v1.26.0...v2.6.1)
---
updated-dependencies:
- dependency-name: "@opentelemetry/resources"
dependency-version: 2.6.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* Regenerate nodejs-instrumentation/package-lock.json after batching dependency updates
* Migrate /nodejs-instrumentation to OpenTelemetry 2.x
Bumps the OpenTelemetry stack to a coherent set of versions (stable 2.x,
experimental 0.215.x) so the previously-batched bumps don't leave the
workspace with an inconsistent SDK that fails to compile.
Coordinated bumps beyond the original Dependabot scope:
- @opentelemetry/auto-instrumentations-node ^0.50.0 -> ^0.73.0
- @opentelemetry/exporter-metrics-otlp-grpc ^0.53.0 -> ^0.215.0
- @opentelemetry/resource-detector-aws ^1.6.1 -> ^2.15.0
- @opentelemetry/sdk-metrics ^1.26.0 -> ^2.7.0
- @opentelemetry/sdk-node ^0.53.0 -> ^0.215.0
- @opentelemetry/sdk-trace-base ^1.26.0 -> ^2.7.0
- @opentelemetry/winston-transport ^0.6.0 -> ^0.25.0
Source change in src/autoinstrumentation.ts to match the 2.x Resource
API: the Resource class is gone, replaced by the resourceFromAttributes
and defaultResource factory functions.
Workspace version bumped 1.0.6 -> 1.1.0.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* [Kysely] Migrate rule mutations and backtest list/cancel to Kysely
* code review feedback
* build(deps): bump @total-typescript/ts-reset in /migrator
Bumps [@total-typescript/ts-reset](https://github.com/total-typescript/ts-reset) from 0.5.1 to 0.6.1.
- [Release notes](https://github.com/total-typescript/ts-reset/releases)
- [Changelog](https://github.com/mattpocock/ts-reset/blob/main/CHANGELOG.md)
- [Commits](https://github.com/total-typescript/ts-reset/commits)
---
updated-dependencies:
- dependency-name: "@total-typescript/ts-reset"
dependency-version: 0.6.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump umzug from 3.0.0 to 3.8.2 in /migrator
Bumps [umzug](https://github.com/sequelize/umzug) from 3.0.0 to 3.8.2.
- [Release notes](https://github.com/sequelize/umzug/releases)
- [Changelog](https://github.com/sequelize/umzug/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sequelize/umzug/compare/v3.0.0...v3.8.2)
---
updated-dependencies:
- dependency-name: umzug
dependency-version: 3.8.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump yargs from 16.2.0 to 18.0.0 in /migrator
Bumps [yargs](https://github.com/yargs/yargs) from 16.2.0 to 18.0.0.
- [Release notes](https://github.com/yargs/yargs/releases)
- [Changelog](https://github.com/yargs/yargs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/yargs/yargs/compare/v16.2.0...v18.0.0)
---
updated-dependencies:
- dependency-name: yargs
dependency-version: 18.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump typescript from 5.2.2 to 6.0.3 in /migrator
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.2.2 to 6.0.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.2.2...v6.0.3)
---
updated-dependencies:
- dependency-name: typescript
dependency-version: 6.0.3
dependency-type: direct:development
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* Regenerate migrator/package-lock.json after batching dependency updates
* Bump @roostorg/db-migrator to 1.1.0 for batched dependency release
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump uuid from 8.3.2 to 13.0.0 in /db
Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.2 to 13.0.0.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v8.3.2...v13.0.0)
---
updated-dependencies:
- dependency-name: uuid
dependency-version: 13.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump latlon-geohash from 1.1.0 to 2.0.0 in /db
Bumps [latlon-geohash](https://github.com/chrisveness/latlon-geohash) from 1.1.0 to 2.0.0.
- [Commits](https://github.com/chrisveness/latlon-geohash/compare/v1.1.0...v2.0.0)
---
updated-dependencies:
- dependency-name: latlon-geohash
dependency-version: 2.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump csv-parse from 5.6.0 to 6.2.1 in /db
Bumps [csv-parse](https://github.com/adaltas/node-csv/tree/HEAD/packages/csv-parse) from 5.6.0 to 6.2.1.
- [Changelog](https://github.com/adaltas/node-csv/blob/master/packages/csv-parse/CHANGELOG.md)
- [Commits](https://github.com/adaltas/node-csv/commits/csv-parse@6.2.1/packages/csv-parse)
---
updated-dependencies:
- dependency-name: csv-parse
dependency-version: 6.2.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump typescript from 5.9.3 to 6.0.3 in /db
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.3 to 6.0.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.9.3...v6.0.3)
---
updated-dependencies:
- dependency-name: typescript
dependency-version: 6.0.3
dependency-type: direct:development
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* [Kysely] Migrate MRT action/policy id lookups off Sequelize
* code review changes
Bumps protobufjs in the /client directory: [protobufjs](https://github.com/protobufjs/protobuf.js).
Updates `protobufjs` from 7.4.0 to 7.5.5
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.4.0...protobufjs-v7.5.5)
Bumps the prod-security group with 1 update in the /nodejs-instrumentation directory: [protobufjs](https://github.com/protobufjs/protobuf.js).
Updates `protobufjs` from 7.4.0 to 7.5.5
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.4.0...protobufjs-v7.5.5)
---
updated-dependencies:
- dependency-name: protobufjs
dependency-version: 7.5.5
dependency-type: indirect
dependency-group: prod-security
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the prod-security group with 1 update in the /server directory: [protobufjs](https://github.com/protobufjs/protobuf.js).
Updates `protobufjs` from 7.5.4 to 7.5.5
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v7.5.5)
---
updated-dependencies:
- dependency-name: protobufjs
dependency-version: 7.5.5
dependency-type: indirect
dependency-group: prod-security
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps facebook/threatexchange/hma from 1.1.3 to 1.1.4.
---
updated-dependencies:
- dependency-name: facebook/threatexchange/hma
dependency-version: 1.1.4
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This patch breaks the DRY principle and doesn't use YAML aliases because
they are not supported by Dependabot [0].
[0] https://github.com/dependabot/dependabot-core/issues/1582
* [Vulnerabilities] Upgrade Kysely to latest
* fix lint
* code review
* [Kysely] migrate rule-engine queries and related jobs to Kysely (phase 1)
* fixes
* fix lint by organizing errors to a file for simplifications
* lint fix again
* fix test
* [Kysely] Remove knex migrate backtest pagination and takeLast to Kysely (#226)
* [Kysely] Remove knex migrate backtest pagination and takeLast to Kysely
* code review fix
* simplify enum uses
* [Vulnerabilities] Upgrade Kysely to latest
* fix lint
* code review
Bumps node from 24.14.0 to 24.14.1.
---
updated-dependencies:
- dependency-name: node
dependency-version: 24.14.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps node from 24.14.0-bullseye-slim to 24.14.1-bullseye-slim.
---
updated-dependencies:
- dependency-name: node
dependency-version: 24.14.1-bullseye-slim
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps node from 24.14.0-bullseye-slim to 24.14.1-bullseye-slim.
---
updated-dependencies:
- dependency-name: node
dependency-version: 24.14.1-bullseye-slim
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps node from 24.14.0-bullseye-slim to 24.14.1-bullseye-slim.
---
updated-dependencies:
- dependency-name: node
dependency-version: 24.14.1-bullseye-slim
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* [Vulnerabilities] Remove lodash by migrating from better mutation to plugin-functional and fix minor lint warnings
* remove bad merge main
* server: Replace error classes no longer provided by Apollo
* server: Remove no longer available DataSource base class
* server: Remove no longer necessary gql tag
* server: Upgrade Apollo packages
* server: Refactor API server bootstrap
* server: Remove Apollo packages that reached end-of-life
* server/client: Bump graphql package version
* fixup! server: Refactor API server bootstrap
* fixup! server: Remove Apollo packages that reached end-of-life
* fixup! server: Refactor API server bootstrap
* fixup! server: Replace error classes no longer provided by Apollo
* fix merge main and final code review changes
* lint fixes
---------
Co-authored-by: Juan S. Mrad <juansmrad@gmail.com>
* Fix unbounded queries causing dashboard crashes under high queue depth
* add load test script for testing
* code review comments
* change comment to 5000
Bumps facebook/threatexchange/hma from 1.1.2 to 1.1.3.
---
updated-dependencies:
- dependency-name: facebook/threatexchange/hma
dependency-version: 1.1.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* clean up integrations in enum definition to remove unused ones
* add model card details to zentropi manifest
* revert model card learn more URL to general MC educational resource
* Regenerate GraphQL files
* merge main and reinstall npm
* actually add regenerated graphql files
* revert package-lock.json to main
* include package-lock.json changes for consistent codegen
* [Vulnerability][Patches] Apply patch to vulnerable dependencies
* [Vulnerabilities] Upgrade @graphql-codegen packages and @apollo/client to fix vulnerabilities (#178)
* [Simplification] Remove Content Proxy as not needed reference
* add comment on env.example
* [dependabot] Configure to prevent major bump of node
* code review changes
This was using an absolute path which didn't work for the mdbook version. Switch to relative, and make the link name consistent with the target page title.
* Setting GraphQL depth limit to 10
* Set env var for GraphQL depth
Used safe var helper to ensure proper integer is being used for GraphQL depth
Using Node 24.14.0, as directed to make CI happy
* Cleared merge conflict
* Logging error instead of throwing error
* Use jsonStringify for logging invalid env var
This change addresses ESLint warning about type safety of JSON.stringify.
Co-authored-by: Paweł Wieczorek <pawiecz@collabora.com>
* [Code Simplification][Vulnerabilities] Remove Betterer and upgrade ESLint to v9
* [Vulnerabilities] Upgrade AWS SDK to fix fast-xml-parser vulnerabilities
* remove unused package
* [Code Simplification][Vulnerabilities] Remove Betterer and upgrade ESLint to v9
* code review fixes
* fix ci
* fix for realz now
I was browsing the docs and noticed this looked weird/inconsistent :)
* Fix ClickHouse outage crashing all dashboard pages
* fix betterer
* add logging on warehouse error to let back-end know. given empty returns are to prevent front-end issues
* [Vulnerabilities] Migrate from CRA Storybook to Vite compatible Storybook main
* fix button
* fix betterer and eslint
* fix eslint
* use coop style
* remove sample exchanges
* [HMA][Exchanges] Configure HMA exchanges directly from coop
* tests
* capitalize first value of the keys
* fix tests
* code review changes
* fix eslint
* fix eslint
* fix for real now
* ci: Realign Betterer results file with current code base state
Fixes: #116
* chore: Lock Node version to v24.14.0 to prevent inconsistency
Version selection was delegated to ".nvmrc" file where applicable.
Fixes: #111
* client: Install Vite dependencies
* client: Add minimal Vite configuration
* client: Add vite-env.d.ts
* client: Update index.html
* client: Update tsconfig.json
* client: Call lazy loader explicitly instead of interpolating imported paths
* client: Migrate server proxy configuration
* client: Migrate transforming SVGs into React components
* client: Migrate env variables
Variable "NODE_ENV" is no longer used in client. It's been replaced with
Vite-specific "MODE" which can be adjusted with "--mode" command line argument
and defaults to:
- "development" for plain "vite" call
- "production" for "build" and "preview" calls
Even though server still uses "GOOGLE_PLACES_API_KEY" variable, client now uses
"VITE_GOOGLE_PLACES_API_KEY" ("VITE_"-prefixed). This way Vite can access this
information.
* client: Replace craco commands with vite(st)
* client: Remove react-scripts/craco and unused configuration
* client: Add a note on slow client start
* client: Fix linter errors after migrating to Vite
* client: Fix betterer errors after migrating to Vite
* client: Add missing Vite plugin configuration
* client: Remove unused Jest configuration
* ci: Realign Betterer results file with current code base state
* fix dockerignore
---------
Co-authored-by: Juan S. Mrad <juansmrad@gmail.com>
* Upgrade roost packages (Types, db-migrator) and use Types model cards
* remove unneeded casting
* upgrade example integration.
* [Code Simplification] Replace Kafka with BullMQ for item submission processing
* [Security] Bump sequelize and undici to fix high-severity vulnerabilities
- sequelize 6.32.1 → 6.37.8: fixes SQL injection via JSON column cast type (GHSA)
- undici 7.19.0 → 7.24.5: fixes WebSocket memory/DoS, CRLF injection, and HTTP smuggling
- Lockfile-only changes, no package.json or source code modifications
* Raise minimum versions for sequelize and undici in package.json
npm's sigstore provenance verification requires `repository.url` in
package.json to match the GitHub repo URL from the provenance bundle.
Both `@roostorg/types` and `@roostorg/db-migrator` were missing this
field, causing publish to fail with a 422 error.
* [Code Simplification] Removal of Snowflake from codebase
* final pass after self review
* build(deps): bump pg from 8.9.0 to 8.20.0
Bumps [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) from 8.9.0 to 8.20.0.
- [Changelog](https://github.com/brianc/node-postgres/blob/master/CHANGELOG.md)
- [Commits](https://github.com/brianc/node-postgres/commits/pg@8.20.0/packages/pg)
---
updated-dependencies:
- dependency-name: pg
dependency-version: 8.20.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump concurrently from 6.5.1 to 9.2.1
Bumps [concurrently](https://github.com/open-cli-tools/concurrently) from 6.5.1 to 9.2.1.
- [Release notes](https://github.com/open-cli-tools/concurrently/releases)
- [Commits](https://github.com/open-cli-tools/concurrently/compare/v6.5.1...v9.2.1)
---
updated-dependencies:
- dependency-name: concurrently
dependency-version: 9.2.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump @types/validator from 13.11.9 to 13.15.10
Bumps [@types/validator](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/validator) from 13.11.9 to 13.15.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/validator)
---
updated-dependencies:
- dependency-name: "@types/validator"
dependency-version: 13.15.10
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump @types/express from 4.17.16 to 5.0.6
Bumps [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express) from 4.17.16 to 5.0.6.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express)
---
updated-dependencies:
- dependency-name: "@types/express"
dependency-version: 5.0.6
dependency-type: direct:development
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @graphql-codegen/cli from 6.2.1 to 6.3.0
Bumps [@graphql-codegen/cli](https://github.com/dotansimha/graphql-code-generator/tree/HEAD/packages/graphql-codegen-cli) from 6.2.1 to 6.3.0.
- [Release notes](https://github.com/dotansimha/graphql-code-generator/releases)
- [Changelog](https://github.com/dotansimha/graphql-code-generator/blob/master/packages/graphql-codegen-cli/CHANGELOG.md)
- [Commits](https://github.com/dotansimha/graphql-code-generator/commits/@graphql-codegen/cli@6.3.0/packages/graphql-codegen-cli)
---
updated-dependencies:
- dependency-name: "@graphql-codegen/cli"
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Paweł Wieczorek <pawiecz@collabora.com>
* [fix] Surface Thread-kind items in user submission history
Thread items submitted with a schema field role were
silently being dropped from creator-keyed surfaces
* [test] Add unit tests for getCreator across item kinds
Pins the behavior change from the previous commit so the THREAD case
can't silently regress to `undefined` again. Covers:
- CONTENT: returns the creator from the creatorId field role; returns
undefined when the role is unconfigured or the field is missing.
- THREAD: same as CONTENT (this is the regression case the bug fix
targets).
- USER: always returns undefined.
Exports `getCreator` from `makeItemSubmission.ts` for testability;
nothing else in the codebase imports it.
* client: Add dummy package.json for ESLint custom rules
NPM requires "package.json" file to include "name" and "version" fields
for packages published to the registry [0]. ESLint custom rules will
stay within this repo for the time being. Dependabot doesn't impose any
requirements on this file so an empty one would suffice but let's provide
some details anyway.
File "index.js" now filters out all non-JS files so there's no attempt
made to pick up additional rules from the dummy "package.json".
[0] https://docs.npmjs.com/creating-a-package-json-file
Fixes: #279
Co-authored-by: Juan Mrad <juansmrad@gmail.com>
* build(deps): bump fast-check from 3.12.0 to 4.6.0 in /server
Bumps [fast-check](https://github.com/dubzzz/fast-check/tree/HEAD/packages/fast-check) from 3.12.0 to 4.6.0.
- [Release notes](https://github.com/dubzzz/fast-check/releases)
- [Changelog](https://github.com/dubzzz/fast-check/blob/main/packages/fast-check/CHANGELOG.md)
- [Commits](https://github.com/dubzzz/fast-check/commits/v4.6.0/packages/fast-check)
---
updated-dependencies:
- dependency-name: fast-check
dependency-version: 4.6.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/semantic-conventions in /server
Bumps [@opentelemetry/semantic-conventions](https://github.com/open-telemetry/opentelemetry-js) from 1.22.0 to 1.40.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/v1.22.0...semconv/v1.40.0)
---
updated-dependencies:
- dependency-name: "@opentelemetry/semantic-conventions"
dependency-version: 1.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @clickhouse/client from 1.13.0 to 1.18.2 in /server
Bumps [@clickhouse/client](https://github.com/ClickHouse/clickhouse-js) from 1.13.0 to 1.18.2.
- [Release notes](https://github.com/ClickHouse/clickhouse-js/releases)
- [Changelog](https://github.com/ClickHouse/clickhouse-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ClickHouse/clickhouse-js/compare/1.13.0...1.18.2)
---
updated-dependencies:
- dependency-name: "@clickhouse/client"
dependency-version: 1.18.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @types/jsonwebtoken from 8.5.9 to 9.0.10 in /server
Bumps [@types/jsonwebtoken](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jsonwebtoken) from 8.5.9 to 9.0.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jsonwebtoken)
---
updated-dependencies:
- dependency-name: "@types/jsonwebtoken"
dependency-version: 9.0.10
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump ioredis from 5.9.2 to 5.10.1 in /server
Bumps [ioredis](https://github.com/luin/ioredis) from 5.9.2 to 5.10.1.
- [Release notes](https://github.com/luin/ioredis/releases)
- [Changelog](https://github.com/redis/ioredis/blob/main/CHANGELOG.md)
- [Commits](https://github.com/luin/ioredis/compare/v5.9.2...v5.10.1)
---
updated-dependencies:
- dependency-name: ioredis
dependency-version: 5.10.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* Update bullmq to 5.75.2 to dedupe ioredis with the bumped version
The ioredis 5.9.2 -> 5.10.1 bump in this batch caused bullmq@5.67.3 to
keep its own nested copy of ioredis@5.9.2 (it pins the version exactly).
The two copies produced incompatible Redis types in our consumers of
bullmq Queue. bullmq@5.75.2 (still ^5.0.0, no API change for us) pins
ioredis@5.10.1, which lets npm dedupe the tree.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump @opentelemetry/semantic-conventions
Bumps [@opentelemetry/semantic-conventions](https://github.com/open-telemetry/opentelemetry-js) from 1.27.0 to 1.40.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/v1.27.0...semconv/v1.40.0)
---
updated-dependencies:
- dependency-name: "@opentelemetry/semantic-conventions"
dependency-version: 1.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/resource-detector-container
Bumps [@opentelemetry/resource-detector-container](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/resource-detector-container) from 0.4.1 to 0.8.5.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/packages/resource-detector-container/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js-contrib/commits/resource-detector-container-v0.8.5/packages/resource-detector-container)
---
updated-dependencies:
- dependency-name: "@opentelemetry/resource-detector-container"
dependency-version: 0.8.5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/exporter-trace-otlp-grpc
Bumps [@opentelemetry/exporter-trace-otlp-grpc](https://github.com/open-telemetry/opentelemetry-js) from 0.53.0 to 0.214.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/experimental/v0.53.0...experimental/v0.214.0)
---
updated-dependencies:
- dependency-name: "@opentelemetry/exporter-trace-otlp-grpc"
dependency-version: 0.214.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/propagator-aws-xray
Bumps [@opentelemetry/propagator-aws-xray](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/HEAD/packages/propagator-aws-xray) from 1.26.0 to 2.2.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/packages/propagator-aws-xray/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js-contrib/commits/propagator-aws-xray-v2.2.0/packages/propagator-aws-xray)
---
updated-dependencies:
- dependency-name: "@opentelemetry/propagator-aws-xray"
dependency-version: 2.2.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump @opentelemetry/resources in /nodejs-instrumentation
Bumps [@opentelemetry/resources](https://github.com/open-telemetry/opentelemetry-js) from 1.26.0 to 2.6.1.
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-js/compare/v1.26.0...v2.6.1)
---
updated-dependencies:
- dependency-name: "@opentelemetry/resources"
dependency-version: 2.6.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* Regenerate nodejs-instrumentation/package-lock.json after batching dependency updates
* Migrate /nodejs-instrumentation to OpenTelemetry 2.x
Bumps the OpenTelemetry stack to a coherent set of versions (stable 2.x,
experimental 0.215.x) so the previously-batched bumps don't leave the
workspace with an inconsistent SDK that fails to compile.
Coordinated bumps beyond the original Dependabot scope:
- @opentelemetry/auto-instrumentations-node ^0.50.0 -> ^0.73.0
- @opentelemetry/exporter-metrics-otlp-grpc ^0.53.0 -> ^0.215.0
- @opentelemetry/resource-detector-aws ^1.6.1 -> ^2.15.0
- @opentelemetry/sdk-metrics ^1.26.0 -> ^2.7.0
- @opentelemetry/sdk-node ^0.53.0 -> ^0.215.0
- @opentelemetry/sdk-trace-base ^1.26.0 -> ^2.7.0
- @opentelemetry/winston-transport ^0.6.0 -> ^0.25.0
Source change in src/autoinstrumentation.ts to match the 2.x Resource
API: the Resource class is gone, replaced by the resourceFromAttributes
and defaultResource factory functions.
Workspace version bumped 1.0.6 -> 1.1.0.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump @total-typescript/ts-reset in /migrator
Bumps [@total-typescript/ts-reset](https://github.com/total-typescript/ts-reset) from 0.5.1 to 0.6.1.
- [Release notes](https://github.com/total-typescript/ts-reset/releases)
- [Changelog](https://github.com/mattpocock/ts-reset/blob/main/CHANGELOG.md)
- [Commits](https://github.com/total-typescript/ts-reset/commits)
---
updated-dependencies:
- dependency-name: "@total-typescript/ts-reset"
dependency-version: 0.6.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump umzug from 3.0.0 to 3.8.2 in /migrator
Bumps [umzug](https://github.com/sequelize/umzug) from 3.0.0 to 3.8.2.
- [Release notes](https://github.com/sequelize/umzug/releases)
- [Changelog](https://github.com/sequelize/umzug/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sequelize/umzug/compare/v3.0.0...v3.8.2)
---
updated-dependencies:
- dependency-name: umzug
dependency-version: 3.8.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump yargs from 16.2.0 to 18.0.0 in /migrator
Bumps [yargs](https://github.com/yargs/yargs) from 16.2.0 to 18.0.0.
- [Release notes](https://github.com/yargs/yargs/releases)
- [Changelog](https://github.com/yargs/yargs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/yargs/yargs/compare/v16.2.0...v18.0.0)
---
updated-dependencies:
- dependency-name: yargs
dependency-version: 18.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump typescript from 5.2.2 to 6.0.3 in /migrator
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.2.2 to 6.0.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.2.2...v6.0.3)
---
updated-dependencies:
- dependency-name: typescript
dependency-version: 6.0.3
dependency-type: direct:development
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* Regenerate migrator/package-lock.json after batching dependency updates
* Bump @roostorg/db-migrator to 1.1.0 for batched dependency release
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump uuid from 8.3.2 to 13.0.0 in /db
Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.2 to 13.0.0.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v8.3.2...v13.0.0)
---
updated-dependencies:
- dependency-name: uuid
dependency-version: 13.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump latlon-geohash from 1.1.0 to 2.0.0 in /db
Bumps [latlon-geohash](https://github.com/chrisveness/latlon-geohash) from 1.1.0 to 2.0.0.
- [Commits](https://github.com/chrisveness/latlon-geohash/compare/v1.1.0...v2.0.0)
---
updated-dependencies:
- dependency-name: latlon-geohash
dependency-version: 2.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump csv-parse from 5.6.0 to 6.2.1 in /db
Bumps [csv-parse](https://github.com/adaltas/node-csv/tree/HEAD/packages/csv-parse) from 5.6.0 to 6.2.1.
- [Changelog](https://github.com/adaltas/node-csv/blob/master/packages/csv-parse/CHANGELOG.md)
- [Commits](https://github.com/adaltas/node-csv/commits/csv-parse@6.2.1/packages/csv-parse)
---
updated-dependencies:
- dependency-name: csv-parse
dependency-version: 6.2.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump typescript from 5.9.3 to 6.0.3 in /db
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.3 to 6.0.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.9.3...v6.0.3)
---
updated-dependencies:
- dependency-name: typescript
dependency-version: 6.0.3
dependency-type: direct:development
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps protobufjs in the /client directory: [protobufjs](https://github.com/protobufjs/protobuf.js).
Updates `protobufjs` from 7.4.0 to 7.5.5
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.4.0...protobufjs-v7.5.5)
Bumps the prod-security group with 1 update in the /nodejs-instrumentation directory: [protobufjs](https://github.com/protobufjs/protobuf.js).
Updates `protobufjs` from 7.4.0 to 7.5.5
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.4.0...protobufjs-v7.5.5)
---
updated-dependencies:
- dependency-name: protobufjs
dependency-version: 7.5.5
dependency-type: indirect
dependency-group: prod-security
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the prod-security group with 1 update in the /server directory: [protobufjs](https://github.com/protobufjs/protobuf.js).
Updates `protobufjs` from 7.5.4 to 7.5.5
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v7.5.5)
---
updated-dependencies:
- dependency-name: protobufjs
dependency-version: 7.5.5
dependency-type: indirect
dependency-group: prod-security
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps facebook/threatexchange/hma from 1.1.3 to 1.1.4.
---
updated-dependencies:
- dependency-name: facebook/threatexchange/hma
dependency-version: 1.1.4
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* [Vulnerabilities] Upgrade Kysely to latest
* fix lint
* code review
* [Kysely] migrate rule-engine queries and related jobs to Kysely (phase 1)
* fixes
* fix lint by organizing errors to a file for simplifications
* lint fix again
* fix test
* [Kysely] Remove knex migrate backtest pagination and takeLast to Kysely (#226)
* [Kysely] Remove knex migrate backtest pagination and takeLast to Kysely
* code review fix
* simplify enum uses
Bumps node from 24.14.0 to 24.14.1.
---
updated-dependencies:
- dependency-name: node
dependency-version: 24.14.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps node from 24.14.0-bullseye-slim to 24.14.1-bullseye-slim.
---
updated-dependencies:
- dependency-name: node
dependency-version: 24.14.1-bullseye-slim
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps node from 24.14.0-bullseye-slim to 24.14.1-bullseye-slim.
---
updated-dependencies:
- dependency-name: node
dependency-version: 24.14.1-bullseye-slim
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps node from 24.14.0-bullseye-slim to 24.14.1-bullseye-slim.
---
updated-dependencies:
- dependency-name: node
dependency-version: 24.14.1-bullseye-slim
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* server: Replace error classes no longer provided by Apollo
* server: Remove no longer available DataSource base class
* server: Remove no longer necessary gql tag
* server: Upgrade Apollo packages
* server: Refactor API server bootstrap
* server: Remove Apollo packages that reached end-of-life
* server/client: Bump graphql package version
* fixup! server: Refactor API server bootstrap
* fixup! server: Remove Apollo packages that reached end-of-life
* fixup! server: Refactor API server bootstrap
* fixup! server: Replace error classes no longer provided by Apollo
* fix merge main and final code review changes
* lint fixes
---------
Co-authored-by: Juan S. Mrad <juansmrad@gmail.com>
Bumps facebook/threatexchange/hma from 1.1.2 to 1.1.3.
---
updated-dependencies:
- dependency-name: facebook/threatexchange/hma
dependency-version: 1.1.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* clean up integrations in enum definition to remove unused ones
* add model card details to zentropi manifest
* revert model card learn more URL to general MC educational resource
* Regenerate GraphQL files
* merge main and reinstall npm
* actually add regenerated graphql files
* revert package-lock.json to main
* include package-lock.json changes for consistent codegen
* Setting GraphQL depth limit to 10
* Set env var for GraphQL depth
Used safe var helper to ensure proper integer is being used for GraphQL depth
Using Node 24.14.0, as directed to make CI happy
* Cleared merge conflict
* Logging error instead of throwing error
* Use jsonStringify for logging invalid env var
This change addresses ESLint warning about type safety of JSON.stringify.
Co-authored-by: Paweł Wieczorek <pawiecz@collabora.com>
* ci: Realign Betterer results file with current code base state
Fixes: #116
* chore: Lock Node version to v24.14.0 to prevent inconsistency
Version selection was delegated to ".nvmrc" file where applicable.
Fixes: #111
* client: Install Vite dependencies
* client: Add minimal Vite configuration
* client: Add vite-env.d.ts
* client: Update index.html
* client: Update tsconfig.json
* client: Call lazy loader explicitly instead of interpolating imported paths
* client: Migrate server proxy configuration
* client: Migrate transforming SVGs into React components
* client: Migrate env variables
Variable "NODE_ENV" is no longer used in client. It's been replaced with
Vite-specific "MODE" which can be adjusted with "--mode" command line argument
and defaults to:
- "development" for plain "vite" call
- "production" for "build" and "preview" calls
Even though server still uses "GOOGLE_PLACES_API_KEY" variable, client now uses
"VITE_GOOGLE_PLACES_API_KEY" ("VITE_"-prefixed). This way Vite can access this
information.
* client: Replace craco commands with vite(st)
* client: Remove react-scripts/craco and unused configuration
* client: Add a note on slow client start
* client: Fix linter errors after migrating to Vite
* client: Fix betterer errors after migrating to Vite
* client: Add missing Vite plugin configuration
* client: Remove unused Jest configuration
* ci: Realign Betterer results file with current code base state
* fix dockerignore
---------
Co-authored-by: Juan S. Mrad <juansmrad@gmail.com>
* [Code Simplification] Replace Kafka with BullMQ for item submission processing
* [Security] Bump sequelize and undici to fix high-severity vulnerabilities
- sequelize 6.32.1 → 6.37.8: fixes SQL injection via JSON column cast type (GHSA)
- undici 7.19.0 → 7.24.5: fixes WebSocket memory/DoS, CRLF injection, and HTTP smuggling
- Lockfile-only changes, no package.json or source code modifications
* Raise minimum versions for sequelize and undici in package.json