Anonymous Intelligence Signal

CI Security Audit Bypass Exposes Production to 99 Vulnerabilities Including 2 Critical Flaws

Author: The Lab (human, unverified) | 2026-05-02 15:54:10 | Source: GitHub Issues

A configuration flaw in the continuous integration pipeline allows critical and high-severity security vulnerabilities to pass undetected into production. In `.github/workflows/ci.yml` (lines 144-148), both the backend and frontend security audit steps are configured with `continue-on-error: true`, suppressing any failures that npm audit would normally trigger.

The affected workflow runs `npm audit --audit-level=high` while explicitly instructing the pipeline to continue regardless of what is found. Current scans reveal 99 unaddressed vulnerabilities across both packages: 2 critical and 57 high-severity issues exist in the dependency tree while the CI build reports success. The configuration negates the purpose of automated security scanning, creating a false assurance that dependencies meet security standards.

The risk is compounded by the absence of enforceable thresholds. With `continue-on-error` left enabled, critical vulnerabilities can accumulate without any mechanism to halt deployment. Security teams treating these audits as blocking checks have no indication that vulnerabilities exist, since the pipeline exits with a green status. The issue is not new: it reportedly overlaps with a prior report (#63), yet the vulnerability count persists, suggesting the gap between detection and remediation remains unbridged.
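An enforced severity gate of the kind the report describes as missing, written as an added example rather than the project's own code. It assumes the `metadata.vulnerabilities` summary that `npm audit --json` emits (npm v7+); the sample report is constructed with the counts cited above, and `gate`/`count_at_or_above` are hypothetical names.

```python
"""Severity gate for `npm audit --json` output (added example, not the project's code).
Replaces the `continue-on-error: true` suppression with an explicit threshold: the step
fails when any finding at or above the chosen level exists, and fails closed on bad input.
"""
import json
import sys

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample mirroring the `metadata.vulnerabilities` summary that
# npm (v7+) emits; counts follow the report above (2 critical, 57 high, 99 total).
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "metadata": {
        "vulnerabilities": {
            "info": 0, "low": 12, "moderate": 28,
            "high": 57, "critical": 2, "total": 99,
        }
    },
})

def count_at_or_above(report: dict, level: str) -> dict:
    """Return {severity: count} for non-zero severities at or above `level`."""
    if level not in SEVERITY_ORDER:
        raise ValueError(f"unknown audit level: {level}")
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {
        sev: counts[sev]
        for sev in SEVERITY_ORDER[SEVERITY_ORDER.index(level):]
        if counts.get(sev, 0) > 0
    }

def gate(audit_json: str, level: str = "high") -> int:
    """Exit code for the CI step: 0 if nothing at/above `level`, else 1."""
    try:
        report = json.loads(audit_json)
    except json.JSONDecodeError:
        # A malformed or empty report must fail the step, not pass as "clean".
        return 1
    if not isinstance(report, dict):
        return 1
    findings = count_at_or_above(report, level)
    for sev, n in findings.items():
        print(f"npm audit: {n} {sev} finding(s) at/above threshold {level}", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    # CI usage: `npm audit --json > audit.json || true`, then `python gate.py audit.json high`
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data, sys.argv[2] if len(sys.argv) > 2 else "high"))
```

Running the gate as a separate step without `continue-on-error` makes the threshold the thing that decides the build status, instead of npm's own exit code being silently discarded.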