
Merge master + fix Day 46 changelog conflict; dependency audit (rollup CVE fix)#101

Merged

RahilKothari9 merged 3 commits into master from copilot/audit-chimera-dependencies on Mar 2, 2026

Conversation

Contributor

Copilot AI commented Mar 1, 2026

Two parallel branches both wrote a "Day 46" changelog entry. This PR merges the latest master into the audit branch and resolves all resulting conflicts.

Conflict resolution

  • README.md / public/README.md: Master's Day 46 (Frontend Polish) kept as-is; dependency audit entry renumbered to Day 47
  • src/style.css: Accepted master's frontend polish additions — focus-visible accessibility styles, skeleton shimmer loading states, gradient section dividers (our branch had no competing changes)
  • package-lock.json: Kept our rollup 4.59.0 over master's 4.55.1 to preserve the security fix

Dependency audit (Day 47)

  • Fixed 1 high-severity vulnerability: GHSA-mw96-cpmx-2vgc — Rollup 4 Arbitrary File Write via Path Traversal, resolved via npm audit fix (rollup transitive dep bumped to 4.59.0)
  • All direct dependencies current within semver ranges (npm outdated clean)

Original prompt

This section details the original issue you should resolve.

<issue_title>Chimera Dependency Audit - 2026-03</issue_title>
<issue_description># Chimera Dependency Audit - 2026-03

Your Role: Dependency & Security Specialist

You are the monthly dependency audit agent for Chimera. Your mission is to review all project dependencies for outdated versions and security vulnerabilities, then update them safely to keep the project healthy and secure.

Audit Checklist

1. Security Vulnerability Scan

Run the following and address any findings:

npm audit
  • Fix any critical or high severity vulnerabilities by updating the affected packages
  • Document moderate vulnerabilities if they cannot be safely fixed
  • Low severity issues should be noted but do not block the PR

2. Outdated Dependency Check

Run the following to identify outdated packages:

npm outdated

Review each outdated package:

  • Patch updates (e.g., 1.0.0 → 1.0.1): Safe to update, update all
  • Minor updates (e.g., 1.0.0 → 1.1.0): Usually safe, update after verifying changelog
  • Major updates (e.g., 1.0.0 → 2.0.0): May have breaking changes, update carefully

3. Update Process

For safe updates:

npm update          # Updates within semver ranges in package.json
npm install <pkg>@latest  # For specific package major bumps

4. Verification After Updates

After any dependency updates, you MUST verify:

npm run build       # Build must pass
npm run test        # All tests must pass

If any build or test fails after an update, revert that specific package update and document the issue.

Non-Negotiable Requirements

  1. Build must pass: npm run build must complete without errors
  2. Tests must pass: npm run test - all tests must pass
  3. No regressions: Don't break existing functionality
  4. Document findings: Update the changelog in BOTH README.md AND public/README.md
  5. Security first: Always fix critical/high severity vulnerabilities

Changelog Entry Format

### Day [X]: 2026-03-01
**Feature/Change**: Monthly Dependency Audit - 2026-03
**Description**: [Summary of what was updated, vulnerabilities fixed, or 'All dependencies up to date']
**Files Modified**: package.json, package-lock.json (if updated), README.md, public/README.md

Audit Report Format

Include a summary in the PR description:

## Dependency Audit Report - 2026-03

### Security Vulnerabilities
- Critical: [count] fixed / [count] remaining
- High: [count] fixed / [count] remaining
- Moderate: [count] noted

### Updated Packages
| Package | Old Version | New Version | Type |
|---------|-------------|-------------|------|
| example | 1.0.0       | 1.0.1       | patch |

### Packages Not Updated (with reason)
| Package | Current | Latest | Reason |
|---------|---------|--------|--------|

Verification Checklist

  • npm audit run and findings addressed
  • npm outdated reviewed
  • Safe updates applied
  • npm run build passes
  • npm run test passes (all tests pass)
  • README.md AND public/README.md updated
  • PR description includes audit report

Remember

Dependency hygiene is critical for security and maintainability. Even if no updates are needed, document that the audit was performed and all dependencies are current. A clean audit is a successful audit!

If there are no updates needed: Still create the PR with a changelog entry noting 'All dependencies reviewed and up to date as of 2026-03-01'.


This issue was automatically generated by the Chimera Monthly Dependency Audit System</issue_description>

Comments on the Issue (you are @copilot in this section)


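The audit checklist quoted above (scan, classify updates as patch/minor/major, fix critical/high, report in a fixed format) is a procedure that is easy to get wrong by hand, so here is an added example that mechanises it. This is not code from the Chimera repository or from this PR: it takes the JSON that `npm audit --json` and `npm outdated --json` emit, works out the fix action for each finding, applies the "critical/high must be fixed" gate, and renders the report section in the format the issue prescribes. The field names follow npm's `auditReportVersion` 2 output as I understand it (`vulnerabilities.<name>.severity`, `via`, `fixAvailable` as `true`, `false` or an object with `isSemVerMajor`); the rollup entry reuses the advisory id and versions visible on this page, while `example-lib`, `example-ui`, `example-tool` and every version string attached to them are constructed for illustration.

```javascript
// Added example, not code from the Chimera repo or this PR: turn the JSON from
// `npm audit --json` and `npm outdated --json` into the triage, gate and report the
// checklist asks for. Field names follow npm's auditReportVersion 2 output as the
// author understands it; all sample data below is constructed, not captured.
'use strict';

const SEVERITIES = ['critical', 'high', 'moderate', 'low', 'info'];
const BLOCKING = new Set(['critical', 'high']);   // must be fixed before merge

// Constructed audit sample: the transitive rollup finding named in the PR, plus
// a hypothetical direct dependency whose only fix is a semver-major bump.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    rollup: {
      name: 'rollup', severity: 'high', isDirect: false,
      via: [{ name: 'rollup', severity: 'high', title: 'Rollup 4 Arbitrary File Write via Path Traversal',
              url: 'https://github.com/advisories/GHSA-mw96-cpmx-2vgc' }],
      fixAvailable: true,                       // in-range fix: `npm audit fix`
    },
    'example-lib': {                            // hypothetical package
      name: 'example-lib', severity: 'moderate', isDirect: true,
      via: [{ name: 'example-lib', severity: 'moderate', title: 'ReDoS (constructed)', url: 'https://example.invalid/adv' }],
      fixAvailable: { name: 'example-lib', version: '2.0.0', isSemVerMajor: true },
    },
  },
};

// Constructed `npm outdated --json` sample (hypothetical direct dependencies):
// `wanted` is the newest version package.json allows, `latest` the newest published.
const SAMPLE_OUTDATED = {
  'example-lib':  { current: '1.4.2', wanted: '1.4.2', latest: '2.0.0', dependent: 'chimera' },
  'example-ui':   { current: '5.1.0', wanted: '5.2.1', latest: '5.2.1', dependent: 'chimera' },
  'example-tool': { current: '0.9.3', wanted: '0.9.8', latest: '0.9.8', dependent: 'chimera' },
};

// Work out what fixes each finding, count per severity, and apply the gate.
function triageAudit(audit) {
  const counts = Object.fromEntries(SEVERITIES.map(s => [s, { fixed: 0, remaining: 0 }]));
  const findings = [];
  for (const v of Object.values(audit.vulnerabilities || {})) {
    if (!counts[v.severity]) continue;          // skip unknown severity labels
    let action = 'no fix available';
    if (v.fixAvailable === true) action = 'npm audit fix';
    else if (v.fixAvailable && typeof v.fixAvailable === 'object')
      action = `npm install ${v.fixAvailable.name}@${v.fixAvailable.version}`
             + (v.fixAvailable.isSemVerMajor ? ' (semver-major: rebuild and retest)' : '');
    const fixable = action !== 'no fix available';
    counts[v.severity][fixable ? 'fixed' : 'remaining'] += 1;
    const advisories = (v.via || []).filter(x => typeof x === 'object').map(a => a.url);
    findings.push({ name: v.name, severity: v.severity, direct: !!v.isDirect, fixable, action, advisories });
  }
  // Gate: a critical/high finding with no fix at all cannot satisfy "security first".
  const blocking = findings.filter(f => BLOCKING.has(f.severity) && !f.fixable).map(f => f.name);
  return { counts, findings, pass: blocking.length === 0, blocking };
}

// major / minor / patch classification of an update, as the checklist defines it.
function bumpType(current, target) {
  const parse = s => (/^(\d+)\.(\d+)\.(\d+)/.exec(s) || []).slice(1, 4).map(Number);
  const [a, b] = [parse(current), parse(target)];
  if (a.length !== 3 || b.length !== 3) return 'unknown';
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  return a[2] !== b[2] ? 'patch' : 'none';
}

function planOutdated(outdated) {
  return Object.entries(outdated).map(([name, o]) => {
    const type = bumpType(o.current, o.latest);
    // `npm update` only moves to `wanted`; anything beyond the package.json
    // range needs an explicit `npm install <pkg>@<version>`.
    const action = type === 'major' ? `npm install ${name}@${o.latest} after reviewing the changelog`
                 : o.wanted === o.latest ? 'npm update' : `npm install ${name}@${o.latest}`;
    return { name, current: o.current, latest: o.latest, type, action };
  });
}

// Render the PR-description report in the format the issue prescribes.
function renderReport(triage, plan, month) {
  const c = triage.counts;
  const lines = [`## Dependency Audit Report - ${month}`, '', '### Security Vulnerabilities',
    `- Critical: ${c.critical.fixed} fixed / ${c.critical.remaining} remaining`,
    `- High: ${c.high.fixed} fixed / ${c.high.remaining} remaining`,
    `- Moderate: ${c.moderate.fixed + c.moderate.remaining} noted`,
    '', '### Updated Packages', '| Package | Old Version | New Version | Type |',
    '|---------|-------------|-------------|------|'];
  for (const p of plan.filter(p => p.type !== 'major'))
    lines.push(`| ${p.name} | ${p.current} | ${p.latest} | ${p.type} |`);
  lines.push('', '### Packages Not Updated (with reason)', '| Package | Current | Latest | Reason |',
    '|---------|---------|--------|--------|');
  for (const p of plan.filter(p => p.type === 'major'))
    lines.push(`| ${p.name} | ${p.current} | ${p.latest} | major bump; changelog review required |`);
  return lines.join('\n');
}

const triage = triageAudit(SAMPLE_AUDIT);
const plan = planOutdated(SAMPLE_OUTDATED);
console.log(renderReport(triage, plan, '2026-03'));
console.log(triage.pass ? 'gate: PASS' : `gate: FAIL (unfixable high/critical: ${triage.blocking.join(', ')})`);
```

To run it against a real project, replace the two sample objects with `JSON.parse` of the files written by `npm audit --json > audit.json` and `npm outdated --json > outdated.json` (both commands exit non-zero when they have findings, so do not chain them with `&&`). The gate deliberately treats a semver-major fix for a high finding as "fixable" rather than "remaining", because the checklist requires those to be fixed, only carefully; the build and test steps are what actually prove the bump was safe. One caveat specific to this PR: when a `package-lock.json` conflict is resolved by keeping one side's version, re-run `npm audit` and `npm ls rollup` on the merged tree rather than trusting the resolution, since a lockfile merge can silently leave a second copy of the package at the old version.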


vercel bot commented Mar 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---------|------------|---------|---------------|
| chimera | Ready | Preview, Comment | Mar 2, 2026 2:48am |

…erability

Co-authored-by: RahilKothari9 <110282686+RahilKothari9@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update outdated dependencies and fix security vulnerabilities" to "chore: dependency audit 2026-03 — fix high-severity rollup vulnerability" on Mar 1, 2026
@RahilKothari9 RahilKothari9 marked this pull request as ready for review March 2, 2026 02:43
Copilot AI changed the title from "chore: dependency audit 2026-03 — fix high-severity rollup vulnerability" to "Merge master + fix Day 46 changelog conflict; dependency audit (rollup CVE fix)" on Mar 2, 2026
@RahilKothari9 RahilKothari9 merged commit 71f1e76 into master Mar 2, 2026
2 checks passed
@RahilKothari9 RahilKothari9 deleted the copilot/audit-chimera-dependencies branch March 2, 2026 03:11

Development

Successfully merging this pull request may close these issues.

Chimera Dependency Audit - 2026-03

2 participants