Update all dependencies and devDependencies to latest versions #50

Merged: iamkabelomoobi merged 1 commit into main from chore/update-dependencies-latest-versions on May 27, 2026
iamkabelomoobi (Owner) commented May 27, 2026
  • Bumped versions for @bull-board, @logtail, axios, argon2, class-validator, compression, cors, csrf-csrf, ejs, env-cmd, envalid, express, express-rate-limit, helmet, ioredis, jest-stare, joi, jsonwebtoken, mailgen, morgan, nodemailer, pg, swagger-jsdoc, tslib, ua-parser-js.
  • Updated devDependencies for @nx packages, @swc/helpers, @types packages, @typescript-eslint packages, esbuild, eslint, jest, maildev, nx, prettier, ts-jest, ts-node, typescript.

Summary by Sourcery

Update runtime and development dependencies to their latest major and minor versions across the project.

Build:

  • Upgrade core runtime packages (e.g., Express, Axios, Argon2, Redis, JWT, Nodemailer, Joi, Swagger tooling) to current versions.
  • Refresh tooling, linting, and TypeScript stack (Nx, ESLint, Jest, Prettier, ts-jest, ts-node, TypeScript, and related @types packages) to the latest releases.

sourcery-ai Bot (Contributor) commented May 27, 2026

Reviewer's Guide

This pull request updates all runtime dependencies and devDependencies to their latest versions, most notably upgrading Express from v4 to v5, TypeScript to v6, Prettier to v3, ESLint to v10, and aligning related @types and Nx/Jest tooling versions, with all changes captured in package.json and package-lock.json.

File-Level Changes

Change: Upgrade core HTTP stack and validation/auth libraries to latest major versions.
Details:
  • Bumped Express from 4.x to 5.x along with @types/express from 4.x to 5.x, which may introduce breaking changes in middleware signatures, route handlers, and type definitions.
  • Updated class-validator, joi, csrf-csrf, and envalid to newer major/minor versions that can affect validation schemas and request/response typing.
  • Upgraded jsonwebtoken, argon2, cors, compression, and helmet to newer releases that may change defaults or require small integration adjustments.
Files: package.json, package-lock.json

Change: Update infrastructure/IO-related dependencies (email, Redis, PostgreSQL, HTTP client, logging, job UI).
Details:
  • Upgraded nodemailer (6.x to 8.x) and @types/nodemailer, which may affect transport configuration or typings.
  • Bumped pg, ioredis, axios, mailgen, morgan, ua-parser-js, swagger-jsdoc, jest-stare, and logtail packages to their latest versions for bug fixes and compatibility.
  • Updated @bull-board/api and @bull-board/express to 7.x, which may require minor integration changes with Bull queues.
Files: package.json, package-lock.json

Change: Refresh build, lint, and test toolchain to current ecosystem versions.
Details:
  • Updated Nx packages (@nx/* and nx) within the 22.x line, which can modify workspace defaults or generator behavior.
  • Upgraded TypeScript from 5.9 to 6.0, along with @types/node to 25.x, which may surface new type errors or lib changes.
  • Bumped ESLint to 10.x, @typescript-eslint packages to 8.x, and eslint-config-prettier, potentially altering lint rule behavior and requiring config adjustments.
  • Upgraded Jest and related packages (jest, jest-environment-node, jest-util, ts-jest) which may affect test config or mocks.
  • Updated Prettier from 2.x to 3.x, which can introduce formatting changes and require config or ignore adjustments.
  • Bumped esbuild, ts-node, @swc/helpers and various @types/* packages to align with the new runtime and tooling versions.
Files: package.json, package-lock.json


iamkabelomoobi merged commit 8ea2d04 into main May 27, 2026
1 of 2 checks passed
iamkabelomoobi deleted the chore/update-dependencies-latest-versions branch May 27, 2026 21:25

sourcery-ai Bot (Contributor) left a comment

Hey - I've found 3 issues, and left some high level feedback:

  • The jump from express 4.x/@types/express 4.x to express 5.x/@types/express 5.x is potentially breaking; please verify that your route handlers, error middleware, and any code relying on the old callback-based APIs are updated to the new signatures and behavior.
  • Upgrading to TypeScript 6.x along with @types/node 25.x and the latest @typescript-eslint/eslint-plugin/eslint may require tsconfig and lint config tweaks (e.g., lib/target, strictness options, parserOptions) to avoid new type or lint errors; consider committing those configuration changes alongside this dependency bump.
  • Several runtime libs were bumped across major versions (e.g., nodemailer 6→8, csrf-csrf 3→4, env-cmd 10→11); it may be safer to split these into separate PRs by concern (transport/email, security/middleware, tooling) so that any incompatibilities are easier to isolate and roll back.
Prompt for AI Agents
Please address the comments from this code review:


## Individual Comments

### Comment 1
<location path="package.json" line_range="38" />
<code_context>
+        "ejs": "^6.0.1",
+        "env-cmd": "^11.0.0",
+        "envalid": "^8.1.1",
+        "express": "5.2.1",
+        "express-rate-limit": "^8.5.2",
+        "helmet": "^8.2.0",
</code_context>
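Review bot: `"express": "5.2.1"` is an exact pin, while every other entry in this hunk (`ejs`, `env-cmd`, `envalid`, `express-rate-limit`, `helmet`) uses a caret range. If holding Express at one release is intended, record the reason in the PR description; otherwise use the same range style as its neighbours, so the framework and the middleware mounted on it take patch releases under one policy.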
<issue_to_address>
**issue (bug_risk):** Express 5 is a major bump and may require code changes for middleware and routing.

Express 5 introduces subtle breaking changes (async handler behavior, error-handling middleware signatures, removed/changed APIs). Please verify that custom middleware, error handlers, and any use of `next('route')` or deprecated Express 4 APIs have been updated so routes and error flows behave as expected at runtime.
</issue_to_address>

### Comment 2
<location path="package.json" line_range="34" />
<code_context>
-        "express-rate-limit": "^7.5.0",
-        "helmet": "^8.1.0",
+        "cors": "^2.8.6",
+        "csrf-csrf": "^4.0.3",
+        "ejs": "^6.0.1",
+        "env-cmd": "^11.0.0",
</code_context>
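Review bot: `"csrf-csrf": "^4.0.3"` puts a caret range on the CSRF middleware, so an install that does not read `package-lock.json` can resolve to a later 4.x release than the one reviewed here. Make sure CI and deployment install from the committed lockfile (`npm ci`), or pin this entry exactly, so that the version checked against the CSRF configuration is the version that runs.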
<issue_to_address>
**🚨 issue (security):** The csrf-csrf v4 upgrade may change how tokens/cookies are generated and validated.

Since this is a major version upgrade of a security-sensitive library, please double-check our CSRF setup against the v4 docs: cookie names/paths, token extraction, same-site behavior, and secret management. Any change in defaults or token format could either break valid requests or silently reduce CSRF protection, so confirming compatibility is important.
</issue_to_address>

### Comment 3
<location path="package.json" line_range="79" />
<code_context>
+        "@types/joi": "^17.2.3",
+        "@types/jsonwebtoken": "^9.0.10",
+        "@types/morgan": "^1.9.10",
+        "@types/node": "~25.9.1",
+        "@types/nodemailer": "^8.0.0",
         "@types/swagger-jsdoc": "^6.0.4",
</code_context>
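Review bot: `"@types/node": "~25.9.1"` is the only tilde range in this hunk, and nothing in the visible lines ties it to a Node release. State the supported Node version next to it, for example with an `engines.node` entry in `package.json`, and keep the major of `@types/node` equal to that version so later bulk bumps have something to be checked against.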
<issue_to_address>
**question (bug_risk):** Node 25 type definitions might not match the actual Node runtime version in use.

If your prod/dev Node versions are older than 25, these types may expose APIs that don’t exist at runtime, leading to type-safe code that still fails in production. Consider setting `@types/node` to the minimum Node version you actually support so the type surface matches your runtime capabilities.
</issue_to_address>
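The two checks the review asks for by hand (major-version jumps in security-relevant packages, and `@types/node` running ahead of the Node runtime) can be run mechanically before a bulk bump is merged. This is an added example, not code from this repository or from Sourcery; the `BEFORE`/`AFTER` maps are constructed samples (the old versions in particular are assumed), and `SECURITY_SENSITIVE`, `major`, `majorBumps` and `typesAheadOfRuntime` are hypothetical names.

```javascript
// Constructed before/after dependency maps (sample values; old versions are assumed).
const BEFORE = {
  express: "^4.21.0", "csrf-csrf": "^3.1.0", nodemailer: "^6.9.0",
  helmet: "^8.1.0", "express-rate-limit": "^7.5.0", "@types/node": "~22.10.0",
};
const AFTER = {
  express: "5.2.1", "csrf-csrf": "^4.0.3", nodemailer: "^8.0.0",
  helmet: "^8.2.0", "express-rate-limit": "^8.5.2", "@types/node": "~25.9.1",
};

// Packages whose defaults shape request handling or authentication
// (an assumed list for this example; adjust per project).
const SECURITY_SENSITIVE = new Set([
  "express", "csrf-csrf", "helmet", "cors",
  "express-rate-limit", "jsonwebtoken", "argon2",
]);

// Major of the lowest version a simple range admits: "^4.0.3" -> 4, "5.2.1" -> 5.
// Returns null for anything it cannot read (missing entry, git URL, "*").
function major(range) {
  const m = /^[\^~>=v\s]*(\d+)/.exec(String(range));
  return m ? Number(m[1]) : null;
}

// Packages whose major version increased, security-sensitive ones first.
function majorBumps(before, after) {
  const bumps = [];
  for (const [name, range] of Object.entries(after)) {
    const from = major(before[name]);
    const to = major(range);
    if (from !== null && to !== null && to > from) {
      bumps.push({ name, from, to, sensitive: SECURITY_SENSITIVE.has(name) });
    }
  }
  return bumps.sort((a, b) =>
    Number(b.sensitive) - Number(a.sensitive) || (a.name < b.name ? -1 : 1));
}

// True when @types/node describes a newer Node major than the runtime in use.
function typesAheadOfRuntime(deps, runtimeVersion = process.versions.node) {
  const types = major(deps["@types/node"]);
  const runtime = major(runtimeVersion);
  return types !== null && runtime !== null && types > runtime;
}

for (const b of majorBumps(BEFORE, AFTER)) {
  console.log(`${b.sensitive ? "REVIEW" : "note  "} ${b.name}: ${b.from} -> ${b.to}`);
}
console.log("types ahead of runtime:", typesAheadOfRuntime(AFTER));
```

Entries marked `REVIEW` are the ones to split into their own PR and test against the library's migration notes before merging.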


