Abandoned dependency: `font-mfizz@^2.4.1`
`font-mfizz` has had no releases for roughly a decade and the upstream project is dormant; flag for replacement with a maintained icon font.
"font-mfizz": "^2.4.1",
font-mfizz (technology/brand icon font) was last released around 2014. The repository is archived/dormant. While an icon font is a low-severity attack surface on its own, abandoned packages are exactly the targets attackers acquire and republish (cf. event-stream, coa, ua-parser-js patterns). Replace with material-icons (already present in this manifest) or simple-icons/devicons.
- `npm view font-mfizz time.modified` to confirm the last release date.
- Inventory components that import font-mfizz CSS class names.
- Replace with an actively-maintained icon font and remove the dependency.
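The two checks above can be done offline once the registry metadata is fetched. The script below is an added example, not code from the finding or from the project: it takes a package.json `dependencies` map and the per-package `time` object that `npm view <pkg> time --json` prints, reports dependencies whose most recent publish is older than a threshold, and lists which hypothetical republished versions a caret range such as `^2.4.1` would pull in on an unpinned install. The dates, the material-icons version and the candidate versions are constructed for the example and are not claims about the real registry.

```javascript
// Added example (not the finding's or the project's own code): offline audit of a
// package.json against npm registry "time" metadata, the object printed by
// `npm view <pkg> time --json`. Answers two questions the finding raises: which
// dependencies have not been published in years, and which republished versions a
// caret range would accept. All data below is constructed; real dates may differ.

const MANIFEST = {
  dependencies: {
    "font-mfizz": "^2.4.1",
    "material-icons": "^1.13.0", // hypothetical version, for contrast only
  },
};

// Constructed registry metadata keyed by package name. `modified` is the
// registry's last-change timestamp; version keys map to their publish dates.
const REGISTRY_TIME = {
  "font-mfizz": {
    created: "2013-10-01T00:00:00.000Z",
    modified: "2015-01-15T00:00:00.000Z",
    "2.4.1": "2015-01-15T00:00:00.000Z",
  },
  "material-icons": {
    created: "2016-01-01T00:00:00.000Z",
    modified: "2023-06-01T00:00:00.000Z",
    "1.13.0": "2023-06-01T00:00:00.000Z",
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1).map(Number);
}

// Caret semantics as npm applies them: the range permits any version >= base
// that does not change the leftmost non-zero component of the base version.
function caretAccepts(spec, candidate) {
  if (!spec.startsWith("^")) throw new Error(`only caret ranges handled: ${spec}`);
  const [bM, bm, bp] = parseVersion(spec.slice(1));
  const [cM, cm, cp] = parseVersion(candidate);
  const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
  const order = cmp(cM, bM) || cmp(cm, bm) || cmp(cp, bp); // candidate vs base
  if (order < 0) return false;
  if (bM > 0) return cM === bM;
  if (bm > 0) return cM === 0 && cm === bm;
  return cM === 0 && cm === 0 && cp === bp;
}

// Most recent publish date in a registry `time` object, ignoring the
// created/modified bookkeeping keys and any `unpublished` marker.
function lastPublish(timeObj) {
  let latest = null;
  for (const [key, iso] of Object.entries(timeObj)) {
    if (key === "created" || key === "modified" || key === "unpublished") continue;
    const d = new Date(iso);
    if (!latest || d > latest) latest = d;
  }
  return latest;
}

// Dependencies whose most recent publish is older than maxAgeYears as of `asOf`.
function staleDependencies(manifest, registryTime, asOf, maxAgeYears) {
  const msPerYear = 365.25 * 24 * 3600 * 1000;
  const out = [];
  for (const [name, spec] of Object.entries(manifest.dependencies)) {
    const t = registryTime[name];
    if (!t) continue; // absent from the snapshot; report separately in practice
    const last = lastPublish(t);
    const ageYears = (asOf - last) / msPerYear;
    if (ageYears > maxAgeYears) {
      out.push({ name, spec, lastPublish: last.toISOString(), ageYears: Math.floor(ageYears) });
    }
  }
  return out;
}

// Which of a set of hypothetical republished versions the spec would pull in.
function acceptedVersions(spec, candidates) {
  return candidates.filter((v) => caretAccepts(spec, v));
}

const AS_OF = new Date("2025-01-01T00:00:00.000Z");
for (const dep of staleDependencies(MANIFEST, REGISTRY_TIME, AS_OF, 5)) {
  console.log(`${dep.name}@${dep.spec}: last publish ${dep.lastPublish} (${dep.ageYears} years ago)`);
  const pulled = acceptedVersions(dep.spec, ["2.4.0", "2.4.2", "2.99.0", "3.0.0"]);
  console.log(`  a republished ${pulled.join(" or ")} would satisfy the range`);
}
```

To run it against live data, replace `REGISTRY_TIME` with the output of `npm view font-mfizz time --json`. Note that the range check describes what `npm install` resolves without a lockfile; `npm ci` against a committed package-lock.json installs the pinned version and verifies its integrity hash, so the exposure window is the install that regenerates or updates the lock.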
Low direct exploitability, but the package is an attractive target for maintainer-account takeover. If a malicious 2.x version were published, the caret range would accept it on the next unpinned install; any install script it carried would run on developer machines and CI at `npm install` time, and its CSS/font assets would be bundled and served to every page that uses the icon font.
The font-mfizz dependency is indeed present at line in frontend/package.json ("font-mfizz": "^2.4.1"), and the package is verifiably abandoned: its last npm publish was in 2014/2015 and the upstream repo has been dormant for ~10 years. The caret range would pull in a malicious 2.x republish if the maintainer account were compromised, which is precisely the supply-chain risk pattern the finding describes. Whether that republish reaches a build depends on the lockfile: `npm ci` against a committed package-lock.json installs the pinned version and verifies its integrity hash, so the exposure is on installs that regenerate or update the lock (or on projects with no lockfile at all). The scope explicitly tells us to treat findings as if this were a real production application, so an abandoned, replaceable icon font (especially when material-icons is already in the same manifest) is a legitimate hygiene/supply-chain finding to fix. Severity is low and direct exploitability requires a separate compromise, but the abandoned-dependency claim itself is factually correct.
The finding flags font-mfizz@^2.4.1 in frontend/package.json as a dormant package — there is no currently exploitable sink in the code, only the supply-chain risk that an attacker takes over the abandoned namespace and publishes a malicious version. AC is High because exploitation requires the attacker to first acquire/compromise the upstream maintainer account (a precondition outside the normal attack flow); AV is Network and UI is Required because impact would only materialize when an end-user loads a page importing the icon font. PR is None (no app auth involved in pulling the package). Scope stays Unchanged and C/I are scored Low (A: None) to reflect that as written this is an icon font with low direct attack surface — a hijacked release could plausibly ship CSS/font payloads or an install script, but nothing in the manifest shows it being trusted with elevated privileges beyond the frontend bundle itself.
- CWE-1104: Use of Unmaintained Third Party Components