POST endpoints (/api/outdated, /api/bulk) now reject bodies over 1 MB using http.MaxBytesReader. Upstream metadata reads (npm, pypi, composer, nuget, pub) now use io.LimitReader capped at 50 MB to prevent OOM from unexpectedly large responses.