chore(deps): combine 3 remaining major Dependabot PRs (React 19, Vite 8, Tailwind 4)

[Copilot]

Combines the 3 major-version Dependabot PRs (#489, #555, #556) that were excluded from the previous consolidation PR (#590) due to required migration work. All three are bundled here since their peer-dependency chains are intertwined.

Dependency bumps

Package	From	To	Notes
react / react-dom	^18.3.1	^19.0.0	#489
@types/react / @types/react-dom	^18 / ^18	^19.0.0	aligned to runtime
next-themes	^0.3.0	^0.4.0	v0.4 adds ^19 to peer range
react-day-picker	^8.10.1	^8.10.2	v8.10.2 adds ^19 to peer range
vaul	^0.9.9	^1.1.2	v1.x adds ^19 to peer range
vite	^7.3.2	^8.0.0	#555
tailwindcss	^3.4.17	^4.0.0	#556

Tailwind v4 migration

Tailwind 4 processes CSS via its own compiler (Lightning CSS); PostCSS and a separate config file are no longer the canonical path for Vite projects.

• vite.config.ts — add @tailwindcss/vite plugin; Tailwind now processes CSS in-process during Vite transforms
• postcss.config.js — remove tailwindcss plugin (redundant with Vite plugin)
• tailwind.config.ts — remove darkMode and tailwindcss-animate plugin entries; referenced via @config bridge from CSS
• src/index.css — migrate directives and declare dark-mode variant:

/* before */
@tailwind base;
@tailwind components;
@tailwind utilities;

/* after */
@import "tailwindcss";
@import "tw-animate-css";           /* replaces tailwindcss-animate */
@config "../tailwind.config.ts";    /* bridges existing theme/keyframe config */
@custom-variant dark (&:where([data-theme="dark"], [data-theme="dark"] *));

tailwindcss-animate → tw-animate-css (the maintained v4 successor, covers every animate-in/out, fade-*, zoom-*, slide-* class used across the shadcn/ui components). Placed in devDependencies alongside tailwindcss — both are build-time only.

Original prompt

please do the same with the 3 remainings dependent bot prs

**Chronological Review:** This conversation spans a long multi-task session in the FalkorDB/QueryWeaver repo. The prior context (summarized) covered: CVE-2026-10130 auth-bypass fix (PR #581), AI-review fixes (PR #583), and staging→main promotion conflict resolution (PR #582 with authlib bump). All those tasks were COMPLETE and merged/green.

The CURRENT task (the focus of all recent activity) is: "combine all dependent bot prs into one pr that pass all the ci checkes, do a rubber duck review on that."

The conversation in this segment progressed through:

1. Environment/toolchain check
2. Setting up todo tracking via SQL
3. Creating combined branch + starting FalkorDB
4. Applying Python (uv) dependency bumps
5. Applying GitHub Actions SHA bumps
6. Applying npm minor-patch bumps
7. Verifying safe set (build, tests, lint all green)
8. Committing safe set
9. Attempting major bumps (React 19, Vite 8, Tailwind 4) — discovered they cascade into breaking changes
10. Asked user how to handle majors → user chose "exclude"
11. Pushed branch, opened PR chore(deps): combine compatible Dependabot bumps #590
12. Ran rubber-duck review
13. Fixed dependency-review-action comment nit flagged by rubber-duck
14. Monitoring CI checks

Intent Mapping:
The most recent explicit user request: "can you please combine all dependent bot prs into one pr that pass all the ci checkes, do a rubber duck review on that"

Technical Inventory:

• Python/uv dependency management (uv 0.11.17)
• Node 26 / npm 11.12.1, Vite/React frontend in app/
• GitHub Actions SHA-pinned workflows
• gh CLI for PR operations
• SQL todos table for tracking
• rubber-duck task agent for code review

Code Archaeology:

• pyproject.toml: bumped 5 Python constraints
• uv.lock: regenerated
• 3 workflow files: SHA pins
• app/package.json + package-lock.json: npm bumps

Progress Assessment:
12 of 15 Dependabot PRs combined into PR #590, all core CI green, rubber-duck done, comment nit fixed. Task essentially COMPLETE, just waiting for final CI confirmation (flaky Playwright pending).

Recent Commands Analysis:
The very last command was a bash call: sleep 150 && gh pr checks 590 which returned "The execution of this tool, or a previous tool was interrupted." This was waiting for the remaining CI jobs (unit-tests, sdk-tests, Playwright) to report on the re-triggered run after the comment-fix push.

1. Conversation Overview

• Primary Objectives: The active task is the user's request: "can you please combine all dependent bot prs into one pr that pass all the ci checkes, do a rubber duck review on that". Prior completed tasks in this session: CVE-2026-10130 fix (PR fix(auth): prevent signup token issuance for existing accounts (CVE-2026-10130) #581), AI-review fixes (PR fix: address AI review findings on staging promotion (#582) #583), staging→main conflict resolution + authlib bump (PR Staging #582).

• Session Context: This is the tail end of a long session. All prior tasks are merged/green. The current segment focused entirely on combining 15 open Dependabot PRs (all targeting staging) into one CI-green PR.

• User Intent Evolution: Moved from security/CVE work → PR conflict resolution → AI review handling → now dependency consolidation. The user, when asked, explicitly chose to exclude the 3 major-version bumps rather than attempt risky migrations.

2. Technical Foundation

• Repo: FalkorDB/QueryWeaver — Python/FastAPI Text2SQL SDK + React/TS frontend in app/
• Default branch: staging (main only receives squashed promotion PRs; main ⊆ staging)
• uv 0.11.17 at $HOME/.local/bin — Python deps; server deps are optional extras (uv sync --extra all / --all-extras)
• Node 26.0.0 / npm 11.12.1 — Vite/React frontend; build = cd app && npm run build
• Direct push to staging works via admin bypass (enforce_admins=false). Only build is a REQUIRED status check; required_approving_review_count=1. Playwright test job is NOT required and is flaky.
• CI (tests.yml) build job runs: uv sync --locked --all-extras (lock MUST match pyproject), cd app && npm ci (lock MUST match package.json), npm run build, unit tests, make lint (pylint must score 10.00 + eslint).

3. Codebase Status

• pyproject.toml — Bumped 5 Python constraints: falkordb~=1.6.1, pymysql~=1.2.0, graphiti-core>=0.29.1 (2 occurrences: memory + server extras), python-multipart~=0.0.29, pytest-playwright~=0.8.0 (2 occurrences: optional-deps.dev + dependency-groups.dev). authlib already at ~=1.7.0 (1.7.2 in lock).

• uv.lock — Regenerated via uv lock + uv lock --upgrade-package urllib3. Final versions verified: falkordb 1.6.1, graphiti-core 0.29.1, pymysql 1.2.0, pytest-playwright 0.8.0, python-multipart 0.0.29, urllib3 2.7.0. Project version bumped 0.2.0→0.3.0.

• .github/workflows/publish-docker.yml — docker/login-action→650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4, docker/metadata-action→80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6, docker/build-push-action→`f9f3042f7e2789586610d6e8b85c...

Created from Copilot CLI via the copilot delegate command.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 6 package(s) with unknown licenses.
• ⚠️ 4 packages with OpenSSF Scorecard issues.

View full job summary

The merge-base changed after approval.

The merge-base changed after approval.

The merge-base changed after approval.