fix: Remediate non-high dependency alert chains

[LucasSantana-Dev]

Summary

• upgrade desktop test toolchain chain to remove vulnerable esbuild path
• upgrade web Jest/JSDOM chain to remove vulnerable @tootallnate/once path
• refresh lockfile and add changelog entry for issue Track non-high dependency alerts after high remediation (esbuild, @tootallnate/once) #448 security follow-up

Dependency outcomes

• vitest -> ^4.0.18
• @vitest/coverage-v8 -> ^4.0.18
• jest -> ^30.3.0
• jest-environment-jsdom -> ^30.3.0
• @types/jest -> ^30.0.0

Validation

• npm run lint
• npm run type-check
• npm run test
• npm run build

Closes #448

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
siza-web	Ready	Preview, Comment	Mar 11, 2026 7:21pm

[coderabbitai]

Warning

Rate limit exceeded

@LucasSantana-Dev has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 50 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4dcfd68a-f0c3-4687-95d3-5871bbdbe476

📥 Commits

Reviewing files that changed from the base of the PR and between 1f54e11 and bd5b069.

⛔ Files ignored due to path filters (2)

• CHANGELOG.md is excluded by !**/*.md
• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• apps/desktop/package.json
• apps/web/package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/siza-issue-448-dependency-alerts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[LucasSantana-Dev]

Critical Issues (Must Fix)

• None.

Warnings (Should Fix)

• None.

Suggestions (Consider)

• This is a major test-toolchain jump (Vitest 4, Jest/JSDOM 30). After merge, run one release-path smoke cycle on desktop/web CI templates to catch any latent runner-specific mismatch not visible locally.

Summary

• Reviewed diff scope (CHANGELOG.md, desktop/web package manifests, lockfile) and local validation evidence. No blocking findings for security or runtime behavior; dependency-only remediation scope is preserved.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Project Scorecard

Scorecard: 84/100 (B)
────────────────────────────────────────
  security: 100/100 (A)
  quality: 80/100 (B) — 1 violations
  performance: 67/100 (D) — 1 violations
  compliance: 75/100 (C) — 1 violations
  dependency: 100/100 (A)

Recommendations:
  - Increase test coverage to meet the 80% threshold
  - Extend log retention to at least 90 days for compliance