📦 deps(nx): upgrade Nx to 22.6.0, deduplicate workspace deps, and restore Docker hardening #271

Merged
cteyton merged 3 commits into migration-node-24-14 from nx-22.6.0
Mar 31, 2026

@cteyton cteyton commented Mar 31, 2026

Explanation

Upgrades Nx from 21.6.8 to 22.6.0, deduplicates workspace dependencies across packages, and restores Docker security hardening that was inadvertently dropped.

Relates to #270

Type of Change

  • Bug fix
  • New feature
  • Improvement/Enhancement
  • Refactoring
  • Documentation
  • Breaking change

Affected Components

  • Domain packages affected: all packages (jest.config.ts, package.json deduplication)
  • Frontend / Backend / Both: Both
  • Breaking changes (if any): None

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing completed
  • Test coverage maintained or improved

Test Details:

  • All 4 app builds pass (api, frontend, cli, mcp-server)
  • All tests pass with --no-experimental-strip-types
  • All 29 lint targets pass

Changes Summary

Nx 22.6.0 upgrade

  • Bumped all @nx/* packages from 21.6.8 → 22.6.0
  • Added @nx/vitest plugin; testTargetName: "test" now owned by vitest plugin in nx.json
  • Converted all jest.config.ts files from ESM to CJS for Node 24 compatibility
  • Added ESLint override to permit require() in Jest config files

Dependency deduplication (#270)

  • Hoisted shared dependencies to workspace root package.json
  • Removed redundant per-package declarations across all domain packages
  • Reduced package-lock.json by ~6700 lines

Docker hardening fixes (Greptile P1 + P2 from #270)

  • P1: Restored rm -rf /sbin/apk ... in Dockerfile.api and Dockerfile.mcp after apk add to prevent runtime package installation
  • P2: Fixed misleading comment in docker.yml: build-scan-push only runs on main and release branches
  • P2: Added missing newline at end of .gitignore

Storybook 10 migration

  • Updated Story files and .storybook/main.ts
  • Added eslint-plugin-storybook@10

TODO List

  • CHANGELOG Updated
  • Documentation Updated

Reviewer Notes

  • The APK hardening removal (P1 Greptile finding on ⬆️ chore: upgrade Node.js from 22.17.0 to 24.14.1 #270) is now fixed — both production Dockerfiles again remove /sbin/apk and related dirs after package installation.
  • jest.config.ts files are all CJS (require()-based) — this is intentional for Node 24 compatibility, not a regression.

cteyton and others added 3 commits March 31, 2026 17:58
- Bump all @nx/* packages and nx to 22.6.0
- Upgrade storybook from v9 to v10 (10.3.3)
- Add @nx/vitest plugin; move vitest testTargetName from @nx/vite
- Convert all jest.config.ts from ESM to CJS (require/module.exports)
- Fix require('../../jest-utils') → require('../../jest-utils.ts') for Node.js resolution
- Update story files to import from @storybook/react-vite instead of @storybook/react (Storybook v10 rule)
- Allow require() in jest.config.ts via ESLint override
- Fix getAbsolutePath return type any → string in .storybook/main.ts
- Bump @nx/devkit in tools/packmind-plugin/package.json to 22.6.0
- Add .claude/worktrees and .claude/settings.local.json to .gitignore

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Remove external dependencies from child package.json files that are
already declared in root, fixing version drift and reducing maintenance
burden. Key changes:
- Removed ~48 redundant dependency declarations across 21 packages
- Fixed version mismatches (uuid, bullmq, slug, codemirror in skills/node-utils/ui)
- Standardized @packmind/* internal deps from pinned 0.0.1 to wildcard *
- Removed unnecessary devDependencies already provided by root

Co-Authored-By: Claude <noreply@anthropic.com>

https://claude.ai/code/session_018K74TaQrsXvK3qnvR9t2Ma

Co-authored-by: Claude <noreply@anthropic.com>

- Restore rm -rf /sbin/apk in Dockerfile.api and Dockerfile.mcp
  after apk add to prevent runtime package installation (P1 Greptile fix)
- Fix misleading comment in docker.yml: build-scan-push runs on main
  and release branches only, not all branches (P2 Greptile fix)
- Add missing newline at end of .gitignore (P2 Greptile fix)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

greptile-apps bot commented Mar 31, 2026

Greptile Summary

This PR upgrades Nx from 21.6.8 to 22.6.0, migrates Storybook from v9 to v10, converts all jest.config.ts files from ESM to CJS for Node 24 compatibility, deduplicates ~6700 lines from package-lock.json by hoisting shared deps to the workspace root, and restores Docker APK hardening (rm -rf /sbin/apk …) that was accidentally dropped in the previous PR.

Key changes:

  • All @nx/* packages uniformly pinned to 22.6.0; @nx/vitest plugin added and testTargetName: "test" moved from @nx/vite/plugin to the dedicated @nx/vitest plugin — correct Nx 22 pattern
  • All jest.config.ts files converted to CJS (require() / module.exports) and @typescript-eslint/no-require-imports disabled for those files via an ESLint override
  • Docker hardening (rm -rf /sbin/apk /etc/apk /lib/apk /usr/share/apk /var/cache/apk) correctly restored in both Dockerfile.api and Dockerfile.mcp after apk add
  • Storybook 10 migration: stories import Meta/StoryObj from @storybook/react-vite, main.ts uses getAbsolutePath(import.meta.resolve(…)) per the v10 requirement, and eslint-plugin-storybook@10 integrated
  • Dependency deduplication: packages like validator, react-router, @react-router/*, diff, bullmq, jsonwebtoken, and many CodeMirror language packages are now declared only at the workspace root
  • .gitignore updated to exclude .claude/worktrees and .claude/settings.local.json
  • Misleading comment in docker.yml corrected to accurately describe the job's branch-gating behavior

Confidence Score: 5/5

This PR is safe to merge — all changes are well-scoped infrastructure upgrades with no remaining P1 findings.

All previously flagged P1 security findings (APK hardening removal) are now addressed. The Nx 22 upgrade, jest CJS conversion, Storybook 10 migration, and dep deduplication are all consistent and internally validated (builds pass, tests pass, 29 lint targets pass). No logic bugs, data integrity issues, or breaking changes were identified during review.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| dockerfile/Dockerfile.api | Restores rm -rf /sbin/apk … after apk add to prevent runtime package installation; previously dropped fix is now correctly in place. |
| dockerfile/Dockerfile.mcp | Same APK hardening restoration as Dockerfile.api; rm -rf /sbin/apk … correctly chained after the apk add layer. |
| nx.json | Adds @nx/vitest plugin with testTargetName: "test" and removes the same option from @nx/vite/plugin; both @nx/jest/plugin and @nx/vitest use "test" but detect projects via separate config-file patterns, so no conflict. |
| package.json | Upgrades all @nx/* packages to 22.6.0, adds @nx/vitest, migrates Storybook from 9.x to 10.3.3, adds eslint-plugin-storybook@10.3.3, pins SWC packages to versions already in lockfile, and hoists shared workspace deps from per-package to root. |
| eslint.config.mjs | Adds ESLint override to disable @typescript-eslint/no-require-imports for all jest.config.ts files, enabling the CJS-style require() calls introduced by the Node 24 compatibility conversion. |
| apps/api/jest.config.ts | Converted from ESM (import/export default) to CJS (require/module.exports) for Node 24 compatibility; representative of all 20+ identical jest.config.ts conversions across the monorepo. |
| packages/ui/.storybook/main.ts | Adds getAbsolutePath helper using import.meta.resolve for Storybook 10 framework resolution; fileURLToPath/dirname imports added; framework name switched to the resolved absolute path. |
| packages/ui/eslint.config.mjs | Integrates eslint-plugin-storybook@10 using flat config format; storybook.configs["flat/recommended"] appended at end of config array, targeting story files as per the plugin's built-in file patterns. |
| packages/ui/package.json | Removes many CodeMirror language packages (dompurify, lang-cpp, lang-go, etc.) from per-package deps, hoisting them to the workspace root; only a subset of language packages remain (lang-json, lang-xml, lang-rust). |
| .github/workflows/docker.yml | Fixes misleading comment on build-scan-push job — old comment claimed "scan on all branches" while the if condition already restricted it to main/release branches. |
| apps/frontend/package.json | Removes @react-router/* packages, react-router, and validator (hoisted to root); keeps react-router-dom locally since it is not in the root; nprogress/@types/nprogress remain local. |
| packages/ui/src/lib/components/content/PMBadge/PMBadge.stories.tsx | Import source updated from @storybook/react to @storybook/react-vite for Meta/StoryObj types; representative of all ~20 story file updates in this PR. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR #271 Changes] --> B[Nx 21.6.8 → 22.6.0]
    A --> C[jest.config.ts ESM → CJS]
    A --> D[Docker Hardening Restored]
    A --> E[Dependency Deduplication]
    A --> F[Storybook 9 → 10]

    B --> B1["All @nx/* pinned to 22.6.0"]
    B --> B2["@nx/vitest plugin added to nx.json"]
    B --> B3["testTargetName moved from @nx/vite → @nx/vitest"]

    C --> C1["import → require()"]
    C --> C2["export default → module.exports"]
    C --> C3["ESLint override: no-require-imports off for jest.config.ts"]

    D --> D1["Dockerfile.api: rm -rf /sbin/apk …"]
    D --> D2["Dockerfile.mcp: rm -rf /sbin/apk …"]

    E --> E1["Hoisted: react-router, validator, diff, bullmq…"]
    E --> E2["~6700 lines removed from package-lock.json"]

    F --> F1["Stories: @storybook/react → @storybook/react-vite"]
    F --> F2["main.ts: getAbsolutePath(import.meta.resolve)"]
    F --> F3["eslint-plugin-storybook@10 added"]

Reviews (1): Last reviewed commit: "🔒️ security(docker): restore apk harden..." | Re-trigger Greptile

@cteyton cteyton merged commit ac4b1a7 into migration-node-24-14 Mar 31, 2026
3 checks passed
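
A regression guard for the apk hardening this PR restores, as an added example that is not part of the PR or the project's code: it parses a Dockerfile and reports which of the apk paths named in the review are still present in the final stage after the last apk call. The function names, sample Dockerfiles, image tag and package are constructed for illustration.

```python
import re

# Paths the PR removes after `apk add` (list taken from the review summary above).
APK_PATHS = {"/sbin/apk", "/etc/apk", "/lib/apk", "/usr/share/apk", "/var/cache/apk"}

def instructions(dockerfile):
    """Yield (KEYWORD, args) per instruction; comment lines dropped, continuations joined."""
    kept = [l for l in dockerfile.splitlines() if not l.lstrip().startswith("#")]
    for line in re.sub(r"\\[ \t]*\n", " ", "\n".join(kept)).splitlines():
        keyword, _, args = line.strip().partition(" ")
        if keyword:
            yield keyword.upper(), args.strip()

def missing_apk_removals(dockerfile):
    """Return the APK_PATHS that survive in the final stage after its last apk call.

    Only shell-form RUN is understood; a stage that never calls apk is not flagged.
    """
    apk_used, removed = False, set()
    for keyword, args in instructions(dockerfile):
        if keyword == "FROM":                      # earlier stages are not shipped
            apk_used, removed = False, set()
        elif keyword == "RUN":
            for command in re.split(r"&&|\|\||;", args):
                words = command.split()
                if not words:
                    continue
                if words[0] == "apk":              # removals before this do not count
                    apk_used, removed = True, set()
                elif words[0] == "rm" and any(w.startswith("-") and "r" in w for w in words):
                    removed |= APK_PATHS.intersection(words)
    return APK_PATHS - removed if apk_used else set()

# Constructed samples (not the project's Dockerfiles; image tag and package are placeholders).
HARDENED = """\
FROM node:24-alpine AS build
RUN apk add --no-cache python3
FROM node:24-alpine
RUN apk add --no-cache ca-certificates \\
    && rm -rf /sbin/apk /etc/apk /lib/apk /usr/share/apk /var/cache/apk
USER node
"""
REGRESSED = HARDENED.replace(" \\\n    && rm -rf /sbin/apk /etc/apk /lib/apk /usr/share/apk /var/cache/apk", "")

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("regressed", REGRESSED)):
        print(name, sorted(missing_apk_removals(text)) or "ok")
```

Run against each production Dockerfile in CI and fail the job when the returned set is non-empty, so a dropped `rm -rf` line is caught before review.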