chore(deps): major dependency upgrades and security fixes

[BenDaSpur]

Summary

Resolves the bulk of Dependabot/npm audit findings by upgrading dependencies to current major versions and adding targeted npm overrides where upstream packages lag behind.

Audit: 61 vulnerabilities → 0 (npm audit)

Major upgrades

Area	Before → After
SvelteKit	2.43 → 2.61
adapter-vercel	5.x → 6.3
Prisma	7.0 → 7.8
Vite	7.x → 8
Vitest	3.x → 4.x
Stripe SDK	19 → 22
nodemailer	7 → 8
Icons	lucide-svelte → @lucide/svelte

Notable changes

• npm overrides for cookie (^0.7) and @hono/node-server (Prisma dev tooling) until SvelteKit/Prisma ship fixed transitive deps
• Removed vite-plugin-devtools-json — no Vite 8 peer support yet (dev-only Chrome DevTools JSON; safe to drop)
• Vitest 4 browser tests use @vitest/browser-playwright with the new provider factory API
• Stripe API version updated to 2026-05-27.dahlia
• Test fix: case-create API tests now run Input/Param Zod validation before invoking handlers (matches production sveltekit-api behavior)

Verification

• npm run check — pass (0 errors)
• npm run test:unit -- --run — 677 passed
• npm run build — pass
• Dev server smoke test — GET / returns 200

Follow-ups (optional)

• Re-add devtools JSON plugin when it supports Vite 8
• Consider migrating config.kit.csrf.checkOrigin → csrf.trustedOrigins (SvelteKit deprecation warning)

  

Summary by CodeRabbit

• Chores
  • Bumped many dependencies and devDependencies (tooling and libraries) and updated Stripe API version.
  • Migrated icon package to a scoped Lucide package across the app.
• Refactor
  • Simplified and tightened API endpoint tests and updated build/test config.
• Style
  • Small copy and layout reflows across several pages and added an aria-label to a contact action.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
qa-studio	Ready	Preview, Comment	May 31, 2026 11:55pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7ee82d75-d021-4d1e-a5a1-dfa9ef914a09

📥 Commits

Reviewing files that changed from the base of the PR and between ad27872 and 63ddbae.

📒 Files selected for processing (7)

• src/__tests__/api/projects/cases/create/server.test.ts
• src/lib/components/AttachmentViewer.svelte
• src/routes/+error.svelte
• src/routes/Header.svelte
• src/routes/admin/teams/+page.svelte
• src/routes/contact/+page.svelte
• src/routes/teams/[teamId]/payment-required/+page.svelte

💤 Files with no reviewable changes (1)

• src/routes/admin/teams/+page.svelte

---

Walkthrough

Bumps many dependencies, migrates icon imports from lucide-svelte to @lucide/svelte across the UI, updates Vite/Vitest Playwright wiring and chunking, refactors endpoint tests (typed POST wrapper, zod validation), replaces Redis mock shape, and tweaks a few runtime client options (Stripe apiVersion, JWT cast).

Changes

Dependency and Build Infrastructure

Layer / File(s)	Summary
Dependency upgrades and overrides package.json	Widespread devDependency and dependency version bumps; changed icon package to @lucide/svelte; expanded overrides (including @hono/node-server, cookie, nested sveltekit-api overrides).
Vite & Vitest config vite.config.ts	Removed vite-plugin-devtools-json, added Playwright provider import, updated Rollup manualChunks to target node_modules/@lucide/svelte, and switched Vitest browser provider to playwright() (removed separate environment).

Icon Library Migration

Layer / File(s)	Summary
Icon imports across UI src/lib/components/*, src/routes/**/*.svelte, src/lib/components/AttachmentViewer.svelte	Replaced lucide-svelte imports with @lucide/svelte across many components and pages; adjusted attachment icon rendering to compute component and conditionally render; minor text reflows in docs/pages.
Vite chunking for icons vite.config.ts	Updated manualChunks to produce a lucide chunk from @lucide/svelte package path.

Tests and Runtime Adjustments

Layer / File(s)	Summary
Endpoint test refactor src/__tests__/api/projects/cases/create/server.test.ts	Added typed POST helper that parses request JSON, validates route param and input via zod, throws validation errors directly, and calls handler; tests updated to expect direct promise rejections and use eventWithSuiteId helper.
Mocks and runtime tweaks src/lib/server/redis.test.ts, src/lib/server/oidc/jwt.ts, src/lib/server/stripe.ts	Redis mock replaced by MockRedis class exposing instance methods; JWK-to-PEM cast goes through unknown before crypto.JsonWebKey; Stripe client apiVersion bumped to 2026-05-27.dahlia.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

"Icons migrate under a scoped new sky,
Tests tidy up and mocks comply,
Tooling bumped and chunks re-routed,
Small edits made, the app stays rooted. ✨"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: dependency upgrades addressing security vulnerabilities. It accurately reflects the PR's primary objective of resolving Dependabot findings.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/dependency-security-updates-c058

Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/lib/components/AttachmentViewer.svelte (1)

171-174: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

♻️ Replace deprecated <svelte:component> with a capitalized dynamic component variable (Svelte 5 runes)

<svelte:component this={...} /> is deprecated in Svelte 5 runes mode; render the getAttachmentIcon(attachment.mimeType) result as a capitalized component variable instead to avoid the deprecation warning.

♻️ Render the dynamic icon directly

 <div class="text-surface-600-300">
-	<svelte:component
-		this={getAttachmentIcon(attachment.mimeType)}
-		class="h-5 w-5"
-	/>
+	{`@const` AttachmentIcon = getAttachmentIcon(attachment.mimeType)}
+	<AttachmentIcon class="h-5 w-5" />
 </div>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/components/AttachmentViewer.svelte` around lines 171 - 174, The
current use of <svelte:component this={getAttachmentIcon(attachment.mimeType)}
/> is deprecated in runes mode; change it to capture the result of
getAttachmentIcon(attachment.mimeType) into a capitalized component variable
(e.g., Icon) and render that variable as a normal component (ensure the
identifier is capitalized so Svelte treats it as a component) with the same
class props; update the code paths that call getAttachmentIcon and the rendering
site in AttachmentViewer.svelte accordingly and guard for a falsy return (render
nothing or a fallback) if getAttachmentIcon returns null/undefined.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/__tests__/api/projects/cases/create/server.test.ts`:
- Around line 11-14: The current test uses an unsafe "as any" cast for
POST_ENDPOINT when creating endpointHandler; replace this by importing the
endpoint module's default export directly (use "import POST_ENDPOINT from
'.../POST'") and then type the handler explicitly using the known handler
signature (associate POST_ENDPOINT/default with the function type that takes
z.infer<typeof Input> & z.infer<typeof Param> and returns Promise<PostResult>)
so you remove the "as any" assertion on endpointHandler; update references to
POST_ENDPOINT and endpointHandler accordingly to keep typesafe tests.

In `@src/routes/`+error.svelte:
- Line 3: The import line in +error.svelte imports unused icons AlertTriangle,
Frown, and ServerCrash; remove those three symbols from the import statement so
only the used icons (e.g., Bug, Home, ArrowLeft) are imported to reduce bundle
size and eliminate unused imports in the file.

In `@src/routes/admin/teams/`+page.svelte:
- Line 2: The import statement bringing in Building2, Users, Mail, Phone,
Calendar, and Shield from '`@lucide/svelte`' is unused and should be removed;
delete the line that imports these symbols (Building2, Users, Mail, Phone,
Calendar, Shield) from your +page.svelte module so ESLint warnings are resolved
and bundle size is reduced, or if any icon is later needed, reintroduce only the
specific named export(s) where they are actually used in the markup.

In `@src/routes/contact/`+page.svelte:
- Line 2: The import replaced the Github icon with CodeXml (see import line
using Mail, CodeXml, MessageCircle) but the "Report Issues" card still links to
GitHub; if you want the GitHub logo back, restore the Github symbol in the
import list (replace CodeXml with Github) and update the card markup to use
Github instead of CodeXml; if the change was intentional to avoid brand icons,
leave CodeXml but confirm the "Report Issues" card text/aria-label still clearly
indicates GitHub so users aren’t confused.

In `@src/routes/Header.svelte`:
- Line 6: The import statement in Header.svelte pulls in an unused symbol "User"
from '`@lucide/svelte`'; remove "User" from the named imports in the import line
(leaving X, Menu, LogOut) so the component only imports icons that are actually
used (verify there are no references to the User symbol elsewhere in
Header.svelte before removing).

In `@src/routes/teams/`[teamId]/payment-required/+page.svelte:
- Line 2: The import list in the component includes an unused symbol CheckCircle
from '`@lucide/svelte`'; remove CheckCircle from the import statement (leaving
CreditCard and AlertTriangle) to eliminate the unused import and associated
linter warning in the +page.svelte component.

---

Outside diff comments:
In `@src/lib/components/AttachmentViewer.svelte`:
- Around line 171-174: The current use of <svelte:component
this={getAttachmentIcon(attachment.mimeType)} /> is deprecated in runes mode;
change it to capture the result of getAttachmentIcon(attachment.mimeType) into a
capitalized component variable (e.g., Icon) and render that variable as a normal
component (ensure the identifier is capitalized so Svelte treats it as a
component) with the same class props; update the code paths that call
getAttachmentIcon and the rendering site in AttachmentViewer.svelte accordingly
and guard for a falsy return (render nothing or a fallback) if getAttachmentIcon
returns null/undefined.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8233f2af-b3d0-4acc-9b1c-6d72e88ef3aa

📥 Commits

Reviewing files that changed from the base of the PR and between 041a781 and ad27872.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json

📒 Files selected for processing (56)

• package.json
• src/__tests__/api/projects/cases/create/server.test.ts
• src/lib/components/AttachmentViewer.svelte
• src/lib/components/DraggableTestCase.svelte
• src/lib/components/ErrorDisplay.svelte
• src/lib/components/JiraIssueModal.svelte
• src/lib/components/LoadMoreButton.svelte
• src/lib/components/NestedSuiteTestCases.svelte
• src/lib/components/NestedTestSuite.svelte
• src/lib/components/PasswordRequirements.svelte
• src/lib/components/ProjectSelector.svelte
• src/lib/components/TestCaseDropZone.svelte
• src/lib/components/TestStepsViewer.svelte
• src/lib/components/ThemeToggle.svelte
• src/lib/server/oidc/jwt.ts
• src/lib/server/redis.test.ts
• src/lib/server/stripe.ts
• src/routes/+error.svelte
• src/routes/+page.svelte
• src/routes/Header.svelte
• src/routes/about/+page.svelte
• src/routes/admin/teams/+page.svelte
• src/routes/authenticators/+page.svelte
• src/routes/blog/+page.svelte
• src/routes/blog/[slug]/+page.svelte
• src/routes/contact-sales/+page.svelte
• src/routes/contact/+page.svelte
• src/routes/dashboard/+page.svelte
• src/routes/features/+page.svelte
• src/routes/invitations/[token]/+page.svelte
• src/routes/onboarding/+page.svelte
• src/routes/pricing/+page.svelte
• src/routes/privacy/+page.svelte
• src/routes/projects/+page.svelte
• src/routes/projects/[projectId]/+page.svelte
• src/routes/projects/[projectId]/cases/+page.svelte
• src/routes/projects/[projectId]/cases/[testCaseId]/+page.svelte
• src/routes/projects/[projectId]/healing/+page.svelte
• src/routes/projects/[projectId]/runs/+page.svelte
• src/routes/projects/[projectId]/runs/[runId]/+page.svelte
• src/routes/projects/new/+page.svelte
• src/routes/reports/+page.svelte
• src/routes/settings/+page.svelte
• src/routes/settings/api-keys/+page.svelte
• src/routes/settings/integrations/jira/+page.svelte
• src/routes/settings/integrations/twilio/+page.svelte
• src/routes/sms/+page.svelte
• src/routes/teams/[teamId]/+page.svelte
• src/routes/teams/[teamId]/invite/+page.svelte
• src/routes/teams/[teamId]/over-limit/+error.svelte
• src/routes/teams/[teamId]/over-limit/+page.svelte
• src/routes/teams/[teamId]/payment-required/+error.svelte
• src/routes/teams/[teamId]/payment-required/+page.svelte
• src/routes/teams/new/+page.svelte
• src/routes/terms/+page.svelte
• vite.config.ts

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider if the icon change from Github to CodeXml is intentional.

The "Report Issues" card links to GitHub Issues, but now uses the generic CodeXml icon instead of the Github icon. While this works, the GitHub logo icon was more semantically appropriate and immediately recognizable for users. If the goal was to avoid brand-specific icons, this is fine; otherwise, consider reverting to Github for better visual clarity.

Also applies to: 52-52

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/routes/contact/`+page.svelte at line 2, The import replaced the Github
icon with CodeXml (see import line using Mail, CodeXml, MessageCircle) but the
"Report Issues" card still links to GitHub; if you want the GitHub logo back,
restore the Github symbol in the import list (replace CodeXml with Github) and
update the card markup to use Github instead of CodeXml; if the change was
intentional to avoid brand icons, leave CodeXml but confirm the "Report Issues"
card text/aria-label still clearly indicates GitHub so users aren’t confused.