
chore(deps): bump swiper, sha.js, and cipher-base#40320

Merged
julio-rocketchat merged 3 commits into develop from bump-swiper-and-cipher-base on Apr 27, 2026

Conversation

julio-rocketchat (Member) commented Apr 27, 2026

Proposed changes (including videos or screenshots)

Bump dependencies to solve CVEs.

Issue(s)

https://rocketchat.atlassian.net/browse/SB-987

Steps to test or reproduce

N/A

Further comments

N/A

Summary by CodeRabbit

  • Chores
    • Updated Swiper to 12.1.3 (may affect carousel behavior and styling).
    • Pinned and adjusted dependency resolutions to ensure consistent sub-dependency versions.
    • Storybook asset resolution updated so component previews load Swiper assets via standard package imports.
    • Improved local type resolution for Swiper to reduce development/type-checking issues.

dionisio-bot (Contributor) commented Apr 27, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

changeset-bot commented Apr 27, 2026

⚠️ No Changeset found

Latest commit: de44d20

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


coderabbitai (Contributor) commented Apr 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between ce398af and de44d20.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json
✅ Files skipped from review due to trivial changes (1)
  • package.json
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build

Walkthrough

Removed Storybook webpack aliases for Swiper CSS, upgraded Swiper from 11.1.14 to 12.1.3, added package resolutions pinning several cipher-related sub-dependencies, and added TypeScript path aliases mapping specific Swiper module imports to their .d.ts declarations.

Changes

Cohort / File(s): Summary

Storybook Configuration / apps/meteor/.storybook/main.ts:
Removed the explicit resolve.alias entries that mapped swiper/...css imports, so resolution falls back to default module resolution.

Dependency Updates / apps/meteor/package.json:
Replaced the patched Swiper 11.1.14 entry with the unpatched npm 12.1.3 release.

Package Resolutions / package.json:
Added/updated resolutions to pin cipher-base@1.0.7 for sub-dependencies (under browserify-aes, browserify-des, create-hash, create-hmac) and pinned create-hash/sha.js and create-hmac/sha.js to 2.4.12; preserved form-data@npm:^4.0.5.

TypeScript Config / apps/meteor/tsconfig.json:
Added path mappings so imports like swiper/modules/index.mjs and swiper/swiper-react.mjs resolve to the package-provided .d.ts files.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

type: chore

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main changes: bumping swiper (from 11.1.14 to 12.1.3), adding cipher-base resolutions (pinned to 1.0.7), and adding sha.js resolutions (pinned to 2.4.12).
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • SB-987: Request failed with status code 401


coderabbitai (Contributor) left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
package.json (1)

89-92: Resolutions look correct — pins address the cipher-base advisory effectively.

cipher-base@1.0.7 is the current latest release and patched version for GHSA-cpq7-6gpm-g9rc (missing input type checks in ≤1.0.4). The four parent-scoped pins force all consumers through 1.0.7, and verification confirms all dependency paths resolve correctly to this version.

A few optional considerations:

  1. PR scope: This commit bundles swiper and cipher-base bumps. Per the repo's dependency management preferences, consider splitting unrelated dependency updates into separate chore commits/PRs for easier bisecting and reverting.
  2. Documentation: A brief comment in this resolutions block (or in the commit message) noting the GHSA reference would help future maintainers understand why these pins exist and when they can be removed (once all parents publish releases with semver ranges ≥1.0.5).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 89 - 92, Add a short explanatory comment in
package.json's resolutions block (adjacent to the entries
"browserify-aes/cipher-base", "browserify-des/cipher-base",
"create-hash/cipher-base", "create-hmac/cipher-base") referencing
GHSA-cpq7-6gpm-g9rc and noting these pins force cipher-base@1.0.7 to mitigate
the advisory (and when they can be removed once parents publish semver ranges
≥1.0.5); alternatively, if preferred, split this chore into two commits/PRs so
the swiper bump and the cipher-base resolutions are separate for easier
bisecting and reverting.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/package.json`:
- Line 296: Update ImageGallery.tsx to use Swiper v12 stable export paths:
replace any imports from 'swiper/modules/index.mjs' with 'swiper/modules', and
switch 'swiper/swiper-react' or 'swiper/swiper-react.mjs' imports to
'swiper/react'; also replace 'swiper/modules/zoom.css' with 'swiper/css/zoom'.
In the Swiper initialization (look for the Swiper component and props like
navigation, nextEl, prevEl in ImageGallery.tsx) prevent duplicate arrows by
either providing empty elements for nextEl/prevEl or disabling Swiper's default
SVG arrows (e.g., supply custom navigation elements or set the appropriate
navigation parameter), and confirm any prior yarn patch related to swiper is no
longer required. Ensure all references (imports and the navigation props wired
to .rcx-swiper-next-button / .rcx-swiper-prev-button) are updated accordingly.


ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between ceefff9 and e7f71e4.

⛔ Files ignored due to path filters (2)
  • .yarn/patches/swiper-npm-11.1.14-8126fa478a.patch is excluded by !**/.yarn/**
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (3)
  • apps/meteor/.storybook/main.ts
  • apps/meteor/package.json
  • package.json
💤 Files with no reviewable changes (1)
  • apps/meteor/.storybook/main.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.
Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.
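The review comment above says the four parent-scoped pins force every consumer through cipher-base@1.0.7 and that "verification confirms all dependency paths resolve correctly". A Yarn resolution of the form `parent/package: version` only rewrites that parent's dependency, so a consumer that is not named in the resolutions block keeps whatever its own range allows. The check a practitioner wants after `yarn install` is therefore that no block in yarn.lock resolves the pinned packages to any other version. The following is an added example of that check, written for this page; it is not part of the PR and not Yarn's own tooling. The function names (`parseYarnLock`, `packageName`, `checkLockfilePins`, `demo`) and the lockfile fragment `SAMPLE_LOCK` are constructed here, and the parser assumes the Yarn berry layout of a quoted `"descriptor, descriptor":` block header followed by a two-space-indented `version:` line.

```javascript
// Added example (not the repository's code): confirm that every lockfile
// resolution of a pinned package is the expected version.

/**
 * Parse the top-level blocks of a Yarn berry yarn.lock into
 * [{ descriptors: [...], version }] records.
 * Assumes the `"key":` / two-space-indented `field: value` layout (yarn.lock v6+).
 */
function parseYarnLock(lockText) {
  const entries = [];
  let current = null;
  for (const rawLine of lockText.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // New block: the key is a comma-separated list of descriptors, usually quoted.
      const key = line.slice(0, -1).replace(/^"|"$/g, '');
      current = { descriptors: key.split(',').map((d) => d.trim()), version: null };
      entries.push(current);
      continue;
    }
    if (current && /^  version: /.test(line)) {
      current.version = line.slice('  version: '.length).replace(/^"|"$/g, '');
    }
  }
  return entries;
}

/** Package name from a descriptor such as "cipher-base@npm:^1.0.0" or "@scope/pkg@npm:1.2.3". */
function packageName(descriptor) {
  const at = descriptor.lastIndexOf('@');
  return at <= 0 ? descriptor : descriptor.slice(0, at);
}

/**
 * pins: { [packageName]: expectedVersion }.
 * Returns { ok, violations, seen }: `violations` lists every descriptor of a pinned
 * package that resolved to a different version; `seen` maps each pinned package to
 * the sorted list of versions actually present in the lockfile.
 */
function checkLockfilePins(lockText, pins) {
  const violations = [];
  const seen = {};
  for (const name of Object.keys(pins)) seen[name] = new Set();
  for (const entry of parseYarnLock(lockText)) {
    for (const descriptor of entry.descriptors) {
      const name = packageName(descriptor);
      if (!(name in pins)) continue;
      seen[name].add(entry.version);
      if (entry.version !== pins[name]) {
        violations.push({ name, descriptor, version: entry.version });
      }
    }
  }
  const seenPlain = Object.fromEntries(
    Object.entries(seen).map(([n, s]) => [n, [...s].sort()]),
  );
  return { ok: violations.length === 0, violations, seen: seenPlain };
}

// Constructed sample lockfile fragment (not the repository's yarn.lock). The last
// block simulates a consumer that no parent-scoped resolution covered, so it still
// resolves to an older cipher-base even though the pinned block exists.
const SAMPLE_LOCK = `# This file is generated by running "yarn install" inside your project.

__metadata:
  version: 8
  cacheKey: 10

"cipher-base@npm:1.0.7, cipher-base@npm:^1.0.0, cipher-base@npm:^1.0.3":
  version: 1.0.7
  resolution: "cipher-base@npm:1.0.7"
  languageName: node
  linkType: hard

"sha.js@npm:2.4.12, sha.js@npm:^2.4.0, sha.js@npm:^2.4.8":
  version: 2.4.12
  resolution: "sha.js@npm:2.4.12"
  languageName: node
  linkType: hard

"cipher-base@npm:^1.0.1":
  version: 1.0.4
  resolution: "cipher-base@npm:1.0.4"
  languageName: node
  linkType: hard
`;

// The versions this PR pins (from its resolutions block).
const PINS = { 'cipher-base': '1.0.7', 'sha.js': '2.4.12' };

// Runs the check over the constructed sample; against a real checkout, read
// yarn.lock from disk with fs.readFileSync and pass it in instead.
function demo() {
  return checkLockfilePins(SAMPLE_LOCK, PINS);
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it as a CI step after `yarn install --immutable` and fail the job when `ok` is false; the `seen` map also tells you when a pin has become redundant, because once every parent publishes a range that already resolves to the patched version the only entry left for that package is the pinned one.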

Comment thread apps/meteor/package.json
codecov commented Apr 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.83%. Comparing base (ceefff9) to head (de44d20).

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff             @@
##           develop   #40320      +/-   ##
===========================================
+ Coverage    69.81%   69.83%   +0.01%     
===========================================
  Files         3296     3296              
  Lines       119173   119173              
  Branches     21479    21503      +24     
===========================================
+ Hits         83197    83219      +22     
+ Misses       32668    32644      -24     
- Partials      3308     3310       +2     
Flag Coverage Δ
e2e 59.75% <ø> (+0.03%) ⬆️
e2e-api 46.23% <ø> (ø)
unit 70.58% <ø> (-0.01%) ⬇️



@julio-rocketchat julio-rocketchat changed the title chore(deps): bump swiper and cipher-base chore(deps): bump swiper, sha.js, and cipher-base Apr 27, 2026
rc-layne commented Apr 27, 2026

Layne — scan passed

No security issues found on latest push.

julio-rocketchat (Member, Author) commented:

/layne exception-approve LAYNE-fdac70e4e7045771 LAYNE-ba8c270db027b128 LAYNE-fcafeb9d4e0e34c0 reason: false positives

rc-layne commented Apr 27, 2026

✅ Exception recorded for LAYNE-fdac70e4e7045771, LAYNE-ba8c270db027b128, LAYNE-fcafeb9d4e0e34c0 by @julio-rocketchat: "false positives". Re-running scan...

d-gubert (Member) left a review comment

Bumps + passing CI = LGTM

@julio-rocketchat julio-rocketchat merged commit 9498359 into develop Apr 27, 2026
48 checks passed
@julio-rocketchat julio-rocketchat deleted the bump-swiper-and-cipher-base branch April 27, 2026 14:46
julio-rocketchat (Member, Author) commented:

/backport 8.4.1

dionisio-bot (Contributor) commented May 3, 2026

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.4.1-40320
git cherry-pick 9498359451f4d516bcf27028316f37495615f269
# solve the conflict
git push

after that just run /backport 8.4.1 again

julio-rocketchat (Member, Author) commented:

/backport 8.4.1

dionisio-bot (Contributor) commented May 3, 2026

Pull request #40373 added to Project: "Patch 8.4.1"

julio-rocketchat (Member, Author) commented:

/backport 8.3.3

dionisio-bot (Contributor) commented May 4, 2026

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.3.3-40320
git cherry-pick 9498359451f4d516bcf27028316f37495615f269
# solve the conflict
git push

after that just run /backport 8.3.3 again

julio-rocketchat (Member, Author) commented:

/backport 8.3.3

dionisio-bot (Contributor) commented May 4, 2026

Pull request #40396 added to Project: "Patch 8.3.3"

julio-rocketchat (Member, Author) commented:

/backport 8.2.3

dionisio-bot (Contributor) commented May 8, 2026

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.2.3-40320
git cherry-pick 9498359451f4d516bcf27028316f37495615f269
# solve the conflict
git push

after that just run /backport 8.2.3 again

julio-rocketchat (Member, Author) commented:

/backport 8.2.3

dionisio-bot (Contributor) commented May 8, 2026

Pull request #40454 added to Project: "Patch 8.2.3"

2 participants