
chore(deps): update dependencies to address security vulnerabilities #118

Merged
halvaradop merged 5 commits into master from chore/patch-deps
Mar 18, 2026

Conversation

@halvaradop
Member

@halvaradop halvaradop commented Mar 17, 2026

Description

This pull request updates dependency versions to address security vulnerabilities reported by Dependabot in the GitHub repository. The update ensures that affected packages are upgraded to safer versions while maintaining compatibility with the existing codebase.

Additionally, this PR recreates the pnpm-lock.yaml file. Recently, the lockfile has been producing inconsistencies due to Zod version mismatches across the monorepo. Regenerating the lockfile helps stabilize dependency resolution and ensures consistent installations across development and CI environments.

Issues

Summary by CodeRabbit

  • Chores

    • Upgraded frameworks: Astro → v6.0.5, Nuxt → v4.4.2, Hono → v4.12.8
    • Added TypeScript and tightened Node engine requirement to >=22.12.0
    • Introduced curated dependency catalogs and dependency overrides (including zod variants)
    • Updated tooling versions (Vitest) and bumped mermaid
  • Tests

    • Excluded a flaky test from the default test run (temporary)

@vercel

vercel bot commented Mar 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project / Deployment / Actions / Updated (UTC)
  • auth: Ready; actions: Preview, Comment; updated Mar 18, 2026 5:57pm
  • auth-nextjs-demo: Error; updated Mar 18, 2026 5:57pm

@coderabbitai

coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3d2e06e1-4c85-4a9b-865b-98099d553dc9

📥 Commits

Reviewing files that changed from the base of the PR and between 636853f and 5f2a6bd.

⛔ Files ignored due to path filters (3)
  • bun.lock is excluded by !**/*.lock
  • deno.lock is excluded by !**/*.lock
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • packages/core/vitest.config.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

📝 Walkthrough

Walkthrough

Dependency and workspace catalog updates across multiple apps, Astro tooling upgraded to v6 with a Node engine constraint, several framework dependency bumps, zod catalogs added and referenced, generated route type string-quote normalization, and one vitest exclude added.

Changes

Cohort / File(s) / Summary
  • Astro Framework Updates (apps/astro/package.json): Bumped astro to ^6.0.5, updated @astrojs/* packages to newer majors, added typescript ^5.9.3, and set Node engine to >=22.12.0.
  • App Framework Dependency Updates (apps/elysia/package.json, apps/hono/package.json, apps/nuxt/package.json): Version bumps: elysia ^1.4.25 → ^1.4.28 (reordered deps), hono ^4.12.0 → ^4.12.8, nuxt ^4.3.0 → ^4.4.2 and vue ^3.5.27 → ^3.5.30.
  • Docs & Root Dependencies (docs/package.json, package.json): Updated mermaid ^11.12.2 → ^11.13.0; bumped vitest ^4.0.14 → ^4.1.0; replaced/expanded overrides (dompurify, file-type, undici, path-to-regexp, serialize-javascript, tar, lodash variants, etc.).
  • Zod Catalog Configuration (pnpm-workspace.yaml, packages/core/package.json, apps/tanstack-start/package.json): Added zod-v3 and zod-v4 catalogs; switched packages/core zod dep to catalog:zod-v4; added zod: catalog:zod-v4 to apps/tanstack-start.
  • Generated Route Type Formatting (apps/tanstack-start/src/routeTree.gen.ts): Normalized double quotes to single quotes in many exported route type declarations and module augmentation—no semantic changes.
  • Test Configuration (packages/core/vitest.config.ts): Added an exclude entry to skip test/actions/signIn/signIn.test.ts (with TODO comment referencing an issue).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

chore

Poem

🐇 I nibble at packages, tidy the tree,

Upgraded and cataloged, neat as can be.
Single quotes hopping where doubles once played,
Zod found a home in the workspace glade.
A tiny hop, a joyous commit parade. 🎉

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'chore(deps): update dependencies to address security vulnerabilities' directly and accurately describes the main objective of the pull request—updating multiple dependencies across the monorepo to address security vulnerabilities, as confirmed by the PR summary and changeset analysis.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
package.json (1)

46-46: Consider aligning Vitest ecosystem versions explicitly.

Line [46] bumps vitest to ^4.1.0 while @vitest/coverage-v8 remains declared as ^4.0.14 (Line [40]). It will likely resolve fine, but keeping them explicitly in sync improves upgrade clarity.

Proposed alignment
-    "@vitest/coverage-v8": "^4.0.14",
+    "@vitest/coverage-v8": "^4.1.0",
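Review bot: aligning the declared range is cosmetic on its own, because ^4.0.14 already admits 4.1.0; what fixes the installed version is the regenerated pnpm-lock.yaml this PR introduces, so the check worth doing before merge is that the lockfile resolves vitest and @vitest/coverage-v8 to the same 4.1.x release rather than to two different patch levels.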
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 46, The package.json currently lists "vitest": "^4.1.0"
while "@vitest/coverage-v8" remains at "^4.0.14"; update the dependency versions
so they match (e.g., set "@vitest/coverage-v8" to "^4.1.0" or pin both to the
same target version) by editing package.json entries for "vitest" and
"@vitest/coverage-v8" and then reinstalling dependencies (npm/yarn) to ensure
the lockfile reflects the aligned versions.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/astro/package.json`:
- Around line 16-18: Add an "engines" field to the package.json in the Astro app
to require Node.js >=22.12.0 (e.g., add an "engines": { "node": ">=22.12.0" }
entry) so the Astro dependencies (`@astrojs/node` v10, `@astrojs/react` v5 and Astro
v6) have the required runtime; update the root of apps/astro/package.json where
dependencies are listed to include this new "engines" object.

In `@apps/nuxt/package.json`:
- Around line 20-23: Remove the unused dependency "vue-route" from the apps/nuxt
package.json dependencies (the entry "vue-route": "^1.5.1") since the project
uses Nuxt's built-in routing and already has "vue-router"; update package.json
to delete that dependency and run package manager cleanup (npm/yarn/pnpm install
or prune) to ensure lockfile and node_modules are consistent.

In `@package.json`:
- Around line 89-97: The pnpm.overrides entries use open-ended >= ranges which
allow accidental major upgrades; update each override for dompurify, file-type,
undici, seroval, lodash, lodash-es, tar, path-to-regexp, and
serialize-javascript to include safe upper bounds (for example replace ">=3.3.2"
with a caret range like "^3.3.2" or an explicit upper bound like ">=3.3.2
<4.0.0") so that regenerating the pnpm lockfile cannot pull breaking major
versions; apply the same pattern for each package name in the diff (dompurify,
file-type, undici, seroval, lodash, lodash-es, tar, path-to-regexp,
serialize-javascript).


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1f1ba305-9ee1-4574-b1af-a27627bd26b9

📥 Commits

Reviewing files that changed from the base of the PR and between 540bb30 and 419df3c.

⛔ Files ignored due to path filters (3)
  • bun.lock is excluded by !**/*.lock
  • deno.lock is excluded by !**/*.lock
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • apps/astro/package.json
  • apps/elysia/package.json
  • apps/hono/package.json
  • apps/nuxt/package.json
  • docs/package.json
  • package.json
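The open-ended pnpm.overrides ranges flagged in the inline comment above are the kind of thing a small lint can catch before the lockfile is regenerated. The script below is an added example, not code from this PR or the project: it takes a constructed overrides object (only the dompurify floor of 3.3.2 comes from the review; the other package names and versions are made-up values), reports every bare `>=x.y.z` range, and produces the caret-bounded equivalent the review suggests, leaving already-bounded entries untouched.

```javascript
// Added example, not part of the PR: audit a package.json "pnpm.overrides"
// block for open-ended ">=" ranges and produce bounded equivalents.

// Constructed overrides fragment. Only the dompurify floor (3.3.2) appears in
// the review; the other package versions are made-up illustrative values.
const weakOverrides = {
  dompurify: '>=3.3.2',
  undici: '>=6.21.1',
  tar: '>=7.4.3',
  'path-to-regexp': '^8.2.0', // already bounded, should pass through untouched
};

// A range is open-ended when it is a bare ">=MAJOR.MINOR.PATCH" with no upper
// bound: it accepts every future major, so a lockfile regeneration can
// silently pull a breaking release on top of the security patch.
const OPEN_ENDED = /^>=\s*(\d+\.\d+\.\d+)$/;

function isOpenEnded(range) {
  return OPEN_ENDED.test(range.trim());
}

// Keep the patched floor (that is what the override exists for) but cap the
// range at the current major line with a caret.
function toCaret(range) {
  const m = range.trim().match(OPEN_ENDED);
  if (!m) throw new Error(`not an open-ended range: ${range}`);
  return `^${m[1]}`;
}

// Report each override that needs a bound, with the suggested replacement.
function auditOverrides(overrides) {
  return Object.entries(overrides)
    .filter(([, range]) => isOpenEnded(range))
    .map(([name, range]) => ({ name, range, suggested: toCaret(range) }));
}

// Produce a corrected overrides object, leaving bounded entries as they are.
function boundOverrides(overrides) {
  return Object.fromEntries(
    Object.entries(overrides).map(([name, range]) =>
      [name, isOpenEnded(range) ? toCaret(range) : range]),
  );
}

// Stand-alone usage: print the findings and the corrected block.
for (const f of auditOverrides(weakOverrides)) {
  console.log(`${f.name}: "${f.range}" has no upper bound, suggest "${f.suggested}"`);
}
console.log(JSON.stringify({ pnpm: { overrides: boundOverrides(weakOverrides) } }, null, 2));
```

The caret form is the right default for packages at 1.0 or above; for a 0.x package a caret only admits patch releases, so the explicit `>=x.y.z <next-major` spelling the review also mentions is clearer there. Either way an override with an upper bound has to be revisited deliberately when the next major of the patched package ships, which is the point: that decision should be made in a PR, not by a lockfile regeneration.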


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
zod-analysis.txt (1)

1-116: Consider excluding generated analysis output from version control.

This file is generated output from zod.sh and will become stale as dependencies change. Including it in the repository adds maintenance burden and commit noise.

Consider either:

  1. Adding zod-analysis.txt to .gitignore and running the script on-demand
  2. Keeping it temporarily for this PR's review, then removing before merge

If the intent is to document the dependency state for historical reference, a summary in the PR description or commit message might be more appropriate.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@zod-analysis.txt` around lines 1 - 116, The file zod-analysis.txt is
generated output from the zod.sh script and should not be committed long-term;
either add "zod-analysis.txt" to .gitignore (so future zod.sh runs don't clutter
commits) or remove this file from the PR and keep it only for temporary review.
If you need a stable record, capture a short summary in the PR description or a
dedicated changelog entry instead of committing the full generated output.
zod.sh (1)

7-9: Address shell script robustness issues.

Static analysis flagged two issues that could cause unexpected behavior:

  1. Line 7: The bare redirection > "$log" lacks a command. Use : > "$log" for portability.
  2. Line 9: Iterating over ls output is fragile with special characters in paths. Use a glob pattern directly.
♻️ Proposed fix
 # Clear the log file
-> "$log"
+: > "$log"

-for pkg in $(ls -d $pkg_apps/*/); do
+for pkg in "$pkg_apps"/*/; do
     pkg_name=$(basename "$pkg")
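Review bot: the glob loop in the second hunk still shares one failure mode with the `ls` version: when `$pkg_apps` has no subdirectories the pattern `"$pkg_apps"/*/` expands to itself, so the body runs once with `pkg_name` set to `*`. Add `[ -d "$pkg" ] || continue` as the first line of the loop body (or enable `nullglob` when the script is bash-only). The `: > "$log"` change is fine as written; a bare `> "$log"` is also accepted by POSIX shells, so that part is a readability improvement rather than a correctness fix.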
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@zod.sh` around lines 7 - 9, Replace the bare redirection and fragile ls-based
loop: change the empty truncation line that currently uses > "$log" to use a
portable no-op truncation (use : > "$log") and replace the command substitution
loop for pkg (for pkg in $(ls -d $pkg_apps/*/); do) with a direct glob iteration
over the pkg_apps directory (for pkg in "$pkg_apps"/*/; do), ensuring you quote
expansions like "$pkg" inside the loop to safely handle spaces and special
characters.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/astro/package.json`:
- Around line 33-35: The current engines.node constraint in package.json
("node": ">=24.11.1") is too restrictive; update the engines field to allow
Node.js versions compatible with Astro v6 by changing the node constraint to
">=22.12.0" (or a range that includes 22.12.0+), i.e., modify the "engines" →
"node" entry in package.json to use ">=22.12.0" so CI and production systems on
Node 22/23 are supported.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9138a2c5-22e8-4064-a79d-884862439f5f

📥 Commits

Reviewing files that changed from the base of the PR and between 419df3c and db69182.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (7)
  • apps/astro/package.json
  • apps/nuxt/package.json
  • package.json
  • packages/core/package.json
  • pnpm-workspace.yaml
  • zod-analysis.txt
  • zod.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/tanstack-start/package.json`:
- Around line 35-36: The pipeline failed because package.json now includes the
new dependency specifier "zod": "catalog:zod-v4" but the lockfile is not
updated; run pnpm install locally to update pnpm-lock.yaml, verify the new zod
entry is present, and commit the updated pnpm-lock.yaml alongside the
package.json change so the lockfile and the "zod": "catalog:zod-v4" entry stay
in sync.

In `@packages/core/vitest.config.ts`:
- Around line 11-12: Fix the temporary test exclusion and the Zod schema issue:
change the comment above exclude to "Temporary" and add a tracking TODO like "//
TODO(`#123`): Temporarily skipping failing auth tests until signIn zod fix" so the
exclusion of "test/actions/signIn/signIn.test.ts" is tracked; do not permanently
remove the test—only keep exclusion until the underlying bug is fixed; locate
the signIn action/schema where z.stringbool() is used and replace it with the
correct Zod v4 API (e.g., use z.string(), z.boolean(), or z.union([z.string(),
z.boolean()]) as appropriate) in the signIn handler/function so the test can be
re-enabled, then run the test suite and remove the exclude once passing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8a657463-444c-4aaa-ae17-9fe2b425f5b0

📥 Commits

Reviewing files that changed from the base of the PR and between db69182 and 636853f.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • apps/astro/package.json
  • apps/tanstack-start/package.json
  • apps/tanstack-start/src/routeTree.gen.ts
  • packages/core/vitest.config.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/astro/package.json

@halvaradop halvaradop merged commit 38cf87c into master Mar 18, 2026
7 of 8 checks passed
@halvaradop halvaradop deleted the chore/patch-deps branch March 18, 2026 18:27
