fix(deps): bump activity-feed and threaded-annotations to v2

[jackiejou]

Summary

• Bump @box/activity-feed to ^2.1.5 and @box/threaded-annotations to ^2.1.3 (major version upgrade).
• Bump direct peer Box deps to satisfy new peer requirements: @box/blueprint-web ^16.1.1, @box/blueprint-web-assets ^5.1.1, @box/collaboration-popover ^2.1.1, @box/readable-time ^2.1.1, @box/user-selector ^2.1.2.

Test plan

• yarn install clean
• npx yarn-deduplicate yarn.lock applied
• CI passes

Summary by CodeRabbit

• Chores
  • Updated multiple internal platform dependency version ranges in development and peer settings (including components for activity feeds, the design system and assets, collaboration tools, and user management) to their latest compatible versions for improved stability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d0edeb98-04ff-4fe1-b167-b42bc1860e45

📥 Commits

Reviewing files that changed from the base of the PR and between 326f997 and 097b27b.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

---

Walkthrough

Seven @box/* packages — @box/activity-feed, @box/blueprint-web, @box/blueprint-web-assets, @box/collaboration-popover, @box/readable-time, @box/threaded-annotations, and @box/user-selector — have their semver ranges bumped in both devDependencies and peerDependencies in package.json.

Changes

@box/* Dependency Version Bumps

Layer / File(s)	Summary
devDependencies and peerDependencies version bumps package.json	Updates version ranges for @box/activity-feed, @box/blueprint-web, @box/blueprint-web-assets, @box/collaboration-popover, @box/readable-time, @box/threaded-annotations, and @box/user-selector in both devDependencies (lines 127–134, 146–150) and peerDependencies (lines 297–304, 314–318). @box/cldr-data version constraints are unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• box/box-ui-elements#4555: Bumps the same @box/activity-feed and @box/threaded-annotations version ranges in devDependencies and peerDependencies.
• box/box-ui-elements#4619: Modifies package.json by bumping the same @box/activity-feed and @box/threaded-annotations dependencies across devDependencies and peerDependencies.
• box/box-ui-elements#4640: Makes the same package.json dependency version-range bumps for the @box/* packages in devDependencies and peerDependencies.

Suggested labels

ready-to-merge

Suggested reviewers

• jfox-box
• jmcbgaston
• reneshen0328

Poem

🐇 Hop, hop, bump those versions high,
Seven packages reach toward the sky!
Blueprint, feeds, and readable time,
All aligned in semver rhyme.
A bunny's work is never done —
Dependency updates, freshly spun! 🌟

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title accurately summarizes the main change: bumping @box/activity-feed and @box/threaded-annotations to major version v2.
Description check	✅ Passed	Description includes all essential information: clear summary of version bumps, affected dependencies, and completed/pending test plan items.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​box/​activity-feed@​1.25.10 ⏵ 2.1.5				+1
	npm/​@​box/​collaboration-popover@​1.64.13 ⏵ 2.1.1				+1
	npm/​@​box/​readable-time@​1.43.13 ⏵ 2.1.1				+1
	npm/​@​box/​threaded-annotations@​1.97.16 ⏵ 2.1.3				+1
	npm/​@​box/​user-selector@​1.78.13 ⏵ 2.1.2
	npm/​@​box/​blueprint-web@​15.10.0 ⏵ 16.1.1	+1		+1
	npm/​@​box/​blueprint-web-assets@​4.131.1 ⏵ 5.1.1

View full report

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Around line 127-134: The `@box/cldr-data` package has inconsistent version
specifiers between devDependencies and peerDependencies: devDependencies uses
^34.2.0 while peerDependencies uses >=34.2.0. Update the peerDependencies entry
for `@box/cldr-data` to use the same caret operator constraint (^34.2.0) as
specified in devDependencies to ensure consistent semver constraints.
Additionally, review whether `@box/frontend` and `@box/languages` should be
available to consumers; if they should be, add them to the peerDependencies
section with appropriate version constraints that match their corresponding
devDependencies versions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5418f296-ced7-4fcd-a2d3-6a4aa1e851e1

📥 Commits

Reviewing files that changed from the base of the PR and between 03d1427 and 326f997.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json

[mergify]

Queued — the merge queue status continues in this comment ↓.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-06-22 23:44 UTC · Rule: Automatic strict merge · triggered by rule Automatic merge queue
• ✅ Checks skipped · PR is already up-to-date
• ✅ Merged — 2026-06-22 23:44 UTC · at 097b27bddf128f43eba006a63ff0f1e362b150a0 · squash

This pull request spent 11 seconds in the queue, including 1 second running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • fix(deps): bump activity-feed and threaded-annotations to v2 #4643
• #review-threads-unresolved = 0 [🛡 GitHub branch protection]
  • fix(deps): bump activity-feed and threaded-annotations to v2 #4643
• github-review-decision = APPROVED [🛡 GitHub branch protection]
  • fix(deps): bump activity-feed and threaded-annotations to v2 #4643
• any of [🛡 GitHub branch protection]:
  • check-success = Summary
  • check-neutral = Summary
  • check-skipped = Summary
• any of [🛡 GitHub branch protection]:
  • check-success = lint_test_build
  • check-neutral = lint_test_build
  • check-skipped = lint_test_build
• any of [🛡 GitHub branch protection]:
  • check-success = license/cla
  • check-neutral = license/cla
  • check-skipped = license/cla
• any of [🛡 GitHub branch protection]:
  • check-success = lint_pull_request
  • check-neutral = lint_pull_request
  • check-skipped = lint_pull_request