
fix(security): update vulnerable dependencies #97

Merged: duyet merged 1 commit into main from codex/fix-critical-cves on May 20, 2026

Conversation


@duyet duyet commented May 20, 2026

Summary

  • upgrade Clerk packages to resolve the @clerk/shared middleware bypass advisory
  • remove remaining audit findings with direct dependency upgrades and pinned safe transitive overrides
  • migrate Cloudflare Vitest config and stabilize rate-limit/tag tests under the upgraded runner

Verification

  • bun audit
  • bun run lint
  • bun run typecheck
  • bunx tsc --noEmit -p packages/dashboard/tsconfig.json
  • WRANGLER_LOG_PATH=/private/tmp/agentstate-wrangler-logs bun run test
  • bun run build


@sourcery-ai sourcery-ai Bot left a comment


Sorry @duyet, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery


coderabbitai Bot commented May 20, 2026

Warning

Rate limit exceeded

@duyet has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 47 minutes and 33 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: dd34904e-b1bd-41ee-ab77-0735a3d62ee2

📥 Commits

Reviewing files that changed from the base of the PR and between 91899cc and 7affc22.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (14)
  • package.json
  • packages/api/package.json
  • packages/api/src/middleware/project-creation-rate-limit.ts
  • packages/api/src/middleware/rate-limit.ts
  • packages/api/src/services/projects.ts
  • packages/api/test/projects.test.ts
  • packages/api/test/rate-limit.test.ts
  • packages/api/test/setup.ts
  • packages/api/test/tags.test.ts
  • packages/api/vitest.config.mts
  • packages/api/vitest.config.ts
  • packages/api/wrangler.test.jsonc
  • packages/dashboard/package.json
  • packages/sdk/package.json


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates numerous dependencies across the monorepo, including Hono, Vitest, and Clerk, and introduces configurable rate limits for API requests and project creation via environment variables. The test suite has been improved with a new Vitest configuration, more robust tag filtering tests, and automated database cleanup during setup. Feedback from the reviewer suggests implementing safer parsing for environment variables to prevent rate limits from defaulting to zero and optimizing test performance by batching database deletion operations.

Comment on lines +49 to +54
const configuredRateLimit = Number(
(c.env as { PROJECT_CREATION_RATE_LIMIT_MAX?: string }).PROJECT_CREATION_RATE_LIMIT_MAX,
);
const rateLimit = Number.isFinite(configuredRateLimit)
? configuredRateLimit
: PROJECT_CREATION_RATE_LIMIT;
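Review bot: the `Number.isFinite` guard on lines 142-144 accepts several values that are not usable as a rate limit: `Number("")` and `Number(" ")` are `0`, `Number("2.5")` is `2.5`, `Number("-5")` is `-5`, and `Number("0x10")` is `16`, so a blank or mistyped `PROJECT_CREATION_RATE_LIMIT_MAX` would either block every project creation (limit 0) or silently apply an unintended limit. Suggest accepting the override only when it is a positive integer, e.g. `Number.isInteger(configuredRateLimit) && configuredRateLimit > 0`, and emitting a log line when the default is used instead, so a misconfigured deployment is visible rather than quietly falling back.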


medium

Using Number() to parse environment variables can lead to unexpected behavior because Number("") and Number(" ") both evaluate to 0. If the environment variable is set to an empty string, the rate limit will be effectively set to zero, blocking all project creations. It is safer to validate that the parsed value is a positive finite number before using it, falling back to the default otherwise.

  const rawRateLimit = (c.env as { PROJECT_CREATION_RATE_LIMIT_MAX?: string }).PROJECT_CREATION_RATE_LIMIT_MAX;
  const configuredRateLimit = rawRateLimit ? Number(rawRateLimit) : NaN;
  const rateLimit = Number.isFinite(configuredRateLimit) && configuredRateLimit > 0
    ? configuredRateLimit
    : PROJECT_CREATION_RATE_LIMIT;

Comment on lines +187 to +188
const configuredRateLimit = Number((c.env as { RATE_LIMIT_MAX?: string }).RATE_LIMIT_MAX);
const rateLimit = Number.isFinite(configuredRateLimit) ? configuredRateLimit : RATE_LIMIT;
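Review bot: same parsing gap as the project-creation limit, with a wider blast radius, since `RATE_LIMIT_MAX` on line 163 gates all API traffic: an empty string yields a limit of 0 and every request is rejected. Require a positive integer before using the override (`Number.isInteger(...) && > 0`), and keep the fallback to `RATE_LIMIT` as the fail-safe path so a bad variable degrades to the default rather than to a full outage.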


medium

Similar to the project creation rate limit, parsing the environment variable with Number() without checking for positive values can result in a 0 rate limit if the variable is an empty string. This would block all API traffic. Consider ensuring the limit is a positive number.

Suggested change
const configuredRateLimit = Number((c.env as { RATE_LIMIT_MAX?: string }).RATE_LIMIT_MAX);
const rateLimit = Number.isFinite(configuredRateLimit) ? configuredRateLimit : RATE_LIMIT;
const rawRateLimit = (c.env as { RATE_LIMIT_MAX?: string }).RATE_LIMIT_MAX;
const configuredRateLimit = rawRateLimit ? Number(rawRateLimit) : NaN;
const rateLimit = Number.isFinite(configuredRateLimit) && configuredRateLimit > 0 ? configuredRateLimit : RATE_LIMIT;
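An added example (not code from the PR or the project) that applies the validation both of the comments above ask for and goes one step further, rejecting non-integer and non-decimal inputs as well. `parsePositiveIntEnv`, `compareParsing`, `DEFAULT_RATE_LIMIT` and `SAMPLE_VALUES` are names chosen here, the default of 100 stands in for the project's `RATE_LIMIT` constant, and the sample values are constructed:

```typescript
// Added example, not the project's code: parse a rate-limit override from an
// environment variable and fall back to a default whenever the value is not a
// positive integer. Covers the edge cases raised in review ("" and " " become 0
// under Number()) plus inputs that Number() silently turns into something else.

// Constructed default, standing in for the project's RATE_LIMIT constant.
const DEFAULT_RATE_LIMIT = 100;

function parsePositiveIntEnv(raw: string | undefined, fallback: number): number {
  if (raw === undefined) return fallback;
  const trimmed = raw.trim();
  // Accept only a plain run of decimal digits. This rejects "", "  ", "1e3",
  // "0x10", "2.5", "-5" and "Infinity" before Number() ever sees them.
  if (!/^\d+$/.test(trimmed)) return fallback;
  const n = Number(trimmed);
  // isSafeInteger also rejects digit strings past 2^53 that would lose precision.
  return Number.isSafeInteger(n) && n > 0 ? n : fallback;
}

// For each input, report what the unchecked Number()/isFinite path from the
// PR yields next to the validated path, so the difference can be asserted on.
function compareParsing(
  inputs: ReadonlyArray<string | undefined>,
): Array<{ raw: string | undefined; naive: number; safe: number }> {
  return inputs.map((raw) => {
    const naiveParsed = Number(raw);
    return {
      raw,
      naive: Number.isFinite(naiveParsed) ? naiveParsed : DEFAULT_RATE_LIMIT,
      safe: parsePositiveIntEnv(raw, DEFAULT_RATE_LIMIT),
    };
  });
}

// Constructed values an operator might set (or mis-set) for RATE_LIMIT_MAX.
const SAMPLE_VALUES: ReadonlyArray<string | undefined> = [
  undefined, "", " ", "0", "50", "2.5", "1e3", "0x10", "-5", "abc",
];

// Running the file prints the comparison: the naive column shows 0 for "",
// " " and "0", 1000 for "1e3" and 16 for "0x10"; the safe column keeps 100
// for every row except "50".
console.table(compareParsing(SAMPLE_VALUES));
```

The regex check is deliberately stricter than `Number.isInteger`: it also refuses exponent and hex notation, which `Number()` would happily convert, so the only way to change the limit is to write the integer you mean.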

Comment on lines +269 to +290
for (const table of [
"claim_verification_runs",
"claim_evidence",
"claims",
"state_leases",
"capability_tokens",
"idempotency_keys",
"state_tags",
"state_snapshots",
"state_events",
"agent_states",
"webhooks",
"conversation_tags",
"messages",
"conversations",
"api_keys",
"projects",
"organizations",
"rate_limits",
]) {
await env.DB.prepare(`DELETE FROM ${table}`).run();
}
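Review bot: line 204 builds the statement by interpolating `table` into a template string; that is safe here only because the list on lines 184-203 is a hard-coded constant, so a short comment (or lifting the list to a module-level `const TABLES = [...] as const`) would stop a future edit from feeding it a name from config or a request. The order is also load-bearing for foreign keys (child tables such as `claims` and `projects` come before `organizations`), which is worth stating so the list is not reshuffled. D1 can take all of the prepared statements in one `env.DB.batch([...])` call, which cuts the 18 round trips to one and applies the deletes as a single transaction.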


medium

Performing 18 separate DELETE operations in a loop results in 18 sequential roundtrips to the database during test setup. While this works for local testing, it can slow down the test suite as it grows. Consider using db.batch() (if using Drizzle) or env.DB.batch() (D1 API) to execute these deletions in a single batch operation for better performance.

Co-Authored-By: Duyet Le <me@duyet.net>
Co-Authored-By: duyetbot <bot@duyet.net>
@duyet duyet force-pushed the codex/fix-critical-cves branch from c40fd6a to 7affc22 Compare May 20, 2026 07:05
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                      Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  npm/esbuild@0.27.4 ⏵ 0.28.0                  91 (+1)                100            73 (+1)  90           100
Added    npm/@cloudflare/vitest-pool-workers@0.16.7   96                     100            79       100          100
Added    npm/eslint@10.4.0                            89                     100            100      96           100
Added    npm/drizzle-kit@0.31.10                      99                     100            96       99           100

View full report

@duyet duyet merged commit 47530c0 into main May 20, 2026
6 checks passed
@duyet duyet deleted the codex/fix-critical-cves branch May 20, 2026 07:10