
chore(deps): resolve npm audit findings #138

Merged
eliteprox merged 4 commits into main from chore/npm-audit-fix on Feb 20, 2026

Conversation


@eliteprox eliteprox commented Feb 20, 2026

Summary

  • Add npm overrides to pin patched minimatch.
  • Upgrade tooling deps that pulled vulnerable vite/esbuild chains (Vitest/Vite, Rollup commonjs).
  • Bump @testing-library/react in @naap/plugin-sdk for React 19 compatibility.
  • Regenerate package-lock.json from a clean install.

Test plan

  • npm install
  • npm audit (expect 0 vulnerabilities)

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Locked a transitive linting dependency via a top-level package override.
    • Updated dev/build/test tool versions across packages for stability.
    • Reorganized runtime vs dev dependencies for infrastructure services.
  • Tests
    • Added a dedicated backend test configuration to standardize test runs.
  • Bug Fixes
    • Improved API response handling to ensure responses return promptly.

Pin minimatch to patched versions via npm overrides, upgrade tooling deps (vitest/vite, rollup commonjs), and bump @testing-library/react for React 19 compatibility. Regenerates package-lock.json so installs are consistent and npm audit is clean.

Co-authored-by: Cursor <cursoragent@cursor.com>
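The test plan above relies on `npm audit` reporting zero findings. A complementary check, added here as an example and not part of this PR, is to confirm that the `overrides` pin actually reached every nested copy in the regenerated package-lock.json; the lockfile below is constructed for the example.

```javascript
// Added example, not part of the PR: after pinning a package with npm "overrides",
// walk package-lock.json (lockfileVersion 2/3 "packages" map) and list every
// installed copy of that package still below the pinned minimum. A nested copy,
// e.g. under node_modules/eslint-plugin-import/node_modules/, survives if the
// override did not reach that dependency chain.

// Compare dotted numeric versions (pre-release tags ignored); <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every lockfile entry for `name` whose version is older than `minVersion`.
function findStaleCopies(lock, name, minVersion) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys are "node_modules/<pkg>" or "node_modules/<parent>/node_modules/<pkg>".
    const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (!isTarget || !entry.version) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      stale.push({ path, version: entry.version });
    }
  }
  return stale;
}

// Constructed sample lockfile: the top-level copy is pinned, but a nested copy
// under eslint-plugin-import kept the old version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-root' },
    'node_modules/minimatch': { version: '10.2.2' },
    'node_modules/eslint-plugin-import': { version: '2.31.0' },
    'node_modules/eslint-plugin-import/node_modules/minimatch': { version: '3.1.2' },
    'node_modules/minimatch-alike': { version: '1.0.0' }, // different package, must be ignored
  },
};

const findings = findStaleCopies(sampleLock, 'minimatch', '10.2.2');
for (const f of findings) console.log(`stale copy: ${f.path} is ${f.version}`);
```

On a real checkout, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means the override propagated everywhere.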

vercel Bot commented Feb 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

  • Project: naap-platform
  • Deployment: Ready
  • Actions: Preview, Comment
  • Updated (UTC): Feb 20, 2026 11:22pm


@github-actions github-actions Bot added size/XL Extra large PR (500+ lines) scope/sdk Plugin SDK changes scope/packages Shared package changes scope/backend Backend service changes and removed size/XL Extra large PR (500+ lines) labels Feb 20, 2026

github-actions Bot commented Feb 20, 2026

⚠️ This PR is very large (11787 lines changed). Please split it into smaller, focused PRs if possible.

@github-actions github-actions Bot added the plugin/plugin-publisher Plugin Publisher plugin label Feb 20, 2026

coderabbitai Bot commented Feb 20, 2026

No actionable comments were generated in the recent review. 🎉


📝 Walkthrough


Adds a root-level npm overrides to pin minimatch@10.2.2, upgrades several devDependencies (notably vitest v1→v4 and build tooling), adds a Vitest config for plugin-publisher backend, reorganizes infra service dependencies, and ensures API handler returns after sending responses.

Changes

  • Repository root overrides (package.json): Added top-level overrides pinning minimatch to 10.2.2 and propagating that override to several ESLint-related packages (eslint-plugin-import, eslint-plugin-jsx-a11y, eslint-plugin-react, @typescript-eslint/typescript-estree).
  • Plugin SDK & frontend tooling (packages/plugin-sdk/package.json, plugins/plugin-publisher/frontend/package.json): Bumped @rollup/plugin-commonjs and @testing-library/react; updated @vitejs/plugin-react and vite; minor dependency reordering in frontend package.
  • Vitest upgrades (plugins/plugin-publisher/backend/package.json, services/base-svc/package.json, services/infrastructure-svc/package.json): Upgraded vitest from ^1.0.0 to ^4.0.18 across packages.
  • New Vitest config (backend) (plugins/plugin-publisher/backend/vitest.config.ts): Added Vitest config exporting defineConfig with test.environment='node', globals enabled, include/exclude globs, maxWorkers=4, and parallel hook sequencing.
  • Infrastructure service deps & types (services/infrastructure-svc/package.json): Reorganized dependencies: moved yaml and semver into devDependencies, added @types/express and @types/ws, added ws to runtime deps, and adjusted dev tooling versions.
  • API response behavior (services/infrastructure-svc/src/api/infrastructure.ts): Made success and error response sends use explicit return to ensure the handler exits after sending responses.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

scope/infra

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'chore(deps): resolve npm audit findings' accurately summarizes the main objective of the PR, which is to address npm audit vulnerabilities through dependency updates and overrides.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


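The "API response behavior" item in the walkthrough (explicit `return` after each send in the infrastructure route handler) is worth seeing in isolation. The following is an added example, not the PR's own infrastructure.ts: a minimal fake `res` stands in for Express, and `provision` is a hypothetical side effect.

```javascript
// Added example, not the PR's own infrastructure.ts: why a route handler must
// `return` after sending. Without it, the code after an error branch keeps running,
// so a side effect fires on rejected input and a second send fails with ERR_HTTP_HEADERS_SENT.

function makeRes() {
  const res = { statusCode: 200, body: undefined, headersSent: false };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => {
    if (res.headersSent) throw new Error('ERR_HTTP_HEADERS_SENT: headers already sent');
    res.headersSent = true;
    res.body = payload;
    return res;
  };
  return res;
}

// Hypothetical side effect that must only run for valid requests.
function provision(name, log) { log.push(`provisioned ${name}`); return `svc-${name}`; }

// Before: the error branch sends a 400 but does not return.
function handlerWithoutReturn(req, res, log) {
  if (!req.body.name) {
    res.status(400).json({ error: 'name is required' });
  }
  const id = provision(req.body.name, log); // still runs for the 400 case
  res.json({ id });                         // throws: response already sent
}

// After: every send is returned, so the handler exits on each path.
function handlerWithReturn(req, res, log) {
  if (!req.body.name) {
    return res.status(400).json({ error: 'name is required' });
  }
  const id = provision(req.body.name, log);
  return res.json({ id });
}

// Run a handler against one request and report status, side effects and any error.
function runCase(handler, body) {
  const res = makeRes();
  const log = [];
  let error = null;
  try { handler({ body }, res, log); } catch (e) { error = e.message; }
  return { status: res.statusCode, body: res.body, sideEffects: log.length, error };
}

const before = runCase(handlerWithoutReturn, {});
const after = runCase(handlerWithReturn, {});
```

With an invalid request, `before` shows one side effect and the headers-already-sent error, while `after` shows a clean 400 and no side effect; this is also why TypeScript's not-all-code-paths-return diagnostic flags the first form.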


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/plugin-publisher/backend/package.json`:
- Line 33: The package.json now depends on "vitest": "^4.0.18" which skips major
versions and will break tests; either pin Vitest to a compatible v3.x range or
add a vitest.config.ts to explicitly handle v4 breaking changes: replace
deprecated pool keys (use maxWorkers instead of maxThreads/maxForks), restore
previous test discovery defaults, adapt coverage settings and reporters, and
confirm hook execution order; update package.json's "vitest" version or
add/commit a vitest.config.ts that sets maxWorkers and the legacy-like
discovery/coverage/reporters options so the test suite continues to run as
before.

In `@plugins/plugin-publisher/frontend/package.json`:
- Line 32: The dependency `@vitejs/plugin-react` in package.json must be bumped to
^4.3.4 or higher for Vite 6 compatibility; open
plugins/plugin-publisher/frontend/package.json, locate the `@vitejs/plugin-react`
entry and update its version specifier to ^4.3.4 (or a newer compatible patch)
and then run your package manager (npm/yarn/pnpm) to reinstall and lock the
updated version so Vite 6 is supported.

In `@services/infrastructure-svc/package.json`:
- Line 31: Remove the extraneous DefinitelyTyped package "@types/tar" from
package.json dependencies/devDependencies to avoid conflicts with tar v7's
built-in types; locate the entry "@types/tar" in
services/infrastructure-svc/package.json and delete it, then run npm/yarn
install to update lockfile and verify TypeScript compiles using the bundled
types from the "tar" package.

- Add vitest v4 config for plugin-publisher backend tests.
- Bump @vitejs/plugin-react for Vite 6 compatibility.
- Drop @types/tar (tar@7 bundles types) and fix infra route handler returns so tsc passes.

Co-authored-by: Cursor <cursoragent@cursor.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
plugins/plugin-publisher/frontend/package.json (1)

15-32: Add explicit engines field for consistency with CI baseline.
The CI runs Node 20 (compatible with Vite 6), but the frontend package.json lacks an engines declaration. Add "engines": {"node": "^20.0.0"} to align local development with the CI baseline and prevent accidental use of incompatible Node versions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/plugin-publisher/frontend/package.json` around lines 15 - 32, Add an
explicit engines entry to the frontend package.json by adding an "engines" field
with "node": "^20.0.0" so local dev matches CI's Node 20 baseline; update the
root package.json object in plugins/plugin-publisher/frontend's package.json
(the same file containing dependencies and devDependencies) to include
"engines": {"node":"^20.0.0"} at top-level.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@services/infrastructure-svc/package.json`:
- Around line 17-34: Remove "semver" and "yaml" from the top-level
"dependencies" block in package.json and either delete them entirely or add them
to "devDependencies" (matching the style of existing dev entries) so they are
not shipped as runtime dependencies; ensure you leave "ws" in "dependencies"
since server.ts imports it and update package.json accordingly (remove
duplicate/version mismatches if any).


- Reintroduce 'semver' and 'yaml' as devDependencies in package.json.
- Clean up package-lock.json to reflect the changes in dependencies.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@services/infrastructure-svc/package.json`:
- Around line 25-34: The package.json devDependencies currently list "vitest":
"^4.0.18" but omit the required Vite peer; update services/infrastructure-svc's
package.json devDependencies to include "vite": "^6.0.0" (or "^7.0.0" if you
prefer) alongside "vitest" so Vitest's peer dependency is satisfied, then run
your package manager to regenerate the lockfile (npm/yarn/pnpm) and verify tests
run; this change is centered on the devDependencies section where "vitest" is
declared.

- Updated package.json and package-lock.json to include Vite version 6.0.0 as a dependency for the infrastructure service.
@eliteprox eliteprox merged commit 48592f4 into main Feb 20, 2026
37 checks passed
@eliteprox eliteprox deleted the chore/npm-audit-fix branch February 20, 2026 23:26