chore: update package dependencies and configurations

[eliteprox]

Summary

This PR refreshes workspace dependencies and tooling (aligned with clearing npm audit noise and keeping CI green), and includes small build/CI fixes so web-next, shell tests, and lifecycle BDD specs stay reliable after the lockfile and hoisting changes.

The diff is large because package-lock.json is regenerated across the monorepo.

Dependency and tooling updates

• Root / workspace: Bumped Nx to ^22.6.5, Vite to 8.0.8, @vitejs/plugin-react to ^6.0.1, and related pins; tightened Node engines to >=20.19.0 || >=22.12.0.
• Nx: Set analytics: false in nx.json.
• Cross-cutting: Version bumps and lockfile cleanup for apps, examples, plugins, workflows, and shared packages (including cache / ioredis-related adjustments where noted in commits).

CI and build fixes (included in this branch)

@naap/web-next (Next.js 15 + Webpack)

• Ably: Client bundles were resolving the Node entry (ably-node.js) and failing on missing got. Added a client-only NormalModuleReplacementPlugin so the browser build (ably.js) is used for the client compilation; server code (e.g. token route using Ably.Rest) still uses the Node build.
• Transitive gaps: Declared got, postal-mime, and svix on apps/web-next so server bundling matches what Ably and Resend expect when the lockfile does not materialize every nested install.

@naap/plugin-sdk (CLI / lifecycle BDD)

• @inquirer/prompts pulls nested @inquirer/core copies that were missing hoisted siblings (@inquirer/ansi, @inquirer/figures, @inquirer/type), which made npx tsx …/cli/index.ts --help crash before Commander ran (empty stdout, errors on stderr). Adding those packages as direct SDK dependencies restores a resolvable tree and fixes tests/lifecycle-bdd/plugin-lifecycle.feature.test.ts CLI discoverability tests.

Type

• CI / Tooling
• Dependencies
• Feature
• Bug fix (product)
• Refactor
• Documentation
• Plugin (new or update)

Testing

• Lifecycle BDD: npx vitest run --dir tests/lifecycle-bdd
• apps/web-next production build (next build)
• Shell / related CI jobs (as applicable on the branch)

Breaking changes

None intended. Reviewers should call out anything that should be treated as breaking for consumers of @naap/plugin-sdk or app deploys.

Notes for reviewers

• Size: Label size/XL is expected; most churn is lockfile.
• Prefer reviewing package.json / next.config.js / nx.json and spot-checking a few representative workspaces rather than reading the whole lockfile diff.

Summary by CodeRabbit

• Chores
  • Updated build tooling and frontend toolchain across projects (Vite, plugin-react, Next.js) and pinned select versions.
  • Updated many package manifests, added some runtime dependencies, and reordered entries for consistency.
  • Added/updated Node.js engine requirement to ^20.19.0 || >=22.12.0 and pinned CI workflow Node versions.
  • Disabled workspace analytics setting.
  • Fixed client bundling to ensure the browser runtime uses the appropriate Ably build.

[coderabbitai]

📝 Walkthrough

Walkthrough

Client Webpack now replaces Ably's Node entry with its browser bundle for client builds; Node engine constraints and numerous devtool/vite/plugin-react versions were pinned or upgraded across many package.json files; workspace analytics disabled.

Changes

Cohort / File(s)	Summary
Client Webpack change apps/web-next/next.config.js	Client-side Webpack adds NormalModuleReplacementPlugin to resolve Ably's ably-node.js → ably.js (only when isServer is false).
apps/web-next manifest apps/web-next/package.json	Updated runtime deps: added/adjusted dompurify, got, postal-mime, svix; bumped Next.js to ^15.5.15.
Root workspace / tooling package.json, nx.json	Added `engines.node: ^20.19.0
Vite / plugin-react bumps apps/.../package.json, examples/.../frontend/package.json, plugins/*/frontend/package.json, packages/.../package.json	Bumped @vitejs/plugin-react to ^6.0.1 and pinned vite to 8.0.8 across many frontend/build manifests.
Package additions & pins packages/cache/package.json, packages/plugin-sdk/package.json, packages/plugin-build/package.json	Added runtime/dev deps (@ioredis/commands, @inquirer/*, @rollup/plugin-terser, etc.), added/pinned vite@8.0.8, and added engines.node to plugin-build.
Examples / plugins dependency edits examples/..., plugins/... (various package.json files)	Added/reordered UI libs (class-variance-authority, framer-motion, lucide-react) in some frontends; updated dev tooling versions and vitest pins.
CI / workflow Node pinning packages/plugin-sdk/templates/.../.github/workflows/*.yml, packages/plugin-sdk/cli/commands/*.ts	Pinned workflow NODE_VERSION and generated workflow content from 20 → 20.19; updated CLI diagnostics to enforce `^20.19.0
Miscellaneous manifests services/infrastructure-svc/package.json, examples/.../backend/package.json, plugins/.../backend/package.json	Removed vite from one devDeps, reordered or pinned vitest@4.1.4 and minor dependency reorders across backends.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• chore(deps): resolve npm audit findings #138 — also modifies root package.json overrides/pins for minimatch and related ESLint overrides.

Suggested labels

scope/infra

Suggested reviewers

• eliteprox

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: update package dependencies and configurations' accurately describes the main change of the PR: refreshing workspace dependencies, tooling, and configurations across the monorepo.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/bump-deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

⚠️ This PR is very large (23823 lines changed). Please split it into smaller, focused PRs if possible.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
naap-platform	Ready	Preview, Comment	Apr 21, 2026 8:21pm

[github-actions]

⏳ Review reminder — This PR has been waiting for review for over 24 hours.

@team — this PR needs a review.

[eliteprox]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Only repository collaborators, contributors, or members can run CodeRabbit commands.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (5)

packages/plugin-sdk/package.json (1)

97-97: Is vite actually used by this package?

vitest@^4 brings Vite in transitively, and I don't see a vite.config.* or a vite script in this package. If this was added purely to satisfy a peer/hoisting constraint it's fine, but otherwise it's dead weight that will drift over time. Consider removing if not required.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/plugin-sdk/package.json` at line 97, package.json currently lists
"vite": "8.0.8" but there is no vite.config.* or vite scripts in this package;
either remove the "vite" dependency entry from package.json to avoid unnecessary
transitive weight, or if Vite is intentionally required, add a minimal vite
config (vite.config.js/ts) and/or an npm script (e.g., "dev" or "build") that
references Vite so its presence is justified; update package.json's dependencies
accordingly and run install/lockfile update to reflect the change.

plugins/marketplace/frontend/package.json (1)

26-27: Nit: stray blank line inside devDependencies.

Same cosmetic inconsistency as plugins/community/frontend/package.json; consider removing for consistency with the other manifests in this PR.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/marketplace/frontend/package.json` around lines 26 - 27, Remove the
stray blank line inside the devDependencies block of
plugins/marketplace/frontend/package.json to match the formatting used in other
manifests; locate the devDependencies section and ensure entries like
"@vitejs/plugin-react": "^6.0.1" are adjacent to the surrounding dependency
lines with no extra blank line so the JSON formatting is consistent with
plugins/community/frontend/package.json.

plugins/community/frontend/package.json (1)

27-28: Nit: stray blank line inside devDependencies.

Line 28 is an empty line in the middle of the devDependencies object. Valid JSON, but inconsistent with the other workflow package.json files in this PR.

Proposed cleanup

     "@vitejs/plugin-react": "^6.0.1",
-
     "autoprefixer": "^10.4.27",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/community/frontend/package.json` around lines 27 - 28, Remove the
stray blank line inside the devDependencies object in
plugins/community/frontend/package.json by deleting the empty line immediately
after the "@vitejs/plugin-react" entry so the devDependencies entries are
contiguous and match the formatting used in other package.json files; ensure the
JSON remains valid and run a quick lint/format (e.g., prettier) to confirm
consistent spacing.

packages/plugin-build/package.json (1)

6-8: Align engines.node with the root workspace to prevent installation of incompatible Node versions.

The root workspace specifies >=20.19.0 || >=22.12.0, and Vite 8 (in use here) mandates the same range. The current >=20 allows consumers to install with unsupported Node versions (e.g., 20.10) that will fail at runtime.

Proposed alignment

   "engines": {
-    "node": ">=20"
+    "node": ">=20.19.0 || >=22.12.0"
   },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/plugin-build/package.json` around lines 6 - 8, The package's
engines.node field currently allows ">=20", which is too permissive; update the
engines.node value in package.json (the "engines" -> "node" entry) to match the
root workspace/Vite requirement ">=20.19.0 || >=22.12.0" so consumers cannot
install with unsupported Node versions.

apps/web-next/package.json (1)

9-9: Migrate next lint as part of the Next 15.5 bump and align eslint-config-next version.

Line 47 moves the app to Next.js 15.5.x, but line 9 still uses next lint, which is deprecated in Next 15.5 and removed in Next 16. Also align eslint-config-next (line 80) from 15.5.12 to ^15.5.15 to match the bumped Next.js version.

Since no ESLint configuration file exists, use the official next-lint-to-eslint-cli codemod to migrate the script safely. Alternatively, update manually:

♻️ Manual changes (if not using codemod)

-    "lint": "next lint",
+    "lint": "eslint",
...
-    "eslint-config-next": "15.5.12",
+    "eslint-config-next": "^15.5.15",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web-next/package.json` at line 9, The package.json still defines the
deprecated "lint" script as "next lint" and pins eslint-config-next to 15.5.12;
update the scripts and dependency to match Next.js 15.5 migration by running the
official next-lint-to-eslint-cli codemod (recommended) or manually replacing the
"lint" script with an ESLint CLI command (e.g., run eslint against src and pages
with proper extensions) and bumping "eslint-config-next" to ^15.5.15; ensure you
remove any reliance on "next lint" and verify the new "lint" script target paths
and extensions so ESLint runs correctly in the CI.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 33-35: Update all user-facing Node version references to match the
root engines constraint ">=20.19.0 || >=22.12.0": in
packages/plugin-sdk/cli/commands/doctor.ts replace any hardcoded checks/messages
that say "Node 18" with a runtime check and user message against the root
constraint (adjust the validate logic in the doctor command/run or
validateNodeVersion helper to require >=20.19.0 || >=22.12.0); in
packages/plugin-build/package.json tighten the "engines.node" entry to include
the same patch-level constraint (use ">=20.19.0 || >=22.12.0"); in
packages/plugin-sdk/cli/commands/github.ts update the workflow template
generator (around the function that builds the YAML at line ~299) to set the
Node version to the explicit patch-level(s) or a matrix that matches the root
constraint; and in docs/sso-oauth-google-github.md update the prose that
currently states "Node 18+" to state the new required versions (>=20.19.0 ||
>=22.12.0) so documentation, CLI checks, package engines, and workflow templates
are consistent.
- Around line 37-48: The package.json currently lists build/test tools
"@rollup/plugin-terser" and "vitest" under dependencies; move them into
devDependencies instead by removing these entries from the dependencies object
and adding them with the same versions to devDependencies so they are not
installed in production; update any CI/npm scripts if they reference package
locations, and verify package.json's JSON remains valid after the change.

---

Nitpick comments:
In `@apps/web-next/package.json`:
- Line 9: The package.json still defines the deprecated "lint" script as "next
lint" and pins eslint-config-next to 15.5.12; update the scripts and dependency
to match Next.js 15.5 migration by running the official next-lint-to-eslint-cli
codemod (recommended) or manually replacing the "lint" script with an ESLint CLI
command (e.g., run eslint against src and pages with proper extensions) and
bumping "eslint-config-next" to ^15.5.15; ensure you remove any reliance on
"next lint" and verify the new "lint" script target paths and extensions so
ESLint runs correctly in the CI.

In `@packages/plugin-build/package.json`:
- Around line 6-8: The package's engines.node field currently allows ">=20",
which is too permissive; update the engines.node value in package.json (the
"engines" -> "node" entry) to match the root workspace/Vite requirement
">=20.19.0 || >=22.12.0" so consumers cannot install with unsupported Node
versions.

In `@packages/plugin-sdk/package.json`:
- Line 97: package.json currently lists "vite": "8.0.8" but there is no
vite.config.* or vite scripts in this package; either remove the "vite"
dependency entry from package.json to avoid unnecessary transitive weight, or if
Vite is intentionally required, add a minimal vite config (vite.config.js/ts)
and/or an npm script (e.g., "dev" or "build") that references Vite so its
presence is justified; update package.json's dependencies accordingly and run
install/lockfile update to reflect the change.

In `@plugins/community/frontend/package.json`:
- Around line 27-28: Remove the stray blank line inside the devDependencies
object in plugins/community/frontend/package.json by deleting the empty line
immediately after the "@vitejs/plugin-react" entry so the devDependencies
entries are contiguous and match the formatting used in other package.json
files; ensure the JSON remains valid and run a quick lint/format (e.g.,
prettier) to confirm consistent spacing.

In `@plugins/marketplace/frontend/package.json`:
- Around line 26-27: Remove the stray blank line inside the devDependencies
block of plugins/marketplace/frontend/package.json to match the formatting used
in other manifests; locate the devDependencies section and ensure entries like
"@vitejs/plugin-react": "^6.0.1" are adjacent to the surrounding dependency
lines with no extra blank line so the JSON formatting is consistent with
plugins/community/frontend/package.json.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a6e9c559-360b-459d-a6a1-4a0f9d9ac610

📥 Commits

Reviewing files that changed from the base of the PR and between 4bd3039 and 0c381c7.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json, !package-lock.json

📒 Files selected for processing (26)

• apps/web-next/next.config.js
• apps/web-next/package.json
• apps/workflows/capacity-planner-web/package.json
• apps/workflows/community-web/package.json
• apps/workflows/developer-web/package.json
• apps/workflows/marketplace-web/package.json
• examples/daydream-video/backend/package.json
• examples/daydream-video/frontend/package.json
• examples/intelligent-dashboard/frontend/package.json
• examples/my-dashboard/frontend/package.json
• examples/my-wallet/frontend/package.json
• nx.json
• package.json
• packages/cache/package.json
• packages/plugin-build/package.json
• packages/plugin-sdk/package.json
• plugins/capacity-planner/frontend/package.json
• plugins/community/frontend/package.json
• plugins/dashboard-data-provider/frontend/package.json
• plugins/developer-api/frontend/package.json
• plugins/lightning-client/frontend/package.json
• plugins/marketplace/frontend/package.json
• plugins/plugin-publisher/frontend/package.json
• plugins/service-gateway/backend/package.json
• plugins/service-gateway/frontend/package.json
• services/infrastructure-svc/package.json

💤 Files with no reviewable changes (1)

• services/infrastructure-svc/package.json

[seanhanca]

Review Summary

Thanks for the cleanup — the overall direction (Vite 8, Vitest 4, Nx 22.6, Next 15.5.15, tightened engines, Nx analytics off, lockfile regen, Ably client/server split) is solid and all CI (Build, Lint & TypeCheck, Shell Tests, SDK Tests, SDK Compat × 5, Lifecycle BDD, Audit, Quality Gates, CodeQL, Vercel preview) is green.

Not blocking on runtime behavior, but calling out a few real drift / hygiene issues before merge:

Should fix before merge

1. Build/test tools in root dependencies instead of devDependencies
@rollup/plugin-terser, vitest, and arguably next were added under "dependencies" in the root package.json. They're build/test-only and should live in devDependencies so the root's production dependency surface stays clean. vitest is already covered by overrides, so the direct pin doesn't need to be in runtime deps. Same applies to redis-errors and standard-as-callback at root — those are ioredis internals, not app runtime deps.

2. naap doctor and generated GitHub workflows still advertise Node 18
   The root engines bumped to >=20.19.0 || >=22.12.0, but:

   • packages/plugin-sdk/cli/commands/doctor.ts (L45–59) still recommends/requires "Node.js 18 LTS". A user on Node 18 will pass doctor and then hit install failures.
   • packages/plugin-sdk/cli/commands/github.ts (~L299) emits NODE_VERSION: '20' without a patch pin in generated CI templates; given Vite 8 requires ≥20.19, this should be '20.19' (or a matrix) for parity.

3. packages/plugin-build/package.json engines set to >=20
   Allows installs on 20.10/20.11 that will then fail against Vite 8. Align with root: >=20.19.0 || >=22.12.0.

Minor / nits

4. apps/web-next/package.json version drift: next moves to ^15.5.15 but eslint-config-next stays pinned at 15.5.12. Bump to ^15.5.15 for consistency. "lint": "next lint" is also deprecated in Next 15.5 — worth migrating in a follow-up.

5. packages/cache/package.json now declares ioredis's transitive deps directly (@ioredis/commands, cluster-key-slot, debug, denque, lodash.defaults, lodash.isarguments, redis-errors, redis-parser, standard-as-callback). If this is a workaround for broken hoisting, please add a one-line comment in the PR body or a README note so future contributors don't strip these as "redundant". Otherwise consider removing and fixing hoist root cause.

6. packages/plugin-sdk adds vite@8.0.8 as devDep but has no vite.config.* / vite scripts. It's already pulled in by vitest@^4. Either drop the direct listing or add a comment for why it's pinned.

7. got@^11.8.5 on apps/web-next is EOL (v14 current). Acceptable since it matches what Ably's Node build needs transitively, but flag for future bump.

8. Stray blank lines inside devDependencies in plugins/capacity-planner/frontend/, plugins/community/frontend/, and plugins/marketplace/frontend/ package.json. Cosmetic, but inconsistent with siblings.

9. Redundant engines range >=20.19.0 || >=22.12.0 is semantically equivalent to >=20.19.0. Common stylistic choice to signal supported LTS lines; fine to keep if intentional.

Notes

• ~37k-line PR label is almost entirely the regenerated lockfile; the non-lockfile surface is ~650 lines and reviewed as such.
• Ably browser/Node webpack split in next.config.js is the right fix and scopes the replacement to client builds only.
• Override additions (esbuild, vite, vitest, minimatch 10.2.5) match root direct deps and keep the tree consistent — nice.

Happy to approve once items 1–3 are addressed (or explicitly justified in a reply). Items 4–9 can roll into a follow-up if preferred.

[coderabbitai]

Only repository collaborators, contributors, or members can run CodeRabbit commands.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 33-35: The engines.node semver range currently ("engines" ->
"node") is too broad and permits unsupported Node 21.x and early 22.x versions;
update the constraint to restrict the 20.x range with a caret and require 22.12+
(for example use ^20.19.0 || >=22.12.0) so Node 21 and 22.0–22.11 are excluded
and the project matches Vite/doctor expectations.

In `@packages/plugin-sdk/cli/commands/doctor.ts`:
- Around line 43-67: The code currently treats Node 20.0–20.18 and 22.0–22.11 as
warnings; instead, change the logic so any Node version that does not satisfy
the meetsRequirement check is treated as a failure. Update the branch around
meetsRequirement/nodeSpinner: remove or replace the else-if warning branch (the
block that checks majorVersion >= 20 and calls nodeSpinner.warn and pushes a
'warn' result) so that the else case handles all non-meeting versions as
failures (use nodeSpinner.fail and push a 'fail' result into results with the
same required-version message/suggestion). Reference symbols: meetsRequirement,
nodeSpinner, results, and the 'Node.js version' result object.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5a0e4b7e-ce6c-4906-9401-c5e41023782a

📥 Commits

Reviewing files that changed from the base of the PR and between 0c381c7 and d72c797.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json, !package-lock.json

📒 Files selected for processing (7)

• package.json
• packages/plugin-build/package.json
• packages/plugin-sdk/cli/commands/create.ts
• packages/plugin-sdk/cli/commands/doctor.ts
• packages/plugin-sdk/cli/commands/github.ts
• packages/plugin-sdk/templates/frontend-only/.github/workflows/publish-plugin.yml
• packages/plugin-sdk/templates/full-stack/.github/workflows/publish-plugin.yml

✅ Files skipped from review due to trivial changes (2)

• packages/plugin-sdk/templates/frontend-only/.github/workflows/publish-plugin.yml
• packages/plugin-build/package.json

[qianghan]

Approving — all items 1–3 from my prior review are addressed in d72c797:

1. Root build/test tools moved to devDependencies

• Moved @rollup/plugin-terser, next, vitest from dependencies → devDependencies.
• Dropped redis-errors, standard-as-callback from root (they're ioredis internals; packages/cache already declares them).
• Lockfile regenerated: no top-level package removals, only dev: true flag shifts (-155 lines net after npm dedup).

2. naap doctor + generated CI templates aligned with root engines

• packages/plugin-sdk/cli/commands/doctor.ts: Node check now requires >=20.19.0 || >=22.12.0 (previously "Node 18 LTS"). Handles major/minor parsing explicitly (20.19+, 22.12+, or >22).
• cli/commands/github.ts, cli/commands/create.ts, and the committed templates/{frontend-only,full-stack}/.github/workflows/publish-plugin.yml: NODE_VERSION: '20' → '20.19' so generated workflows satisfy Vite 8's 20.19 floor.

3. packages/plugin-build engines tightened

• engines.node: >=20 → >=20.19.0 || >=22.12.0 (matches root + Vite 8 requirement).

Verification

• Local tsc --noEmit on packages/plugin-sdk: clean.
• Pre-push validation hook (SDK tests, Vercel safety) passed.
• All 34 remote CI checks green (Build, Lint & TypeCheck, Shell/SDK Tests, SDK Compat × 5, Lifecycle BDD, Audit, CodeQL, Quality Gates, Vercel preview).
• No snapshot or test files referenced the changed strings, so no test breakage risk.

The remaining minor items from my earlier review (next/eslint-config-next version drift, redis transitive-dep hoisting note, got@11 EOL, stray blank lines, next lint deprecation) are non-blocking and can ship as a follow-up.

Note: @coderabbitai's earlier review was on commit 0c381c7; its concerns on items 1–3 are now addressed on d72c797. Feel free to dismiss that stale review or @coderabbitai review to refresh.

[qianghan]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Only repository collaborators, contributors, or members can run CodeRabbit commands.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

package.json (1)

36-93: ⚠️ Potential issue | 🔴 Critical

CI is red: regenerate package-lock.json before merging.

The CI job GitHub Actions: CI is failing with Lockfile sync failed — package-lock.json is out of sync with package.json. Given this PR touches the root devDependencies (Nx ^22.6.5, @vitejs/plugin-react ^6.0.1, next 15.5.15, vitest 4.1.4, @rollup/plugin-terser 1.0.0) plus new overrides entries for esbuild, vite, vitest, and bumped minimatch, the lockfile must be regenerated on the exact Node version declared in engines (Node 20.19.x or ≥22.12.x) so the override tree is deterministic.

Please run locally and push:

rm -rf node_modules package-lock.json
npm install
git add package-lock.json

Separately, the SDK Compatibility job is failing with No frontend package.json found for 'plugin-publisher' under plugins/ or examples/. That's not strictly caused by this file, but since the root workspaces glob includes plugins/*/frontend (line 101), any plugin missing a frontend/package.json will both break the workspace resolution and this SDK check. Worth confirming whether plugin-publisher was intentionally moved/renamed and whether the workspace glob or the SDK Compatibility job needs adjusting.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 36 - 93, Regenerate and commit a fresh lockfile
and verify workspace globs: delete node_modules and package-lock.json then run
npm install on the exact Node engine used in CI (per engines in package.json) so
the new package-lock.json reflects the updated dependencies/overrides (ensure
changes to devDependencies like "@nx/*" and "@vitejs/plugin-react", "next",
"vitest", and overrides for "esbuild", "vite", "vitest", "minimatch" are
captured), git-add/package-lock.json and push; additionally, confirm the
workspace glob that includes plugins/*/frontend (the workspace entry) and either
restore or add the missing plugins/plugin-publisher/frontend/package.json (or
adjust the workspace/job configuration) so the SDK Compatibility job can find a
frontend package.json for plugin-publisher.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 77: The override in package.json forcing "esbuild": "0.28.0" raises
runtime OS requirements and may break CI/self-hosted runners; verify and update
CI and builds accordingly: check the package.json entry for "esbuild": "0.28.0"
and confirm all CI runner images meet the new minimums (GitHub-hosted
ubuntu-24.04 and macos-14 are OK; verify any self-hosted Linux/macOS runners),
run a full local CI smoke (npm ci && nx run-many --target=build --all) and
confirm web-next production build succeeds with the override, and if any runner
fails, either pin to a compatible esbuild version or update the failing runner
images before merging.

---

Outside diff comments:
In `@package.json`:
- Around line 36-93: Regenerate and commit a fresh lockfile and verify workspace
globs: delete node_modules and package-lock.json then run npm install on the
exact Node engine used in CI (per engines in package.json) so the new
package-lock.json reflects the updated dependencies/overrides (ensure changes to
devDependencies like "@nx/*" and "@vitejs/plugin-react", "next", "vitest", and
overrides for "esbuild", "vite", "vitest", "minimatch" are captured),
git-add/package-lock.json and push; additionally, confirm the workspace glob
that includes plugins/*/frontend (the workspace entry) and either restore or add
the missing plugins/plugin-publisher/frontend/package.json (or adjust the
workspace/job configuration) so the SDK Compatibility job can find a frontend
package.json for plugin-publisher.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0d341ecb-b7eb-4212-87fc-7e57d70b5f96

📥 Commits

Reviewing files that changed from the base of the PR and between d72c797 and db262d6.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json, !package-lock.json

📒 Files selected for processing (3)

• package.json
• packages/plugin-build/package.json
• packages/plugin-sdk/cli/commands/doctor.ts

✅ Files skipped from review due to trivial changes (1)

• packages/plugin-build/package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/plugin-sdk/cli/commands/doctor.ts

[qianghan]

Re-approving on db262d68 after addressing CodeRabbit's two follow-up nits on d72c797:

1. Tightened root + packages/plugin-build engines.node to ^20.19.0 || >=22.12.0 so Node 21.x and Node 22.0–22.11 (non-LTS / pre-Vite-8 supported) are excluded.
2. Collapsed doctor.ts warn-branch into a hard fail for versions that don't meet the engines requirement — those versions would fail Vite 8 install/build anyway, so reporting them as a warn was misleading.

All CI checks are green on db262d68:

• Build, Lint & TypeCheck, Shell Tests, SDK Tests, Lifecycle BDD, SDK Compat × 5, Plugin Tests × 5, Quality Gates, Audit, CodeQL, Vercel preview.

Both commits (d72c797, db262d68) are low-risk:

• Moving root @rollup/plugin-terser/next/vitest to devDependencies and dropping redis-errors/standard-as-callback from root changes only the dev: true flag in the lockfile; no top-level package is removed and no workspace dependency graph changes.
• The engines tightening and doctor fail-branch change align runtime checks with what npm install will already enforce via the engines field.
• NODE_VERSION: '20.19' in generated workflow templates affects newly generated plugin CI workflows only, not this repo's CI.

Approving.

Stale: CodeRabbit flagged Lockfile Sync and SDK Compat -- plugin-publisher as failing, but all 35 CI checks are SUCCESS on db262d6. The esbuild 0.28.0 override is unchanged from main and pre-existing; GitHub-hosted runners are fine. Items 1-3 from the earlier review are addressed, engines and doctor were further tightened per CodeRabbit's follow-up, and this review's content does not reflect the actual state of the PR.

[seanhanca]

Re-approving on db262d68 after addressing CodeRabbit's two follow-up nits on d72c797:

1. Tightened root + packages/plugin-build engines.node to ^20.19.0 || >=22.12.0 so Node 21.x and Node 22.0–22.11 (non-LTS / pre-Vite-8 supported) are excluded.
2. Collapsed doctor.ts warn-branch into a hard fail for versions that don't meet the engines requirement — those versions would fail Vite 8 install/build anyway, so reporting them as a warn was misleading.

All CI checks are green on db262d68:

• Build, Lint & TypeCheck, Shell Tests, SDK Tests, Lifecycle BDD, SDK Compat × 5, Plugin Tests × 5, Quality Gates, Audit, CodeQL, Vercel preview.

Both commits (d72c797, db262d68) are low-risk:

• Moving root @rollup/plugin-terser/next/vitest to devDependencies and dropping redis-errors/standard-as-callback from root changes only the dev: true flag in the lockfile; no top-level package is removed and no workspace dependency graph changes.
• The engines tightening and doctor fail-branch change align runtime checks with what npm install will already enforce via the engines field.
• NODE_VERSION: '20.19' in generated workflow templates affects newly generated plugin CI workflows only, not this repo's CI.

Approving.

[eliteprox]

Passing tests for me as well, merging