
chore(deps): minimatch and rollup package vulnerabilities#8675

Merged
sriramveeraghanta merged 6 commits into preview from fix-vulnerabilities-minimatch on Mar 2, 2026

Conversation

sriramveeraghanta (Member) commented Mar 2, 2026

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Summary by CodeRabbit

  • Chores
    • Upgraded package manager to pnpm@10.30.2, added engine/packageManager metadata, bumped Turbo tooling and its schema, and expanded dependency overrides for improved resolution.
  • Chores
    • Removed Sentry integration and startup instrumentation across apps; related Sentry packages and initialization were deleted.

Copilot AI review requested due to automatic review settings March 2, 2026 14:02
coderabbitai bot (Contributor) commented Mar 2, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Removed Sentry instrumentation and related packages across multiple apps, bumped Turbo and Storybook versions, added node/packageManager fields and expanded pnpm.overrides in the root manifest, and updated TURBO_VERSION ARGs and turbo.json schema reference.

Changes

Cohort: file(s). Summary.

  • Root manifest & tooling: package.json, turbo.json. Added engines.node and packageManager, extended pnpm.overrides, updated root packageManager lock spec, and updated Turbo schema URL in turbo.json.
  • Docker build args: apps/*/Dockerfile.*. Bumped TURBO_VERSION ARG from 2.6.3 to 2.8.12 in multiple app Dockerfiles.
  • Workspace Storybook updates: packages/propel/package.json, packages/ui/package.json. Bumped Storybook devDependency from 9.1.17 to 9.1.19.
  • Client entrypoints (Sentry removal): apps/admin/app/entry.client.tsx, apps/space/app/entry.client.tsx, apps/web/app/entry.client.tsx. Removed @sentry/* imports and deleted Sentry.init blocks from client entry files.
  • Error boundaries (Sentry capture removal): apps/admin/app/root.tsx, apps/space/app/root.tsx, apps/web/app/root.tsx. Removed @sentry/react-router imports and removed calls that captured exceptions; error boundaries now render fallback without reporting to Sentry.
  • App dependency removals & lint script tweaks: apps/admin/package.json, apps/space/package.json, apps/live/package.json. Removed Sentry dependencies (@sentry/react-router, @sentry/node, @sentry/profiling-node) and small check:lint max-warnings increments in admin/space.
  • Live app instrumentation & startup: apps/live/src/instrument.ts, apps/live/src/start.ts. Deleted instrument.ts (removed exported setupSentry) and removed its import/invocation from start.ts, stopping server-side Sentry initialization.

Sequence Diagram(s)

mermaid
sequenceDiagram
autonumber
participant User as User
participant Client as Client App (ErrorBoundary)
participant Server as Server (Live)
participant Sentry as Sentry (External)
Note over Client,Sentry: Old flow (before PR)
User->>Client: Trigger runtime error
Client->>Sentry: captureException(error)
Sentry-->>Client: ack/ingest
Note over Server,Sentry: Old server-side flow (before PR)
Server->>Sentry: setupSentry / initialize
Sentry-->>Server: ack/ingest
Note over Client,Server: New flow (after PR)
User->>Client: Trigger runtime error
Client-->>Client: render fallback UI (no capture)
Server-->>Server: start without Sentry initialization

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through code and nudged the trace away,
Quieted the beacons that once watched each day.
Tooling bumped and stories bright,
Servers start with simpler light.
A rabbit’s hop — tidy, small, and gay.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Description check (Warning): The description is incomplete; only the 'Type of Change' checkbox is provided while required sections like Description, Test Scenarios, and References are entirely missing. Resolution: add a detailed description of the changes, explain test scenarios performed to verify the vulnerability fixes, and include references to related issues or security advisories.

✅ Passed checks (2 passed)

  • Title check (Passed): The title directly aligns with the primary objective—addressing minimatch and rollup package vulnerabilities through dependency updates.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Copilot AI (Contributor) left a comment

Pull request overview

Updates dependency resolutions to address reported vulnerabilities (notably around minimatch and rollup) by adding/pinning pnpm.overrides, refreshing the lockfile, and bumping Storybook patch versions in workspace packages.

Changes:

  • Add multiple pnpm.overrides pins (Ajv, markdown-it, minimatch, rollup, serialize-javascript) and update the repo packageManager pnpm version.
  • Bump storybook from 9.1.17 to 9.1.19 in packages/ui and packages/propel.
  • Regenerate pnpm-lock.yaml to reflect the new overrides and updated transitive dependency graph.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

  • pnpm-lock.yaml: Lockfile refresh reflecting new override pins (minimatch/rollup and additional transitive updates).
  • packages/ui/package.json: Bumps Storybook patch version.
  • packages/propel/package.json: Bumps Storybook patch version.
  • package.json: Adds new pnpm.overrides pins and updates the pinned pnpm packageManager version.

package.json Outdated
"lodash": "4.17.23"
"lodash": "4.17.23",
"ajv@6": "6.14.0",
"ajv@7": "8.18.0",
Copilot AI commented, Mar 2, 2026

The pnpm override "ajv@7": "8.18.0" maps an Ajv v7 selector to an Ajv v8 version. If any dependency (now or later) actually requires Ajv 7.x, this override can cause peer-dependency conflicts or runtime incompatibilities. Consider removing this override (since the lockfile currently only includes Ajv 6 and 8), or pinning ajv@7 to an actual 7.x release if needed.

Suggested change
"ajv@7": "8.18.0",
"ajv@7": "7.2.4",

package.json Outdated
Comment on lines +79 to +87
"ajv@6": "6.14.0",
"ajv@7": "8.18.0",
"ajv@8": "8.18.0",
"markdown-it": "14.1.1",
"minimatch@3": "3.1.4",
"minimatch@9": "9.0.7",
"minimatch@10": "10.2.3",
"rollup": "4.59.0",
"serialize-javascript": "7.0.3"
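Review bot: the per-major selectors in this hunk ("minimatch@3", "minimatch@9", "minimatch@10") rewrite resolution only for those three majors, so any other minimatch major still present in the graph keeps whatever version it had; before merging, confirm with `pnpm why minimatch` that every resolved copy is one of the pinned versions, and record in the PR description which advisory each of the new pins (ajv, markdown-it, minimatch, rollup, serialize-javascript) addresses so an override can be dropped once its upstream dependents move to a fixed release.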
Copilot AI commented, Mar 2, 2026

PR title/description mentions minimatch/rollup vulnerabilities, but this change set also introduces additional overrides (Ajv, markdown-it, serialize-javascript) and bumps Storybook + the pnpm version. Either narrow the PR scope (drop unrelated upgrades) or update the PR title/description to reflect the full set of dependency/security changes so reviewers know what’s being risk-assessed.

"diff": "5.2.2",
"webpack": "5.104.1",
"lodash-es": "catalog:",
"@isaacs/brace-expansion": "5.0.1",
Copilot AI commented, Mar 2, 2026

@isaacs/brace-expansion is still listed in pnpm overrides, but it no longer appears anywhere in the lockfile dependency graph. Keeping unused overrides makes it harder to understand which pins are actually required for security/compatibility; consider removing this override if nothing depends on it anymore.

Suggested change
"@isaacs/brace-expansion": "5.0.1",

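The two Copilot findings above (an "ajv@7" selector pinned to an 8.x release, and an "@isaacs/brace-expansion" override that no lockfile package uses) are both things a script can check before a human reviews the override list. The following is an added example, not code from this repository or from pnpm: it reads a pnpm.overrides map and the `packages:` section of a pnpm-lock.yaml (lockfile v9 layout) and reports selector/pin major mismatches, overrides whose pin was not applied, unused overrides and, going one step beyond the comments, majors of a per-major-pinned package such as minimatch that no selector covers. The overrides map, the lockfile excerpt and the function names (parseSelector, lockfilePackages, auditOverrides) are constructed for the example.

```javascript
// Added example, not code from this repository or from pnpm: audit a
// pnpm.overrides map against the `packages:` section of a pnpm-lock.yaml
// (lockfile v9 layout). Function names and both sample inputs are constructed;
// the overrides are modelled on the pins discussed in this PR.
const SAMPLE_OVERRIDES = {
  '@isaacs/brace-expansion': '5.0.1',
  'ajv@6': '6.14.0',
  'ajv@7': '8.18.0',
  'ajv@8': '8.18.0',
  'minimatch@3': '3.1.4',
  'minimatch@9': '9.0.7',
  'lodash-es': 'catalog:',
  rollup: '4.59.0',
};

// Constructed lockfile excerpt; integrity values are placeholders.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

packages:
  '@isaacs/cliui@8.0.2':
    resolution: {integrity: sha512-PLACEHOLDER}
  ajv@6.14.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  ajv@8.18.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  minimatch@3.1.4:
    resolution: {integrity: sha512-PLACEHOLDER}
  minimatch@5.1.6:
    resolution: {integrity: sha512-PLACEHOLDER}
  rollup@4.59.0:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:
  ajv@8.18.0: {}
`;

const SEMVER = /^\d+\.\d+\.\d+/;
const major = (version) => Number(version.split('.')[0]);

// "name", "name@7" or "@scope/name@7" -> { name, range }; range is null when absent.
function parseSelector(selector) {
  const at = selector.indexOf('@', selector.startsWith('@') ? 1 : 0);
  if (at === -1) return { name: selector, range: null };
  return { name: selector.slice(0, at), range: selector.slice(at + 1) };
}

// Line scanner: inside the top-level `packages:` section, each two-space-indented
// `name@version:` key (optionally quoted) names one resolved package.
function lockfilePackages(lockText) {
  const resolved = [];
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) { inPackages = line.startsWith('packages:'); continue; }
    const m = inPackages && line.match(/^  (['"]?)([^'"\s]+)\1:\s*$/);
    if (!m) continue;
    const { name, range } = parseSelector(m[2]);
    if (range && SEMVER.test(range)) resolved.push({ name, version: range });
  }
  return resolved;
}

// Finding kinds: major-mismatch, pin-not-applied (a version the override should
// replace is still resolved), unused, major-not-covered (per-major pins miss a major).
function auditOverrides(overrides, lockText) {
  const resolved = lockfilePackages(lockText);
  const findings = [];
  const majorPins = new Map(); // name -> Set of majors pinned via "name@N"
  const barePins = new Set();  // names pinned without a range
  for (const [selector, target] of Object.entries(overrides)) {
    const { name, range } = parseSelector(selector);
    if (!SEMVER.test(target)) continue; // catalog:/workspace: refs are not versions
    const selMajor = range !== null && /^\d+$/.test(range) ? Number(range) : null;
    if (selMajor === null) barePins.add(name);
    else majorPins.set(name, (majorPins.get(name) || new Set()).add(selMajor));
    if (selMajor !== null && major(target) !== selMajor) {
      findings.push({ selector, kind: 'major-mismatch', detail: `pins ${selMajor}.x to ${target}` });
    }
    const ofName = resolved.filter((p) => p.name === name);
    const stale = ofName.filter((p) => p.version !== target && (selMajor === null || major(p.version) === selMajor));
    for (const p of stale) findings.push({ selector, kind: 'pin-not-applied', detail: `${name}@${p.version} still resolved` });
    if (!stale.length && !ofName.some((p) => p.version === target)) {
      findings.push({ selector, kind: 'unused', detail: `nothing resolved matches ${name}@${target}` });
    }
  }
  for (const [name, majors] of majorPins) {
    if (barePins.has(name)) continue;
    const seen = new Set();
    for (const p of resolved.filter((q) => q.name === name)) {
      const m = major(p.version);
      if (majors.has(m) || seen.has(m)) continue;
      seen.add(m);
      findings.push({ selector: `${name}@${m}`, kind: 'major-not-covered', detail: `${name}@${p.version} has no override` });
    }
  }
  return findings;
}

for (const f of auditOverrides(SAMPLE_OVERRIDES, SAMPLE_LOCKFILE)) {
  console.log(`${f.kind.padEnd(17)} ${f.selector}: ${f.detail}`);
}
```

Against the sample inputs it reports the brace-expansion override as unused, "ajv@7" as a major mismatch, "minimatch@9" as unused and minimatch 5.x as a major no selector covers. To run it on a real checkout, replace the two sample constants with the parsed package.json overrides and the lockfile text; the scanner reads only the v9 `packages:` keys and treats `catalog:` values as out of scope.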
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
packages/ui/package.json (1)

62-71: ⚠️ Potential issue | 🟠 Major

Align Storybook to catalog-managed version and fix major version mismatch.

Line 81 pins storybook to 9.1.19 directly; per coding guidelines, external dependencies should use catalog:. More critically, storybook@9.1.19 is incompatible with the @storybook/*@8.1.1 packages (lines 62-71)—a major version gap that will cause breakage. Additionally, storybook is missing from the catalog in pnpm-workspace.yaml.

Resolve by: (1) adding storybook to the catalog in pnpm-workspace.yaml aligned with @storybook/* major version, and (2) updating line 81 to use catalog: instead of the direct pin.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/ui/package.json` around lines 62 - 71, The Storybook dependency is
incorrectly pinned to storybook@9.1.19 and not sourced from the catalog,
creating a major version mismatch with existing `@storybook/`*@8.1.1 entries;
change the package.json entry for "storybook" to use catalog: and match the
major version 8 (so it resolves alongside `@storybook/`*@8.1.1), and add a
corresponding "storybook" entry to the catalog section of pnpm-workspace.yaml so
the catalog reference resolves correctly.
packages/propel/package.json (1)

88-89: ⚠️ Potential issue | 🟠 Major

Add all Storybook packages to catalog and align major versions.

Per the coding guidelines, use catalog: for external dependencies. Additionally, @storybook/addon-designs (10.0.2) is at a major version ahead of the other Storybook packages (9.1.10–9.1.19). While peer dependencies are satisfied, consider aligning to the same major version for consistency. Add all Storybook packages to pnpm-workspace.yaml catalog:

  catalog:
+   "@storybook/addon-designs": "9.0.1"
+   "@storybook/addon-docs": "9.1.10"
+   "@storybook/react-vite": "9.1.10"
+   "storybook": "9.1.19"

Then update packages/propel/package.json to use catalog::

-    "@storybook/addon-designs": "10.0.2",
-    "@storybook/addon-docs": "9.1.10",
-    "@storybook/react-vite": "9.1.10",
-    "storybook": "9.1.19",
+    "@storybook/addon-designs": "catalog:",
+    "@storybook/addon-docs": "catalog:",
+    "@storybook/react-vite": "catalog:",
+    "storybook": "catalog:",
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/propel/package.json` around lines 88 - 89, Update the Storybook
dependency management: add every Storybook package (e.g.,
"@storybook/addon-docs", "@storybook/react-vite", "@storybook/addon-designs",
etc.) to the pnpm-workspace.yaml "catalog" section so they can be referenced via
catalog:, then change the Storybook entries in packages/propel/package.json to
use catalog: references instead of exact versions; also align major versions
across Storybook packages by either downgrading "@storybook/addon-designs" to
the 9.x line or upgrading the 9.x packages to 10.x so all Storybook packages
share the same major version.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 79-81: The package.json override "ajv@7" currently pins to
"8.18.0" which performs a major-version jump; confirm whether this is
intentional and either (a) revert the "ajv@7" override to a compatible v7
version (e.g., a 7.x semver) if dependents require AJV v7 API, or (b) keep the
override but update project docs/tests and run integration tests to ensure all
packages depending on "ajv@7" tolerate AJV v8; locate the "ajv@7" override entry
in package.json to make the change and update related dependency constraints or
add a comment explaining the deliberate break.


ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 779f5e2 and 20802fd.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • package.json
  • packages/propel/package.json
  • packages/ui/package.json

aaryan610 previously approved these changes Mar 2, 2026

coderabbitai bot (Contributor) left a comment

🧹 Nitpick comments (2)
apps/space/Dockerfile.space (1)

16-16: Use ARG TURBO_VERSION here as well for consistency.

At Line 16, this is the same hardcoded Turbo pinning pattern that can drift over time; align with an ARG-based version pin.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/space/Dockerfile.space` at line 16, Replace the hardcoded turbo version
in the RUN pnpm add -g turbo@2.8.12 line with the ARG-based variable: introduce
or use the existing ARG TURBO_VERSION and change the command to reference
turbo@$TURBO_VERSION (and ensure ARG TURBO_VERSION has a sensible default if not
already declared) so the Dockerfile uses the same pinning mechanism as other
images.
apps/admin/Dockerfile.admin (1)

16-16: Parameterize Turbo version to align with existing Dockerfile patterns.

At Line 16, use ARG TURBO_VERSION instead of hardcoding the version. This pattern is already established in apps/web/Dockerfile.web and apps/live/Dockerfile.live, making version bumps centralized and reducing drift.

Proposed diff
 FROM base AS builder
+ARG TURBO_VERSION=2.8.12
-RUN pnpm add -g turbo@2.8.12
+RUN pnpm add -g turbo@${TURBO_VERSION}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/admin/Dockerfile.admin` at line 16, Replace the hardcoded Turbo install
in the Dockerfile.admin with a build argument: add an ARG named TURBO_VERSION
near the top if not present, then change the RUN that executes pnpm add -g
turbo@2.8.12 to use turbo@${TURBO_VERSION}; ensure the ARG name matches the
pattern used in apps/web/Dockerfile.web and apps/live/Dockerfile.live so version
bumps are centralized and consistent.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70a4a1a and fc886c3.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • apps/admin/Dockerfile.admin
  • apps/live/Dockerfile.live
  • apps/space/Dockerfile.space
  • apps/web/Dockerfile.web
  • package.json
  • turbo.json

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/space/package.json`:
- Line 13: The lint script's threshold was increased in the "check:lint" npm
script (the "check:lint" entry in package.json) which weakens the lint gate;
revert the "--max-warnings=676" change back to the original "--max-warnings=675"
in the "check:lint" script and then locate and fix the newly introduced lint
warning(s) reported by oxlint (run the restored script locally to see the
failing rule and amend the code to satisfy the linter instead of raising the
threshold).

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 09a46d0 and 8885101.

📒 Files selected for processing (3)
  • apps/admin/app/entry.client.tsx
  • apps/admin/package.json
  • apps/space/package.json
💤 Files with no reviewable changes (1)
  • apps/admin/app/entry.client.tsx
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/admin/package.json

"start": "PORT=3002 react-router-serve ./build/server/index.js",
"clean": "rm -rf .turbo && rm -rf .next && rm -rf .react-router && rm -rf node_modules && rm -rf dist && rm -rf build",
"check:lint": "oxlint --max-warnings=675 .",
"check:lint": "oxlint --max-warnings=676 .",
coderabbitai bot (Contributor) commented on this line

⚠️ Potential issue | 🟡 Minor

Avoid raising lint-warning budget to absorb new warnings

Bumping --max-warnings from 675 to 676 weakens the lint gate and can hide a regression. Please keep the previous threshold and fix the newly introduced warning instead.

Suggested change
-    "check:lint": "oxlint --max-warnings=676 .",
+    "check:lint": "oxlint --max-warnings=675 .",

@sriramveeraghanta sriramveeraghanta merged commit da870a1 into preview Mar 2, 2026
10 checks passed
@sriramveeraghanta sriramveeraghanta deleted the fix-vulnerabilities-minimatch branch March 2, 2026 19:56