
chore: update dependencies to fix vulnerabilities#2644

Merged
pepol merged 11 commits into main from peter/eng-8990-remediate-high-vulnerabilities-due-mar-15-2026 on Mar 17, 2026

Conversation

@pepol
Member

@pepol pepol commented Mar 13, 2026

Summary by CodeRabbit

  • Chores

    • Updated Lerna-lite dev tools to 4.11.4 for improved monorepo tooling and dev workflows.
    • Upgraded the Next.js runtime in the studio to 15.4.11 for minor runtime updates and stability fixes.
    • Bumped the tar dependency used by the CLI to 7.5.11 for maintenance and security updates.
    • Updated nodemailer to ^7.0.11 for dependency maintenance.
  • Bug Fixes

    • Server now rejects requests with malformed Content-Type headers early, returning a 400 response.

Checklist

  • I have discussed my proposed changes in an issue and have received approval to proceed.
  • I have followed the coding standards of the project.
  • Tests or benchmarks have been added or updated.
  • Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
  • I have read the Contributors Guide.

@coderabbitai
Contributor

coderabbitai bot commented Mar 13, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Bumped several dependency versions and added a Fastify onRequest hook in controlplane/src/core/build-server.ts that rejects requests whose Content-Type header contains a tab (responds 400). The new hook references an undefined identifier (values) and will cause a runtime error.

Changes

Cohort / File(s) and Summary

Lerna-lite dependency bumps (package.json)
    Updated devDependencies: @lerna-lite/cli, @lerna-lite/publish, @lerna-lite/version 4.1.1 → 4.11.4.

Studio Next.js runtime bump (studio/package.json)
    Updated Next.js runtime dependency from 15.4.10 → 15.4.11.

CLI tar dependency bump (cli/package.json)
    Updated tar dependency from 7.4.3 → 7.5.11.

Controlplane nodemailer bump (controlplane/package.json)
    Updated nodemailer dependency from ^7.0.7 → ^7.0.11.

Controlplane request validation hook (controlplane/src/core/build-server.ts)
    Added a Fastify onRequest hook that parses the Content-Type header and rejects values containing a tab with HTTP 400. The hook contains a reference to an undefined identifier (values) which will throw at runtime.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title accurately reflects the primary changes: it is a dependency update PR addressing multiple vulnerability remediations across the monorepo packages.


@github-actions

github-actions bot commented Mar 13, 2026

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-d62795defd4d041dc72b141d1bd303b15794ea47-nonroot

@codecov

codecov bot commented Mar 13, 2026

Codecov Report

❌ Patch coverage is 75.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.42%. Comparing base (ead3683) to head (2aa28ca).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
controlplane/src/core/build-server.ts 75.00% 2 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2644   +/-   ##
=======================================
  Coverage   46.42%   46.42%           
=======================================
  Files        1046     1046           
  Lines      141488   141496    +8     
  Branches     9679     9683    +4     
=======================================
+ Hits        65680    65690   +10     
+ Misses      74095    74094    -1     
+ Partials     1713     1712    -1     
Files with missing lines Coverage Δ
controlplane/src/core/build-server.ts 75.50% <75.00%> (-0.02%) ⬇️

... and 2 files with indirect coverage changes

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@studio/package.json`:
- Line 98: package.json was updated to "next": "15.4.11" but pnpm-lock.yaml
still resolves to 15.4.10; run pnpm install to regenerate the lockfile so
pnpm-lock.yaml and package.json are in sync, then commit the updated
pnpm-lock.yaml (ensure the "next" entry in pnpm-lock.yaml reflects 15.4.11 and
no stale resolutions remain).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 69418b55-2770-492b-8222-dc4486d2965b

📥 Commits

Reviewing files that changed from the base of the PR and between 86ba45f and 86bcb91.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • studio/package.json

@github-actions github-actions bot added the cli label Mar 13, 2026
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cli/package.json`:
- Line 83: The package.json currently pins "@types/tar" to an outdated v6 while
"tar" is v7; either update the "@types/tar" dependency to "7.0.87" to match
tar@7, or remove the "@types/tar" entry entirely if tar's bundled types
suffice—then run TypeScript build/tests and verify the import in
cli/src/commands/grpc-service/commands/init.ts (where { extract, t } from "tar"
is used) still type-checks; apply the change by editing the "@types/tar"
dependency in package.json and adjusting lockfile (npm/yarn) accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a80a0070-c831-4e58-8505-d33ab037476d

📥 Commits

Reviewing files that changed from the base of the PR and between 86bcb91 and fead4e2.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • cli/package.json

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@controlplane/src/core/build-server.ts`:
- Around line 184-185: The Content-Type header check currently calls
includes('\t') on request.headers['content-type'] which can be an array and will
not detect tabs inside string elements; update the validation in build-server.ts
where contentType is read (variable contentType) to first normalize: if
Array.isArray(contentType) iterate elements and reject if any
element.includes('\t'), otherwise if typeof contentType === 'string' check
contentType.includes('\t'); ensure the guard treats missing/undefined headers
safe and returns the same error/response path when a tab is found.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1a3c97ce-3a14-48bf-a8e6-04e68e837d45

📥 Commits

Reviewing files that changed from the base of the PR and between fead4e2 and 53ae79d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • controlplane/package.json
  • controlplane/src/core/build-server.ts
✅ Files skipped from review due to trivial changes (1)
  • controlplane/package.json

@pepol pepol force-pushed the peter/eng-8990-remediate-high-vulnerabilities-due-mar-15-2026 branch from ae4a6be to b078e63 Compare March 13, 2026 09:44
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@controlplane/src/core/build-server.ts`:
- Around line 185-186: The code uses the wrong variable name: change the check
that references values to use the declared contentTypeValues variable (i.e.,
replace any use of values with contentTypeValues in the block around the
content-type handling), ensuring the Array.isArray/contentType normalization
logic (contentTypeValues) is the one being inspected for tabs; also scan for any
other stray uses of values in the same function (e.g., in build-server.ts around
the contentType handling) and update them to contentTypeValues so TypeScript
compiles.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6aeea665-27a3-48b9-9dd1-0178c04755db

📥 Commits

Reviewing files that changed from the base of the PR and between 53ae79d and b078e63.

📒 Files selected for processing (1)
  • controlplane/src/core/build-server.ts
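The guard the two CodeRabbit comments above ask for (normalize a string or string[] Content-Type value before scanning for tabs, and name the normalized variable consistently), as an added standalone example rather than the project's own build-server.ts code. MinimalRequest, MinimalReply, makeReply and runHook are assumed shapes so the hook can be exercised without Fastify installed.

```typescript
// Added example (not the project's code): the Content-Type guard described in
// the review comments, as a Fastify-style onRequest hook with assumed shapes.
type HeaderValue = string | string[] | undefined;
interface MinimalRequest { headers: { [name: string]: HeaderValue } }
interface MinimalReply {
  statusCode: number;
  payload: unknown;
  code(status: number): MinimalReply;
  send(payload: unknown): MinimalReply;
}

// Normalize to an array so a single string and a repeated header (string[])
// take the same path; a missing header becomes [] and is never rejected.
function contentTypeValues(header: HeaderValue): string[] {
  if (header === undefined) return [];
  return Array.isArray(header) ? header : [header];
}

// True when any Content-Type value contains a horizontal tab.
function hasTabInContentType(header: HeaderValue): boolean {
  return contentTypeValues(header).some((v) => v.includes('\t'));
}

// The hook itself: reply 400 early, otherwise hand off to the next hook.
function rejectTabbedContentType(
  request: MinimalRequest,
  reply: MinimalReply,
  done: (err?: Error) => void,
): void {
  if (hasTabInContentType(request.headers['content-type'])) {
    reply.code(400).send({ error: 'Malformed Content-Type header' });
    return;
  }
  done();
}

// Constructed reply recorder so the hook can run outside Fastify.
function makeReply(): MinimalReply {
  const reply: MinimalReply = {
    statusCode: 200,
    payload: undefined,
    code(status) { reply.statusCode = status; return reply; },
    send(payload) { reply.payload = payload; return reply; },
  };
  return reply;
}

// Run the hook on one header value; report the status and whether done() ran.
function runHook(header: HeaderValue): { status: number; continued: boolean } {
  let continued = false;
  const reply = makeReply();
  rejectTabbedContentType({ headers: { 'content-type': header } }, reply, () => { continued = true; });
  return { status: reply.statusCode, continued };
}
```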

@pepol pepol force-pushed the peter/eng-8990-remediate-high-vulnerabilities-due-mar-15-2026 branch from b078e63 to 15493c6 Compare March 13, 2026 10:09
@pepol pepol marked this pull request as ready for review March 13, 2026 10:10
@pepol pepol force-pushed the peter/eng-8990-remediate-high-vulnerabilities-due-mar-15-2026 branch from 15493c6 to 097f67f Compare March 13, 2026 12:20
@pepol pepol enabled auto-merge (squash) March 13, 2026 12:35
@pepol pepol force-pushed the peter/eng-8990-remediate-high-vulnerabilities-due-mar-15-2026 branch from e42d726 to 43de283 Compare March 16, 2026 09:38
@pepol pepol requested a review from comatory March 16, 2026 09:39
Member

@endigma endigma left a comment


lgtm (cli), please fix or resolve the coderabbit comment

@pepol pepol force-pushed the peter/eng-8990-remediate-high-vulnerabilities-due-mar-15-2026 branch from 43de283 to 777950b Compare March 16, 2026 09:45
@pepol pepol force-pushed the peter/eng-8990-remediate-high-vulnerabilities-due-mar-15-2026 branch from 2dc6571 to 79f9537 Compare March 16, 2026 09:47
Contributor

@comatory comatory left a comment


Tried running build for controlplane + studio, all seems to pass. studio also runs fine and tried running release-preview (dry run).
It seems fine (not sure about the emails)

@pepol pepol merged commit 66e7bf2 into main Mar 17, 2026
55 checks passed
@pepol pepol deleted the peter/eng-8990-remediate-high-vulnerabilities-due-mar-15-2026 branch March 17, 2026 09:32
@coderabbitai coderabbitai bot mentioned this pull request Mar 27, 2026