
chore(deps): upgrade dependencies to fix security vulnerabilities#188

Merged
halvaradop merged 2 commits into master from chore/patch-dependencies on Jun 11, 2026

Conversation


@halvaradop halvaradop commented Jun 11, 2026

Member

Description

This pull request upgrades dependencies to address security vulnerabilities reported by GitHub Dependabot and the pnpm audit command.

The changes include direct dependency upgrades where compatible fixes are available. In cases where vulnerabilities originate from transitive dependencies, package overrides have been added to package.json and pnpm-workspace.yaml to enforce secure versions across the workspace.

Note

These changes are focused on security remediation and dependency maintenance. No functional changes to the application code are intended.


vercel Bot commented Jun 11, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: auth. Deployment: Ready. Actions: Preview, Comment. Updated (UTC): Jun 11, 2026 11:50pm


coderabbitai Bot commented Jun 11, 2026


Review Change Stack

Warning

Review limit reached

@halvaradop, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 37 minutes and 49 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 38a91a02-9bca-4e67-8fbb-07ef3f540604

📥 Commits

Reviewing files that changed from the base of the PR and between 7d66cab and 283f9c9.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
  • apps/astro/package.json
  • apps/nuxt/package.json
  • apps/react-router/package.json
  • package.json
  • pnpm-workspace.yaml
📝 Walkthrough

Walkthrough

This PR updates dependency versions across the workspace and individual apps. Workspace-level catalogs and overrides in pnpm-workspace.yaml and root package.json are bumped first, followed by dependency updates in Astro, Nuxt, TanStack, Docs, and Express packages. No functional code changes are introduced.

Changes

Dependency Version Updates

Layer: Workspace catalog and override definitions
File(s): pnpm-workspace.yaml, package.json
Summary: Catalogs for next, react-router, vite, and typescript are bumped in pnpm-workspace.yaml. Root workspaces.catalogs entries for next, vite, hono, and react-router are updated. The overrides section is expanded with new/changed pins for dompurify, lodash, lodash-es, serialize-javascript, h3, brace-expansion, uuid, and qs. Root-level devDependencies (tsdown, turbo) and dependencies (oxlint) are bumped.

Layer: Individual app and package dependency updates
File(s): apps/astro/package.json, apps/nuxt/package.json, apps/tanstack-start/package.json, docs/package.json, packages/express/package.json
Summary: Astro packages (@astrojs/node, @astrojs/react, astro) are updated. Nuxt, Vue, and Vue Router versions are bumped. TanStack ecosystem packages are refreshed. Docs dependencies (mermaid, postcss) are increased. Express package devDependencies are reordered and @types/supertest is updated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • aura-stack-ts/auth#118: Updates Astro and related packages in apps/astro/package.json with dependency version bumps similar to this PR.

Poem

🐰 A curious rabbit hops through the forest of versions,
Gathering shiny new packages, each a small treasure,
Catalogs arranged, overrides in place,
Dependencies dancing in perfect upgrade grace,
No breaking changes, just safer ground to trace!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title accurately describes the main objective of the changeset: upgrading multiple dependencies across the monorepo to address security vulnerabilities.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
pnpm-workspace.yaml (1)

29-29: ⚡ Quick win

Confirm intentional pinning of react-router version.

The react-router catalog uses 7.15.0 without a caret prefix, creating an exact pin rather than a semver range. Most other catalogs use caret ranges (e.g., ^16.2.6 for next, ^7.3.2 for vite). Verify this exact pin is intentional.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pnpm-workspace.yaml` at line 29, the catalog entry "react-router: 7.15.0" is
an exact pin while other catalogs use caret ranges; confirm whether this exact
pin is intentional and either change it to a semver range (e.g., update
"react-router: 7.15.0" to "react-router: ^7.15.0") or add a short comment/PR
description explaining why the exact pin must be used so future maintainers
understand the rationale.
package.json (1)

93-93: ⚡ Quick win

Confirm intentional exact pinning in workspaces.catalogs.

Both hono (line 93) and react-router (line 103) use exact version pins (4.12.21 and 7.15.0) without caret prefixes, unlike other catalog entries. This matches pnpm-workspace.yaml, but verify this strict pinning is intentional rather than an oversight.

Also applies to: 103-103

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 93, confirm whether the exact version pins for
workspaces.catalogs entries "hono" and "react-router" are intentional; if they
should be flexible, update the entries in workspaces.catalogs to use caret-range
notation (e.g., add a leading ^) for "hono" and "react-router", otherwise keep
the exact pins but add a brief justification either as a package.json comment or
in the PR description indicating why strict pinning is required so reviewers
understand the intent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/astro/package.json`:
- Around lines 17-21: Update the migration/version validation to target Astro
v6.0.0 as the breaking baseline (not v6.1.10) and ensure the app meets Node
>=22.12.0 in package.json; specifically, adjust any code that checks the
installed astro version or migration gates to compare against "6.0.0" and
confirm engines.node is ">=22.12.0", and when validating deps note that
`@astrojs/node` requires astro ^6.0.0 while `@astrojs/react` has no astro peerDep so
no additional checks are needed for it.

In `@package.json`:
- Line 68: Update the catalog entries in package.json's workspaces.catalogs to
match the versions declared in pnpm-workspace.yaml: change the "`@types/node`"
entry to "^24.13.2" and the "typescript" entry to "^5.9.3" so both files declare
identical catalog versions; locate and edit the workspaces.catalogs block in
package.json (the entries for "`@types/node`" and "typescript") and update their
version strings to exactly match pnpm-workspace.yaml.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9fbd87e7-b7f2-46f9-8dfc-cefb4e79f6a6

📥 Commits

Reviewing files that changed from the base of the PR and between 9a8fb34 and 7d66cab.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (7)
  • apps/astro/package.json
  • apps/nuxt/package.json
  • apps/tanstack-start/package.json
  • docs/package.json
  • package.json
  • packages/express/package.json
  • pnpm-workspace.yaml
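The PR description relies on the catalog entries and overrides in pnpm-workspace.yaml and the root package.json staying in step, and the review findings in this thread (a catalog version that differs between the two files, and exact pins beside caret ranges) are exactly the drift such a setup produces. The script below is an added example, not code from the aura-stack-ts/auth repository or from CodeRabbit: it reads both files with a deliberately minimal parser for the flat `catalog:` and `overrides:` mappings of pnpm-workspace.yaml (named `catalogs:` nested one level deeper are not handled) and the `workspaces.catalogs` / `pnpm.overrides` objects of package.json, then reports mismatched versions and exact pins. The file contents, the lodash and qs versions, and the typescript/qs discrepancies are constructed for the example; the layout of the two files follows what the review comments describe.

```python
"""Consistency check for pnpm workspace catalogs and overrides.

Added example (not code from the aura-stack-ts/auth repository). Reads the two
places where a pnpm workspace declares shared versions and reports drift:
  - pnpm-workspace.yaml : flat `catalog:` and `overrides:` mappings
  - package.json        : `workspaces.catalogs` and `pnpm.overrides` objects
Findings are (kind, package, detail) tuples with kind one of
"catalog-mismatch", "override-mismatch" or "exact-pin".
"""
import json
import re

# Constructed sample pnpm-workspace.yaml. The catalog versions mirror the ones
# quoted in the review thread; the override versions are illustrative only.
WORKSPACE_YAML = """\
packages:
  - apps/*
  - packages/*
catalog:
  next: ^16.2.6
  vite: ^7.3.2
  react-router: 7.15.0
  typescript: ^5.9.3
overrides:
  lodash: ^4.17.21   # constructed version
  qs: ^6.14.0        # constructed version
"""

# Constructed sample root package.json: typescript and qs deliberately drift
# from the YAML file so the checker has something to report.
ROOT_PACKAGE_JSON = json.dumps({
    "name": "workspace-root",
    "workspaces": {"catalogs": {
        "next": "^16.2.6", "vite": "^7.3.2",
        "react-router": "7.15.0", "typescript": "^5.9.2"}},
    "pnpm": {"overrides": {"lodash": "^4.17.21", "qs": "^6.13.0"}},
})

# Exact semver (optionally with prerelease/build): no ^, ~, >= or x-range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def is_exact_pin(spec):
    """True when a version spec pins one exact version rather than a range."""
    return bool(EXACT_VERSION.match(spec.strip()))


def parse_flat_yaml_sections(text):
    """Minimal reader for top-level `section:` blocks of two-space-indented
    `key: value` pairs (enough for pnpm's default catalog and overrides).
    List items and deeper nesting are skipped; this is not a YAML parser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        head, _, tail = line.partition(":")
        if indent == 0:                           # top-level key
            if tail.strip():                      # scalar, e.g. name: foo
                sections[head.strip()] = tail.strip()
                current = None
            else:
                current = head.strip()
                sections[current] = {}
        elif indent <= 2 and current is not None and not line.strip().startswith("-"):
            sections[current][head.strip()] = tail.strip().strip("'\"")
    return sections


def check_workspace(workspace_yaml, package_json_text):
    """Compare catalog/override declarations across both files."""
    yaml_sections = parse_flat_yaml_sections(workspace_yaml)
    pkg = json.loads(package_json_text)
    tables = {
        "catalog": (yaml_sections.get("catalog", {}),
                    pkg.get("workspaces", {}).get("catalogs", {})),
        "override": (yaml_sections.get("overrides", {}),
                     pkg.get("pnpm", {}).get("overrides", {})),
    }
    findings = []
    for kind, (in_yaml, in_pkg) in tables.items():
        for name in sorted(set(in_yaml) | set(in_pkg)):
            a, b = in_yaml.get(name), in_pkg.get(name)
            if a != b:   # missing on one side (None) or a different version
                findings.append((f"{kind}-mismatch", name,
                                 f"pnpm-workspace.yaml={a!r} package.json={b!r}"))
    # Exact pins silently opt a package out of future patch releases; flag them
    # so the maintainer can confirm each one is intentional.
    for source, table in (("pnpm-workspace.yaml", tables["catalog"][0]),
                          ("package.json", tables["catalog"][1])):
        for name, spec in table.items():
            if is_exact_pin(spec):
                findings.append(("exact-pin", name, f"{source}: {spec}"))
    return findings


if __name__ == "__main__":
    for kind, name, detail in check_workspace(WORKSPACE_YAML, ROOT_PACKAGE_JSON):
        print(f"{kind:18} {name:14} {detail}")
```

Run against real files by reading them into `check_workspace` in place of the constructed strings; a non-empty result is what a CI job would fail on, which turns the review's two findings (catalog drift between the files, unexplained exact pins) into a check that runs on every dependency PR rather than a comment that has to be noticed.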

@halvaradop halvaradop merged commit 6314709 into master Jun 11, 2026
7 checks passed
@halvaradop halvaradop deleted the chore/patch-dependencies branch June 11, 2026 23:50