chore(deps): update dependencies to latest versions

[JoachimLK]

• Updated @better-auth/sso from ^1.6.9 to ^1.6.16
• Updated better-auth from ^1.6.1 to ^1.6.16
• Updated nuxt from ^4.4.4 to ^4.4.8
• Updated @crowdin/cli from ^4.14.0 to ^4.14.2
• Updated @playwright/test from ^1.58.2 to ^1.60.0
• Updated @types/node from ^25.2.3 to ^25.9.3
• Updated tsx from ^4.21.0 to ^4.22.4
• Updated vitest from ^4.1.0 to ^4.1.8
• Updated vue-tsc from ^3.2.5 to ^3.3.4
• Updated wait-on from ^9.0.4 to ^9.0.10
• Updated fast-xml-parser from 5.7.1 to 5.8.0

Summary

• What does this PR change?
• Why is this needed?

Type of change

• Bug fix
• Feature
• Refactor
• Docs
• Chore

Validation

• I tested locally
• I added/updated relevant documentation
• I verified multi-tenant scoping and auth behavior for affected API paths

DCO

• All commits in this PR are signed off (Signed-off-by) via git commit -s

Summary by CodeRabbit

Chores

• Updated Node.js runtime to version 22.22 across development, testing, and deployment environments
• Updated project dependencies and development tools to latest stable versions for improved compatibility

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates Dependabot merge behavior and upgrades the Node.js runtime from version 20 to 22.22 across CI workflows and Docker, along with corresponding bumps to application and development dependencies.

Changes

Dependabot Merge Strategy

Layer / File(s)	Summary
Dependabot automerge merge strategy .github/workflows/dependabot-automerge.yml	Three automerge conditions now execute gh pr merge --merge instead of --squash for eligible direct development dependency minor/patch updates, GitHub Actions minor/patch updates, and direct production patch-only updates.

Node.js Runtime Upgrade and Dependencies

Layer / File(s)	Summary
Node.js version updates in CI and Docker .github/workflows/e2e-tests.yml, .github/workflows/pr-validation.yml, Dockerfile	E2E and PR validation CI workflows and both Dockerfile stages (builder and runner) now use Node.js 22.22-alpine instead of 20-alpine, establishing the new runtime baseline.
Package dependency updates package.json	Production dependencies better-auth and @better-auth/sso are bumped to 1.6.16, dev toolchain packages (@playwright/test, @types/node, tsx, vitest, vue-tsc, wait-on) are upgraded, nuxt is updated to 4.4.8, and fast-xml-parser override is increased to 5.8.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• reqcore-inc/reqcore#184: Both PRs modify package.json dependency pins in the overrides section, specifically for fast-xml-parser.

Poem

🐰 From Node 20 to 22 we hop,
Dependencies dance without a stop,
Merge squash to merge, the workflow's delight,
Infrastructure updated, everything right! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description provides a detailed list of dependency updates but leaves critical template sections empty ("What does this PR change?" and "Why is this needed?") and all validation checkboxes unchecked.	Fill in the "Summary" section explaining what changed and why, check the appropriate "Type of change" checkbox (Chore), and confirm validation steps or provide justification for unchecked items.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title clearly describes the main change—updating dependencies to latest versions—and follows Conventional Commits format as required.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/zero-pr-dependency-cleanup

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[railway-app]

🚅 Deployed to the reqcore-pr-198 environment in applirank

Service	Status	Web	Updated (UTC)
applirank	✅ Success (View Logs)		Jun 11, 2026 at 7:20 am

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-automerge.yml:
- Line 39: The Dependabot automerge step currently uses the command invocation
gh pr merge --auto --merge "$PR_URL" which creates merge commits and may not
produce the squash-style commit/title semantics that release-please expects (see
.github/pull_request_template.md and .github/workflows/pr-title-lint.yml);
update the workflow to either (A) change the invocations of gh pr merge --auto
--merge "$PR_URL" (appearing in the dependabot-automerge workflow) to gh pr
merge --auto --squash "$PR_URL" to restore squash-merge semantics, or (B) if you
verify that --merge nevertheless produces the required squash-style
conventional-commit signals for release-please, add a concise inline comment
above the gh pr merge lines explaining why --merge is acceptable and how it
preserves release-please behavior; ensure the chosen approach is applied to all
occurrences of the command in the workflow.

In @.github/workflows/e2e-tests.yml:
- Line 73: Update the Node.js pin so CI and Docker use the exact same SemVer;
change the actions/setup-node `node-version` value from `22.22` to `22.22.3` and
ensure the Docker build stage uses the matching official image tag (e.g.,
replace `node:22.22-alpine` with `node:22.22.3-alpine3.22` or the intended
distro like `node:22.22.3-bookworm`) so `actions/setup-node` and the Docker
image are aligned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 39fc0ed8-08e8-4cf0-8e8c-45ccfe0501fa

📥 Commits

Reviewing files that changed from the base of the PR and between a5da708 and 60a723d.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• .github/workflows/dependabot-automerge.yml
• .github/workflows/e2e-tests.yml
• .github/workflows/pr-validation.yml
• Dockerfile
• package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check if there's a documented merge strategy preference in contributing docs or other workflows

# Search for merge strategy documentation
rg -i -C3 'merge.*strategy|squash.*merge|--squash|--merge|--rebase' \
  --glob '*.md' \
  --glob '.github/**/*.yml' \
  --glob 'CONTRIBUTING*' \
  --glob 'docs/**/*'

# Check other workflows for merge patterns
rg -n "gh pr merge" --glob '.github/workflows/*.yml'

Repository: reqcore-inc/reqcore

Length of output: 712

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Find any explicit guidance about squash vs merge (docs/contributing/README)
rg -n --hidden --no-ignore-vcs \
  '(--squash|--merge|squash-merge|merge strategy|pr merge)' \
  --glob '*.md' \
  --glob '.github/**/*.yml' \
  --glob 'CONTRIBUTING*' \
  --glob 'docs/**/*' || true

# 2) Find all usage of `gh pr merge` and see which flags are used elsewhere
rg -n --hidden --no-ignore-vcs \
  'gh pr merge' .github/workflows/*.yml || true

# 3) Specifically check dependabot-related workflows for merge/squash settings
rg -n --hidden --no-ignore-vcs \
  '(dependabot|automerge|merge strategy|--squash|--merge)' \
  .github/workflows/*.yml || true

Repository: reqcore-inc/reqcore

Length of output: 1474

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/pull_request_template.md (around line 6) ==="
sed -n '1,40p' .github/pull_request_template.md

echo "=== .github/workflows/pr-title-lint.yml (around line 1-30) ==="
sed -n '1,120p' .github/workflows/pr-title-lint.yml

echo "=== Search for gh pr merge usage and flags across workflows ==="
rg -n --hidden --no-ignore-vcs 'gh pr merge' .github/workflows/*.yml || true

echo "=== Search for explicit --squash / squash-merge mentions across repo ==="
rg -n --hidden --no-ignore-vcs '(--squash|squash-merge|squash-merged)' \
  --glob '*.md' --glob '.github/**/*.yml' --glob 'docs/**/*' || true

Repository: reqcore-inc/reqcore

Length of output: 3230

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search for any --squash usage in workflows ==="
rg -n --hidden --no-ignore-vcs '--squash|squash-merge' .github/workflows/*.yml || true

echo "=== List and inspect release-please configs (if present) ==="
ls -la .github 2>/dev/null || true
ls -la .github/workflows 2>/dev/null || true
fd -a 'release-please' .github -t f 2>/dev/null || true

# Print likely release-please config files if they exist
for f in .github/release-please-config.json .github/release-please-config.* .github/release-please*.json .github/*.json; do
  if [ -f "$f" ]; then
    echo "=== $f (first 200 lines) ==="
    sed -n '1,200p' "$f"
  fi
done

echo "=== Search for release-please workflow/config references ==="
rg -n --hidden --no-ignore-vcs 'release-please|squash-merged|merge-commit|target-branch|changelog' .github/workflows/**/*.yml .github/**/*.json .github/**/*.md || true

Repository: reqcore-inc/reqcore

Length of output: 6717

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/workflows/dependabot-automerge.yml (full) ==="
sed -n '1,220p' .github/workflows/dependabot-automerge.yml

echo "=== .github/workflows/release-please.yml (first 220 lines) ==="
sed -n '1,220p' .github/workflows/release-please.yml

echo "=== .github/workflows/release-verification.yml (first 260 lines) ==="
sed -n '1,260p' .github/workflows/release-verification.yml

echo "=== Search for 'squash' and 'merge-commit' references in .github/workflows ==="
rg -n --hidden --no-ignore-vcs 'squash-merged|squash|merge-commit|--squash|--merge' .github/workflows/*.yml || true

Repository: reqcore-inc/reqcore

Length of output: 11265

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .release-please-manifest.json (first 220 lines) ==="
sed -n '1,220p' .release-please-manifest.json

echo "=== Search for release-please merge-type / squash mention in repo ==="
rg -n --hidden --no-ignore-vcs '(release-please|squash-merged|squash-merge|merge-commit|merge commit|merge strategy)' \
  .github .release-please-manifest.json .  || true

echo "=== Check .github/dependabot.yml (first 220 lines) ==="
sed -n '1,220p' .github/dependabot.yml

Repository: reqcore-inc/reqcore

Length of output: 5576

---

Fix Dependabot automerge merge strategy to match release-please expectations

This repo explicitly relies on squash-merged commit/title semantics for release-please (see .github/pull_request_template.md and .github/workflows/pr-title-lint.yml), but .github/workflows/dependabot-automerge.yml now uses gh pr merge --auto --merge "$PR_URL" (lines 39/52/70), which creates merge commits instead.

• Confirm --merge still produces the “squash-merged” conventional-commit signal that release-please expects; otherwise switch Dependabot automerge back to --squash (or adjust the release-please workflow/process accordingly).
• Add a brief comment in the workflow explaining why --merge is chosen (and how it preserves the release-please behavior).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-automerge.yml at line 39, The Dependabot
automerge step currently uses the command invocation gh pr merge --auto --merge
"$PR_URL" which creates merge commits and may not produce the squash-style
commit/title semantics that release-please expects (see
.github/pull_request_template.md and .github/workflows/pr-title-lint.yml);
update the workflow to either (A) change the invocations of gh pr merge --auto
--merge "$PR_URL" (appearing in the dependabot-automerge workflow) to gh pr
merge --auto --squash "$PR_URL" to restore squash-merge semantics, or (B) if you
verify that --merge nevertheless produces the required squash-style
conventional-commit signals for release-please, add a concise inline comment
above the gh pr merge lines explaining why --merge is acceptable and how it
preserves release-please behavior; ensure the chosen approach is applied to all
occurrences of the command in the workflow.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the correct Node.js version format for actions/setup-node, and what are the latest available Node.js 22.x versions as of June 2026?

💡 Result:

In the actions/setup-node GitHub Action, the node-version input accepts values based on Semantic Versioning (SemVer) syntax, as well as specific aliases [1][2]. Supported formats include: - Major versions: e.g., 22, 24 [1] - Specific versions: e.g., 22.17.1, 24.8.0 [1] - NVM LTS syntax: e.g., lts/jod, lts/* [1] - Aliases: latest, current, node, or * [1] As of June 11, 2026, the latest available Node.js 22.x version is 22.22.3 [3][4]. This release, codenamed 'Jod', was published on May 13, 2026 [3][5]. Node.js 22.x is currently in the Maintenance LTS phase [6][7].

Citations:

• 1: https://github.com/actions/setup-node?tab=readme-ov-file
• 2: https://github.com/actions/setup-node/blob/c45882a6eaaa69d42dbf1b6c7e3ae5dbb81e1f29/README.md
• 3: https://github.com/nodejs/node/releases/tag/v22.22.3
• 4: 2026-05-13, Version 22.22.3 'Jod' (LTS), @marco-ippolito nodejs/node#63250
• 5: https://nodejs.org/en/download/archive/v22
• 6: https://github.com/nodejs/Release?hss_channel=tw-91985735
• 7: https://github.com/nodejs/lts/blob/master/README.md

---

🏁 Script executed:

#!/bin/bash
# Description: Verify Node.js 22.22 availability in Docker

curl -s "https://hub.docker.com/v2/repositories/library/node/tags?page_size=100&name=22" | \
  jq -r '.results[].name' | grep -E '^22\.[0-9]+' | sort -V | tail -10

Repository: reqcore-inc/reqcore

Length of output: 246

---

Align Node.js pin across CI and Docker: 22.22.3

• actions/setup-node accepts SemVer values for node-version; the latest Node.js 22.x as of Jun 2026 is 22.22.3.
• Docker Hub official node image tags available for this series are 22.22.3-* (e.g., 22.22.3-alpine3.22, 22.22.3-bookworm), so node:22.22-alpine is likely not a valid reference—pin the Docker stage to 22.22.3 (and the intended variant/distro) to keep CI + Docker consistent.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-tests.yml at line 73, Update the Node.js pin so CI and
Docker use the exact same SemVer; change the actions/setup-node `node-version`
value from `22.22` to `22.22.3` and ensure the Docker build stage uses the
matching official image tag (e.g., replace `node:22.22-alpine` with
`node:22.22.3-alpine3.22` or the intended distro like `node:22.22.3-bookworm`)
so `actions/setup-node` and the Docker image are aligned.