
chore: fix npm audit issues #2407

Merged
ymc9 merged 1 commit into dev from chore/dependabot-1 on Feb 26, 2026

Conversation

@ymc9 (Member) commented Feb 26, 2026

Summary by CodeRabbit

  • Chores
    • Updated development dependencies including security patches for core packages and latest stable versions of framework libraries (Next.js, Nuxt, SvelteKit, Svelte) to improve stability and security.

claude bot (@claude, Contributor) commented Feb 26, 2026

Claude finished @ymc9's task.


PR Review: npm audit fixes

Todo List:

  • Read repository guidelines (CLAUDE.md)
  • Analyze package.json changes
  • Review auth-adapters/better-auth package changes
  • Review server package changes
  • Examine pnpm-lock.yaml changes
  • Review pnpm-workspace.yaml changes
  • Provide comprehensive feedback on security, quality, and best practices
  • Final review summary

Analysis Summary:

Based on my analysis of the changes, this PR addresses npm audit vulnerabilities through dependency updates and package manager overrides. Here's my detailed review:

Security Improvements

Pnpm Overrides Added (package.json:55-59):

  • cookie@<0.7.0: >=0.7.0 - Addresses CVE-2024-47764 cookie parsing vulnerability
  • lodash@>=4.0.0 <=4.17.22: >=4.17.23 - Fixes multiple lodash vulnerabilities
  • lodash-es@>=4.0.0 <=4.17.22: >=4.17.23 - Same fix for ES module version

These overrides are a good security practice when transitive dependencies contain vulnerabilities.

📦 Dependency Updates

Better Auth Dependencies (packages/auth-adapters/better-auth/package.json):

  • Updated from 1.4.17 to 1.4.19 (patch release)
  • ✅ Conservative patch-level update, low risk
  • ✅ Maintains compatibility with peer dependency range ^1.3.0

Server Framework Dependencies (packages/server/package.json):

  • @sveltejs/kit: ^2.48.3 → catalog: (now uses workspace catalog)
  • h3: ^1.15.4 → ^1.15.5 (patch update)
  • hono: ^4.6.3 → ^4.11.10 (minor update)

Catalog Updates (pnpm-workspace.yaml):

  • Multiple framework updates: Next.js, Nuxt, Svelte, etc.
  • All are within reasonable version bounds

⚠️ Areas of Concern

  1. Package Manager Version Discrepancy:

    • CLAUDE.md specifies pnpm@10.12.1
    • package.json:5 specifies pnpm@10.23.0
    • Recommendation: Update CLAUDE.md or align versions for consistency
  2. Large Lock File Changes:

    • 1765 additions / 1904 deletions in pnpm-lock.yaml
    • This is expected for security updates but makes manual verification challenging
    • ✅ Changes appear to be legitimate dependency resolution updates

🔍 Code Quality Assessment

✅ Good Practices Followed:

  • Used pnpm overrides instead of unsafe resolutions
  • Conservative version updates (mostly patches/minors)
  • Maintained peer dependency compatibility
  • Used workspace catalog for consistency

✅ Repository Conventions:

  • Follows monorepo structure with pnpm workspaces
  • Aligns with ZenStack's dependency management patterns
  • Maintains TypeScript and build tooling versions

🚨 Security Considerations

Low Risk: The updated packages are well-maintained frameworks with good security track records:

  • Better Auth: Authentication library with regular security updates
  • SvelteKit, Hono, H3: Popular web frameworks
  • Framework version updates typically include security patches

Recommended Actions:

  1. ✅ Security overrides properly address known CVEs
  2. ✅ Version updates are conservative and within safe ranges
  3. ⚠️ Consider running pnpm audit after merge to verify all issues resolved

📋 Testing Considerations

Potential Impact Areas:

  • Better Auth integration (minor patch update should be safe)
  • Server framework adapters (especially Hono's minor version jump)
  • Build process (esbuild and other tooling updates)

Recommended Testing:

  • Run full test suite: pnpm test
  • Verify build process: pnpm build
  • Test server adapters, especially Hono and SvelteKit integrations

🏁 Final Recommendation

APPROVE - This is a well-executed security maintenance PR that:

  • ✅ Addresses legitimate security vulnerabilities
  • ✅ Uses conservative update strategy
  • ✅ Follows repository conventions
  • ✅ Maintains compatibility constraints

The only minor issue is the pnpm version discrepancy between docs and package.json, which should be addressed in a follow-up.
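
The review above recommends running pnpm audit after the merge. A complementary offline check is to confirm that pnpm-lock.yaml no longer resolves any package to a version inside an override's selector, because a pnpm override only takes effect once the lockfile has been regenerated; a stale lockfile can keep shipping the old lodash or cookie even though package.json says otherwise. The script below is an added example for this page, not code from ZenStack or from either review bot. It assumes the pnpm lockfile v9 layout, plain x.y.z versions, and override selectors made of simple comparators or `*`; the lockfile excerpt it scans is constructed for the example (its integrity hashes are placeholders), and the function names are the example's own.

```javascript
// Added example (not ZenStack's code): verify that pnpm overrides such as
//   "cookie@<0.7.0": ">=0.7.0"
//   "lodash@>=4.0.0 <=4.17.22": ">=4.17.23"
// actually took effect, by scanning the `packages:` section of a pnpm-lock.yaml
// for versions that still fall inside the vulnerable selector of an override.
// Assumptions: lockfile v9 layout, plain "x.y.z" versions (no prerelease),
// selectors built from >=, <=, >, <, = comparators or "*".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside `range`, a whitespace-separated conjunction
// of comparators such as ">=4.0.0 <=4.17.22". Unparseable versions never match.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  if (range.trim() === '*') return true;
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const c = compareVersions(v, parseVersion(m[2]));
    switch (m[1] || '=') {
      case '>=': return c >= 0;
      case '<=': return c <= 0;
      case '>':  return c > 0;
      case '<':  return c < 0;
      default:   return c === 0;
    }
  });
}

// Split an override key ("lodash@>=4.0.0 <=4.17.22", "@scope/pkg@<1.0.0", or a
// bare "lodash", which pnpm treats as "every version") into name and selector.
function parseOverrideKey(key) {
  const at = key.lastIndexOf('@'); // scoped names start with '@', so use the last one
  if (at <= 0) return { name: key, selector: '*' };
  return { name: key.slice(0, at), selector: key.slice(at + 1) };
}

// Collect {name, version} pairs from the `packages:` section of a pnpm lockfile.
// Keys look like "  cookie@0.7.2:" or "  '@types/lodash@4.17.7':".
function listLockedPackages(lockText) {
  const entry = /^ {2}'?(@?[^\s'@\/]+(?:\/[^\s'@\/]+)?)@([^\s'(:]+)'?:/;
  const found = [];
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) inPackages = line.startsWith('packages:'); // top-level key
    if (!inPackages) continue;
    const m = entry.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Return every locked package whose version is still inside an override's selector.
function findOverrideViolations(lockText, overrides) {
  const selectors = Object.keys(overrides).map(parseOverrideKey);
  const violations = [];
  for (const pkg of listLockedPackages(lockText)) {
    for (const { name, selector } of selectors) {
      if (pkg.name === name && satisfies(pkg.version, selector)) {
        violations.push({ ...pkg, selector });
      }
    }
  }
  return violations;
}

// The three overrides this PR adds to package.json.
const OVERRIDES = {
  'cookie@<0.7.0': '>=0.7.0',
  'lodash@>=4.0.0 <=4.17.22': '>=4.17.23',
  'lodash-es@>=4.0.0 <=4.17.22': '>=4.17.23',
};

// Constructed lockfile excerpt (not the repository's real pnpm-lock.yaml):
// cookie was re-resolved to 0.7.2, but lodash is still pinned at 4.17.21.
const SAMPLE_LOCK = `lockfileVersion: '9.0'

overrides:
  cookie@<0.7.0: '>=0.7.0'
  lodash@>=4.0.0 <=4.17.22: '>=4.17.23'

packages:

  '@types/lodash@4.17.7':
    resolution: {integrity: sha512-constructed}

  cookie@0.7.2:
    resolution: {integrity: sha512-constructed}

  lodash@4.17.21:
    resolution: {integrity: sha512-constructed}

snapshots:

  cookie@0.7.2: {}
`;

// Stand-alone run: report what is still inside a vulnerable selector.
for (const v of findOverrideViolations(SAMPLE_LOCK, OVERRIDES)) {
  console.log(`${v.name}@${v.version} is still inside override selector "${v.selector}"`);
}
```

Against the constructed excerpt the script reports one violation, lodash@4.17.21, which is exactly what a lockfile that was not regenerated after adding the override would show. To check a real repository, read pnpm-lock.yaml with fs.readFileSync and pass its text plus the `pnpm.overrides` object from package.json to findOverrideViolations; an empty result, together with a clean pnpm audit, is the evidence the review asks for.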


coderabbitai bot (@coderabbitai, Contributor) commented Feb 26, 2026

📝 Walkthrough

This PR updates dependency versions across configuration files, including pnpm overrides for security patches, version bumps for framework dependencies (Next.js, Nuxt, SvelteKit), and adds new zod validation dependencies to the workspace catalog.

Changes

Cohort / File(s) and Summary:

Root Configuration & Security Overrides (package.json, pnpm-workspace.yaml)
  Added pnpm overrides for cookie, lodash, and lodash-es security patches. Updated workspace catalog versions: Next.js (16.0.10→16.1.6), Nuxt (4.2.2→4.3.1), SvelteKit (2.49.1→2.53.2), Svelte (5.45.6→5.53.5), tmp (^0.2.3→^0.2.4). Added zod ^4.0.0 and zod-validation-error ^4.0.1 dependencies.

Package-level Dependencies (packages/auth-adapters/better-auth/package.json, packages/server/package.json)
  Updated @better-auth suite (1.4.17→1.4.19). Updated server dependencies: @sveltejs/kit to catalog reference, h3 (^1.15.4→^1.15.5), hono (^4.6.3→^4.11.10).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With whiskers twitching, I hop with glee,
Dependencies patched for security!
From cookie crumbs to lodash delight,
Versions bumped—the code shines bright! ✨
New zod friends join the catalog crew,
Hopping forward with updates anew! 🎉

🚥 Pre-merge checks: ✅ 3 passed

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The PR title 'chore: fix npm audit issues' accurately describes the primary purpose of the changeset, which involves updating package versions to resolve dependency vulnerabilities and security issues across multiple package.json files and the pnpm workspace configuration.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



coderabbitai bot (@coderabbitai, Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

5-5: ⚠️ Potential issue | 🟠 Major

Update packageManager to the required version.

Line 5 must use pnpm@10.12.1 per repository policy, but currently specifies pnpm@10.23.0.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 5, Update the packageManager field in package.json to
the repository-required version by replacing the current value "pnpm@10.23.0"
with "pnpm@10.12.1" so the packageManager entry matches the enforced policy.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca8f437 and 896231f.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • package.json
  • packages/auth-adapters/better-auth/package.json
  • packages/server/package.json
  • pnpm-workspace.yaml

@ymc9 ymc9 merged commit c7c3d86 into dev Feb 26, 2026
9 checks passed
@ymc9 ymc9 deleted the chore/dependabot-1 branch February 26, 2026 01:47