
Bump dependencies #2222

Merged
merged 1 commit into from
Feb 11, 2025

Conversation

vhpx
Member

@vhpx vhpx commented Feb 11, 2025

Summary by CodeRabbit

  • Chores
    • Upgraded various package dependencies across multiple components to improve performance, stability, and compatibility.
    • Streamlined dependency references and workspace configurations to maintain consistency and support future enhancements.

@vhpx vhpx self-assigned this Feb 11, 2025
Contributor

coderabbitai bot commented Feb 11, 2025

Walkthrough

This pull request performs a series of dependency updates across multiple package.json files in both apps and packages. Changes include upgrading versions of libraries (e.g., Supabase, PostCSS, Turbo, Next, and various ESLint plugins) as well as adjustments in dependency declarations such as removals and re-additions of workspace dependencies. The modifications ensure consistency across projects and incorporate minor version improvements without altering major functionalities or control flows.

Changes

| File(s) | Change Summary |
|---|---|
| apps/db/package.json | Updated supabase from ^2.9.6 to ^2.12.0. |
| apps/external/package.json | Updated postcss from ^8.5.1 to ^8.5.2. |
| apps/{mira, nova, rewise, web}/package.json | Multiple dependency updates: upgraded various @tiptap-pro extensions, modified workspace dependencies (removals/re-additions), and bumped versions for packages like @upstash/qstash, @vercel/analytics, next, react-email, remark-gfm, and ESLint-related packages. |
| package.json | Upgraded turbo from ^2.4.0 to ^2.4.1. |
| packages/{ai, eslint-config, supabase, types}/package.json | Various version bumps: updated ESLint plugins, Next, and other package-specific dependencies, including workspace adjustments and config updates. |
| packages/transactional/package.json | Updated react-email from ^3.0.6 to ^3.0.7. |
| packages/ui/package.json | Upgraded @tailwindcss/postcss and tailwindcss from ^4.0.5 to ^4.0.6, along with updates to ESLint plugins and postcss. |

Suggested labels

enhancement

Poem

I'm a rabbit who loves to code,
Hopping through updates on a bumpy road.
Dependencies leap to versions new,
Each little bump brings something true.
With ears perked up and a joyful beat,
I celebrate these changes—oh-so-sweet! 🐰💻



Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 89d23ad and 065c3a0.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (13)
  • apps/db/package.json (1 hunks)
  • apps/external/package.json (1 hunks)
  • apps/mira/package.json (6 hunks)
  • apps/nova/package.json (6 hunks)
  • apps/rewise/package.json (4 hunks)
  • apps/web/package.json (8 hunks)
  • package.json (1 hunks)
  • packages/ai/package.json (2 hunks)
  • packages/eslint-config/package.json (1 hunks)
  • packages/supabase/package.json (2 hunks)
  • packages/transactional/package.json (1 hunks)
  • packages/types/package.json (1 hunks)
  • packages/ui/package.json (1 hunks)
✅ Files skipped from review due to trivial changes (4)
  • packages/transactional/package.json
  • apps/external/package.json
  • package.json
  • packages/eslint-config/package.json
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Deploy-Preview
🔇 Additional comments (9)
packages/types/package.json (1)

25-26: Verify TypeScript ESLint package versions.

Let's confirm these are the latest stable versions and check for any known issues.

✅ Verification successful

🌐 Web query:

What is the latest stable version of @typescript-eslint/eslint-plugin and @typescript-eslint/parser?

💡 Result:

The latest stable versions as of February 11, 2025 are:

@typescript-eslint/eslint-plugin
v8.24.0 released on February 10, 2025[1]

@typescript-eslint/parser
v8.24.0 released on February 10, 2025[1]


Key Details:

  • Both packages follow synchronized versioning as part of the typescript-eslint monorepo[3][4].
  • Releases occur weekly on Mondays at 1pm US Eastern time[4].
  • The v8.x.x series includes support for TypeScript features up to TypeScript v5.x[2][3].

For installation:

npm install @typescript-eslint/eslint-plugin@latest @typescript-eslint/parser@latest --save-dev


Latest stable versions confirmed.
Both @typescript-eslint/eslint-plugin and @typescript-eslint/parser are at version 8.24.0 as of February 10, 2025, matching the latest stable release. There are no known issues reported with these versions.

apps/db/package.json (1)

19-19: Verify Supabase CLI version update.

Let's check the changelog for any breaking changes or important updates between 2.9.6 and 2.12.0.

✅ Verification successful

🌐 Web query:

What are the major changes in Supabase CLI between versions 2.9.6 and 2.12.0?

💡 Result:

The Supabase CLI introduced several notable changes between versions v2.9.6 and v2.12.0, focusing on configuration flexibility, security improvements, and bug fixes:


Major Changes

Configuration Improvements

  1. Optional Config File (v2.12.0)
    The config.toml file became optional for projects[1], simplifying setups that don’t require advanced configurations.

  2. Vault Secrets Management (v2.10.0)
    Added support for updating secrets directly from configuration files using supabase vault set[1][4].

  3. Captcha Configuration (v2.11.0)
    Introduced local CAPTCHA configuration support for authentication flows[1].


Runtime & Dependency Updates

  • Edge Runtime Upgrades
    • v2.10.x: Updated to Edge Runtime v1.66–1.67 for improved edge function compatibility[1].
  • Dependency Bumps
    • Golang modules (oauth2, mod, term) updated to newer versions for security/stability[1].

Bug Fixes

  • Migration Notices (v2.10.x)
    Fixed issues where migration execution notices were not displayed[1].
  • Secret Hashing (v2.11.x)
    Skipped hashing empty secret values to prevent errors[1].
  • Enum Validation (v2.x)
    Improved validation when unmarshalling enum types[1].

Workflow Enhancements

  • GitHub Integration
    Configurations in config.toml can now sync with Supabase branches via GitHub pushes[4].
  • CI/CD Improvements
    Optimized for automated workflows with reduced superuser requirements for schema migrations[5][8].

Upgrade Recommendations

  • For npm users: npm update supabase --save-dev
  • For Homebrew: brew upgrade supabase
  • Restart local containers after updating:
supabase stop --no-backup
supabase start

These changes emphasize configurability, security hardening, and smoother CI/CD integration[3][4][8].


Supabase CLI version update verified as non-breaking.

The changelog shows that between v2.9.6 and v2.12.0, the changes focus on enhanced configurability (e.g., optional config file, vault secrets management, CAPTCHA configuration), runtime and dependency upgrades, plus various bug fixes and workflow improvements. No breaking changes were noted that would adversely affect the CLI usage.

packages/ui/package.json (1)

73-73: Verify Tailwind and PostCSS versions.

Let's confirm if these are valid versions, as they seem unusually high.

Also applies to: 85-85, 87-87

✅ Verification successful

🌐 Web query:

What are the latest stable versions of tailwindcss and postcss?

💡 Result:

The latest stable versions as of February 2025 are:

Tailwind CSS:

  • v4.x series (v4.0.0 released January 22, 2025[1][4])
    Key improvements include:
  • Up to 100x faster incremental builds[1][7]
  • Zero-configuration setup with automatic content detection[1][7]
  • Native support for modern CSS features like container queries and cascade layers[1][7]

PostCSS:

  • v8.x series (v8.5.2 updated hours before query time[6][10])
    Notable changes since v7:
  • Native ES modules support[2]
  • Improved source map handling[2]
  • Deprecated legacy plugin API[2]

For Tailwind users needing PostCSS integration, install @tailwindcss/postcss separately[3][9].


Tailwind & PostCSS Versions Verified

The versions in the UI package are updated correctly. According to the latest available information as of February 2025, Tailwind CSS v4.x (including patch releases like v4.0.6) and PostCSS v8.5.2 are indeed the current stable versions. The bump for @tailwindcss/postcss to ^4.0.6 is consistent with these releases.

apps/rewise/package.json (3)

36-39: LGTM: Consistent workspace dependency management.

Good practice using workspace:* for all internal dependencies. This ensures consistent versioning across the monorepo.

Also applies to: 82-83


40-42: Verify security advisories for updated Vercel packages.

Let's check for any security advisories in the updated Vercel packages.

✅ Verification successful

🏁 Script executed:

#!/bin/bash
# Check for security advisories in Vercel packages.
# The GraphQL `package` argument takes the full npm name: for a scoped
# package that is "@vercel/analytics", not the bare "analytics", which
# names a different npm package and would make this lookup vacuous.
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: NPM, package: "@vercel/analytics") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 342


I'll now run the equivalent query for the Vercel Speed Insights package to complete our verification.


🏁 Script executed:

#!/bin/bash
# Check for security advisories in the Vercel Speed Insights package.
# Same point as above: query the full scoped name "@vercel/speed-insights",
# not the bare "speed-insights".
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: NPM, package: "@vercel/speed-insights") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 347

Security advisories verified for updated Vercel packages.

The executed GraphQL queries for both "@vercel/analytics" and "@vercel/speed-insights" returned no vulnerabilities, confirming that the updated versions (^1.5.0 and ^1.2.0, respectively) do not have reported security advisories.


51-51: Verify the Next.js update and related dependencies.

The update to Next.js and its related packages (react-email, remark-gfm) should be tested to ensure compatibility.

Also applies to: 127-127, 137-137, 139-139

✅ Verification successful

🌐 Web query:

Are there any breaking changes or known issues in Next.js 15.1.7?

💡 Result:

Next.js 15.1.x introduced several notable changes and issues, with specific considerations for version 15.1.7 based on recent updates:

Breaking Changes

  • React 19 Requirement: Next.js 15.1+ now requires React 19 as a minimum version due to internal error handling changes[4].
  • Middleware API Changes: The geo and ip properties were removed from NextRequest, requiring migration to @vercel/functions for Vercel deployments[8].

Known Issues

  • Memory Leaks:
    • Versions 15.1.3–15.1.6 exhibited significant memory spikes in Azure/AWS deployments, often linked to middleware usage or Node.js versions[2][9]. Users reported improvements after upgrading to Node.js ≥23, avoiding certain monitoring tools (e.g., Sentry), or downgrading middleware[2][9].
    • A setTimeout-related leak was patched in v15.2-canary (backported to later fixes)[9].
  • Middleware Stability: Empty middleware files could trigger leaks[2], resolved partially by updates like v15.1.6[9].

Recommendations

  • For stability: Upgrade Node.js (≥23) and test middleware configurations thoroughly[2][9].
  • Monitor updates via Next.js’s GitHub releases for backported fixes[9].

While no explicit release notes for v15.1.7 are provided, earlier fixes (e.g., v15.1.6) addressed critical leaks, suggesting iterative improvements in minor patches[2][9].


Next.js 15.1.7 Compatibility Requires React 19 and Middleware Review
Based on the web query results, Next.js 15.1.7 introduces a few important changes:

  • It now requires React 19 as a minimum version. Please confirm that the project is upgraded accordingly.
  • The Middleware API has changed (e.g., removal of geo and ip properties from NextRequest), so any custom middleware should be checked for compatibility.
  • Previous memory leak issues noted in earlier 15.1.x patches have been addressed iteratively, but testing (especially with Node.js versions ≥23) is recommended.

Also, ensure that related dependencies (such as react-email and remark-gfm) are compatible with these adjustments. Overall, if your project meets the new React requirement and the middleware adjustments have been reviewed, the update appears acceptable.

apps/nova/package.json (1)

50-60: LGTM: Consistent @tiptap-pro updates.

All @tiptap-pro extensions have been updated to version ^2.17.4, maintaining consistency across the codebase.

apps/mira/package.json (1)

150-150: Verify the xlsx dependency using a local tarball.

The project uses a local tarball for xlsx (vendor/xlsx-0.20.3.tgz). Consider updating to the latest version from npm if available.

❌ Incorrect review comment

🌐 Web query:

What is the latest version of xlsx package?

💡 Result:

The latest version of the xlsx package available on npm remains 0.18.5, last published 3 years ago[2][6]. This version lock stems from SheetJS (the maintainers) ceasing npm registry updates while continuing development through alternative distribution channels like direct CDN links[1][2].

Key Details:

  • npm status: Permanently frozen at v0.18.5 since March 2022[2][4]
  • Security considerations: Vulnerabilities exist in older versions (e.g., ReDoS attacks in <0.20.2)[6], but npm users can't access newer patched versions through standard updates
  • Workarounds:
    Developers requiring newer versions must modify package.json to use CDN-hosted builds like:
    {
      "resolutions": {
        "xlsx": "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"
      }
    }
    However, this bypasses npm security checks and version management[1][6].

Alternatives:

  • The node-xlsx wrapper package (latest v0.24.0) uses SheetJS under the hood while providing updated interfaces[7]
  • Direct browser scripts via CDNs like unpkg host newer builds like v0.19.x[2][5]

For most npm-based projects, v0.18.5 remains the de facto "latest" despite known limitations[1][4]. Projects requiring security patches or modern features must weigh CDN risks against frozen npm packages[1][6].


xlsx dependency: Local tarball version is newer than npm’s version

The web query confirms that the latest version on npm is 0.18.5, whereas the project’s local tarball is at version 0.20.3. Since the npm version is effectively frozen and older, using the local tarball ensures you’re utilizing a more recent version.

Likely an incorrect or invalid review comment.

apps/web/package.json (1)

174-175: Verify TypeScript ESLint plugin compatibility.

The update to @typescript-eslint plugins (^8.24.0) should be verified for compatibility with the TypeScript version (^5.7.3).

Also applies to: 186-187

✅ Verification successful

🌐 Web query:

What is the minimum TypeScript version required for @typescript-eslint v8.24.0?

💡 Result:

The minimum required TypeScript version for @typescript-eslint v8.24.0 is ≥4.8.4, as specified in its supported dependency ranges[9]. This aligns with the project's policy of supporting TypeScript versions less than two years old and mirroring DefinitelyTyped's support window[9].

For context:

  • The v8 release raised the minimum from ≥4.7.x to ≥4.8.x to reduce maintenance complexity[1][3][5]
  • Supported TypeScript versions are explicitly listed as >=4.8.4 <5.8[9]

Always verify compatibility using npm install with exact versions if working in constrained environments[3][9].


Compatibility Verified: TypeScript ^5.7.3 Meets @typescript-eslint v8.24.0 Requirements

The query confirms that @typescript-eslint v8.24.0 requires a minimum of TypeScript ≥4.8.4 and supports versions lower than 5.8. Since our project uses TypeScript ^5.7.3, it is fully compatible with @typescript-eslint v8.24.0.
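The advisory check in the review above only tells you whether any advisory exists for a package; what a reviewer of a dependency bump actually needs is whether the new version still falls inside an advisory's vulnerableVersionRange. The following is an added example, not the PR's code or CodeRabbit's script: it builds the GraphQL query with the full scoped package name and tests bumped versions against GitHub-style range strings, using a constructed advisory response (the real Vercel packages return no nodes, as the review states; @example/widget is a hypothetical placeholder package).

```python
"""Added example: check bumped npm versions against GitHub advisory ranges,
offline, using a constructed response; @example/widget is a hypothetical package."""
import json
import re

# Bumped packages from the PR (caret dropped) plus the placeholder package.
BUMPED = {"@vercel/analytics": "1.5.0", "@vercel/speed-insights": "1.2.0",
          "@example/widget": "1.4.2"}

# Constructed response keyed by package: the real packages returned no nodes
# (as the review states); the placeholder carries a made-up advisory.
SAMPLE_RESPONSE = {
    "@vercel/analytics": [],
    "@vercel/speed-insights": [],
    "@example/widget": [{
        "advisory": {"summary": "constructed example advisory", "severity": "HIGH"},
        "vulnerableVersionRange": ">= 1.0.0, < 1.5.0",
        "firstPatchedVersion": {"identifier": "1.5.0"},
    }],
}

def advisory_query(package: str, first: int = 5) -> str:
    """GraphQL query text; the `package` argument must be the full scoped npm
    name (e.g. "@vercel/analytics"), which json.dumps quotes for us."""
    return ("{ securityVulnerabilities(first: %d, ecosystem: NPM, package: %s) {"
            " nodes { advisory { summary severity publishedAt }"
            " vulnerableVersionRange firstPatchedVersion { identifier } } } }"
            % (first, json.dumps(package)))

def parse_version(v: str) -> tuple:
    """'15.1.7' -> (15, 1, 7); missing parts are 0, pre-release tags ignored."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def in_range(version: str, vuln_range: str) -> bool:
    """True when version satisfies every comma-separated comparator of a GitHub
    vulnerableVersionRange such as '>= 1.0.0, < 1.5.0' or '< 0.20.2'."""
    v = parse_version(version)
    for part in vuln_range.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", part)
        if not m:
            raise ValueError(f"unparseable comparator: {part!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def affected(bumped: dict, response: dict) -> list:
    """Return (package, version, summary) for each bump still inside a vulnerable range."""
    hits = []
    for pkg, version in bumped.items():
        for node in response.get(pkg, []):
            if in_range(version, node["vulnerableVersionRange"]):
                hits.append((pkg, version, node["advisory"]["summary"]))
    return hits
```

Feeding the real response of `gh api graphql` into `affected()` in place of SAMPLE_RESPONSE turns the "any advisory exists" check into a "this bump is still affected" check; the `< 0.20.2` range quoted in the xlsx discussion above is the kind of string `in_range` parses.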

@vhpx vhpx merged commit 9ea1db8 into main Feb 11, 2025
13 checks passed
@vhpx vhpx deleted the chore/bump-deps branch February 11, 2025 05:54