update deps

[nextify2025]

Summary by cubic

Bump dependencies across all apps and packages to current minor/patch versions for stability and compatibility. No functional or API changes; internal packages are patch-released.

• Dependencies
  • Runtime/libs: better-auth 1.3.13, hono 4.9.8, zod 4.1.11, @trpc/* 11.5.1, shiki 3.13.0, motion 12.23.16
  • Web: next 15.5.3, ai 5.0.48, @tanstack/react-query (+devtools) 5.89.0, react-hook-form 7.63.0, @hookform/resolvers 5.2.2, posthog-js/node updates
  • Cloudflare/edge: @cloudflare/workers-types 4.20250921.0, @opennextjs/cloudflare 1.8.3, @scalar/hono-api-reference 0.9.19
  • UI/DX: tailwindcss and @tailwind plugins 4.1.13, react-router-dom 7.9.1, react-day-picker 9.11.0, tw-animate-css 1.3.8
  • Docs/search: fumadocs (core/ui/mdx) updates, @orama/* 3.1.14
  • Tooling: @babel/runtime beta.2, @changesets/cli 2.29.7, knip 5.63.1, types packages; bun.lock regenerated

Summary by CodeRabbit

• Chores
  • Updated dependencies across apps and packages to improve stability and compatibility (including Tailwind, React Hook Form, React Router, Zod, Hono, React Query, Next, PostHog, Shiki, Orama, Better Auth, Cloudflare Workers Types, and related tooling).
  • Incremented app/package versions to reflect patch updates; no functional changes.
• Documentation
  • Changelogs updated for all affected apps and packages to record dependency upgrades and patch releases.

[coderabbitai]

Walkthrough

Project-wide maintenance update: bumped package versions and dependencies across apps, packages, and the root workspace, and added corresponding changelog entries. No source code, control flow, or public API changes are introduced.

Changes

Cohort / File(s)	Summary of Changes
Changelogs (apps) apps/builder/CHANGELOG.md, apps/cdn/CHANGELOG.md, apps/deploy-workflow/CHANGELOG.md, apps/deploy/CHANGELOG.md, apps/dispatcher/CHANGELOG.md, apps/docs/CHANGELOG.md, apps/email/CHANGELOG.md, apps/screenshot/CHANGELOG.md, apps/web/CHANGELOG.md	Added new patch version entries noting dependency updates; no functional changes.
Changelogs (packages) packages/auth/CHANGELOG.md, packages/better-auth-cloudflare/CHANGELOG.md, packages/better-auth-stripe/CHANGELOG.md, packages/common/CHANGELOG.md, packages/email/CHANGELOG.md, packages/shikicode/CHANGELOG.md, packages/ui/CHANGELOG.md	Added patch changelog entries indicating dependency bumps; no API changes.
App manifests apps/builder/package.json, apps/cdn/package.json, apps/deploy-workflow/package.json, apps/deploy/package.json, apps/dispatcher/package.json, apps/docs/package.json, apps/email/package.json, apps/screenshot/package.json, apps/web/package.json	Version bumps and dependency updates (e.g., hono, zod, react-hook-form, react-router-dom, @scalar/hono-api-reference, motion, @tanstack/react-*; tooling types and Tailwind/Vite/CF plugins). No script or config logic changes.
Package manifests packages/auth/package.json, packages/better-auth-cloudflare/package.json, packages/better-auth-stripe/package.json, packages/common/package.json, packages/email/package.json, packages/shikicode/package.json, packages/ui/package.json	Version bumps; updated deps/peerDeps/devDeps (e.g., better-auth, TRPC 11.5.1, zod 4.1.11, shiki 3.13.0, Tailwind-related). No code changes.
Root manifest package.json	Updated workspace devDeps/deps (e.g., @babel/runtime beta.2, @biomejs/biome 2.2.4, @changesets/cli 2.29.7, CF workers types, Node/React types, zod). No scripts/engines changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I thump my paws—new versions bloom,
Carrots of semver scent the room.
Changelogs rustle, tidy and bright,
Packages hop to a higher height.
No code paths twist, no features sway—
Just fresher greens for build day. 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title Check	❓ Inconclusive	The title "update deps" is related to the changeset (the PR primarily bumps dependency versions across many packages) but is too generic to be useful to reviewers or future readers. It does not indicate the scope, affected packages, or that this is a chore/non-functional change, so it fails to communicate the primary change clearly. Per the guidance that vague titles like "misc updates" are inconclusive, this title should be treated as inconclusive.	Please update the PR title to a concise, descriptive form such as "chore(deps): bump dependency versions across monorepo" or a more specific variant like "chore(deps): bump zod, hono, @cloudflare/workers-types and apps/web" that names the scope or key packages; prefer the "chore(deps):" prefix and list a few high-impact packages or affected apps to aid reviewers. After updating the title, re-run the checks or request a quick review to confirm clarity.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 20250921

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR updates various dependencies across multiple packages and applications in the monorepo. The changes include version bumps for UI libraries, authentication packages, development tools, and other core dependencies.

Key changes:

• Updates across 18 different packages/apps with patch version increments
• Dependencies updated include TailwindCSS, React libraries, Better Auth, tRPC, and various development tools
• All changes are accompanied by appropriate CHANGELOG.md entries

Reviewed Changes

Copilot reviewed 33 out of 34 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
packages/ui/package.json	Updates TailwindCSS, React components, and UI-related dependencies
packages/shikicode/package.json	Updates Shiki syntax highlighting library
packages/email/package.json	Updates Zod validation library
packages/common/package.json	Updates tRPC packages for API communication
packages/better-auth-stripe/package.json	Updates Better Auth and Better Call dependencies
packages/better-auth-cloudflare/package.json	Updates Better Auth and Cloudflare worker types
packages/auth/package.json	Updates Better Auth CLI tools
package.json	Updates root-level dev dependencies including Babel, Biome, and Node types
apps/web/package.json	Updates AI SDKs, React Query, Next.js, and various UI dependencies
apps/screenshot/package.json	Updates Hono framework and API reference tools
apps/email/package.json	Updates React Email dependencies
apps/docs/package.json	Updates Fumadocs and Orama search dependencies
apps/dispatcher/package.json	Updates Hono and API tooling
apps/deploy/package.json	Updates Hono and development dependencies
apps/deploy-workflow/package.json	Updates Hono and API reference tools
apps/cdn/package.json	Updates Hono and API reference dependencies
apps/builder/package.json	Updates React Router, TailwindCSS, and Vite tooling
All CHANGELOG.md files	Adds version entries documenting the dependency updates

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[cubic-dev-ai]

1 issue found across 34 files

Prompt for AI agents (all 1 issues)

Understand the root cause of the following 1 issues and fix them.


<file name="apps/builder/package.json">

<violation number="1" location="apps/builder/package.json:59">
The `@types/node` version in this package is inconsistent with the monorepo&#39;s requirement of Node.js v24+. This can lead to incorrect type definitions and build errors.</violation>
</file>

_{React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[cubic-dev-ai]

The @types/node version in this package is inconsistent with the monorepo's requirement of Node.js v24+. This can lead to incorrect type definitions and build errors.

Prompt for AI agents

Address the following comment on apps/builder/package.json at line 59:

<comment>The `@types/node` version in this package is inconsistent with the monorepo&#39;s requirement of Node.js v24+. This can lead to incorrect type definitions and build errors.</comment>

<file context>
@@ -32,45 +32,45 @@
   &quot;devDependencies&quot;: {
-    &quot;@types/node&quot;: &quot;^22.18.0&quot;,
-    &quot;@types/react&quot;: &quot;^19.1.12&quot;,
+    &quot;@types/node&quot;: &quot;^22.18.6&quot;,
+    &quot;@types/react&quot;: &quot;^19.1.13&quot;,
     &quot;@types/react-dom&quot;: &quot;^19.1.9&quot;,
</file context>

Suggested change

	"@types/node": "^22.18.6",
	"@types/node": "^24.5.2",

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (13)

packages/common/CHANGELOG.md (1)

3-8: Changelog entry OK; add date and specifics for traceability.

Consider adding the release date and listing bumped packages/versions (e.g., trpc packages -> ^11.5.1) instead of just “update deps”.

packages/shikicode/CHANGELOG.md (1)

3-8: Changelog is minimal; prefer explicit dependency list.

Add the release date and enumerate key updated deps to aid consumers scanning changes.

packages/better-auth-stripe/CHANGELOG.md (1)

3-8: Entry looks good; make bumps explicit.

Suggest noting better-auth -> ^1.3.13 (and dev: better-call -> ^1.0.19) for quick auditing.

packages/better-auth-cloudflare/CHANGELOG.md (1)

3-8: Looks good; include exact version bumps for auditing.

Recommend noting better-auth -> ^1.3.13 and peer bumps (@cloudflare/workers-types, @opennextjs/cloudflare) in the entry.

packages/email/package.json (1)

6-7: Minor: “main” and “types” point to .ts sources.

Since this package is private, this is fine. If you ever publish it, switch to built JS and .d.ts outputs to avoid consumer toolchain issues.

apps/web/package.json (3)

9-9: Broken clean script.

"clean": "rm -rf " has no target and does nothing. Fix or remove.

-    "clean": "rm -rf ",
+    "clean": "rm -rf .next .turbo node_modules",

---

21-21: Typo in fix script (knif → knip).

This prevents running the intended tool.

-    "fix": "bun knif",
+    "fix": "bun knip",

---

61-61: Align Next and bundle analyzer versions.

Next is ^15.5.3 but @next/bundle-analyzer is 15.4.2; recommend matching patch to avoid plugin/APIs mismatch.

-    "@next/bundle-analyzer": "15.4.2"
+    "@next/bundle-analyzer": "15.5.3"

Also applies to: 82-82

apps/deploy-workflow/CHANGELOG.md (1)

3-11: Add date and PR link for traceability

Include the release date (YYYY-MM-DD) and PR #28 to improve auditability of this entry.

apps/screenshot/CHANGELOG.md (1)

3-11: Changelog hygiene: add date/PR reference

Mirror other entries by adding the release date and PR #28 for this 1.0.8 patch.

apps/cdn/CHANGELOG.md (1)

3-10: Good: aligns with @libra/[email protected]

Entry accurately reflects the auth bump. Consider adding the release date and PR #28 for consistency.

apps/deploy/CHANGELOG.md (1)

3-11: Entry looks correct; add metadata

The dependency bumps match the PR scope. Add date and PR #28 for traceability.

apps/screenshot/package.json (1)

17-29: Optional: switch internal workspace deps from "" to "workspace:"

Using workspace:* improves resolution and avoids accidentally pulling published versions during installs.

Apply in this file’s dependencies block:

-    "@libra/auth": "*",
-    "@libra/common": "*",
-    "@libra/db": "*",
-    "@libra/middleware": "*",
-    "@libra/sandbox": "*",
-    "@libra/templates": "*",
-    "@libra/typescript-config": "*",
+    "@libra/auth": "workspace:*",
+    "@libra/common": "workspace:*",
+    "@libra/db": "workspace:*",
+    "@libra/middleware": "workspace:*",
+    "@libra/sandbox": "workspace:*",
+    "@libra/templates": "workspace:*",
+    "@libra/typescript-config": "workspace:*",

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d527abd and 203900d.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (33)

• apps/builder/CHANGELOG.md (1 hunks)
• apps/builder/package.json (2 hunks)
• apps/cdn/CHANGELOG.md (1 hunks)
• apps/cdn/package.json (2 hunks)
• apps/deploy-workflow/CHANGELOG.md (1 hunks)
• apps/deploy-workflow/package.json (2 hunks)
• apps/deploy/CHANGELOG.md (1 hunks)
• apps/deploy/package.json (2 hunks)
• apps/dispatcher/CHANGELOG.md (1 hunks)
• apps/dispatcher/package.json (2 hunks)
• apps/docs/CHANGELOG.md (1 hunks)
• apps/docs/package.json (2 hunks)
• apps/email/CHANGELOG.md (1 hunks)
• apps/email/package.json (2 hunks)
• apps/screenshot/CHANGELOG.md (1 hunks)
• apps/screenshot/package.json (2 hunks)
• apps/web/CHANGELOG.md (1 hunks)
• apps/web/package.json (3 hunks)
• package.json (1 hunks)
• packages/auth/CHANGELOG.md (1 hunks)
• packages/auth/package.json (2 hunks)
• packages/better-auth-cloudflare/CHANGELOG.md (1 hunks)
• packages/better-auth-cloudflare/package.json (2 hunks)
• packages/better-auth-stripe/CHANGELOG.md (1 hunks)
• packages/better-auth-stripe/package.json (2 hunks)
• packages/common/CHANGELOG.md (1 hunks)
• packages/common/package.json (2 hunks)
• packages/email/CHANGELOG.md (1 hunks)
• packages/email/package.json (2 hunks)
• packages/shikicode/CHANGELOG.md (1 hunks)
• packages/shikicode/package.json (2 hunks)
• packages/ui/CHANGELOG.md (1 hunks)
• packages/ui/package.json (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: Code Quality & Type Checking
• GitHub Check: Publish to Cloudflare Workers
• GitHub Check: Code Quality & Validation
• GitHub Check: Code Quality & Validation
• GitHub Check: Code Quality & Validation
• GitHub Check: Publish Docs to Cloudflare Workers

🔇 Additional comments (29)

packages/common/package.json (2)

3-3: Approved — package.json version matches CHANGELOG (1.0.3). packages/common/package.json = 1.0.3; packages/common/CHANGELOG.md latest header = 1.0.3.

---

26-29: tRPC v11 — remove duplicate @trpc/react-query or justify coexistence; confirm TS/React peers

• packages/common/package.json currently lists both @trpc/react-query and @trpc/tanstack-react-query (both ^11.5.1) — remove @trpc/react-query or document why both are required. (packages/common/package.json: lines 26–29)
• Workspace @tanstack/react-query is v5 (apps/web: ^5.89.0; apps/vite-shadcn-template: ^5.84.1; apps/builder: ^5.89.0) — compatible with tRPC v11 adapter.
• TypeScript: most packages use ^5.9.2; exceptions packages/middleware and apps/opennext-cache use ^5.8.3 — verify these satisfy tRPC v11 peer requirements and that React peer versions across apps match tRPC v11 expectations.

apps/email/CHANGELOG.md (1)

3-10: Changelog: record exact dependency versions and link this PR

• apps/email/CHANGELOG.md: keep the explicit bump but make package.json and changelog consistent — apps/email/package.json currently has "@libra/email": "*" so either pin it to "1.0.5" or change the changelog to match.
• Drop the zod suggestion — apps/email/package.json has no zod dependency (jq returned null).
• Add a link to this PR in the changelog for traceability.

Likely an incorrect or invalid review comment.

packages/email/CHANGELOG.md (1)

3-8: Version note OK — package.json aligned; zod upgraded

packages/email/package.json is v1.0.5 (was 1.0.4); CHANGELOG entry matches. Dependency change: zod ^4.1.5 → ^4.1.11 (no other deps changed in this diff).

apps/docs/CHANGELOG.md (1)

3-8: Changelog entry looks good.

Patch entry clearly states “update deps”; nothing else to do.

packages/ui/CHANGELOG.md (1)

3-8: LGTM on changelog.

Patch entry matches the dependency hygiene theme of the PR.

packages/shikicode/package.json (1)

3-3: Version bump recorded; good.

No public API surface here; safe patch.

packages/auth/package.json (2)

3-3: Version bump is fine.

No behavioral change implied here.

---

31-31: @better-auth/cli upgrade — re-run codegen and confirm auth schema is unchanged.

Sandbox couldn't run bun (bun: command not found). Run locally:
bunx @better-auth/cli generate --config packages/auth/auth-server.ts --output packages/auth/db/schema/auth-schema.ts -y
and verify git shows no changes to packages/auth/db/schema/auth-schema.ts.

apps/builder/CHANGELOG.md (1)

3-8: Changelog entry is consistent with the PR scope.

Good to merge.

packages/email/package.json (2)

3-3: Version bump confirmed — changelog entry present for 1.0.5.
packages/email/CHANGELOG.md contains a "## 1.0.5" Patch Changes entry; no action required.

---

21-21: Peer deps OK — @t3-oss/env-nextjs ^0.13.8 accepts Zod v4

packages/email/package.json uses @t3-oss/env-nextjs ^0.13.8 whose peerDependencies list "zod": "^3.24.0 || ^4.0.0-beta.0"; semver allows stable 4.x to satisfy that comparator, so zod ^4.1.11 is compatible (the original note about env-nextjs 0.11.1 is outdated).

apps/email/package.json (2)

3-3: Resolved — 1.0.1 changelog entry present. apps/email/CHANGELOG.md contains a "## 1.0.1" Patch Changes section listing dependency updates (includes @libra/[email protected]).

---

12-12: react-email@^4.2.11 — verified: no breaking changes; ensure Node >=18

Changelog shows 4.2.9–4.2.11 are patch fixes (preview-server patched alongside) and no breaking changes are documented; published package metadata lists engines >=18 and peer React 18/19 support. Confirm your dev/CI Node is >=18 and run the preview-server locally if you rely on it.

apps/web/CHANGELOG.md (1)

3-16: Verify changelog dependency versions vs package.json (apps/web/CHANGELOG.md lines 3-16)

Automated check could not locate @libra/better-auth-cloudflare and did not find the other @libra packages in package.jsons — verification is inconclusive. Confirm that the versions listed in this changelog block match the committed package.json dependency versions, or provide the package.json paths so I can re-run the check.

apps/cdn/package.json (1)

3-3: CDN app deps align with the rest; LGTM.

No breaking changes expected from these patch bumps. Keep lockfile in sync.

Also applies to: 16-18

packages/better-auth-stripe/package.json (1)

3-3: Stripe plugin deps updated; check peer expectations from better-auth.

Looks good. Please confirm no peer range conflicts with other auth plugins and that test suite passes.

Also applies to: 42-42, 46-46

packages/better-auth-cloudflare/package.json (1)

3-3: Cloudflare plugin: deps/peers align with root; LGTM.

Minor bump only. Ensure consuming apps have matching peers (@cloudflare/workers-types and @opennextjs/cloudflare).

Also applies to: 34-34, 40-42

packages/ui/package.json (1)

3-3: UI package tailwind/react- bumps look safe; verify PostCSS/TW plugin compat.*

Ensure no breaking changes from tailwindcss 4.1.13 and @tailwindcss/postcss 4.1.13 in your PostCSS config.

Also applies to: 18-29, 37-37

package.json (3)

31-41: Action: Normalize divergent dependency versions across workspaces

• hono: ^4.8.4, ^4.8.12, ^4.9.8
• zod: ^4.0.14, ^4.1.11
• @cloudflare/workers-types: ^4.20250712.0, ^4.20250723.0, ^4.20250803.0, ^4.20250921.0
• @opennextjs/cloudflare: ^1.6.2, ^1.8.3
• @tanstack/react-query: ^5.84.1, ^5.89.0
• react-hook-form: ^7.62.0, ^7.63.0
• tailwindcss: ^4.1.11, ^4.1.13

Choose a single target version per package (or adopt workspace ranges/protocol), update workspace package.json files to match, then re-run the version-check script to confirm.

---

31-41: Confirm @babel/runtime v8 beta or revert to stable v7

package.json contains "@babel/runtime": "^8.0.0-beta.2" (devDependency) while bun.lock shows both @babel/[email protected] and many packages depending on @babel/[email protected] — either complete a full Babel 8 migration and validate the toolchain, or pin/revert to @babel/runtime@^7.x (or remove if helpers are unused).
Location: package.json (lines 31–41)

---

54-56: Approve dependency bumps — no breaking changes found.
Changelogs/npm show only feature/ and bugfix entries for better-auth 1.3.7→1.3.13 and @opennextjs/cloudflare 1.7→1.8; no BREAKING CHANGE notes.
File: package.json (lines 54-56, 59)

apps/dispatcher/package.json (1)

18-23: Run targeted TypeScript typecheck for dispatcher (Cloudflare Workers types bumped)

apps/dispatcher/package.json: @cloudflare/workers-types = ^4.20250921.0; hono = ^4.9.8; zod = ^4.1.11. No issues from this version check — run a localized typecheck (tsc --noEmit in apps/dispatcher or your workspace typecheck) to catch any Cloudflare types drift.

apps/deploy/package.json (1)

23-27: Align dependency versions across workspaces and run a full typecheck.

apps/deploy (lines 23–27): hono ^4.9.8, @scalar/hono-api-reference ^0.9.19, zod ^4.1.11.
Other package.jsons contain hono ^4.8.12 and ^4.8.4, and zod ^4.0.14.
Cloudflare types differ: apps/vite-shadcn-template: ^4.20250803.0; apps/opennext-cache: ^4.20250723.0; apps/dispatcher: ^4.20250921.0; apps/builder: ^4.20250921.0.

Pick target versions, update workspace package.json files for consistency, then run workspace install and a TypeScript typecheck (tsc --noEmit or CI) to catch latent breakages.

apps/web/package.json (1)

28-75: Large dep surface bump — quick sanity checks

• Found imports to validate: apps/web/components/client-providers.tsx:25 — import posthog from 'posthog-js'; apps/web/ai/providers.ts:26 — import { customProvider } from 'ai'; apps/web/ai/generate.ts:22 — import { streamText } from 'ai'.
• Static usage matches current upstream docs (posthog-js uses a default import; ai exports streamText/generateText), but this cannot guarantee a clean build. Run a local dev/build and CI to catch ESM/CJS init errors or API signature changes with React 19 / Next 15.
• If you see runtime/build errors: avoid mixing posthog entrypoints (dist/module.* vs default import) and either pin the working versions or update callsites to the new ai API.

apps/docs/package.json (1)

12-20: fumadocs trio kept in lockstep — good

All fumadocs packages bumped together; motion/zod patches are safe. Proceed.

packages/auth/CHANGELOG.md (1)

3-14: No action required — internal dependency versions verified

All versions listed in packages/auth/CHANGELOG.md match the package.json entries: @libra/[email protected], @libra/[email protected], @libra/[email protected], @libra/[email protected], @libra/[email protected].

apps/builder/package.json (1)

62-75: Tailwind v4 + Vite 6 — local check OK, PostCSS compatible

• apps/builder has no tailwind.config.* and its package.json uses tailwindcss ^4.1.13, @tailwindcss/vite ^4.1.13, postcss ^8.5.6 and vite ^6.3.6 — no legacy v3 config found in that package. Tailwind v4 auto-detects sources (so the old content array is not required) and the PostCSS plugin moved to @tailwindcss/postcss; the Vite plugin (@tailwindcss/vite) is the recommended integration and supports Vite 6. (tailwindcss.com)

apps/deploy-workflow/package.json (1)

3-3: Add "private": true to apps/deploy-workflow/package.json; CHANGELOG entry for 1.0.5 confirmed.

Mark package private to avoid accidental publishes — CHANGELOG.md contains "## 1.0.5" (line 3).

Apply:

 {
   "name": "@libra/deploy-workflow",
+  "private": true,
   "version": "1.0.5",

[coderabbitai]

⚠️ Potential issue

🧩 Analysis chain

Check Router 7 and RHF minor bumps against our usage

react-router-dom 7.9.1 and react-hook-form 7.63.0 can introduce subtle type/runtime shifts. Sanity-check common hooks (useSearchParams, useForm, Controller) in builder routes/forms.

Run quick repo-wide scans for potentially changed APIs:

---

🏁 Script executed:

#!/bin/bash
# Router v7 common surfaces
rg -nP -C2 --type=ts --type=tsx '\b(useRoutes|createBrowserRouter|RouterProvider|useSearchParams|useNavigation|Link)\b' apps/builder

# RHF breaking-ish spots
rg -nP -C2 --type=ts --type=tsx '\b(useForm|Controller|useController|FormProvider)\b' apps/builder

Length of output: 55

---

🏁 Script executed:

#!/bin/bash
# Router v7 common surfaces
rg -nP -C2 -g '*.ts' -g '*.tsx' '\b(useRoutes|createBrowserRouter|RouterProvider|useSearchParams|useNavigation|Link)\b' apps/builder

# RHF breaking-ish spots
rg -nP -C2 -g '*.ts' -g '*.tsx' '\b(useForm|Controller|useController|FormProvider)\b' apps/builder

Length of output: 1688

---

Fix react-hook-form version; verify RHF usage — router bump low-risk

• Critical: apps/builder/package.json pins "react-hook-form": "^7.63.0" but upstream releases/npm show latest 7.62.0 — update package.json to an existing version (e.g. ^7.62.0) or confirm 7.63.0 is published to avoid install failures.
• RHF usage to sanity-check: apps/builder/src/components/ui/form.tsx imports Controller, FormProvider, useFormContext and renders <Controller {...props}/> — run targeted tests/validation after the bump.
• Router: I found no react-router hooks used in apps/builder; react-router-dom 7.9.1 is a patch release (low-risk for this app).

🤖 Prompt for AI Agents

In apps/builder/package.json around lines 35 to 57, the pinned
"react-hook-form": "^7.63.0" does not appear to exist upstream and will cause
install failures; update the dependency to a published version (e.g. "^7.62.0")
or verify that 7.63.0 is actually published and replace it only if confirmed,
then run installs; after changing, run targeted tests and validate
apps/builder/src/components/ui/form.tsx (which imports Controller, FormProvider,
useFormContext and renders <Controller {...props}/>) to ensure API compatibility
with the chosen RHF version and adjust imports/usages if necessary; no change
required for react-router-dom 7.9.1 as it appears low-risk for this app.

[coderabbitai]

🛠️ Refactor suggestion

🧩 Analysis chain

Verify Hono-related compatibility across the monorepo and align workspace deps.

• Ensure hono@^4.9.8, @hono/zod-openapi@^0.19.10, and @scalar/hono-api-reference@^0.9.19 have no peer/version clashes and are consistent across all packages.
• Consider switching internal @libra/* from "*" to a workspace range ("workspace:*" or link:) for determinism and to avoid accidentally resolving registry versions if any package becomes public.

Repo-wide sanity checks:

If your workspace tool supports it, update internal deps:

-    "@libra/auth": "*",
+    "@libra/auth": "workspace:*",
-    "@libra/common": "*",
+    "@libra/common": "workspace:*",
-    "@libra/db": "*",
+    "@libra/db": "workspace:*",
-    "@libra/middleware": "*",
+    "@libra/middleware": "workspace:*",
-    "@libra/sandbox": "*",
+    "@libra/sandbox": "workspace:*",
-    "@libra/templates": "*",
+    "@libra/templates": "workspace:*",
-    "@libra/typescript-config": "*",
+    "@libra/typescript-config": "workspace:*",

Optionally add:

+  "packageManager": "[email protected]",
+  "engines": { "node": ">=20", "bun": ">=1.1" },

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- Hono versions across repo ---'
fd -a package.json | while read -r f; do
  dep=$(jq -r '.dependencies.hono // empty' "$f")
  dev=$(jq -r '.devDependencies.hono // empty' "$f")
  if [[ -n "$dep" || -n "$dev" ]]; then
    echo "$f -> deps:$dep devDeps:$dev"
  fi
done | sort

echo '--- @hono/zod-openapi versions across repo ---'
fd -a package.json | xargs -I{} jq -r '"{} -> " + (.dependencies["@hono/zod-openapi"] // empty)' {} | rg -n '-> .+' | sort

echo '--- @scalar/hono-api-reference versions across repo ---'
fd -a package.json | xargs -I{} jq -r '"{} -> " + (.dependencies["@scalar/hono-api-reference"] // empty)' {} | rg -n '-> .+' | sort

echo '--- Internal @libra/* deps using "*" ---'
fd -a package.json | while read -r f; do
  jq -r '
    .dependencies // {} | to_entries[] | select(.key|startswith("@libra/")) | select(.value=="*") |
    "'$f' -> \(.key): \(.value)"' "$f"
done | sort

Length of output: 1102

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- package.json files ---'
fd -a package.json | sort

echo '--- Hono versions across repo (dependencies & devDependencies) ---'
fd -a package.json | while read -r f; do
  dep=$(jq -r '.dependencies.hono // empty' "$f")
  dev=$(jq -r '.devDependencies.hono // empty' "$f")
  if [[ -n "$dep" || -n "$dev" ]]; then
    printf '%s -> deps:%s devDeps:%s\n' "$f" "$dep" "$dev"
  fi
done | sort

echo '--- @hono/zod-openapi versions across repo (dependencies & devDependencies) ---'
fd -a package.json | while read -r f; do
  dep=$(jq -r '.dependencies["@hono/zod-openapi"] // empty' "$f")
  dev=$(jq -r '.devDependencies["@hono/zod-openapi"] // empty' "$f")
  if [[ -n "$dep" || -n "$dev" ]]; then
    printf '%s -> deps:%s devDeps:%s\n' "$f" "$dep" "$dev"
  fi
done | sort

echo '--- @scalar/hono-api-reference versions across repo (dependencies & devDependencies) ---'
fd -a package.json | while read -r f; do
  dep=$(jq -r '.dependencies["@scalar/hono-api-reference"] // empty' "$f")
  dev=$(jq -r '.devDependencies["@scalar/hono-api-reference"] // empty' "$f")
  if [[ -n "$dep" || -n "$dev" ]]; then
    printf '%s -> deps:%s devDeps:%s\n' "$f" "$dep" "$dev"
  fi
done | sort

echo '--- Internal @libra/* deps using "*" ---'
fd -a package.json | while read -r f; do
  jq -r '
    .dependencies // {} | to_entries[] | select(.key|startswith("@libra/")) | select(.value=="*") |
    "'$f' -> \(.key): \(.value)"' "$f" | sed '/^$/d'
done | sort || true

echo '--- Internal @libra/* versions (dependencies & devDependencies) ---'
fd -a package.json | while read -r f; do
  jq -r '
    ((.dependencies // {}) + (.devDependencies // {})) | to_entries[] | select(.key|startswith("@libra/")) |
    "'$f' -> \(.key): \(.value)"' "$f" | sed '/^$/d'
done | sort || true

Length of output: 11237

---

Align Hono versions and convert internal @libra/ deps to workspace ranges*

• Hono is inconsistent across the repo: ^4.9.8 is used in apps/builder, apps/cdn, apps/deploy-workflow, apps/deploy, apps/dispatcher, apps/screenshot; apps/vite-shadcn-template uses ^4.8.12 and packages/middleware uses ^4.8.4. Unify to a single version (recommend ^4.9.8) across the monorepo.
• @hono/zod-openapi (^0.19.10) and @scalar/hono-api-reference (^0.9.19) are aligned in apps/cdn, apps/deploy-workflow, apps/deploy, apps/dispatcher, and apps/screenshot.
• Replace internal @libra/* deps set to "" with "workspace:" for determinism in these files: apps/cdn/package.json, apps/deploy-workflow/package.json, apps/deploy/package.json, apps/dispatcher/package.json, apps/email/package.json, apps/screenshot/package.json, apps/web/package.json, packages/api/package.json, packages/auth/package.json, packages/db/package.json, packages/middleware/package.json, packages/sandbox/package.json, scripts/package.json.

Apply changes repo-wide (Hono bump + switch "" → "workspace:") and run a full install/lockfile refresh to validate.

🤖 Prompt for AI Agents

In apps/deploy-workflow/package.json around lines 19-21, Hono is set to "^4.9.8"
and internal dependencies using "*" should be deterministic; update this file so
Hono remains "^4.9.8" (to align with the monorepo standard) and change any
internal @libra/* dependency versions that are currently "*" to "workspace:*";
after making these edits, run a full package install and refresh the lockfile
(e.g., npm/yarn/pnpm install) to validate dependency resolution across the repo.

[coderabbitai]

⚠️ Potential issue

🧩 Analysis chain

Good: includes dependency bump reference to @libra/[email protected].

Add release date and optionally list external bumps (hono, zod, @scalar/hono-api-reference) for clarity.

Quick consistency check:

---

🏁 Script executed:

#!/bin/bash
# Verify apps/dispatcher/package.json reflects these versions
jq -r '.name, .version, .dependencies.hono, .dependencies.zod, .dependencies["@scalar/hono-api-reference"], .dependencies["@libra/common"]' apps/dispatcher/package.json

Length of output: 49

---

Action required: align CHANGELOG and package.json for @libra/common

• CHANGELOG lists @libra/[email protected] but apps/dispatcher/package.json has "@libra/common": "*"; update package.json to the intended 1.0.3 (or correct the CHANGELOG) so they match.
• Add a release date to apps/dispatcher/CHANGELOG.md.
• Optional: enumerate external bumps for clarity — hono (^4.9.8), zod (^4.1.11), @scalar/hono-api-reference (^0.9.19).

Files: apps/dispatcher/CHANGELOG.md, apps/dispatcher/package.json.

🤖 Prompt for AI Agents

In apps/dispatcher/CHANGELOG.md lines 3-10 and apps/dispatcher/package.json, the
changelog claims @libra/[email protected] while package.json pins "@libra/common":
"*" and the changelog lacks a release date; update package.json to depend on
"1.0.3" (or change the changelog to reflect the actual version you intend), add
a release date entry to apps/dispatcher/CHANGELOG.md for the 1.0.11 entry, and
optionally expand the changelog's Patch Changes to enumerate external bumps
(hono ^4.9.8, zod ^4.1.11, @scalar/hono-api-reference ^0.9.19) so package.json
and CHANGELOG are consistent.

[coderabbitai]

⚠️ Potential issue

🧩 Analysis chain

Hono + Scalar + zod compatibility check; Node types in Workers

The version trio (hono 4.9.8, @scalar/hono-api-reference 0.9.19, zod 4.1.11) should be fine; confirm @hono/zod-openapi 0.19.10 peers align. Also ensure Node types don’t leak into Worker runtime (keep tsconfig types clean for this app).

---

🏁 Script executed:

#!/bin/bash
# Check for mixed DOM/Node typings in the Worker app's tsconfig
fd tsconfig.json apps/screenshot -x cat {} | jq -r '.compilerOptions.types, .compilerOptions.lib' | sed '/null/d'

# Confirm only one hono and zod version in lockfile
rg -n 'hono@|zod@' pnpm-lock.yaml package-lock.json yarn.lock 2>/dev/null || true

Length of output: 43

---

Remove 'node' from apps/screenshot/tsconfig.json types (Cloudflare Worker) and verify Hono/Zod peers

• apps/screenshot/tsconfig.json has compilerOptions.types = ["@cloudflare/workers-types","node"] — remove "node" (or move Node types to a separate dev-only tsconfig) to avoid Node typings leaking into the Worker runtime (blocking).
• rg for 'hono@|zod@' returned no lockfile matches in the repo; check your lockfile (pnpm-lock.yaml / package-lock.json / yarn.lock) and ensure a single compatible hono/zod version and that @hono/[email protected] peer dependencies align.

🤖 Prompt for AI Agents

In apps/screenshot/tsconfig.json around lines referenced by the reviewer
(compilerOptions.types), remove "node" from the types array (or move Node types
into a separate dev-only tsconfig used only by non-Worker tools) so Cloudflare
Worker typings are not polluted by Node types; additionally, inspect the repo
lockfile (pnpm-lock.yaml / package-lock.json / yarn.lock) to ensure there is a
single compatible version of hono and zod installed, and confirm
@hono/[email protected] peer dependencies match those versions (bump or align
package.json entries and reinstall to update the lockfile if necessary).

[coderabbitai]

⚠️ Potential issue

🧩 Analysis chain

Shiki 3.13.0: ESM/engine considerations.

Shiki v3 is ESM-only and generally assumes modern Node runtimes; ensure your tsup config and Node/Bun versions align to avoid build-time resolution issues (even as a devDependency).

---

🌐 Web query:

Does shiki 3.13.0 have any Node engine or ESM-only constraints that differ from 3.12.2?

💡 Result:

Short answer: There’s no 3.13.0 release for shiki on npm/GitHub — the latest v3 release shown is 3.12.2 — and shiki is published ESM-only (package.json uses "type":"module" / .mjs exports). There’s no separate Node "engines" requirement in the package manifest; CJS consumers must use dynamic import interop. [1][2][3]

Sources:

• npm / package listing showing v3.12.2 as latest. [1]
• Official docs: "shiki is published as ESM-only" (CJS possible via dynamic import). [2]
• Example package.json (shows "type": "module" and .mjs exports). [3]

---

Shiki: ^3.13.0 not published; ESM/runtime considerations.

• packages/shikicode/package.json (line 16): "shiki": "^3.13.0" — v3.13.0 is not published (latest v3 is 3.12.2). Pin to a published version (e.g., ^3.12.2) or update to a valid release.
• Shiki v3 is ESM-only ("type":"module" / .mjs exports). Ensure tsup build config and your Node/Bun target support ESM or use dynamic-import interop for CJS consumers to avoid build/runtime resolution failures.

🤖 Prompt for AI Agents

In packages/shikicode/package.json around line 16, the dependency "shiki":
"^3.13.0" references a non-published release and v3 is ESM-only; update the
dependency to a published v3 release (e.g., "shiki": "^3.12.2") or a valid newer
release, and then ensure the build/runtime supports ESM: adjust tsup to target
ESM (or set "format": ["esm"] / appropriate target), set Node/Bun target
compatibility, or implement dynamic-import interop (lazy import()/create a small
ESM wrapper) so CJS consumers don’t break; make these dependency + build changes
together to avoid resolution/runtime failures.