
chore(deps): clear Dependabot alerts + bring all dependencies to latest#131

Merged
phildenhoff merged 13 commits into main from dependabot on Jun 24, 2026
@phildenhoff

Patches the open Dependabot alerts and then brings every dependency (JS + Rust) to its latest installable version. Each step was verified independently (tsc/tsgo, vite build, 184 vitest tests, Storybook build, cargo check/test, biome lint), and the two high-risk migrations (React 19, dependency churn) were smoke-tested by running the app.

Security — Dependabot alerts

Fixes 10 of 11 open alerts:

Remaining: glib 0.18 (#22) — Linux-only, pinned by tauri's frozen gtk-rs 0.18 GTK3 stack. No fix available upstream; recommend dismissing.

Toolchain to latest

  • Build chain: vite 8, vitest 4, Storybook 8 → 10 (consolidated packages; migrated @storybook/preview-api imports)
  • React 18 → 19 (nullable refs; dropped deprecated MutableRefObject) — verified by running the app: routing, search filtering, and the book-edit page all work
  • TypeScript 6, then type-checking via TypeScript 7 native (tsgo) — ~6.7× faster than tsc; the typescript package stays for tooling/editor
  • cargo update (all Rust crates within semver); biome 2.5.1, faker 10, unplugin-icons 23, postcss-load-config 6
  • @tanstack/react-router 1.29 → 1.170, all @tauri-apps/@radix-ui packages, zustand/dompurify/clsx, etc.

Cleanup

Removed dead packages with zero references: bits-ui, @crabnebula/tauri-plugin-drag (JS), @melt-ui/pp, @fontsource/fira-mono, and the entire unused Tailwind stack (tailwindcss/tailwind-merge/tailwind-variants + tailwind.config.js) — the app styles with CSS Modules + clsx, Tailwind was never wired into the build.

🤖 Generated with Claude Code

phildenhoff and others added 10 commits June 13, 2026 18:08
The main window starts hidden and is revealed from the frontend once
settings hydrate. show() made it visible but never activated the app,
so Citadel could launch behind whatever window already had focus. Focus
the window right after showing it, mirroring the settings-window pattern.

Fixes CDL-16

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Resolves 10 of 11 open Dependabot alerts:
- vite 5 -> 6.4.3: server.fs.deny bypass (#50), optimized-deps .map path
  traversal (#27), launch-editor NTLMv2 disclosure (#51)
- tar 0.4.44 -> 0.4.46 (#47/#24/#23)
- tauri 2.10.3 -> 2.11.3 (#42)
- rand -> 0.9.4 / 0.10.1 (#32/#28); cargo update dropped the vulnerable
  rand 0.7.3 / 0.8.5 from the phf build chain (#33)

Bumped @vitejs/plugin-react-swc -> 4 and Storybook 8 -> 8.6.18 for vite 6
peer compatibility. Verified: web build, 184 vitest tests, storybook build,
cargo check + cargo test all green.

glib 0.18 (#22) remains: Linux-only, pinned by tauri's frozen gtk-rs 0.18
stack; no fix available upstream.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
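
A lockfile check for the Rust crate bumps listed in the commit message above, as an added example that is not part of this pull request or the project's code. It assumes the versions the commit moved to (tar 0.4.46, tauri 2.11.3, rand 0.9.4 / 0.10.1) can be treated as per-line minimums; `FLOORS`, `SAMPLE_LOCK` and `findStale` are hypothetical names, and the lockfile excerpt is constructed.

```javascript
// Floors are the versions the commit message moved to; treating them as
// per-line minimums is an assumption (advisory ranges are not on the page).
const FLOORS = new Map([
  ["tar", ["0.4.46"]],
  ["tauri", ["2.11.3"]],
  ["rand", ["0.9.4", "0.10.1"]],
]);

// Constructed Cargo.lock excerpt, not the repository's real lockfile.
const SAMPLE_LOCK = `
[[package]]
name = "rand"
version = "0.8.5"

[[package]]
name = "rand"
version = "0.9.4"

[[package]]
name = "tar"
version = "0.4.44"
`;

// Numeric x.y.z parts; pre-release and build suffixes are ignored.
const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);

function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Cargo treats 0.x releases as separate compatibility lines (0.9 vs 0.10).
const semverLine = (v) => (parse(v)[0] === 0 ? parse(v).slice(0, 2).join(".") : `${parse(v)[0]}`);

function findStale(lockText) {
  const stale = [];
  const re = /\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"/g;
  for (const [, name, version] of lockText.matchAll(re)) {
    const floors = FLOORS.get(name);
    if (!floors) continue;
    // Same-line floor if one exists; else the lowest floor, so a lingering
    // older line (rand 0.8.x) is still reported.
    const floor = floors.find((f) => semverLine(f) === semverLine(version)) ?? [...floors].sort(compare)[0];
    if (compare(version, floor) < 0) stale.push(`${name} ${version} < ${floor}`);
  }
  return stale;
}

console.log(findStale(SAMPLE_LOCK));
```

In CI, pass the contents of the real Cargo.lock to `findStale` and fail the job when the returned list is not empty.
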
…ok 10)

Unblocks the latest toolchain now that Storybook 10 lifts the vite<=6 peer
cap that held the previous commit at vite 6.

- vite 6.4.3 -> 8.1.0 (now rolldown-based)
- vitest 3.2.6 -> 4.1.9
- storybook 8.6 -> 10.4.6: dropped the consolidated packages
  (addon-essentials, addon-interactions, blocks, test) now folded into core;
  added @storybook/addon-docs; bumped storybook-dark-mode -> 5 and
  @chromatic-com/storybook -> 5 for SB10 peer support
- migrated @storybook/preview-api imports -> storybook/preview-api subpath

Verified: web build (vite 8), 184 vitest tests, storybook build, biome lint.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pulls every dependency to the newest version satisfying its existing semver
range. Notable: @tanstack/react-router 1.29 -> 1.170 (regenerated
routeTree.gen.ts to the new format), typescript 5.3 -> 5.9, all @tauri-apps
plugins/api/cli to latest 2.x, all @radix-ui primitives, zustand/dompurify/
clsx/tailwind-merge/postcss/autoprefixer.

React stays on 18 (normalized to ~18.2.0); major-version bumps left for
follow-up. Verified: tsc, vite 8 build, 184 vitest tests, storybook build.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Low-risk dev-only major/minor bumps verified independently:
- @biomejs/biome 2.4.16 -> 2.5.1 (lint + format clean)
- @faker-js/faker 8.4.1 -> 10.5.0 (only stable namespaced APIs used in
  test factories; 184 vitest tests pass)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Verifiable dev/build-tooling majors:
- typescript 5.9 -> 6.0.3: migrated tsconfig off the now-deprecated `baseUrl`
  (paths resolve relative to the config dir under moduleResolution "bundler")
- unplugin-icons 0.18 -> 23.0.1 (vite plugin loads; build clean)
- postcss-load-config 5 -> 6.0.1 (autoprefixer still applies in build output)

Verified: tsc, vite 8 build, 184 vitest tests, storybook build.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop four dependencies with zero references outside package.json (leftovers
from the pre-Radix / Svelte era):
- bits-ui (Svelte component lib)
- @crabnebula/tauri-plugin-drag (JS side; the Rust plugin stays)
- @melt-ui/pp (Svelte preprocessor)
- @fontsource/fira-mono (unused font)

Verified: vite 8 build + 184 vitest tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- react / react-dom 18.2 -> 19.2.7, @types/react(-dom) -> 19
- ref props now nullable per React 19 types: RefObject<T> -> RefObject<T | null>
  in use-library-keymap and BookGrid
- replace deprecated MutableRefObject with RefObject (unified + mutable in 19)

Entry point already uses createRoot. Verified: tsc, vite 8 build, 184 vitest
tests, storybook build, biome lint. Runtime smoke-test to follow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Tailwind was never wired into the build: no @tailwind/@import directives, no
PostCSS or Vite Tailwind plugin, and zero imports of tailwindcss/
tailwind-merge/tailwind-variants in src. The app styles entirely with CSS
Modules + clsx, and tailwind.config.js was abandoned shadcn scaffolding whose
HSL vars don't match the real --ctd-*/--pal- OKLCH tokens in styles.css.

Removed tailwindcss, tailwind-merge, tailwind-variants, and tailwind.config.js.
Kept clsx, postcss, autoprefixer (all in active use). Verified: vite 8 build
(autoprefixer still applies), 184 vitest tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Migrate the build's type-check step from tsc to the native Go compiler:
- add @typescript/native-preview (tsgo) as a dev dependency
- build:web now runs `tsgo && vite build`; add a `typecheck` script
- keep the `typescript` package (6.x) installed — Vite, Storybook docgen and
  the editor still consume its language-service API

tsgo type-checks this repo cleanly (paths + project references + composite)
in ~0.28s vs ~1.9s for tsc (~6.7x faster). Native binaries resolve per
platform via optional deps, so CI on ubuntu-22.04 + macos-15 both use it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@phildenhoff phildenhoff enabled auto-merge (squash) June 24, 2026 08:23
@github-actions

libcalibre Test Coverage Report

Overall coverage: 81.63%

📊 Download HTML Report

Coverage breakdown available in the artifacts.

The text-merge of Cargo.lock dropped quick-xml (added by main's metadata SRU
work); cargo check re-locked it. Workspace compiles + all tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

libcalibre Test Coverage Report

Overall coverage: 81.63%

📊 Download HTML Report

Coverage breakdown available in the artifacts.

The codebase uses ES2022 APIs (Array/String.prototype.at) while tsconfig
declared lib ES2020. tsc tolerated this; the TS7 native compiler (tsgo) does
not, so CI's build_app failed with TS2550 ("change lib to es2022 or later")
on 4 files. Raise target + lib to ES2022 to match what the code actually uses.

Verified with both tsc and tsgo; full build:web passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

libcalibre Test Coverage Report

Overall coverage: 81.63%

📊 Download HTML Report

Coverage breakdown available in the artifacts.

@phildenhoff phildenhoff merged commit cb78707 into main Jun 24, 2026
7 checks passed
@phildenhoff phildenhoff deleted the dependabot branch June 24, 2026 08:43