
Security: Update dependencies to fix CVE vulnerabilities#304

Merged
kdy1 merged 1 commit into main from security/update-dependencies-fix-cve on Dec 6, 2025

Conversation


@kdy1 kdy1 commented Dec 6, 2025

Summary

This PR updates all dependencies with known CVE vulnerabilities to their latest secure versions.

Security Audit Results:

  • Before: 24 vulnerabilities (2 critical, 1 high, 17 moderate, 4 low)
  • After: ✅ No known vulnerabilities found

Updated Packages

Critical Security Fixes

Moderate Security Fixes

Additional Updates

All other dependencies were also updated to their latest compatible versions for better security and stability.

Test Plan

  • Verify pnpm audit shows no vulnerabilities
  • Run pnpm build to ensure all builds succeed
  • Test critical features in plugins app
  • Test documentation site functionality

🤖 Generated with Claude Code

This update resolves all known CVE vulnerabilities by updating the following packages:

- Next.js: 15.3.4 → 15.4.8
  - Fixes critical RCE vulnerability (GHSA-9qr9-h5gf-34mp)
  - Fixes moderate SSRF vulnerability (GHSA-4342-x723-ch2f)
  - Fixes moderate cache key confusion (GHSA-g5qg-72qw-gw5v)
  - Fixes moderate content injection (GHSA-xv57-4mr9-wg8v)

- next-auth: 5.0.0-beta.25 → 5.0.0-beta.30
  - Fixes moderate email misdelivery vulnerability (GHSA-5jpx-9hw9-2fx4)

- markdown-to-jsx: 6.11.4 → 7.4.0
  - Fixes moderate XSS vulnerability (GHSA-4wx3-54gh-9fr9)

- lint-staged: 13.3.0 → 15.2.11
  - Fixes micromatch ReDoS vulnerability (GHSA-952p-6rrq-rcjv)

Security audit now shows: No known vulnerabilities found

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
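A CI gate for the `pnpm audit` step of the test plan above, as an added example that is not part of the PR or the project. It assumes `pnpm audit --json` emits npm-audit-style JSON with a `metadata.vulnerabilities` severity summary and an `advisories` map (`module_name`, `severity`, `github_advisory_id`); the two reports below are constructed to mirror the PR's before/after numbers.

```javascript
// Added example: gate CI on the output of `pnpm audit --json`. Not part of the PR.
// Assumption: pnpm emits npm-audit-style JSON with `metadata.vulnerabilities`
// severity counts and an `advisories` map (module_name, severity, github_advisory_id).
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Advisories at or above `threshold`, most severe first, as one-line labels.
function findBlockingAdvisories(report, threshold = "moderate") {
  const minRank = SEVERITIES.indexOf(threshold);
  if (minRank < 0) throw new Error(`unknown severity threshold: ${threshold}`);
  return Object.values(report.advisories || {})
    .filter((a) => SEVERITIES.indexOf(a.severity) >= minRank)
    .sort((a, b) => SEVERITIES.indexOf(b.severity) - SEVERITIES.indexOf(a.severity))
    .map((a) => `${a.module_name} ${a.severity} ${a.github_advisory_id}`);
}

// Total finding count from the report's own summary, across all severities.
function totalVulnerabilities(report) {
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  return SEVERITIES.reduce((n, s) => n + (counts[s] || 0), 0);
}

// Exit code for the CI step: 0 only when nothing at or above the threshold remains.
function auditExitCode(report, threshold = "moderate") {
  return findBlockingAdvisories(report, threshold).length === 0 ? 0 : 1;
}

// Constructed sample mirroring the PR's "before" summary (2 critical, 1 high,
// 17 moderate, 4 low = 24). Only the four advisories the PR names are spelled out.
const beforeReport = {
  metadata: { vulnerabilities: { info: 0, low: 4, moderate: 17, high: 1, critical: 2 } },
  advisories: {
    1: { module_name: "next", severity: "critical", github_advisory_id: "GHSA-9qr9-h5gf-34mp" },
    2: { module_name: "next", severity: "moderate", github_advisory_id: "GHSA-4342-x723-ch2f" },
    3: { module_name: "markdown-to-jsx", severity: "moderate", github_advisory_id: "GHSA-4wx3-54gh-9fr9" },
    4: { module_name: "micromatch", severity: "moderate", github_advisory_id: "GHSA-952p-6rrq-rcjv" },
  },
};
// Constructed sample mirroring the "after" state: no known vulnerabilities.
const afterReport = {
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0 } },
  advisories: {},
};

// In CI: `pnpm audit --json > audit.json`, then pass the parsed file to auditExitCode.
console.log("before:", totalVulnerabilities(beforeReport), findBlockingAdvisories(beforeReport));
console.log("after:", totalVulnerabilities(afterReport), "exit", auditExitCode(afterReport));
```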
Copilot AI review requested due to automatic review settings December 6, 2025 23:58
vercel bot commented Dec 6, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| plugins | Building | Preview | Comment | Dec 6, 2025 11:58pm |
| website | Building | Preview | Comment | Dec 6, 2025 11:58pm |

@kdy1 kdy1 merged commit 276c95c into main Dec 6, 2025
9 of 11 checks passed
@kdy1 kdy1 deleted the security/update-dependencies-fix-cve branch December 6, 2025 23:58

claude bot commented Dec 7, 2025

Pull Request Review: Security Dependency Updates

Overall Assessment

Recommendation: ✅ APPROVE with minor suggestions

This is an excellent security-focused PR that addresses critical vulnerabilities in the dependency tree. The updates are well-documented and follow best practices for dependency management.


Security Review ✅ EXCELLENT

Critical Fixes Addressed

  • Next.js 15.3.4 → 15.4.8: Resolves RCE (Remote Code Execution) vulnerability - CRITICAL priority
  • next-auth 5.0.0-beta.25 → 5.0.0-beta.30: Fixes email misdelivery vulnerability
  • markdown-to-jsx 6.11.4 → 7.4.0: Patches XSS vulnerability - Important for documentation site
  • lint-staged 13.0.3 → 15.2.11: Addresses micromatch ReDoS vulnerability

The PR successfully reduces the vulnerability count from 24 to 0, which is outstanding.


Code Quality ✅ GOOD

Strengths

  1. Minimal surface area: Only 4 files changed (package.json files + lockfile)
  2. Clear intent: Pure dependency updates with no code changes
  3. Version strategy: Uses caret ranges (^) appropriately for non-breaking updates
  4. Lockfile updated: pnpm-lock.yaml properly regenerated

Observations

  1. Large version jumps: Some packages have significant version increases (e.g., lint-staged 13→15, markdown-to-jsx 6→7)

    • These are major version bumps that may include breaking changes
    • Recommendation: Test thoroughly, especially markdown rendering and pre-commit hooks
  2. Radix UI updates: Comprehensive update of all @radix-ui components (1.x → 1.x/2.x)

    • Generally safe as they maintain backward compatibility
    • Watch for subtle UI behavior changes

Potential Issues ⚠️ MINOR CONCERNS

1. Breaking Changes Risk

  • markdown-to-jsx v6 → v7 is a major version bump

    • Impact: Documentation rendering in apps/website
    • Mitigation: Verify all .mdx files render correctly
  • lint-staged v13 → v15 skips v14 entirely

    • Impact: Pre-commit hook behavior
    • Mitigation: Test git commit flow with the new hooks

2. Beta Dependency

  • next-auth remains on beta (5.0.0-beta.30)
    • This is acceptable for addressing security issues
    • Consider migration to stable v5 when available

3. Version Consistency

  • Different React versions between apps:
    • plugins: react@19.0.0, react-dom@19.0.0
    • website: react@19.1.0, react-dom@19.1.0
    • This is fine for a monorepo but could lead to subtle issues
    • Recommendation: Consider aligning to same minor version

Performance Considerations ✅ NEUTRAL/POSITIVE

Positive Impacts

  • Newer Next.js versions typically include performance improvements
  • Updated dependencies may have optimizations

Potential Concerns

  • Larger bundle sizes possible with updated UI libraries
  • Recommendation: Run bundle analysis before/after to verify no significant size increase

Test Coverage 📋 NEEDS VERIFICATION

The PR description includes a test plan but checkboxes are unchecked:

- [ ] Verify `pnpm audit` shows no vulnerabilities
- [ ] Run `pnpm build` to ensure all builds succeed  
- [ ] Test critical features in plugins app
- [ ] Test documentation site functionality

Recommendations

  1. ✅ Complete the test plan checklist before merging
  2. Run pnpm audit to confirm 0 vulnerabilities
  3. Build both apps and verify no TypeScript/build errors
  4. Manually test:
    • Markdown rendering on documentation site
    • Authentication flows (due to next-auth update)
    • UI components in plugins app (due to Radix updates)
    • Git commit hooks (due to lint-staged update)

Best Practices Evaluation ✅ EXCELLENT

What's Done Well

  1. ✅ Security-first approach with CVE references
  2. ✅ Clear PR description with before/after metrics
  3. ✅ Links to security advisories (GHSA-*)
  4. ✅ Atomic change - only dependency updates
  5. ✅ Proper lockfile management

Suggestions for Future PRs

  1. Include before/after bundle size comparison
  2. Add screenshots/recordings if UI changes detected
  3. Consider splitting mega-updates into:
    • Critical security fixes (this PR)
    • Non-security dependency updates (separate PR)

Action Items Before Merge

Required ✋

  • Run pnpm install and verify lockfile is clean
  • Execute pnpm build in both apps
  • Run pnpm audit and confirm 0 vulnerabilities
  • Test markdown rendering (apps/website)
  • Test authentication flows (apps/plugins)
  • Test pre-commit hooks

Recommended 💡

  • Run bundle analysis to check for size regressions
  • Smoke test critical user flows in both apps
  • Verify no console errors/warnings in browser
  • Check for any deprecated API usage warnings

Additional Notes

Dependency Highlights

  • Next.js: Critical RCE fix - highest priority ⚠️
  • Tailwind CSS: 4.1.3 → 4.1.17 (stable minor updates)
  • TypeScript: Different versions across apps (4.9.5 vs 5.9.3) - intentional?
  • Prisma: 5.17.0 → 5.22.0 (good to stay current)

Migration Risks: LOW

Given this is primarily patch/minor updates with a few major bumps to actively maintained libraries, the risk is low. The major version bumps (lint-staged, markdown-to-jsx) are in dev/build-time dependencies, reducing runtime risk.


Final Verdict

APPROVE

This PR significantly improves the security posture of the project. The dependency updates are necessary and well-executed. Complete the testing checklist, and this is ready to merge.

Great work on staying on top of security vulnerabilities! 🎉


Review conducted with focus on security, code quality, performance, and testing - as requested.


Copilot AI left a comment


Pull request overview

This PR updates dependencies across the monorepo to address 24 known CVE vulnerabilities (2 critical, 1 high, 17 moderate, 4 low) by upgrading to secure versions. The updates focus on critical security fixes in Next.js (RCE and SSRF vulnerabilities), next-auth (email misdelivery), markdown-to-jsx (XSS), and lint-staged (ReDoS), while also updating numerous other packages to their latest stable versions.

  • Updates Next.js from 15.3.4 to 15.4.8 to fix critical RCE and moderate SSRF/cache/injection vulnerabilities
  • Updates next-auth from 5.0.0-beta.25 to 5.0.0-beta.30 to fix email misdelivery vulnerability
  • Updates markdown-to-jsx from 6.11.4 to 7.4.0 (major version) to fix XSS vulnerability
  • Updates lint-staged from 13.0.3 to 15.2.11 (multiple major versions) to fix ReDoS vulnerability

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| package.json | Updates root-level dev dependencies including lint-staged (13.0.3→15.2.11), husky, prettier, and turbo |
| apps/website/package.json | Updates Next.js, markdown-to-jsx (major version 6→7), and various dev dependencies including TypeScript types and Tailwind tooling |
| apps/plugins/package.json | Updates Next.js, next-auth, Prisma, all Radix UI components, TanStack libraries, React Hook Form, and numerous other production and dev dependencies |


"@types/node": "^18.19.130",
"@types/react": "19.0.12",
"autoprefixer": "^10.4.22",
"eslint-config-next": "15.3.0",

Copilot AI Dec 7, 2025


eslint-config-next is still at version 15.3.0 while Next.js has been updated to 15.4.8. The ESLint config version should typically match the Next.js version to ensure compatibility and get the latest lint rules. Consider updating this to 15.4.8 or a compatible version.

Suggested change
"eslint-config-next": "15.3.0",
"eslint-config-next": "15.4.8",

"@types/semver": "^7.5.8",
"@types/semver": "^7.7.1",
"autoprefixer": "10.4.17",
"eslint-config-next": "15.3.0",

Copilot AI Dec 7, 2025


eslint-config-next is still at version 15.3.0 while Next.js has been updated to 15.4.8. The ESLint config version should typically match the Next.js version to ensure compatibility and get the latest lint rules. Consider updating this to 15.4.8 or a compatible version.

Suggested change
"eslint-config-next": "15.3.0",
"eslint-config-next": "15.4.8",

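Review bot: this is the same exact `eslint-config-next` 15.3.0 pin flagged in the other app's package.json above, so the two apps would otherwise drift apart; if it is bumped to match next 15.4.8, change both files in the same commit so both apps lint against the same rule set.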
"lint-staged": "^13.0.3",
"prettier": "^2.7.1",
"husky": "^8.0.3",
"lint-staged": "^15.2.11",

Copilot AI Dec 7, 2025


lint-staged is being updated from ^13.0.3 to ^15.2.11, which is a major version jump spanning two major versions (13→14→15). Major version updates often include breaking changes to the configuration format or behavior. Please verify that the lint-staged configuration in this file (lines 29-35) is still compatible with version 15, particularly the glob patterns and command structure.

"zod": "^3.23.8"
"usehooks-ts": "^2.16.0",
"vaul": "^0.9.9",
"zod": "^3.25.76"

Copilot AI Dec 7, 2025


[nitpick] zod is being updated from ^3.23.8 to ^3.25.76, a minor version increase with 2 minor versions. While this should be backward compatible, Zod schema validation is critical for runtime type safety and data validation. Please ensure all existing Zod schemas, particularly those used for API validation and form validation, continue to work as expected after this update.

"next": "15.3.4",
"chart.js": "^3.9.1",
"focus-visible": "^5.2.1",
"markdown-to-jsx": "^7.4.0",

Copilot AI Dec 7, 2025


The markdown-to-jsx package is being updated from ^6.11.4 to ^7.4.0, which is a major version bump. Major version updates typically include breaking changes. Please verify that this update doesn't break any markdown rendering functionality in the website, particularly if the library is used by the nextra theme or other dependencies.

Suggested change
"markdown-to-jsx": "^7.4.0",
"markdown-to-jsx": "^6.11.4",

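Review bot: the suggested change at the end of this comment would put `markdown-to-jsx` back to `^6.11.4`, which is the version the PR description names as carrying the XSS advisory GHSA-4wx3-54gh-9fr9, so it must not be applied. The request to verify `.mdx` rendering under 7.4.0 stands, but that verification belongs in the test plan, not in a revert of the security fix.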
"@swc/types": "^0.1.25",
"@tailwindcss/postcss": "^4.1.17",
"@types/node": "^18.19.130",
"@types/react": "19.0.12",

Copilot AI Dec 7, 2025


@types/react is updated to 19.0.12 but the pnpm overrides section (line 42) still forces @types/react to 19.1.0. This creates a version mismatch. Consider either:

  1. Updating the pnpm override to 19.0.12 to match, or
  2. Updating the devDependency version to 19.1.0 to match the override

Currently, the override will win, making the declared version in devDependencies misleading.

Suggested change
"@types/react": "19.0.12",
"@types/react": "19.1.0",

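A check for the declared-version versus pnpm override mismatch described in the comment above, as an added example that is not the project's code. It assumes overrides sit under the `pnpm.overrides` key keyed by bare package name (pnpm reads them from the workspace root, so both the root file and the app's own file are consulted), and it compares strings literally, so a `^19.0.0` range against a `19.1.0` override is reported as well; the package.json fragments are constructed to model the `@types/react` case.

```javascript
// Added example: report dependencies whose declared version disagrees with a
// pnpm override, since the override silently wins at install time. Not project code.
// Assumption: overrides are under `pnpm.overrides`, keyed by bare package name;
// the comparison is literal, so a range vs an exact override is also reported.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Merge overrides from the workspace root first, then the package's own file,
// so a package-level entry can narrow a root one (later entries win).
function effectiveOverrides(...pkgs) {
  return Object.assign({}, ...pkgs.map((p) => (p && p.pnpm && p.pnpm.overrides) || {}));
}

// One record per mismatch: where it was declared, what was declared, what wins.
function findOverrideMismatches(pkg, rootPkg = null) {
  const overrides = effectiveOverrides(rootPkg, pkg);
  const mismatches = [];
  for (const field of DEP_FIELDS) {
    for (const [name, declared] of Object.entries(pkg[field] || {})) {
      const forced = overrides[name];
      if (forced !== undefined && forced !== declared) {
        mismatches.push({ field, name, declared, forced });
      }
    }
  }
  return mismatches;
}

// Constructed package.json fragment modelled on the mismatch the review points at:
// devDependencies pins @types/react to 19.0.12 while the override forces 19.1.0.
const websitePkg = {
  dependencies: { next: "15.4.8" },
  devDependencies: { "@types/node": "^18.19.130", "@types/react": "19.0.12" },
  pnpm: { overrides: { "@types/react": "19.1.0" } },
};
// After the suggested change the declaration and the override agree.
const websitePkgFixed = {
  dependencies: { next: "15.4.8" },
  devDependencies: { "@types/node": "^18.19.130", "@types/react": "19.1.0" },
  pnpm: { overrides: { "@types/react": "19.1.0" } },
};

console.log(findOverrideMismatches(websitePkg));      // one record for @types/react
console.log(findOverrideMismatches(websitePkgFixed)); // []
```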