@muneebs muneebs commented Nov 11, 2025

  • Updated several development dependencies to address security vulnerabilities and improve compatibility
  • Updated Next.js README with correct import path: @csrf-armor/nextjs/client

Summary by CodeRabbit

  • Documentation

    • Updated import path examples in the Next.js package documentation for better clarity.
  • Chores

    • Updated development dependencies and build tooling versions across packages for improved compatibility and stability.

coderabbitai bot commented Nov 11, 2025

Walkthrough

Behold! Dependencies are strengthened across the realm: vitest and changesets elevated to newer versions, vite overrides inscribed, and the testing-library jest-dom revised. The Express package relinquishes its vitest dependency, whilst the Next.js documentation is corrected to reveal the true client entry point.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Root dependency updates: `package.json` | Upgraded changesets (changelog-github, cli), vitest ecosystem (coverage-v8, ui, core), and added pnpm override for vite ^6.4.1 |
| Express package adjustments: `packages/express/package.json` | Removed vitest from devDependencies |
| Next.js documentation correction: `packages/nextjs/README.md` | Updated import statements in code examples to use '@csrf-armor/nextjs/client' entry point instead of main package entry |
| Next.js dependency refresh: `packages/nextjs/package.json` | Upgraded @testing-library/jest-dom from ^6.6.3 to ^6.9.1 |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify that the vitest removal from packages/express/package.json does not affect the build or test pipelines for that workspace
  • Confirm that the pnpm override for vite does not introduce version conflicts with existing dependencies
  • Check that the README import path change from '@csrf-armor/nextjs' to '@csrf-armor/nextjs/client' aligns with the actual package exports structure

Suggested reviewers

  • raulcrisan

Poem

A wizard arrives, not late but on schedule!
Dependencies revised, their versions now stable,
Vitest departs from express, as the fates have drawn,
Import paths corrected in Next.js's dawn,
All is in order—the repo ascends! 🧙‍♂️

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: updating development dependencies and addressing vulnerable packages, which aligns with all modifications across multiple package.json files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 28b2ada and 19ae4b8.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • package.json (1 hunks)
  • packages/express/package.json (1 hunks)
  • packages/nextjs/README.md (4 hunks)
  • packages/nextjs/package.json (1 hunks)
🔇 Additional comments (4)
packages/nextjs/package.json (1)

62-62: A timely refresh of the testing instruments.

The jest-dom library hath been elevated from ^6.6.3 to ^6.9.1 — a prudent maintenance update. This minor version bump bringeth improved compatibility with @testing-library/react ^16.3.0 and strengtheneth the testing foundations. By the rules of semantic versioning, such changes remain backward compatible.

packages/nextjs/README.md (1)

116-116: The documentation hath been corrected to reflect the true paths of the realm.

Across thy README, the import paths for client-side components have been rightfully amended:

  • import {CsrfProvider} from '@csrf-armor/nextjs/client' (lines 116, 143, 256, 276)
  • import {useCsrf} from '@csrf-armor/nextjs/client' (lines 158, 294)

These corrections align the examples with the package's actual export structure, where "./client": "./dist/client/index.js" is declared in package.json. Thus shall developers no longer stumble upon import errors, for the documentation now showeth the true way.

Also applies to: 143-143, 158-158, 256-256, 276-276, 294-294

package.json (2)

39-46: Verify test compatibility with vitest v4 and vite v6.4.1 override; clarify the necessity of vite v6.4.1.

The realm's fortifications are well-wrought, yet the path ahead is treacherous. While thy test configurations remain unadorned and free of deprecated incantations, these major version ascensions require verification:

Vitest v4 introduces significant breaking changes including coverage remapping and mocking API alterations, though thy codebase appears spared from the deprecated patterns (no __vitest_executor, no reliance on vi.restoreAllMocks quirks).

The greater peril lies in the vite v6.4.1 pnpm override: tsdown explicitly does not guarantee full compatibility with Vite internals, particularly across major version boundaries. Since thy build process relies upon tsdown, confirm that this specific version pair functions as intended.

Pray verify through actual test execution:

  • Run pnpm test in each package and confirm all tests pass
  • Run pnpm test:coverage and verify coverage reports generate without error
  • Confirm the tsdown build completes successfully with vite v6.4.1

Additionally, clarify in the PR description why vite v6.4.1 specifically was chosen as an override—doth it resolve a particular conflict with tsdown, or is it merely the latest minor?


51-52: Vite v6 override secures compatibility with breaking API changes.

The vite ^6.4.1 override is not arbitrary—Vite v6 introduced major breaking changes that demand careful attention. The web results illuminate several transformations: a new Environment API and Module Runner replaced the experimental Runtime API, defaults for resolve.conditions and JSON handling were altered, and Sass now uses the modern API by default. Low-level internal APIs were also removed, potentially affecting plugins and integrations.

This constraint pins your project to Vite v6.x, guarding against future major versions that may introduce further upheaval. However, the wisdom lies in verification: you must confirm that your codebase, plugins, and framework integrations have been properly migrated to work with these new patterns. The Vite 6 Migration Guide and Breaking Changes pages should be consulted, and your full app and plugins (especially custom ones and framework integrations) should be thoroughly tested.

Inquire of yourself: have all thy dependencies and build configurations been updated to align with this new Vite dispensation? If doubt clouds your judgment, a careful review of thy configuration and plugin usage is warranted ere proceeding.


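The reviewer's third verification item, checking that README import paths line up with the package's declared exports map, as an added example (not code from the PR or the csrf-armor project): the package.json fragment and README snippet below are constructed; the package name and the `./client` subpath are the ones the PR discusses.

```javascript
// Added example: verify that every import of a package found in a README
// targets a subpath declared in that package's "exports" map. Node only
// resolves subpaths listed there, so an undeclared one fails at runtime.

// Constructed package.json fragment; the "./client" entry mirrors the
// export the PR's README fix points at.
const PKG = {
  name: '@csrf-armor/nextjs',
  exports: {
    '.': './dist/index.js',
    './client': './dist/client/index.js',
  },
};

// Constructed README snippet: the first import is correct, the second
// resolves to the main entry, the third targets a subpath that does not exist.
const README = `
import { CsrfProvider } from '@csrf-armor/nextjs/client';
import { useCsrf } from '@csrf-armor/nextjs';
import { something } from '@csrf-armor/nextjs/server';
`;

// Map an import specifier onto the key Node would look up in "exports":
// the bare package name is ".", "<pkg>/x" is "./x", other packages are null.
function exportKeyFor(specifier, pkgName) {
  if (specifier === pkgName) return '.';
  if (specifier.startsWith(pkgName + '/')) {
    return '.' + specifier.slice(pkgName.length);
  }
  return null;
}

// Return the import specifiers in `readme` that belong to `pkg` but have
// no matching key in its exports map.
function findUndeclaredImports(readme, pkg) {
  const importRe = /from\s+['"]([^'"]+)['"]/g;
  const missing = [];
  for (const match of readme.matchAll(importRe)) {
    const key = exportKeyFor(match[1], pkg.name);
    if (key !== null && !(key in pkg.exports)) missing.push(match[1]);
  }
  return missing;
}

console.log(findUndeclaredImports(README, PKG)); // ["@csrf-armor/nextjs/server"]
```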

@muneebs muneebs merged commit a4bf07a into main Nov 11, 2025
5 checks passed