fix: package.json & package-lock.json to reduce vulnerabilities

[Dargon789]

da3d63a

Summary by Sourcery

Update project dependencies and CI configuration to newer, pinned versions.

Bug Fixes:

• Address security and compatibility issues by upgrading multiple runtime dependencies and development tools to newer versions.

Enhancements:

• Refresh React, Next.js, Arcjet, and related libraries to their latest compatible releases.
• Upgrade TypeScript, Playwright, Sass, and React type definitions for improved tooling and type safety.
• Regenerate package-lock.json to align with the updated dependency graph.

CI:

• Relocate CircleCI configuration and pin the Docker base image to a specific version for reproducible builds.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
arcjet-example	Error		Feb 7, 2026 3:55am
arcjet-example-pvhg	Error		Feb 7, 2026 3:55am

[sourcery-ai]

Reviewer's Guide

This PR updates application and tooling dependencies to newer, less vulnerable versions and pins the CI Docker image to a specific tag for reproducible builds, with corresponding updates to the lockfile.

File-Level Changes

Change	Details	Files
Update runtime dependencies to newer, likely less vulnerable versions of Arcjet, Next.js, React, and related libraries.	Bump all @arcjet/* packages from 1.0.0-beta.9 to 1.1.0. Upgrade Next.js from 15.3.5 to 16.1.6 and next-auth from 5.0.0-beta.29 to 5.0.0-beta.30. Update UI and form libraries (@fontsource*, @hookform/resolvers, react-hook-form) and zod to their newer versions. Regenerate package-lock.json to reflect updated runtime dependency graph.	package.json package-lock.json
Update development and testing tooling dependencies to current versions.	Upgrade @playwright/test from 1.54.1 to 1.58.2 for E2E tests. Bump React type definitions (@types/react, @types/react-dom) to match newer React. Upgrade sass from 1.89.2 to 1.97.3 and TypeScript from 5.8.3 to 5.9.3. Regenerate package-lock.json to capture updated dev dependency tree.	package.json package-lock.json
Pin CI Docker image to a fixed CircleCI base image tag for more reproducible builds.	Move CircleCI configuration (or introduce GitHub directory variant) while keeping the existing job/workflow structure. Change Docker image from cimg/base:current to cimg/base:2024.01 and clarify the inline comment about pinning versions.	.circleci/config.yml .github/config.yml

Possibly linked issues

• [Snyk] Security upgrade @playwright/test from 1.54.1 to 1.55.1 #7: The PR upgrades @playwright/test (to 1.58.2), fulfilling the Snyk security upgrade requested in issue [Snyk] Security upgrade @playwright/test from 1.54.1 to 1.55.1 #7.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gemini-code-assist]

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on a comprehensive update of the project's dependencies to enhance security by addressing potential vulnerabilities and ensuring compatibility with the latest versions of key libraries. Additionally, it includes a significant refactoring of the continuous integration setup, transitioning from CircleCI to GitHub Actions, which streamlines the build and deployment processes.

Highlights

• Dependency Upgrades: Numerous project dependencies, including next, next-auth, react, react-dom, and various @arcjet packages, have been updated to their latest versions to improve stability and security.
• CI/CD Configuration Migration: The continuous integration setup has been migrated from CircleCI to GitHub Actions, marked by the renaming of .circleci/config.yml to .github/config.yml and an update to the base Docker image for CI jobs.
• Node.js Engine Requirement Updates: The minimum Node.js engine requirement has been standardized to version 20 or newer across several core packages, ensuring compatibility with modern runtime features and security patches.
• Dependency Tree Optimization: Several unused or deprecated dependencies, such as @swc/counter, busboy, and various color related packages, have been removed, leading to a leaner and more efficient dependency tree.

Changelog

• .circleci/config.yml
  • File renamed to .github/config.yml.
  • Docker base image for CI jobs updated from cimg/base:current to cimg/base:2024.01 for reproducible builds.
• package-lock.json
  • Reflected all dependency and dev dependency version updates from package.json.
  • Node.js engine requirements for @arcjet/* packages and nosecone updated from >=18 to >=20.
  • Node.js engine requirement for next updated to >=20.9.0.
  • Updated next-auth peer dependencies to include next: ^16.0.0 and nodemailer: ^7.0.7.
  • Removed dev: true flag from numerous optional dependencies, including @parcel/watcher, braces, detect-libc, fill-range, fsevents, is-extglob, is-glob, is-number, micromatch, node-addon-api, picomatch, and to-regex-range.
  • Removed @swc/counter, busboy, color, color-convert, color-name, color-string, simple-swizzle, streamsearch, and undici dependencies.
  • Added @arcjet/body and baseline-browser-mapping as new dependencies.
  • Added @img/colour, @img/sharp-libvips-linux-riscv64, and @img/sharp-linux-riscv64 as new optional dependencies.
  • Updated various @img/sharp-* and @img/sharp-libvips-* optional dependencies to newer versions (e.g., 0.34.3 to 0.34.5 and 1.2.0 to 1.2.4).
  • Updated oauth4webapi from 3.6.0 to 3.8.3.
• package.json
  • Updated @arcjet/* packages (decorate, env, ip, next) from 1.0.0-beta.9 to 1.1.0.
  • Updated @fontsource-variable/figtree from 5.2.8 to 5.2.10.
  • Updated @fontsource/ibm-plex-mono from 5.2.6 to 5.2.7.
  • Updated @hookform/resolvers from 5.1.1 to 5.2.2.
  • Updated @nosecone/next from 1.0.0-beta.9 to 1.1.0.
  • Updated @oddbird/css-anchor-positioning from 0.6.1 to 0.8.0.
  • Updated next from 15.3.5 to 16.1.6.
  • Updated next-auth from 5.0.0-beta.29 to 5.0.0-beta.30.
  • Updated react from 19.1.0 to 19.2.4.
  • Updated react-dom from 19.1.0 to 19.2.4.
  • Updated react-hook-form from 7.60.0 to 7.71.1.
  • Updated zod from 3.25.76 to 4.3.6.
  • Updated dev dependency @playwright/test from 1.54.1 to 1.58.2.
  • Updated dev dependency @types/react from 19.1.8 to 19.2.13.
  • Updated dev dependency @types/react-dom from 19.1.6 to 19.2.3.
  • Updated dev dependency sass from 1.89.2 to 1.97.3.
  • Updated dev dependency typescript from 5.8.3 to 5.9.3.

Activity

• The pull request was created by Dargon789 with the stated goal of fixing vulnerabilities through package updates.
• The changes primarily consist of automated dependency updates in package.json and package-lock.json, alongside a CI/CD configuration file rename and update.
• No additional human activity, such as comments, reviews, or approvals, is evident in the provided context.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[sourcery-ai]

Hey - I've left some high level feedback:

• Moving the CircleCI config from .circleci/config.yml to .github/config.yml will prevent CircleCI from picking it up; if CircleCI is still in use, keep the file under .circleci/ and just update the image tag there.
• Upgrading zod from v3 to v4 is a breaking change; please scan for and update any usages that rely on removed/changed APIs (e.g., .nullable(), .optional(), preprocess behavior, or error handling differences) to avoid runtime schema issues.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Moving the CircleCI config from `.circleci/config.yml` to `.github/config.yml` will prevent CircleCI from picking it up; if CircleCI is still in use, keep the file under `.circleci/` and just update the image tag there.
- Upgrading `zod` from v3 to v4 is a breaking change; please scan for and update any usages that rely on removed/changed APIs (e.g., `.nullable()`, `.optional()`, preprocess behavior, or error handling differences) to avoid runtime schema issues.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request effectively updates project dependencies to newer versions, which is excellent for security and maintenance. Pinning the Docker image in the CI configuration is also a good change for reproducibility. I've added one comment regarding the location of the CircleCI configuration file, which is a non-standard path and might cause issues with your CI pipeline.

[Dargon789]

https://github.com/Dargon789/arcjet-example/runs/58015461510
https://vercel.com/dargon789-forge/arcjet-example/GP1ieR4iGN12EbARniAnhv8HDwCV
https://vercel.com/dargon789-forge/arcjet-example-pvhg/GPs9P1ui88p1o7pXzXsvvRhnLytQ