Update dependencies for security advisories #493

Merged
AnthonyRonning merged 1 commit into master from chore/security-dependency-updates-20260424 on Apr 27, 2026

Conversation

@AnthonyRonning (Contributor) commented Apr 25, 2026

Summary

  • update npm dependencies and resolutions to clear current bun audit findings, including vite and uuid
  • update Rust dependencies for Dependabot advisories, including maple-proxy 0.1.8, openssl 0.10.78, rustls-webpki 0.103.13, bytes 1.11.1, tar 0.4.45, and time 0.3.47
  • add a temporary vendored phf_generator 0.8.0 patch to replace the remaining Tauri transitive rand 0.7.x path with rand 0.8.6
  • refresh generated TanStack route tree and Prettier formatting required by the pre-commit hook

Validation

  • bun install --frozen-lockfile
  • bun audit
  • just rust-lint
  • cargo test
  • bun test
  • just build
  • just lint (warnings only)
  • bun run format:check

Summary by CodeRabbit

  • Chores
    • Updated frontend dependencies (UI libraries, runtime and dev tooling) for improved stability and security.
    • Upgraded desktop/mobile build tooling and native plugins for better reliability across platforms.
    • Applied a temporary vendored patch to mitigate a security advisory in a transitive dependency.
    • Reworked route generation and related internal organization to stabilize routing behavior.
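
The `[patch.crates-io]` override described above, as an added example of the shape such an override takes. This is not the PR's Cargo.toml: the vendor path, the `edition`, the `phf_shared` line and the exact `rand` requirement are assumptions, written to match the crate name and versions the PR names (phf_generator 0.8.0, rand 0.8.6).

```toml
# frontend/src-tauri/Cargo.toml (assumed layout; not the PR's file)

# A [patch] table is only honoured in the workspace root manifest. Every crate
# in the graph that asks for phf_generator ^0.8 now resolves to the local copy,
# which has to keep the same crate name and a version that satisfies the
# same requirement, otherwise Cargo warns that the patch was not used.
[patch.crates-io]
phf_generator = { path = "vendor/phf_generator-0.8.0" }

# frontend/src-tauri/vendor/phf_generator-0.8.0/Cargo.toml (assumed)
[package]
name = "phf_generator"
version = "0.8.0"
edition = "2018"

[dependencies]
phf_shared = "0.8"
# The reason for the patch: the crates.io 0.8.0 release requires rand 0.7.
# SmallRng is behind a feature flag in rand 0.8, hence small_rng.
rand = { version = "0.8", features = ["small_rng"] }
```

Once the patch applies, `cargo tree -i rand@0.7` run in frontend/src-tauri reports no matching package, which is the check that the 0.7 line is really gone from Cargo.lock rather than merely shadowed by a second rand version; an unused-patch warning at build time means the name or version in the vendored manifest does not match what the dependency graph requests.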

cloudflare-workers-and-pages (Bot) commented Apr 25, 2026

Deploying maple with Cloudflare Pages

Latest commit: ac784f3
Status: ✅  Deploy successful!
Preview URL: https://b7c7a1d7.maple-ca8.pages.dev
Branch Preview URL: https://chore-security-dependency-up.maple-ca8.pages.dev

coderabbitai (Bot) commented Apr 25, 2026

📝 Walkthrough

Consolidates frontend dependency upgrades, adds a vendored patched phf_generator crate to address a transitive advisory, updates Tauri/Rust dependency pins and overrides, reformats a few TypeScript UI interfaces, and regenerates/renames imports and parent-route references in the TanStack router file.

Changes

Cohort / File(s) / Summary

Frontend package manifest (frontend/package.json)
Expanded resolutions to pin multiple transitive packages; bumped runtime and dev dependencies across Radix UI, TanStack, Tauri, content utilities, linting, build tooling, and types.

Tauri Cargo manifest (frontend/src-tauri/Cargo.toml)
Bumped core Tauri, tauri-build, and multiple Tauri plugins; upgraded reqwest, pinned rand and Android openssl; added [patch.crates-io] override to vendored phf_generator.

Vendored phf_generator crate (frontend/src-tauri/vendor/phf_generator-0.8.0/.gitignore, .../Cargo.toml, .../README.md, .../src/lib.rs)
Added vendored phf_generator v0.8.0 with updated rand dependency and README; new lib.rs implements HashState and generate_hash public API for perfect-hash generation.

Router generation (frontend/src/routeTree.gen.ts)
Renamed imported route symbols (*RouteImport), switched route initializers to use rootRouteImport, updated getParentRoute/parentRoute references, removed embedded manifest block, and adjusted exported route typings.

UI component formatting (frontend/src/components/ui/badge.tsx, frontend/src/components/ui/button.tsx, frontend/src/components/ui/sheet.tsx)
Whitespace/formatting-only adjustments to TypeScript extends clauses (no type or runtime changes).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through crates and tidy trees,
Vendored seeds and pinned dependencies,
Routes renamed, the map rebuilt,
SmallRng sown on patched-up silt,
A bunny's hop — secure and skilled. 🥕✨

🚥 Pre-merge checks: ✅ 4 passed

Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'Update dependencies for security advisories' directly and clearly describes the main purpose of the changeset, which is updating npm and Rust dependencies to address security findings and advisories.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@devin-ai-integration (Bot) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.

coderabbitai[bot]: This comment was marked as resolved.

@AnthonyRonning (Contributor, Author) commented:

Reminder before merge: preview Pages now uses BUN_VERSION=1.3.5 so bun install --frozen-lockfile matches the PR lockfile. Please update the production Pages environment to BUN_VERSION=1.3.5 before/when merging, otherwise production deploys may hit the same frozen-lockfile error.

@AnthonyRonning (Contributor, Author) commented:

Cloudflare preview build now passes after switching the Pages preview build system to v3 and using BUN_VERSION=1.3.5. Before merging / deploying production, also switch the production Pages build system to v3 and set production BUN_VERSION=1.3.5 so prod uses Node 22.x and the same Bun version as preview.

@AnthonyRonning AnthonyRonning force-pushed the chore/security-dependency-updates-20260424 branch from e23571f to ac784f3 on April 27, 2026 22:42

Commit message:

Bump npm and Rust dependencies to patched versions, including maple-proxy 0.1.8 and a temporary phf_generator patch for the remaining Tauri rand advisory chain.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
@coderabbitai (Bot) left a comment

🧹 Nitpick comments (2)
frontend/src/routeTree.gen.ts (1)

11-33: Configure TanStack Router or explicitly exempt generated route tree from path alias policy.

The imports in lines 11–33 use relative paths (./routes/...) rather than the configured path aliases (@/...). However, since routeTree.gen.ts is auto-generated and should not be hand-edited, the appropriate fix is to either configure the TanStack Router generator to emit path-aliased imports or add an explicit exemption in the project's linting/import rules for this generated file.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@frontend/src/routeTree.gen.ts` around lines 11 - 33, The generated route tree
uses relative imports (e.g., the symbols import { Route as rootRouteImport },
TermsRouteImport, AuthChatChatIdRouteImport in routeTree.gen.ts) which violates
your path-alias policy; fix this by either configuring the TanStack Router
codegen to emit aliased imports (update the router generator options to use
"@/routes/..." for generated imports) or add an explicit lint/import rule
exemption for this generated file (create an override for routeTree.gen.ts in
your ESLint/TSLint/import rules to allow ./routes/* or disable the specific rule
for this file).
frontend/src-tauri/vendor/phf_generator-0.8.0/src/lib.rs (1)

5-21: Use a reproducible RNG type if cross-environment determinism is required.

Line 5/Line 18 use SmallRng with a fixed seed, but SmallRng does not guarantee portable deterministic output across platforms or future rand updates. It uses different algorithms on 32-bit (Xoshiro128PlusPlus) and 64-bit (Xoshiro256PlusPlus) platforms, and the algorithm may change in future versions. For stable PHF generation, use an explicitly fixed algorithm RNG like rand_chacha::ChaCha8Rng, which is the official recommendation for reproducible streams.

Suggested change in this file
-use rand::rngs::SmallRng;
+use rand_chacha::ChaCha8Rng;
 use rand::{Rng, SeedableRng};
@@
-    SmallRng::seed_from_u64(FIXED_SEED)
+    ChaCha8Rng::seed_from_u64(FIXED_SEED)
         .sample_iter(Standard)
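Review bot: the hunk leaves the vendored crate unbuildable on its own, because it imports `rand_chacha::ChaCha8Rng` while `rand_chacha` is not yet a dependency of the vendored Cargo.toml (the note below the diff says as much); keeping `use rand::{Rng, SeedableRng};` is right, since `seed_from_u64` comes from `SeedableRng` and `sample_iter` from `Rng`, and if the `small_rng` feature on `rand` was enabled only for `SmallRng` it can be dropped at the same time. A one-line comment next to `FIXED_SEED` would also help the next reader: the seed is fixed for build reproducibility, not secrecy, so ChaCha8 is chosen for its stable, fully specified stream rather than for any cryptographic property.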

(Also add rand_chacha in frontend/src-tauri/vendor/phf_generator-0.8.0/Cargo.toml if you apply this.)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@frontend/src-tauri/vendor/phf_generator-0.8.0/src/lib.rs` around lines 5 -
21, The PR uses SmallRng with FIXED_SEED in generate_hash which is not
cross-platform deterministic; replace SmallRng with an explicit algorithm like
rand_chacha::ChaCha8Rng, update the imports (use rand_chacha::ChaCha8Rng; keep
SeedableRng and sample_iter(Standard) usage), call
ChaCha8Rng::seed_from_u64(FIXED_SEED) where SmallRng was used, and add
rand_chacha to the vendor crate's Cargo.toml; ensure the rest of the flow
(try_generate_hash, HashState, etc.) remains unchanged.
📥 Commits

Reviewing files that changed from the base of the PR and between e23571f and ac784f3.

⛔ Files ignored due to path filters (2)
  • frontend/bun.lock is excluded by !**/*.lock
  • frontend/src-tauri/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (10)
  • frontend/package.json
  • frontend/src-tauri/Cargo.toml
  • frontend/src-tauri/vendor/phf_generator-0.8.0/.gitignore
  • frontend/src-tauri/vendor/phf_generator-0.8.0/Cargo.toml
  • frontend/src-tauri/vendor/phf_generator-0.8.0/README.md
  • frontend/src-tauri/vendor/phf_generator-0.8.0/src/lib.rs
  • frontend/src/components/ui/badge.tsx
  • frontend/src/components/ui/button.tsx
  • frontend/src/components/ui/sheet.tsx
  • frontend/src/routeTree.gen.ts
✅ Files skipped from review due to trivial changes (7)
  • frontend/src-tauri/vendor/phf_generator-0.8.0/.gitignore
  • frontend/src/components/ui/sheet.tsx
  • frontend/src/components/ui/badge.tsx
  • frontend/src-tauri/vendor/phf_generator-0.8.0/README.md
  • frontend/src-tauri/vendor/phf_generator-0.8.0/Cargo.toml
  • frontend/src/components/ui/button.tsx
  • frontend/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • frontend/src-tauri/Cargo.toml
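
The determinism point in the SmallRng nitpick above, as an added example that is not part of this PR, of phf_generator or of rand: a pared-down version of the CHD displacement search that phf_generator's generate_hash performs, driven by a PRNG whose algorithm is written out in full (a SplitMix64 step) instead of SmallRng, so the table it produces is the same on 32- and 64-bit targets and cannot drift with a rand upgrade. The keyed byte hash standing in for SipHash13, the seed constant and the sample key set are all constructed for the example; the review's rand_chacha::ChaCha8Rng would fill the same role with an external crate.

```rust
// Added example; not code from this PR, phf_generator, or rand. A CHD-style
// perfect-hash search in the shape of phf_generator::generate_hash, driven by
// a fixed-seed PRNG whose algorithm is written out, so the table it emits is
// bit-identical on every target. The keyed byte hash stands in for SipHash13;
// FIXED_SEED and the sample keys are constructed for the example.
const FIXED_SEED: u64 = 1_234_567_890;

/// Hash key that succeeded, one (d1, d2) per bucket, and slot -> entry index.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct HashState {
    pub key: u64,
    pub disps: Vec<(u32, u32)>,
    pub map: Vec<usize>,
}

/// SplitMix64 step. It is fully specified, so the stream is identical on every
/// target, whereas SmallRng's backing algorithm depends on pointer width; the
/// review's rand_chacha::ChaCha8Rng would serve the same purpose.
fn next_u64(state: &mut u64) -> u64 {
    *state = state.wrapping_add(0x9E37_79B9_7F4A_7C15);
    finalize(*state)
}

fn finalize(mut z: u64) -> u64 {
    z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
    z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
    z ^ (z >> 31)
}

/// Stand-in for phf_shared::hash: FNV-1a over the bytes mixed with the key,
/// split into the (g, f1, f2) triple the displacement search uses.
fn hash(entry: &[u8], key: u64) -> (u32, u32, u32) {
    let mut h = 0xCBF2_9CE4_8422_2325u64 ^ key;
    for &b in entry {
        h = (h ^ u64::from(b)).wrapping_mul(0x0100_0000_01B3);
    }
    let lo = finalize(h);
    let hi = finalize(lo ^ key.rotate_left(32));
    ((lo >> 32) as u32, lo as u32, hi as u32)
}

/// Same formula as phf_shared::displace.
fn displace(f1: u32, f2: u32, d1: u32, d2: u32) -> u32 {
    d2.wrapping_add(f1.wrapping_mul(d1)).wrapping_add(f2)
}

/// Draw hash keys from the fixed-seed stream until one admits a collision-free
/// table: same seed, same stream, same table, on every host.
pub fn generate_hash(entries: &[&[u8]]) -> HashState {
    let mut state = FIXED_SEED;
    std::iter::from_fn(|| Some(next_u64(&mut state)))
        .find_map(|key| try_generate_hash(entries, key))
        .expect("failed to solve PHF")
}

fn try_generate_hash(entries: &[&[u8]], key: u64) -> Option<HashState> {
    let hashes: Vec<_> = entries.iter().map(|e| hash(e, key)).collect();
    let table_len = hashes.len();
    let buckets_len = (table_len + 4) / 5; // phf_generator's DEFAULT_LAMBDA is 5
    // Group entries by g, then settle the largest buckets first.
    let mut buckets: Vec<(usize, Vec<usize>)> = (0..buckets_len).map(|i| (i, vec![])).collect();
    for (i, &(g, _, _)) in hashes.iter().enumerate() {
        buckets[(g % buckets_len as u32) as usize].1.push(i);
    }
    buckets.sort_by(|a, b| b.1.len().cmp(&a.1.len()));
    let mut map = vec![None; table_len];
    let mut disps = vec![(0u32, 0u32); buckets_len];
    'buckets: for (bucket_idx, keys) in &buckets {
        for d1 in 0..table_len as u32 {
            'disps: for d2 in 0..table_len as u32 {
                let mut placed: Vec<(usize, usize)> = Vec::with_capacity(keys.len());
                for &k in keys {
                    let (_, f1, f2) = hashes[k];
                    let slot = (displace(f1, f2, d1, d2) % table_len as u32) as usize;
                    if map[slot].is_some() || placed.iter().any(|&(s, _)| s == slot) {
                        continue 'disps; // hits a settled or in-flight slot
                    }
                    placed.push((slot, k));
                }
                disps[*bucket_idx] = (d1, d2);
                placed.into_iter().for_each(|(slot, k)| map[slot] = Some(k));
                continue 'buckets;
            }
        }
        return None; // no displacement fits this bucket under this key
    }
    Some(HashState { key, disps, map: map.into_iter().map(|m| m.unwrap()).collect() })
}

/// Lookup; the stored key is compared because a perfect hash maps non-members too.
pub fn get_index(state: &HashState, entries: &[&[u8]], query: &[u8]) -> Option<usize> {
    if entries.is_empty() { return None; }
    let (g, f1, f2) = hash(query, state.key);
    let (d1, d2) = state.disps[(g % state.disps.len() as u32) as usize];
    let idx = state.map[(displace(f1, f2, d1, d2) % entries.len() as u32) as usize];
    (entries[idx] == query).then_some(idx)
}

pub fn sample_keys() -> Vec<&'static [u8]> {
    ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel", "india", "juliet", "kilo", "lima"]
        .iter().map(|s| s.as_bytes()).collect()
}
```

The property that matters for a vendored build-time crate is that two contributors on different hosts, or the same CI job a year from now, generate byte-identical `disps` and `map` for the same input set; that holds here because every arithmetic step is spelled out in the crate, and it is exactly what a `SmallRng` whose backing generator is chosen by target width does not promise.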

@AnthonyRonning (Contributor, Author) commented:

@TestFlight build

@github-actions (Bot) commented:

🚀 TestFlight deployment triggered! Check the Actions tab for progress.

@github-actions (Bot) commented:

✅ TestFlight deployment completed successfully!

@AnthonyRonning AnthonyRonning merged commit 45f88d8 into master Apr 27, 2026
13 checks passed
@AnthonyRonning AnthonyRonning deleted the chore/security-dependency-updates-20260424 branch April 27, 2026 23:29