build(deps): consolidate bumps from #2, #4, #5, #7, #15 against realigned main#26
build(deps): consolidate bumps from #2, #4, #5, #7, #15 against realigned main#26adm01-debug wants to merge 1 commit into
Conversation
Applies all 5 dependabot bumps in a single commit against current main: - react-helmet-async: 2.0.5 -> 3.0.0 (#2) - date-fns: 2.30.0 -> 4.1.0 (#4) - framer-motion: 11.0.0 -> 12.34.5 (#5) - vitest: 3.2.4 -> 4.1.0 (#7) - postcss: 8.5.10 -> 8.5.12 (#15) Also bumps @vitest/coverage-v8 to ^4.1.0 to satisfy vitest@4 peer dep. Adds .npmrc with legacy-peer-deps=true so 'npm ci' accepts the date-fns@^4 / react-day-picker@8.10 peer mismatch (react-day-picker@8.10 declares date-fns@'^2 || ^3' as peer; date-fns@4's API surface used by react-day-picker@8.10 is backward-compatible enough that this works in practice without bumping react-day-picker to v9 which has breaking changes).
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR consolidates multiple Dependabot dependency bumps into a single update against the realigned main, updating the app’s frontend/runtime/test tooling dependencies and regenerating the npm lockfile accordingly.
Changes:
- Bump key dependencies:
react-helmet-async,date-fns,framer-motion,vitest(+@vitest/coverage-v8), andpostcss. - Regenerate
package-lock.jsonto reflect the new resolved dependency graph. - Add
.npmrcsettinglegacy-peer-deps=trueto allow installs despite a peer-range mismatch.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates dependency version ranges for the consolidated bumps. |
| package-lock.json | Updates the resolved dependency tree for the new versions (including vitest/vite/tooling changes). |
| .npmrc | Adds legacy-peer-deps=true to bypass peer dependency conflicts during install. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "tailwind-merge": "^2.2.0", | ||
| "vaul": "^0.9.0", | ||
| "vitest": "^3.2.4", | ||
| "vitest": "^4.1.0", |
There was a problem hiding this comment.
Upgrading to vitest@^4.1.0 brings in vitest 4.x which requires Node >=20 (and pulls in a nested vite@8.x per the lockfile, which requires Node >=20.19). If this repo is expected to work on earlier Node versions, consider either (a) pinning the repo’s supported Node version explicitly (e.g., package.json "engines" / .nvmrc and CI using a >=20.19.x runtime) or (b) staying on vitest 3.x until Vite/Node can be upgraded together.
| "vitest": "^4.1.0", | |
| "vitest": "^3.2.4", |
| @@ -0,0 +1 @@ | |||
| legacy-peer-deps=true | |||
There was a problem hiding this comment.
Setting legacy-peer-deps=true at the repo level disables peer dependency enforcement for all npm installs, which can mask unrelated peer incompatibilities and make dependency issues harder to detect. If this is only needed to bypass the react-day-picker/date-fns peer-range conflict, consider scoping it more narrowly (e.g., using npm ci --legacy-peer-deps in CI only, or resolving the mismatch by upgrading/reacting to the peer requirement) so future peer problems still surface during install.
| legacy-peer-deps=true |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 93b58dea52
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "tailwind-merge": "^2.2.0", | ||
| "vaul": "^0.9.0", | ||
| "vitest": "^3.2.4", | ||
| "vitest": "^4.1.0", |
There was a problem hiding this comment.
package.json upgrades vitest to ^4.1.0 but keeps top-level vite at ^5.4.19; the updated lockfile shows vitest@4.1.5 requiring vite: ^6 || ^7 || ^8 as a non-optional peer (package-lock.json lines 14174 and 14198). This leaves the dependency graph peer-incompatible and only installable because peer checks are relaxed, so environments that enforce peers (or resolve differently) can fail or run tests against a divergent toolchain.
Useful? React with 👍 / 👎.
| @@ -0,0 +1 @@ | |||
| legacy-peer-deps=true | |||
There was a problem hiding this comment.
Adding .npmrc with legacy-peer-deps=true suppresses peer-dependency validation for all installs, which masks real incompatibilities introduced here (for example, react-day-picker@8.10.1 peers on date-fns ^2 || ^3 while package.json now pins date-fns ^4.1.0, visible in package-lock.json line 11992). Keeping this override repo-wide shifts dependency breakage from install-time into harder-to-debug runtime/test behavior.
Useful? React with 👍 / 👎.
Summary
Consolidates all 5 open dependabot bumps into a single commit, applied against the recently-realigned
mainbranch.Plus:
@vitest/coverage-v83.2.4 → 4.1.0 (peer dep of vitest@4).npmrcwithlegacy-peer-deps=truesonpm ciaccepts thedate-fns@^4/react-day-picker@8.10peer mismatch (peer declared as^2 || ^3but the API surface used byreact-day-picker@8.10is backward-compatible with v4 in practice; alternative would be areact-day-pickerv9 major bump with breaking API changes)Validation
npm ci --ignore-scripts✅ exit 0npx tsc --noEmit✅ exit 0Context (why this PR exists instead of merging dependabot PRs directly)
The dependabot PRs (#2, #4, #5, #7, #15) all targeted
mainbut had unrelated git histories with main, because main had diverged from the active development line on 2026-04-23. That divergence has now been resolved — main was force-pushed to the latestlovable-sync-*HEAD (f3e6de1c). With main realigned, applying the dep bumps is a straightforward 3-file change (this PR).After merge, dependabot PRs #2, #4, #5, #7, #15 can be closed — comments added on each pointing here.
https://claude.ai/code/session_01KWeDG
Generated by Claude Code