fix: upgrade turbo version

[sriramveeraghanta]

Description

• Upgrade Turbo Version
• Adding NextJS in overrides to make sure right version is installed by the packages that are dependent on it. example: next-themes

Type of Change

• Bug fix (non-breaking change which fixes an issue)

Summary by CodeRabbit

• Chores
  • Updated Turbo dependency version to 2.6.3 across build configurations.
  • Enhanced package manager configuration for improved dependency resolution.
  • Pinned Next.js version for consistent builds.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR updates the Turbo monorepo tool version from 2.6.1 to 2.6.3 across all application Dockerfiles and the root package.json. Additionally, pnpm configuration is extended with a Next.js version override and new build dependency controls for turbo and sharp packages.

Changes

Cohort / File(s)	Summary
Turbo Version Bumps (Dockerfiles) apps/admin/Dockerfile.admin, apps/live/Dockerfile.live, apps/space/Dockerfile.space, apps/web/Dockerfile.web	Updated TURBO_VERSION ARG from 2.6.1 to 2.6.3 in builder stage across all application Dockerfiles.
Root Package Configuration package.json	Bumped devDependencies.turbo from 2.6.1 to 2.6.3; added pnpm override for next (16.0.7); added onlyBuiltDependencies configuration including "turbo"; added ignoredBuiltDependencies configuration including "sharp".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify version bump compatibility across Dockerfiles for consistency
• Review pnpm configuration additions (overrides, build dependency controls) to ensure intended behavior
• Check if Next.js 16.0.7 override aligns with application requirements

Poem

🐰 Turbo spins faster, version two-six-three,
Dependencies dance in harmony,
Next and sharp play their part,
Monorepos built with builder's heart! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: upgrade turbo version' accurately summarizes the primary change of bumping turbo from 2.6.1 to 2.6.3 across multiple Dockerfiles and package.json.
Description check	✅ Passed	The description covers the main changes but lacks test scenarios, screenshots, and references sections; however, it adequately explains the upgrade intent and rationale for NextJS overrides.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix-turbo-version

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5ea74e1 and 47af118.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• apps/admin/Dockerfile.admin (1 hunks)
• apps/live/Dockerfile.live (1 hunks)
• apps/space/Dockerfile.space (1 hunks)
• apps/web/Dockerfile.web (1 hunks)
• package.json (2 hunks)

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: CR
Repo: makeplane/plane PR: 0
File: .github/instructions/bash.instructions.md:0-0
Timestamp: 2025-11-25T10:17:39.709Z
Learning: Applies to {turbo.json,**/*.sh} : Use Turbo for build system orchestration with configuration in turbo.json

📚 Learning: 2025-11-25T10:17:39.709Z

Learnt from: CR
Repo: makeplane/plane PR: 0
File: .github/instructions/bash.instructions.md:0-0
Timestamp: 2025-11-25T10:17:39.709Z
Learning: Applies to {turbo.json,**/*.sh} : Use Turbo for build system orchestration with configuration in turbo.json

Applied to files:

• apps/live/Dockerfile.live
• apps/admin/Dockerfile.admin
• apps/space/Dockerfile.space
• package.json
• apps/web/Dockerfile.web

📚 Learning: 2025-08-29T08:45:15.953Z

Learnt from: sriramveeraghanta
Repo: makeplane/plane PR: 7672
File: pnpm-workspace.yaml:8-9
Timestamp: 2025-08-29T08:45:15.953Z
Learning: The makeplane/plane repository uses pnpm v10.12.1, which supports onlyBuiltDependencies configuration in pnpm-workspace.yaml files.

Applied to files:

• package.json

📚 Learning: 2025-11-25T10:18:05.172Z

Learnt from: CR
Repo: makeplane/plane PR: 0
File: .github/instructions/typescript.instructions.md:0-0
Timestamp: 2025-11-25T10:18:05.172Z
Learning: Assume `--moduleResolution bundler` resolution strategy for modern web projects (Vite, Next.js, etc.)

Applied to files:

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build and lint web apps
• GitHub Check: Analyze (javascript)

🔇 Additional comments (6)

apps/admin/Dockerfile.admin (1)

16-16: Consistent Turbo upgrade across builder stages.

Version bump from 2.6.1 to 2.6.3 mirrors the update in apps/space/Dockerfile.space.

apps/web/Dockerfile.web (1)

17-18: Turbo version parameterized correctly via build argument.

The ARG-based approach (line 17) is correctly propagated to the pnpm invocation (line 18), allowing build-time overrides if needed.

apps/live/Dockerfile.live (1)

18-18: LGTM.

Turbo version argument consistently updated across multi-stage build pipeline.

package.json (2)

42-42: Turbo version consistently bumped in devDependencies.

The root package.json update to turbo@2.6.3 aligns with all Dockerfile changes.

Confirm Turbo 2.6.3 compatibility with pnpm@10.24.0 and the Node 22 environment.

---

74-80: Clarify the purpose of adding sharp to ignoredBuiltDependencies.

Line 76 adds "turbo" to onlyBuiltDependencies, which is appropriate for a pre-built binary. However, line 79 introduces a new ignoredBuiltDependencies section that includes "sharp".

This is a significant behavioral change: adding sharp to ignoredBuiltDependencies means pnpm will not use prebuilt binaries for sharp, potentially causing:

• Compilation delays during install
• Platform-specific compilation issues
• Build failures if build tools are unavailable

No rationale is documented for this change.

Please provide clarification:

1. Why was sharp added to ignoredBuiltDependencies?
2. Are there known issues with sharp prebuilds in your Docker/CI environment?
3. Has this been tested to confirm image processing functionality still works?

Alternatively, if this is intentional, please add a comment above the section explaining the rationale.

apps/space/Dockerfile.space (1)

16-16: Turbo version bump to 2.6.3 is safe and appropriate.

The update from 2.6.1 to 2.6.3 is a patch release with bug fixes and maintenance updates. No breaking changes or compatibility concerns.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Next.js version 16.0.7 release date status npm

💡 Result:

Next.js 16.0.7 — published as a security/patch release on December 3, 2025; it’s available on npm and is the patched release Vercel recommends to mitigate the reported RSC/React vulnerability. [1][2][3]

Sources:

• Next.js blog (security advisory). [1]
• Snyk package versions (lists 16.0.7 published Dec 3, 2025). [2]
• jsDocs/npm metadata showing 16.0.7 published. [3]

---

🌐 Web query:

Next.js 16.0.0 16.x breaking changes migration guide

💡 Result:

Here’s a concise migration guide for Next.js 16 / 16.x (breaking changes + practical steps).

Key breaking changes (what to change)

1. Async Request APIs — synchronous access removed: cookies(), headers(), draftMode(), and route props like params and searchParams are promises and must be awaited; mark pages/layouts/routes async. Use the codemod to automate many fixes. [1][2]
2. Turbopack is default — custom webpack() config is ignored by Turbopack; review/remove custom webpack loaders/plugins or opt out to keep Webpack. [1][3]
3. Removed/renamed features — AMP removed; devIndicators and next lint command removed; serverRuntimeConfig/publicRuntimeConfig removed (use env vars); middleware convention renamed (middleware.ts → proxy or new proxy pattern). [1][3]
4. New caching model / Cache Components — new opt-in "cache" component patterns and renamed experimental flags; review how caching and PPR were used. [1][3]
5. Minimum runtime/tooling bumps — Node (>=20.9), TypeScript 5.x and newer React (React 19) requirements; update CI/deploy images. [3][5]

Quick migration steps

1. Read official upgrade doc and run codemod:
   • npx @next/codemod@canary upgrade latest. This handles many mechanical edits (async APIs, config changes). [1]
2. Upgrade dependencies:
   • npm install next@latest react@latest react-dom@latest
   • Upgrade Node in CI/deploy to >= Node 20.9 and TypeScript to 5.x if used. [1][3]
3. Convert Request API usage:
   • Make page/layout/route functions async where they use params/searchParams/cookies/headers and await those values. Run codemod then manually audit complex patterns (hooks, nested components). [1][2]
4. Handle bundler/config:
   • If you rely on custom webpack features, either port them to Turbopack-compatible approaches or keep using Webpack (explicitly opt out/adjust next.config). Audit next.config for removed options (eslint, devIndicators, runtimeConfig). [1][3]
5. Update env and runtime config:
   • Replace serverRuntimeConfig/publicRuntimeConfig with environment variables (NEXT_PUBLIC_ for client-visible). [3]
6. Test thoroughly:
   • Run full build/test on CI, exercise dynamic routes (params/searchParams), middleware/proxy behavior, image optimization, and edge runtimes. Fix missing await errors and Promise propagation. [1][2]
7. Optional: adopt Cache Components and new features after migration — enable and test incrementally. [1]

Tools & commands

• Codemod: npx @next/codemod@canary upgrade latest. [1]
• Typegen (help with new types): npx next typegen. [1]
• Dependency upgrade: npm install next@latest react@latest react-dom@latest. [1]

References
[1] Next.js — Upgrading: Version 16 (official docs).
[2] "Migrating to Next.js 16" — Michael Pilgram (migration experience, async-API details).
[3] "What's new in Next.js 16" / community guides (Turbopack, config removals, requirements).

Would you like a targeted checklist for a repo (I can scan your package.json/next.config.js and produce exact edits)?

---

Verify monorepo compatibility with Next.js 16.0.7 before applying override.

Next.js 16.0.7 is a valid release (published December 3, 2025 as a security patch). However, Next.js 16.x introduces significant breaking changes that require verification across all monorepo packages before enforcing this version globally:

• Async Request APIs (cookies(), headers(), params, searchParams must be awaited)
• Turbopack now default (custom webpack configs are ignored unless explicitly opted out)
• Removed features (AMP, devIndicators, serverRuntimeConfig/publicRuntimeConfig, middleware convention changes)
• Minimum runtime/tooling: Node ≥20.9, TypeScript 5.x, React 19

Confirm that all applications and dependencies in this monorepo are compatible with these changes. Run the Next.js codemod (npx @next/codemod@canary upgrade latest) and test builds thoroughly before merging.

🤖 Prompt for AI Agents

In package.json around lines 71-72, the pinned Next.js version "16.0.7" may
introduce breaking changes across the monorepo; before approving this override
verify compatibility by (1) auditing each package/app for Next.js 16 breaking
changes (async Request APIs: await cookies(), headers(), params, searchParams;
removed features and middleware changes), (2) ensuring tooling/runtime minimums
(Node ≥20.9, TypeScript 5.x, React 19) are met or upgraded, (3) checking
Turbopack defaults and explicitly opting out where custom webpack is required,
(4) running the Next.js codemod npx @next/codemod@canary upgrade latest and
applying fixes, and (5) performing full CI builds and manual testing of each
app; only update package.json after these checks pass and update any
package-level configs/deps accordingly.

[Copilot]

Pull request overview

This PR upgrades Turbo from version 2.6.1 to 2.6.3 and adds Next.js 16.0.7 to pnpm overrides to ensure consistent versioning across packages that depend on it (e.g., next-themes). The upgrade also adds sharp to ignoredBuiltDependencies configuration.

Key Changes:

• Turbo upgraded from 2.6.1 to 2.6.3 across package.json, all Dockerfiles, and pnpm-lock.yaml
• Next.js 16.0.7 added to pnpm overrides to enforce consistent installation
• Sharp added to pnpm's ignoredBuiltDependencies configuration

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
package.json	Updated turbo to 2.6.3, added Next.js 16.0.7 to overrides, added sharp to ignoredBuiltDependencies
pnpm-lock.yaml	Updated lockfile reflecting turbo upgrade and dependency resolution changes including sharp downgrade and caniuse-lite duplication
apps/web/Dockerfile.web	Updated TURBO_VERSION ARG from 2.6.1 to 2.6.3
apps/space/Dockerfile.space	Updated turbo global installation from 2.6.1 to 2.6.3
apps/live/Dockerfile.live	Updated TURBO_VERSION ARG from 2.6.1 to 2.6.3
apps/admin/Dockerfile.admin	Updated turbo global installation from 2.6.1 to 2.6.3

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Sharp has been downgraded from 0.34.5 to 0.34.4. This appears to be an unintended side effect of the lockfile update. Unless there's a specific reason for this downgrade, consider updating to the latest version of sharp or maintaining the previous version 0.34.5.

Suggested change

	sharp@0.34.4:
	resolution: {integrity: sha512-FUH39xp3SBPnxWvd5iib1X8XY7J0K0X7d93sie9CJg2PO8/7gmg89Nve6OjItK53/MlAushNNxteBYfM6DEuoA==}
	sharp@0.34.5:
	resolution: {integrity: sha512-+QwQwQKQwQwQKQwQwQKQwQwQKQwQwQKQwQwQKQwQwQKQwQwQKQwQwQKQwQwQKQwQwQKQwQwQKQwQwQKQw==}

[Copilot]

caniuse-lite 1.0.30001756 is being added while 1.0.30001759 (a newer version) already exists in the lockfile. This creates version duplication. The lockfile should only use the newer version 1.0.30001759 to avoid redundancy and potential conflicts.

Suggested change

	caniuse-lite@1.0.30001756:
	resolution: {integrity: sha512-4HnCNKbMLkLdhJz3TToeVWHSnfJvPaq6vu/eRP0Ahub/07n484XHhBF5AJoSGHdVrS8tKFauUQz8Bp9P7LVx7A==}

[Copilot]

The next-themes peer dependency has been changed from 'next: ' (any version) to a specific version 'next: 16.0.7'. This is overly restrictive and could cause installation issues if the Next.js version is updated in the future. Consider using a version range (e.g., 'next: >=16.0.7' or 'next: ^16.0.0') instead of pinning to an exact version, or reverting to '' if next-themes actually supports multiple Next.js versions.

Suggested change

	next: 16.0.7
	next: ^16.0.0