update deps #122

Merged
drake-nathan merged 1 commit into main from update-deps
Dec 25, 2025
Owner

@drake-nathan drake-nathan commented Dec 25, 2025

Summary by CodeRabbit

  • Chores

    • Updated ESLint plugins, TypeScript tooling, Vite, Next.js, Convex, and Turbo dependencies to latest versions.
    • Simplified Prettier configuration script by removing experimental flag.
    • Updated project runtime and development tools including Bun and type definitions.
  • Style

    • Applied consistent code formatting across project files.

✏️ Tip: You can customize this high-level summary in your review settings.


changeset-bot Bot commented Dec 25, 2025

🦋 Changeset detected

Latest commit: 712937b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
| Name | Type |
|---|---|
| js-style-kit | Patch |


Contributor

coderabbitai Bot commented Dec 25, 2025

Walkthrough

This PR performs dependency version updates across the monorepo, including ESLint-related plugins and tooling packages, removes an outdated changeset, adds pull-request write permissions to the release workflow, removes project metadata documentation, applies code formatting to a TypeScript file, and updates root package scripts.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Changeset Management: .changeset/few-wasps-camp.md, .changeset/wet-cycles-poke.md | Added new changeset documenting patch release for js-style-kit with ESLint plugin updates; removed older changeset file. |
| GitHub Workflow: .github/workflows/release.yaml | Added pull-requests: write permission to enable PR-related operations during release workflow. |
| Documentation: .windsurfrules | Deleted project metadata documentation file containing overview, docs links, and workflow information. |
| Code Formatting: apps/next-test-app/convex/costco.ts | Wrapped single-line guard clauses and conditional increments in block bodies; no logic changes. |
| Root Dependencies & Scripts: package.json | Updated @types/bun (1.3.4→1.3.5), turbo (2.6.3→2.7.2), packageManager (bun 1.3.4→1.3.5); removed --experimental-cli flag from format script; removed outdated script. |
| App Dependencies: apps/next-test-app/package.json, apps/vite-test-app/package.json | Updated convex (1.31.0→1.31.2), next (16.0.10→16.1.1) in next-test-app; updated vite (7.2.7→7.3.0) in vite-test-app. |
| Package Dependencies: packages/eslint-plugin-nextjs/package.json, packages/style-kit/package.json | Bumped @types/bun (1.3.4→1.3.5) in eslint-plugin-nextjs; updated multiple ESLint plugins and parser versions in style-kit (typescript-eslint 8.49.0→8.50.1, eslint-plugin-jest 29.4.0→29.11.0, eslint-plugin-perfectionist 4.15.1→5.1.0, eslint-plugin-react-refresh 0.4.24→0.4.26, eslint-plugin-storybook 10.1.8→10.1.10, eslint-plugin-turbo 2.6.3→2.7.2). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • Update-deps #108: Updates ESLint and TypeScript-eslint plugin versions in packages/style-kit/package.json, directly overlapping with this PR's dependency bump scope.
  • update deps, note prettier 3.7 experimental flag #114: Performs similar dependency and version bump changes across root and package-level package.json files throughout the monorepo.
  • Update-deps #116: Updates packages/style-kit and root-level devDependencies including typescript-eslint and turbo versions with the same upgrade targets.

Poem

🐰 Hops through the dependency trees,
Updating plugins with such ease,
ESLint versions now pristine,
The newest tooling has been seen,
A workflow permission takes its place,
While scripts get trimmed up with grace!

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'update deps' is overly vague and generic. While it relates to the changeset, it does not clearly convey the primary changes (ESLint dependency updates, tooling upgrades, and workflow/documentation changes). | Use a more specific and descriptive title such as 'Update ESLint and tooling dependencies' or 'Bump ESLint plugins and dev dependencies' to better communicate the main purpose of the changes. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


codecov Bot commented Dec 25, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

@drake-nathan drake-nathan merged commit 226105d into main Dec 25, 2025
3 of 4 checks passed
@drake-nathan drake-nathan deleted the update-deps branch December 25, 2025 04:39
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 51254ea and 712937b.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (10)
  • .changeset/few-wasps-camp.md
  • .changeset/wet-cycles-poke.md
  • .github/workflows/release.yaml
  • .windsurfrules
  • apps/next-test-app/convex/costco.ts
  • apps/next-test-app/package.json
  • apps/vite-test-app/package.json
  • package.json
  • packages/eslint-plugin-nextjs/package.json
  • packages/style-kit/package.json
💤 Files with no reviewable changes (2)
  • .changeset/wet-cycles-poke.md
  • .windsurfrules
🧰 Additional context used
📓 Path-based instructions (1)
apps/**

📄 CodeRabbit inference engine (CLAUDE.md)

Maintain integration test applications under the apps/ directory to validate real-world configurations

Files:

  • apps/vite-test-app/package.json
  • apps/next-test-app/package.json
  • apps/next-test-app/convex/costco.ts
🧠 Learnings (14)
📓 Common learnings
Learnt from: drake-nathan
Repo: drake-nathan/js-style-kit PR: 84
File: scripts/ci.js:5-10
Timestamp: 2025-09-27T20:21:53.141Z
Learning: In scripts/ci.js for drake-nathan/js-style-kit: The build command must run before lint/format because the build process generates or modifies files that need to be linted/formatted. This script runs locally only and has specific build->lint dependencies.
Learnt from: CR
Repo: drake-nathan/js-style-kit PR: 0
File: .windsurfrules:0-0
Timestamp: 2025-08-08T03:09:04.266Z
Learning: Applies to packages/style-kit/README.md : The read at `packages/style-kit/README.md` is the npm documentation for the package
📚 Learning: 2025-03-15T03:32:01.610Z
Learnt from: drake-nathan
Repo: drake-nathan/js-style-kit PR: 39
File: packages/style-kit/package.json:65-65
Timestamp: 2025-03-15T03:32:01.610Z
Learning: The js-style-kit package continues to ship and support the Vitest ESLint plugin (`eslint-plugin-vitest`) as a dependency, even though the package itself has migrated from using Vitest to Bun for its internal testing.

Applied to files:

  • apps/vite-test-app/package.json
  • .changeset/few-wasps-camp.md
  • package.json
  • packages/style-kit/package.json
  • packages/eslint-plugin-nextjs/package.json
📚 Learning: 2025-09-12T02:53:12.206Z
Learnt from: CR
Repo: drake-nathan/js-style-kit PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-09-12T02:53:12.206Z
Learning: Applies to packages/style-kit/src/eslint/index.ts : Implement the main ESLint configuration factory at packages/style-kit/src/eslint/index.ts

Applied to files:

  • .changeset/few-wasps-camp.md
  • packages/style-kit/package.json
  • packages/eslint-plugin-nextjs/package.json
📚 Learning: 2025-09-12T02:53:12.206Z
Learnt from: CR
Repo: drake-nathan/js-style-kit PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-09-12T02:53:12.206Z
Learning: Applies to packages/style-kit/src/eslint/** : Organize ESLint configuration modules under packages/style-kit/src/eslint/, with plugin-specific subfolders (e.g., base/, import/, react/)

Applied to files:

  • .changeset/few-wasps-camp.md
  • packages/style-kit/package.json
📚 Learning: 2025-10-18T19:48:58.176Z
Learnt from: drake-nathan
Repo: drake-nathan/js-style-kit PR: 98
File: .github/workflows/ci.yaml:61-62
Timestamp: 2025-10-18T19:48:58.176Z
Learning: In drake-nathan/js-style-kit, the `apps/*` directories contain example applications that serve as ESLint test fixtures to verify that the ESLint configuration works correctly across different frameworks. Type errors in these apps are not a concern; only linting is verified to check for regressions.

Applied to files:

  • .changeset/few-wasps-camp.md
📚 Learning: 2025-09-12T02:53:12.206Z
Learnt from: CR
Repo: drake-nathan/js-style-kit PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-09-12T02:53:12.206Z
Learning: Applies to packages/style-kit/src/prettier/** : Keep Prettier configuration (and its plugin support) under packages/style-kit/src/prettier/

Applied to files:

  • .changeset/few-wasps-camp.md
  • packages/style-kit/package.json
📚 Learning: 2025-09-27T20:21:53.141Z
Learnt from: drake-nathan
Repo: drake-nathan/js-style-kit PR: 84
File: scripts/ci.js:5-10
Timestamp: 2025-09-27T20:21:53.141Z
Learning: In scripts/ci.js for drake-nathan/js-style-kit: The build command must run before lint/format because the build process generates or modifies files that need to be linted/formatted. This script runs locally only and has specific build->lint dependencies.

Applied to files:

  • .changeset/few-wasps-camp.md
  • package.json
📚 Learning: 2025-09-27T20:21:27.195Z
Learnt from: drake-nathan
Repo: drake-nathan/js-style-kit PR: 84
File: package.json:19-20
Timestamp: 2025-09-27T20:21:27.195Z
Learning: In the js-style-kit monorepo, the root lint script uses --ignore-pattern to exclude packages, apps, and docs because Turborepo runs individual lint scripts for each workspace. The root lint script is only meant to lint root-level files like scripts and config files, while `turbo run lint` handles workspace linting through the dependsOn: ["^lint"] configuration.

Applied to files:

  • package.json
📚 Learning: 2025-09-12T02:53:12.206Z
Learnt from: CR
Repo: drake-nathan/js-style-kit PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-09-12T02:53:12.206Z
Learning: Use Bun as the package manager and test runner across the repository

Applied to files:

  • package.json
  • packages/style-kit/package.json
  • packages/eslint-plugin-nextjs/package.json
📚 Learning: 2025-09-12T02:53:12.206Z
Learnt from: CR
Repo: drake-nathan/js-style-kit PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-09-12T02:53:12.206Z
Learning: Use tsup as the TypeScript bundler for packages

Applied to files:

  • package.json
  • packages/style-kit/package.json
  • packages/eslint-plugin-nextjs/package.json
📚 Learning: 2025-09-12T02:53:12.206Z
Learnt from: CR
Repo: drake-nathan/js-style-kit PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-09-12T02:53:12.206Z
Learning: Use Turborepo to manage the monorepo build pipeline and caching

Applied to files:

  • package.json
📚 Learning: 2025-10-16T22:50:32.349Z
Learnt from: drake-nathan
Repo: drake-nathan/js-style-kit PR: 96
File: packages/style-kit/src/eslint/convex/config.ts:0-0
Timestamp: 2025-10-16T22:50:32.349Z
Learning: For Convex ESLint configuration in packages/style-kit/src/eslint/convex/config.ts, the file pattern should only include `.js` and `.ts` files (not `.jsx` or `.tsx`), as Convex directories contain backend/server-side code and should not have React component files.

Applied to files:

  • packages/style-kit/package.json
📚 Learning: 2025-09-12T02:53:12.206Z
Learnt from: CR
Repo: drake-nathan/js-style-kit PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-09-12T02:53:12.206Z
Learning: Applies to packages/eslint-plugin-nextjs/test/** : Keep comprehensive tests for the Next.js ESLint plugin under packages/eslint-plugin-nextjs/test/

Applied to files:

  • packages/style-kit/package.json
📚 Learning: 2025-09-12T02:53:12.206Z
Learnt from: CR
Repo: drake-nathan/js-style-kit PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-09-12T02:53:12.206Z
Learning: Applies to packages/eslint-plugin-nextjs/src/utils/** : Store shared utilities for ESLint rules under packages/eslint-plugin-nextjs/src/utils/

Applied to files:

  • packages/eslint-plugin-nextjs/package.json
🧬 Code graph analysis (2)
package.json (3)
scripts/check-bun-version.js (1)
  • packageJson (5-33)
packages/style-kit/bin/lib/setup-scripts.ts (1)
  • console (6-30)
packages/style-kit/bin/lib/setup-dependencies.ts (1)
  • packageManager (14-86)
packages/eslint-plugin-nextjs/package.json (1)
scripts/check-bun-version.js (1)
  • packageJson (5-33)
🔇 Additional comments (11)
.github/workflows/release.yaml (1)

10-10: LGTM!

The pull-requests: write permission is required for the changesets action to create release PRs. This is a standard and appropriate permission for a release workflow.

apps/next-test-app/convex/costco.ts (3)

91-93: LGTM!

Formatting change adds braces for consistency. No functional impact.


103-105: LGTM!

Formatting change adds braces for consistency. No functional impact.


228-236: LGTM!

Formatting changes add braces to conditional statements for consistency. No functional impact.

package.json (2)

16-16: LGTM!

Removal of --experimental-cli flag suggests this Prettier feature has been stabilized. The change aligns with the setup script template in packages/style-kit/bin/lib/setup-scripts.ts which also generates the format script without this flag.


27-33: Bun and Turbo versions are valid.

The packageManager field (bun@1.3.5) matches the @types/bun version (1.3.5) for consistency. Both Bun 1.3.5 and Turbo 2.7.2 exist and have no known critical issues.

.changeset/few-wasps-camp.md (1)

1-12: LGTM!

The changeset properly documents the dependency updates as a patch release. The listed changes align with the updates made in packages/style-kit/package.json.

packages/eslint-plugin-nextjs/package.json (1)

57-57: Approve: @types/bun update to 1.3.5

The @types/bun version 1.3.5 is consistently updated across all three package.json files (root, packages/eslint-plugin-nextjs, and packages/style-kit), and the version exists on the npm registry.

packages/style-kit/package.json (2)

48-75: All ESLint and TypeScript tool versions verified and secure.

All specified package versions exist on NPM with no reported security vulnerabilities.


55-55: No action required – eslint-plugin-perfectionist 5.1.0 is compatible with this project.

The upgrade from 4.15.1 to 5.1.0 is safe. The project already uses ESM ("type": "module") and requires Node 20.11.0+ or 21.2.0+, meeting v5's requirements. The perfectionist configuration uses only standard options (order and type), none of which were deprecated or removed in v5.0.0. No deprecated features like object-based custom groups, group kind, or deprecated selectors are present.

apps/vite-test-app/package.json (1)

22-22: No action required. Vite 7.3.0 exists on the npm registry and has no known public security vulnerabilities. Earlier versions in the 7.0/7.1 branches had CVEs (CVE-2025-58752, CVE-2025-58751) that were fixed in 7.1.5 and 7.0.7; version 7.3.0 includes those fixes.

Comment on lines +12 to +13
"convex": "1.31.2",
"next": "16.1.1",

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify package versions exist on npm registry and check for security issues

echo "=== Checking convex 1.31.2 ==="
curl -s https://registry.npmjs.org/convex/1.31.2 | jq '.' | head -30

echo ""
echo "=== Checking next 16.1.1 ==="
curl -s https://registry.npmjs.org/next/16.1.1 | jq '.' | head -30

echo ""
echo "=== Checking convex package latest versions ==="
curl -s https://registry.npmjs.org/convex | jq '.versions | keys | sort | .[-5:]'

echo ""
echo "=== Checking next package latest versions ==="
curl -s https://registry.npmjs.org/next | jq '.versions | keys | sort | .[-5:]'

echo ""
echo "=== Checking for npm security advisories ==="
npm audit registry 2>/dev/null || echo "npm audit not available in this environment"

Repository: drake-nathan/js-style-kit

Length of output: 194


🌐 Web query:

convex 1.31.2 npm package version

💡 Result:

Yes — convex@1.31.2 is published (release dated December 17, 2025). [1][2]

Sources:

  • Yarn package changelog and version list (1.31.2 — Dec 17, 2025). [1]
  • jsDelivr/npm CDN listing for convex showing version 1.31.2. [2]

(If you want the npmjs registry page or a tarball URL, tell me and I’ll fetch it.)


🌐 Web query:

next 16.1.1 npm package version

💡 Result:

Yes — next@16.1.1 is published. Install with:

npm install next@16.1.1

Sources: Next.js 16.1 release notes and npm package metadata. [1][2][3]

References
[1] Next.js 16.1 blog (Dec 18, 2025).
[2] next@16.1.1 package metadata (jsdocs listing).
[3] next package info / vulnerability listing (Snyk).


🌐 Web query:

convex 1.31.2 security vulnerabilities advisories

💡 Result:

I found no published security advisories or CVEs specifically affecting convex version 1.31.2 as of December 25, 2025. Check these sources for current status and to monitor future advisories: GitHub repo (convex-js) [1], Snyk package page (no direct vulnerabilities listed) [2], and Socket/npm-package overview showing v1.31.2 (no alerts) [3].

Sources:
[1] get-convex/convex-js (GitHub).
[2] Snyk — convex-dev package vulnerabilities page.
[3] Socket — convex npm package security/versions page.


🌐 Web query:

next 16.1.1 security vulnerabilities advisories

💡 Result:

Short answer: Yes — multiple security advisories affect Next.js 16.x (including downstream impact from React RSC vulnerabilities). You should treat any 16.x or canary 16.1.* build as potentially affected and upgrade to the patched stable release for your release line immediately. [1][2][3][4]

Key references (summary):

  • Next.js security advisories and required upgrades for RSC-related CVEs (Dec 3 & Dec 11, 2025). Advisories track CVE-2025-55182 (React) → CVE-2025-66478 (Next.js) and follow-up fixes; Next.js lists affected / fixed versions and urges upgrades. [1][2]
  • GitLab / NVD advisories list affected 15.x/16.x ranges and fixed versions (patches published; upgrade to a listed patched release). [3]
  • Snyk vulnerability database shows 16.1 canary entries and notes which canary builds were flagged; check Snyk for your exact package version. [4]

Actionable steps:

  1. Identify exact installed version (npm ls next).
  2. If running any 16.x (or 16.1.* canary) — upgrade to the patched stable version recommended in the Next.js advisories for 16.x (follow the Next.js blog/advisory instructions). [1][2][3]
  3. If your instance was exposed/unpatched as of early December 2025, rotate secrets and follow the Next.js advisory remediation steps. [2]

Sources:
[1] Next.js — Security Update: December 11, 2025.
[2] Next.js — Security Advisory: CVE-2025-66478 (Dec 3, 2025).
[3] GitLab Advisory / CVE tracking for Next.js (CVE-2025-66478 / related fixes).
[4] Snyk — next package vulnerability page (16.1 canary notes).


Update next to the latest patched stable release for version 16.x.

Verification confirms that convex 1.31.2 exists with no known security vulnerabilities. However, next 16.1.1 is affected by multiple security advisories, including CVE-2025-66478 (Dec 11, 2025) and related React RSC vulnerabilities (CVE-2025-55182). The Next.js team explicitly recommends upgrading to patched stable releases for 16.x. Check the Next.js security advisories for the recommended patched version in the 16.x release line and update the package.json accordingly.

🤖 Prompt for AI Agents
In apps/next-test-app/package.json around lines 12-13, the pinned "next":
"16.1.1" is vulnerable; update it to the latest patched 16.x release recommended
by the Next.js security advisories (look up the current patched 16.x tag),
change the version string in package.json accordingly, then run your package
manager (npm/yarn/pnpm) to update node_modules and the lockfile, rebuild and run
tests to ensure compatibility; commit the package.json and updated lockfile.
