Update dependencies to address CVE-2025-55182#364

Merged
SvenVw merged 2 commits into
mainfrom
hotfix/CVE-2025-55182
Dec 4, 2025

Conversation

@SvenVw
Collaborator

@SvenVw SvenVw commented Dec 4, 2025

Summary by CodeRabbit

  • Bug Fixes

  • Chores

    • Updated dependencies to latest stable versions.


@SvenVw SvenVw self-assigned this Dec 4, 2025
@changeset-bot

changeset-bot Bot commented Dec 4, 2025

⚠️ No Changeset found

Latest commit: ead531a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@github-actions
Contributor

github-actions Bot commented Dec 4, 2025

👋 Hotfix Branch PR Detected!

Before merging this Pull Request into main, please ensure you have finalized the hotfix by manually running the 'Release' workflow on this hotfix/CVE-2025-55182 branch.

This will:

  1. Bump package versions.
  2. Generate changelogs.
  3. Create Git tags.

You can trigger the workflow from the 'Actions' tab, selecting the 'Release' workflow, and choosing this hotfix/CVE-2025-55182 branch.

@coderabbitai
Contributor

coderabbitai Bot commented Dec 4, 2025

Walkthrough

This pull request updates project dependencies to newer patch and minor versions across package.json and pnpm-workspace.yaml, including React Router, Sentry, Turf, Mapbox GL, PostHog, React Hook Form, and Zustand. The project version is bumped from 0.25.0 to 0.25.1 with a security patch entry for CVE-2025-55182 added to the changelog.

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| Package Dependencies: fdm-app/package.json, pnpm-workspace.yaml | Updated 20+ dependencies to newer versions: React Router (^7.9.6 → ^7.10.0), Sentry (^10.27.0 → ^10.28.0), Mapbox GL (^3.16.0 → ^3.17.0), React (^19.2.0 → ^19.2.1), React Hook Form (^7.66.1 → ^7.68.0), Turf (^7.3.0 → ^7.3.1), Zustand (^5.0.8 → ^5.0.9), PostHog packages, and others. Also updated better-auth and vite in workspace config. |
| Documentation: fdm-app/CHANGELOG.md | Added new version entry 0.25.1 with patch change noting security fix c9a37ab for CVE-2025-55182. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • These are straightforward dependency version bumps with no logic changes or control flow modifications
  • The changelog update simply documents the security patch
  • Homogeneous pattern of updates across manifest files requires minimal contextual reasoning

Possibly related PRs

  • Chore/20250918 #271: Repository-wide dependency and version bumps including pnpm packageManager updates and multiple package.json dependency changes
  • Chore/20251104 #326: Overlapping dependency version bumps in fdm-app/package.json such as react-router, mapbox-gl, and react-hook-form
  • Chore/20251014 #299: Combined dependency and package-manager version updates affecting fdm-app/package.json and pnpm workspace configuration

Suggested reviewers

  • SvenVw

Poem

🐰 Hop, hop, bump those versions high,
React and Sentry reach the sky!
CVE's patched, security's tight,
Dependencies dance into the light! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main purpose of the changeset: updating dependencies to address a security vulnerability (CVE-2025-55182). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c9a37ab and ead531a.

📒 Files selected for processing (2)
  • fdm-app/CHANGELOG.md (1 hunks)
  • fdm-app/package.json (4 hunks)
✅ Files skipped from review due to trivial changes (1)
  • fdm-app/CHANGELOG.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • fdm-app/package.json

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.
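As an added example (not code from the fdm project or from this PR), a small check that reads a package.json and reports dependencies whose declared range floor is still below the minimum versions listed in the walkthrough above. The minimums are transcribed from that table; the manifest is a constructed sample, and "zustand" is assumed to be the npm package name for Zustand.

```javascript
// Added example, not code from the fdm project: audit a package.json's
// dependency ranges against the minimum versions this PR bumps to.
// MINIMUM_VERSIONS is transcribed from the PR walkthrough; the manifest
// below is a constructed sample that still declares a pre-patch React range.
const MINIMUM_VERSIONS = {
  react: "19.2.1",
  "react-router": "7.10.0",
  "mapbox-gl": "3.17.0",
  "react-hook-form": "7.68.0",
  zustand: "5.0.9",
};
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: {
    react: "^19.2.0",
    "react-router": "^7.10.0",
    "mapbox-gl": "~3.16.0",
    "react-hook-form": "^7.68.0",
  },
  devDependencies: { zustand: "5.0.9" },
});
// Lowest version a declared range guarantees. Only caret, tilde, >= and
// exact pins are accepted; anything else (workspace:, git URLs, "*") throws.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}
// Dependencies whose declared floor is below the patched minimum. The floor
// is what the manifest guarantees; the lockfile decides what is installed.
function findOutdated(packageJsonText, minimums = MINIMUM_VERSIONS) {
  const manifest = JSON.parse(packageJsonText);
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  const outdated = [];
  for (const [name, minimum] of Object.entries(minimums)) {
    if (!(name in declared)) continue; // this manifest does not use it
    const floor = rangeFloor(declared[name]);
    if (compareVersions(floor, rangeFloor(minimum)) < 0) {
      outdated.push({ name, declared: declared[name], minimum });
    }
  }
  return outdated;
}
console.log(findOutdated(SAMPLE_PACKAGE_JSON));
```

A clean result only means the manifest cannot resolve below the patched versions; the pnpm lockfile still has to be checked for what is actually installed.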

@codecov

codecov Bot commented Dec 4, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.62%. Comparing base (18fc1dd) to head (c9a37ab).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #364   +/-   ##
=======================================
  Coverage   87.62%   87.62%           
=======================================
  Files          79       79           
  Lines        3959     3959           
  Branches     1145     1145           
=======================================
  Hits         3469     3469           
  Misses        490      490           
| Flag | Coverage Δ |
| --- | --- |
| fdm-calculator | 87.81% <ø> (ø) |
| fdm-core | 87.08% <ø> (ø) |
| fdm-data | 92.12% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.

@coderabbitai coderabbitai Bot changed the title @coderabbitai Update dependencies to address CVE-2025-55182 Dec 4, 2025
@coderabbitai coderabbitai Bot added bug Something isn't working dependencies Pull requests that update a dependency file fdm-app labels Dec 4, 2025
@SvenVw SvenVw requested a review from BoraIneviNMI December 4, 2025 08:48
BoraIneviNMI
BoraIneviNMI previously approved these changes Dec 4, 2025
Collaborator

@BoraIneviNMI BoraIneviNMI left a comment


Updated packages and related ones still seem to perform their duty, so I approve.

I only had to change my Better Auth secret that I use for testing. It is nice that Better Auth warned me about a secret that is too short.

@SvenVw SvenVw merged commit 9d48861 into main Dec 4, 2025
4 checks passed
@coderabbitai coderabbitai Bot mentioned this pull request Dec 18, 2025
@coderabbitai coderabbitai Bot mentioned this pull request Jan 19, 2026
@coderabbitai coderabbitai Bot mentioned this pull request Feb 16, 2026
@coderabbitai coderabbitai Bot mentioned this pull request Apr 28, 2026