⬆️(dependencies) update back and front dependencies #500

Merged: providenz merged 1 commit into main from providenz/update-deps on Jun 1, 2026

@providenz (Collaborator) commented May 25, 2026

Purpose

Routine maintenance bump of backend and frontend dependencies, plus removal of packages that are no longer imported anywhere in the codebase.

Proposal

  • Bump python dependencies (django, DRF, pydantic-ai-slim, sentry-sdk, pylint, ruff, ...).
  • Drop unused backend packages: parler, easy_thumbnails, django-countries, deprecated, jaraco.context.
  • Bump frontend dependencies (next, react, @tanstack/react-query, ui-kit, posthog-js, styled-components, @playwright/test, @typescript-eslint, prettier, stylelint, ...).
  • Drop unused frontend packages: canvg, idb, zod.
  • Remove stale crisp code and related packages.

#505

Summary by CodeRabbit

  • Chores

    • Bumped many back-end and front-end dependencies and developer tooling.
    • Removed legacy translation and thumbnail modules.
    • Minor linter/configuration adjustment.
  • Improvements

    • Updated client-side query/mutation callbacks to align with newer library behavior for more reliable UI updates.
    • Adjusted analytics initialization to refine telemetry.
  • Bug Fixes / Tests

    • Updated tests and payload expectations to match revised message schema (added identifiers/state fields).
  • Style

    • Improved screen-reader CSS rule for better accessibility.

coderabbitai Bot commented May 25, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Bumps backend and frontend dependencies, removes parler/easy_thumbnails and computed PARLER_LANGUAGES, updates Pydantic/Pydantic‑AI usage and ConversationAgent wiring, aligns React Query mutation callbacks to v5, applies small frontend tweaks, and updates tests to match new payload shapes.

Changes

Dependency Management and Code Updates

| Layer / File(s) | Summary |
|---|---|
| Manifests and dependency pins: CHANGELOG.md, src/backend/pyproject.toml, src/frontend/apps/conversations/package.json, src/frontend/package.json, src/frontend/packages/eslint-config-conversations/package.json, src/frontend/packages/i18n/package.json | Bump runtime and dev/tooling versions, change resolution pins, and remove several runtime deps from backend and frontend manifests. |
| Django settings removal: src/backend/conversations/settings.py | Removed parler and easy_thumbnails from Base.INSTALLED_APPS and deleted Base.PARLER_LANGUAGES. |
| Pydantic-AI integration and agent updates: src/backend/chat/agents/base.py, src/backend/chat/clients/pydantic_ai.py | Switch .dict() to model_dump() for Pydantic v2, add Instrumentation capability wiring for ConversationAgent, adapt streaming to use event.part, and read run.usage attribute. |
| React Query v5 callback alignment: src/frontend/apps/conversations/src/features/chat/api/* | Update mutation onSuccess/onError wrappers to accept and forward the additional onMutateResult and context parameters across chat hooks. |
| Small frontend typing, lint, and analytics tweaks: src/frontend/apps/conversations/src/api/helpers.tsx, src/frontend/apps/conversations/src/cunningham/useCunninghamTheme.tsx, src/frontend/apps/conversations/src/services/PosthogAnalytic.tsx, src/frontend/apps/conversations/src/pages/globals.css, src/frontend/apps/e2e/package.json | Add eslint comment in query helper, remove a TypeScript cast in theme store, drop __add_tracing_headers from PostHog init, update .sr-only to clip-path: inset(50%), and bump Playwright version. |
| Test expectation updates: src/backend/chat/tests/**, multiple test modules | Adjust many tests to include conversation_id (using ANY where applied), add tool_kind: None on tool parts, and require state: "complete" on completed responses; update Pydantic error URLs and one LLModel test model_name. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • suitenumerique/conversations#309: Both PRs modify src/backend/pyproject.toml dependency constraints, including overlapping updates to pydantic-ai-slim (and potentially pypdf), so the changes are related.
  • suitenumerique/conversations#254: Both PRs update src/frontend/apps/conversations/package.json dependency versions (including next) as part of dependency bumps.
  • suitenumerique/conversations#249: Both PRs modify the Pydantic-AI integration in src/backend/chat/clients/pydantic_ai.py, including changes to agent instrumentation/capabilities and tool-result/event streaming handling (event.part vs event.result).

Suggested labels

dependencies, frontend, backend

Suggested reviewers

  • maxenceh
  • qbey

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main objective: updating both backend and frontend dependencies, matching the PR's primary purpose. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bin/yarn-outdated-dates`:
- Around line 91-93: The RECENT detection fails because released_epoch is set
using BSD-only date flags; modify the parsing logic around released_epoch to try
a portable fallback: first attempt the existing BSD parse (date -j -f
"%Y-%m-%dT%H:%M:%S" "$clean" +%s) and if it fails, re-run with GNU-style parsing
(date -d "$clean" +%s) or another portable parser (python -c or perl) so
released_epoch becomes correct on Linux; keep the subsequent comparison against
CUTOFF_EPOCH and setting of flag="RECENT (<${COOLDOWN_DAYS}d)" unchanged so
RECENT detection works cross-platform.
- Around line 46-49: The satisfies() fallback currently uses a substring check
when SEMVER_NODE_PATH is empty which yields incorrect upgrade decisions; change
satisfies() so that if SEMVER_NODE_PATH is not set it returns an explicit
"unknown" status (e.g., a distinct exit code or sentinel output) instead of
true/false, and update the logic that computes the upgrade? flag (the code that
uses ! satisfies "$declared" "$latest") to treat the "unknown" result as
non-actionable (suppress or render upgrade? as unknown) rather than marking it
as an upgrade; refer to the satisfies() function and the place where upgrade? is
derived from ! satisfies "$declared" "$latest" to implement this flow.

In `@src/backend/pyproject.toml`:
- Line 50: Tighten the dependency spec for mozilla-django-oidc in
src/backend/pyproject.toml by replacing the loose constraint
"mozilla-django-oidc<5.0.0" with the specific version resolved in the lock
(e.g., "mozilla-django-oidc==4.0.1" or a narrow range like
"mozilla-django-oidc>=4.0.1,<4.1.0"); after changing the dependency line,
regenerate the lock (run your project’s lock sync command) so
src/backend/uv.lock and pyproject.toml stay consistent.

In `@src/frontend/packages/eslint-config-conversations/package.json`:
- Around line 9-10: Update the pinned version of the Next ESLint plugin in
src/frontend/packages/eslint-config-conversations/package.json by changing the
dependency "`@next/eslint-plugin-next`" from "15.3.3" to "16.2.6" so the ruleset
matches the Next.js version used by the app; edit the package.json entry for
"`@next/eslint-plugin-next`" in the eslint-config-conversations package and run
your package manager (install) to refresh lockfiles.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 2a7f5d16-771b-402e-b4cb-68e656e744b4

📥 Commits

Reviewing files that changed from the base of the PR and between f03e101 and c2e792a.

⛔ Files ignored due to path filters (2)
  • src/backend/uv.lock is excluded by !**/*.lock
  • src/frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (9)
  • CHANGELOG.md
  • bin/yarn-outdated-dates
  • src/backend/conversations/settings.py
  • src/backend/pyproject.toml
  • src/frontend/apps/conversations/package.json
  • src/frontend/apps/e2e/package.json
  • src/frontend/package.json
  • src/frontend/packages/eslint-config-conversations/package.json
  • src/frontend/packages/i18n/package.json
💤 Files with no reviewable changes (1)
  • src/backend/conversations/settings.py

Comment thread bin/yarn-outdated-dates Outdated
Comment thread bin/yarn-outdated-dates Outdated
Comment thread src/backend/pyproject.toml Outdated
Comment thread src/frontend/packages/eslint-config-conversations/package.json Outdated
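
The first inline comment in the review above asks for a portable fallback when parsing release dates for the RECENT cooldown check. A sketch of that fallback, as an added example that is not code from this PR or from bin/yarn-outdated-dates: `to_epoch`, `release_flag`, the 7-day default and the sample package names are assumptions, while `COOLDOWN_DAYS`, `CUTOFF_EPOCH` and `released_epoch` follow the names quoted in the review. It goes one step beyond the comment by reporting an unparseable date as UNKNOWN, so a parse failure is never read as "old enough".

```shell
#!/bin/sh
# Added example; hypothetical helpers, not the project's bin/yarn-outdated-dates.
COOLDOWN_DAYS="${COOLDOWN_DAYS:-7}"   # assumed default, not stated on the page

# Print epoch seconds for an ISO-8601 UTC timestamp; non-zero exit if unparseable.
to_epoch() {
  clean="${1%%.*}"      # drop fractional seconds and the Z that follows them
  clean="${clean%Z}"    # drop a bare trailing Z
  case "$clean" in      # accept only YYYY-MM-DDTHH:MM:SS before calling date(1)
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  date -u -j -f "%Y-%m-%dT%H:%M:%S" "$clean" +%s 2>/dev/null ||   # BSD / macOS
  date -u -d "${clean}Z" +%s 2>/dev/null ||                       # GNU coreutils
  python3 -c 'import sys, calendar, time
print(calendar.timegm(time.strptime(sys.argv[1], "%Y-%m-%dT%H:%M:%S")))' \
    "$clean" 2>/dev/null                                          # last resort
}

# Classify one release against the cooldown window.
#   $1 = release timestamp, $2 = "now" in epoch seconds
release_flag() {
  CUTOFF_EPOCH=$(( $2 - $COOLDOWN_DAYS * 86400 ))
  if ! released_epoch="$(to_epoch "$1")" || [ -z "$released_epoch" ]; then
    echo "UNKNOWN (unparsed date)"        # fail closed: do not treat as old
  elif [ "$released_epoch" -gt "$CUTOFF_EPOCH" ]; then
    echo "RECENT (<${COOLDOWN_DAYS}d)"
  else
    echo "ok"
  fi
}

# Constructed sample input: "package release-timestamp" pairs and a fixed "now".
NOW_EPOCH=1779408000   # 2026-05-22T00:00:00Z
while read -r pkg released; do
  printf '%-8s %s\n' "$pkg" "$(release_flag "$released" "$NOW_EPOCH")"
done <<'EOF'
pkg-a 2026-05-20T09:15:00.000Z
pkg-b 2026-03-02T18:40:11.512Z
pkg-c unknown
EOF
```
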
@providenz providenz force-pushed the providenz/update-deps branch from c2e792a to c44b629 Compare May 26, 2026 20:49

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
src/backend/pyproject.toml (2)

50-50: ⚡ Quick win

Reconsider loosening the mozilla-django-oidc constraint.

A previous review suggested tightening this dependency to an exact pin (e.g., ==4.0.1) or a narrow range (e.g., >=4.0.1,<4.1.0) based on what uv.lock resolves. The current change to <5.0.0 creates a very wide constraint that allows the solver to pick any 4.x version on future lock refreshes, which may introduce unexpected behavior or security issues.

If the intent is to allow patch updates while maintaining stability, consider using a tighter constraint like mozilla-django-oidc>=4.0.1,<4.1.0 instead.

🔒 Suggested tighter constraint
-    "mozilla-django-oidc<5.0.0",
+    "mozilla-django-oidc>=4.0.1,<4.1.0",
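Review bot: The `+` line adds a lower bound, `>=4.0.1`, that the removed `<5.0.0` specifier never had, so confirm the version currently resolved in uv.lock is 4.0.1 or later before applying it, otherwise the next lock sync will change the installed version. The `<4.1.0` cap also means any later minor release needs a manual edit of this line before a lock refresh can pick it up, so pair the narrower range with a routine check for upstream releases of this OIDC dependency.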
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/backend/pyproject.toml` at line 50, The dependency constraint for
mozilla-django-oidc in pyproject.toml is too loose ("<5.0.0"); tighten it to
match what uv.lock resolved (either pin to the exact resolved version or a
narrow compatible range) by replacing the "<5.0.0" specifier with a specific pin
like "==4.0.1" or a narrow range such as ">=4.0.1,<4.1.0" so future lock updates
won't unexpectedly pick any 4.x release.

82-82: ⚡ Quick win

Remove extra space in version specifier.

The version constraint has an unusual space after the == operator: "drf-spectacular-sidecar== 2026.5.1". While this may be accepted by pip/uv, standard Python dependency specifications don't include spaces around operators.

✨ Normalize the version specifier
-    "drf-spectacular-sidecar== 2026.5.1",
+    "drf-spectacular-sidecar==2026.5.1",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/backend/pyproject.toml` at line 82, The dependency line for
drf-spectacular-sidecar contains an extra space after the "==" operator; edit
the pyproject.toml dependency entry for drf-spectacular-sidecar to remove the
space so the version specifier has no whitespace around the equality operator
(update the drf-spectacular-sidecar version constraint to use the standard
"==version" format).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: c63cdd7c-d2ff-46e4-9eef-d7a2d33e702d

📥 Commits

Reviewing files that changed from the base of the PR and between c2e792a and c44b629.

⛔ Files ignored due to path filters (2)
  • src/backend/uv.lock is excluded by !**/*.lock
  • src/frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (18)
  • CHANGELOG.md
  • src/backend/conversations/settings.py
  • src/backend/pyproject.toml
  • src/frontend/apps/conversations/package.json
  • src/frontend/apps/conversations/src/api/helpers.tsx
  • src/frontend/apps/conversations/src/cunningham/useCunninghamTheme.tsx
  • src/frontend/apps/conversations/src/features/chat/api/useCreateProject.tsx
  • src/frontend/apps/conversations/src/features/chat/api/useRemoveConversation.tsx
  • src/frontend/apps/conversations/src/features/chat/api/useRemoveProject.tsx
  • src/frontend/apps/conversations/src/features/chat/api/useRenameConversation.tsx
  • src/frontend/apps/conversations/src/features/chat/api/useUpdateProject.tsx
  • src/frontend/apps/conversations/src/features/left-panel/components/__tests__/ModalRenameConversation.test.tsx
  • src/frontend/apps/conversations/src/features/left-panel/components/__tests__/SimpleConversationItem.test.tsx
  • src/frontend/apps/conversations/src/services/PosthogAnalytic.tsx
  • src/frontend/apps/e2e/package.json
  • src/frontend/package.json
  • src/frontend/packages/eslint-config-conversations/package.json
  • src/frontend/packages/i18n/package.json
💤 Files with no reviewable changes (2)
  • src/frontend/apps/conversations/src/services/PosthogAnalytic.tsx
  • src/backend/conversations/settings.py
✅ Files skipped from review due to trivial changes (5)
  • src/frontend/apps/e2e/package.json
  • src/frontend/apps/conversations/src/cunningham/useCunninghamTheme.tsx
  • src/frontend/apps/conversations/src/api/helpers.tsx
  • src/frontend/apps/conversations/src/features/left-panel/components/__tests__/ModalRenameConversation.test.tsx
  • CHANGELOG.md

@providenz providenz force-pushed the providenz/update-deps branch 5 times, most recently from 41fcb5e to ffa6642 Compare May 27, 2026 15:26
@providenz providenz requested a review from maxenceh May 27, 2026 15:30
@providenz providenz force-pushed the providenz/update-deps branch from ffa6642 to 702c70a Compare May 27, 2026 19:39
Comment thread src/backend/pyproject.toml Outdated
Comment thread src/frontend/apps/conversations/src/features/auth/__tests__/utils.test.tsx Outdated
@providenz providenz force-pushed the providenz/update-deps branch 3 times, most recently from d5477b6 to 4c7cafc Compare May 28, 2026 08:47
Update outdated packages and remove unused ones
@providenz providenz force-pushed the providenz/update-deps branch from 4c7cafc to 3ba131e Compare May 28, 2026 14:23
@sonarqubecloud

Quality Gate failed

Failed conditions
12.2% Duplication on New Code (required ≤ 3%)
C Reliability Rating on New Code (required ≥ A)


@providenz providenz merged commit 3ba131e into main Jun 1, 2026
29 of 31 checks passed
@providenz providenz deleted the providenz/update-deps branch June 1, 2026 07:08