fix(security): bump dependencies#30

Closed
fbosch wants to merge 4 commits into master from fix/dependency-audit

Conversation

fbosch (Owner) commented Mar 8, 2026

Summary by CodeRabbit

  • Chores

    • Updated runtime dependencies for prompt and logging utilities.
    • Upgraded development tools for linting, type checking, build and sizing workflows.
    • Added a new build helper to the dev toolchain.
    • Added workspace-wide dependency overrides to ensure consistent dependency resolutions.
    • Bumped project tooling schema/config version.
  • Tests

    • Reformatted an existing test for clarity (no behavioral change).

Copilot AI review requested due to automatic review settings March 8, 2026 06:57
coderabbitai bot commented Mar 8, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6d0fe4af-a036-48d7-a66c-feabc8705af9

📥 Commits

Reviewing files that changed from the base of the PR and between d2f88c3 and 804f317.

📒 Files selected for processing (3)
  • biome.json
  • src/commands/sync.ts
  • tests/targets.test.js
✅ Files skipped from review due to trivial changes (2)
  • biome.json
  • tests/targets.test.js

📝 Walkthrough

Updates dependency versions and workspace overrides, makes TaskReporter a lazily imported runtime value in the sync command, and reformats a test; no exported/public API changes.

Changes (cohort / file(s): summary)

  • Dependencies (package.json): Bumps runtime deps @clack/prompts (^1.0.0 → ^1.1.0), log-update (^7.0.2 → ^7.2.0); updates devDeps (@biomejs/biome, @size-limit/file, @types/node, bumpp, lint-staged, size-limit); adds unbuild (^3.6.1).
  • Workspace overrides (pnpm-workspace.yaml): Adds override pins: minimatch (>=9.0.6), rollup (>=4.59.0), svgo (>=4.0.1) to influence dependency resolution across the workspace.
  • Tooling config (biome.json): Bumps biome schema/version reference (2.3.14 → 2.4.6).
  • Runtime change, lazy load (src/commands/sync.ts): Converts TaskReporter value import to a type-only import and instantiates it via dynamic await import(...) when live output is enabled, avoiding module-load-time value import.
  • Tests, formatting (tests/targets.test.js): Non-functional reformatting of a test declaration (whitespace/structure changes only).

Sequence Diagram(s)

sequenceDiagram
  participant CLI as "Sync Command"
  participant Cond as "useLiveOutput check"
  participant Dyn as "Dynamic Import"
  participant Reporter as "TaskReporter (module)"

  CLI->>Cond: evaluate useLiveOutput
  alt useLiveOutput = true
    CLI->>Dyn: await import("#cli/task-reporter")
    Dyn-->>Reporter: load module
    CLI->>Reporter: new TaskReporter()
    Reporter-->>CLI: reporter instance
  else useLiveOutput = false
    CLI-->>CLI: reporter = null
  end
  CLI->>CLI: proceed with sync using reporter (or not)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop through package bumps with glee,
I nudge a lazy import under a tree,
Overrides snug like carrots in row,
Tests tidy, ready to go. 🥕✨

🚥 Pre-merge checks | ✅ 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'fix(security): bump dependencies' accurately describes the main purpose of the PR, which is updating multiple dependencies across package.json, biome.json, and pnpm-workspace.yaml to address security concerns.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Copilot AI (Contributor) left a comment

Pull request overview

This PR bumps several dependencies to address security advisories, primarily by upgrading direct dependencies/devDependencies and adding pnpm overrides to force patched transitive versions.

Changes:

  • Added pnpm override rules for minimatch, rollup, and svgo.
  • Updated runtime dependencies like @clack/prompts and log-update.
  • Updated dev tooling versions (Biome, lint-staged, size-limit, Node types) and regenerated pnpm-lock.yaml.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 5 comments.

  • pnpm-workspace.yaml: Introduces pnpm override rules intended to enforce patched dependency versions.
  • pnpm-lock.yaml: Regenerated lockfile reflecting upgraded packages and applied overrides.
  • package.json: Bumps direct dependencies and dev tooling versions to newer releases.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


pkg-pr-new bot commented Mar 8, 2026

npx https://pkg.pr.new/docs-cache@30

commit: 6a55d8c

coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 108: The package.json declares "@types/node": "^25.3.5" which targets
Node 20+ while the engines field requires "node": ">=18", causing
type/compatibility mismatch; fix by aligning versions—either change the
dependency "@types/node" to a Node-18/19-compatible release (e.g.,
"@types/node": "^20.x") or update the engines "node" to ">=20" to match
`@types/node`@25, then reinstall/update the lockfile (npm/yarn/pnpm) so the new
version is reflected; look for the "@types/node" entry in package.json and the
"engines" -> "node" field to apply the change.
- Line 95: package.json currently depends on "@clack/prompts": "^1.1.0" which
requires Node >=20.12.0; update package.json to avoid runtime breakage by either
(A) raising the engines.node field to ">=20.12.0" (modify the "engines": {
"node": ... } entry) or (B) pinning the dependency to a compatible version like
"@clack/prompts": "1.0.x" in the dependencies section; pick one approach and
update the manifest accordingly so imports won't fail for Node 18/19 users.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6200e966-bb30-4e80-84e8-36e341513bd4

📥 Commits

Reviewing files that changed from the base of the PR and between c3f6bc6 and f42b374.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml
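Both findings above are the same class of problem: a bumped dependency raises its Node engine floor above what the project's own engines.node promises, so the security fix quietly drops support for the lower part of the advertised Node range. The check below is an added example, not code from the PR or the docs-cache project. It compares each installed package's engines.node lower bound against the project's and flags floors that are too new; the project range (>=18) and the @clack/prompts floor (>=20.12.0) are the values quoted in the review, while the other package names, the function names and the statusOf helper are constructed for illustration. It goes slightly beyond the two findings by reporting any range shape it does not interpret as "unverified" rather than guessing.

```javascript
// Added example (not from the PR or the docs-cache project): compare the Node
// engine floor each installed dependency declares against the floor the
// project promises in its own engines.node.
//
// Only lower-bound ranges are interpreted (">=X", ">=X.Y", ">=X.Y.Z", with an
// optional leading "v"). Any other shape ("^20", "18 || 20", "*", ...) is
// reported as "unverified" instead of being guessed at, so the checker never
// produces a false "ok".

function parseLowerBound(range) {
  if (typeof range !== "string") return null;
  const m = /^\s*>=\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$/.exec(range);
  if (!m) return null;
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one record per dependency: { name, required, status, reason }.
//   "ok"         dependency floor <= project floor: every promised Node works
//   "too-new"    dependency needs a newer Node than the project floor, so the
//                lower part of the promised range would break at install/run
//   "unverified" a range shape this checker does not interpret
function checkEngines(projectManifest, installedManifests) {
  const projectRange = projectManifest.engines && projectManifest.engines.node;
  const projectFloor = parseLowerBound(projectRange);
  return Object.entries(installedManifests).map(([name, manifest]) => {
    const required = manifest.engines && manifest.engines.node;
    if (required === undefined) {
      return { name, required: null, status: "ok", reason: "no engines.node declared" };
    }
    const depFloor = parseLowerBound(required);
    if (projectFloor === null || depFloor === null) {
      return { name, required, status: "unverified", reason: "range shape not interpreted" };
    }
    if (compareVersions(depFloor, projectFloor) > 0) {
      return {
        name,
        required,
        status: "too-new",
        reason: `needs Node ${required} but project promises ${projectRange}`,
      };
    }
    return { name, required, status: "ok", reason: "floor within project range" };
  });
}

// Hypothetical helper for reading a single result out of the report.
function statusOf(results, name) {
  const hit = results.find((r) => r.name === name);
  return hit ? hit.status : undefined;
}

// Constructed input. The project range (>=18) and the @clack/prompts floor
// (>=20.12.0) are the values quoted in the review; the example-dep-* packages
// are placeholders, not real dependencies of this project.
const projectManifest = { name: "docs-cache", engines: { node: ">=18" } };
const installedManifests = {
  "@clack/prompts": { version: "1.1.0", engines: { node: ">=20.12.0" } },
  "example-dep-a": { version: "2.0.0", engines: { node: ">=16.0.0" } },
  "example-dep-b": { version: "0.1.0", engines: { node: "^20" } },
  "example-dep-c": { version: "3.2.1" },
};

const report = checkEngines(projectManifest, installedManifests);
for (const r of report) {
  console.log(`${r.status.padEnd(10)} ${r.name} (${r.required ?? "-"}): ${r.reason}`);
}
```

In a real audit the installed manifests would be read from node_modules/<name>/package.json after the lockfile is regenerated; the decision rule stays the same, and a "too-new" result means either raising engines.node or pinning the dependency, exactly the two options the review lays out.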

@fbosch fbosch closed this Mar 11, 2026
@fbosch fbosch reopened this Mar 11, 2026
@fbosch fbosch closed this Mar 11, 2026