
[Snyk] Fix for 12 vulnerabilities #159

Open
Dustin4444 wants to merge 1 commit into main from snyk-fix-8c58e62ad88f6a1f1a1baff87272bb3f

Conversation

@Dustin4444 (Owner) commented May 22, 2026


Snyk has created this PR to fix 12 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • apps/webapp/package.json
⚠️ Warning
Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Severity  Issue                                                                  Snyk ID
medium    Server-side Request Forgery (SSRF)                                     SNYK-JS-AISDKPROVIDERUTILS-16734888
medium    Allocation of Resources Without Limits or Throttling                   SNYK-JS-AISDKPROVIDERUTILS-16735288
medium    XML Injection                                                          SNYK-JS-FASTXMLBUILDER-16540557
medium    XML External Entity (XXE) Injection                                    SNYK-JS-FASTXMLBUILDER-16540558
high      Prototype Pollution                                                    SNYK-JS-JSONDIFFPATCH-16322990
medium    Cross-site Scripting (XSS)                                             SNYK-JS-JSONDIFFPATCH-16635946
high      Improper Handling of Exceptional Conditions                            SNYK-JS-OPENTELEMETRYEXPORTERPROMETHEUS-16758050
medium    NULL Pointer Dereference                                               SNYK-JS-QS-16721866
high      Command Injection                                                      SNYK-JS-SYSTEMINFORMATION-16677388
medium    Improper Validation of Specified Index, Position, or Offset in Input   SNYK-JS-UUID-16133035
medium    Use of Uninitialized Resource                                          SNYK-JS-WS-16722635
medium    Denial of Service (DoS)                                                SNYK-JS-GRAPHQL-5905181

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)
🦉 Allocation of Resources Without Limits or Throttling
🦉 XML Injection
🦉 More lessons are available in Snyk Learn



@Dustin4444 (Owner, Author) commented:

Merge Risk: High

This update includes three high-risk major version upgrades that require developer action. The @team-plain/typescript-sdk package is being deprecated, the ai SDK has significant API and data structure changes, and remix-auth alters how authentication strategies are handled.

High-Risk Upgrades

@team-plain/typescript-sdk from 3.5.0 to 5.12.1

  • Risk: HIGH
  • Breaking Change: The v5.0 release introduces a breaking change to webhook handling. The SDK will no longer parse payloads from legacy/unversioned webhook targets; you must update your webhook target to the '2024-09-18' version. [2]
  • Deprecation Notice: This package is being deprecated and replaced by three new, more focused packages: @team-plain/graphql, @team-plain/webhooks, and @team-plain/ui-components. [16, 35] Future development should migrate to these new packages.
  • Recommendation: Update your Plain webhook target to the '2024-09-18' version. Plan a migration to the new @team-plain/* packages to avoid using a deprecated SDK.

ai from 4.3.19 to 5.0.0

  • Risk: HIGH
  • Breaking Change: This major upgrade introduces significant breaking changes to the API and data model. The message object structure has been redesigned, deprecating the content field in favor of a parts array. [23] Several API parameters have been renamed or removed, such as maxTokens becoming maxOutputTokens in streamText. [17]
  • Migration: The data schema for messages has changed, impacting how they are stored and retrieved. [23] Vercel provides codemods to assist with the migration, but manual verification is required. [17, 34]
  • Recommendation: Allocate time for a careful migration. Use the official migration guides and codemods to update your code to the new API and data structures.

remix-auth from 3.6.0 to 4.0.0

  • Risk: HIGH
  • Breaking Change: Version 4.0.0 simplifies the library and removes the dependency on React Router, but introduces breaking changes in strategy implementation. [31] Strategies may no longer automatically fetch the user profile after authentication; they now primarily return tokens, making it the developer's responsibility to fetch profile data. [11]
  • Recommendation: Review your authentication strategies. You will likely need to add logic to fetch user profiles manually after the

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@coderabbitai (Bot) commented May 22, 2026

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9e73b3da-8e10-4369-997b-032caf2663b1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch snyk-fix-8c58e62ad88f6a1f1a1baff87272bb3f

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.


@gemini-code-assist (Bot) left a comment

Code Review

This pull request updates several dependencies in apps/webapp/package.json, including major version bumps for remix-auth, ai, and @team-plain/typescript-sdk. The review identifies critical compatibility issues: the remix-auth v4 upgrade requires corresponding updates to its strategy packages (email-link, github, and google) to prevent runtime errors, and the @opentelemetry/sdk-node update should be synchronized with other core OpenTelemetry packages to avoid version mismatches and potential runtime instability.

Comment thread apps/webapp/package.json
"recharts": "^2.15.2",
"regression": "^2.0.1",
"remix-auth": "^3.6.0",
"remix-auth": "^4.0.0",
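Review bot: the remix-auth-* strategy packages that this same manifest depends on (remix-auth-email-link, remix-auth-github, remix-auth-google, as the comment below on this thread notes) are not bumped alongside this ^4.0.0 change, so the v3-era strategies will load against a v4 core and break authentication at runtime; bump them to releases that target remix-auth v4 in the same commit. The PR description also says pnpm-lock.yaml could not be updated, so until the lockfile is regenerated with `pnpm install` and committed, installs that honour the lockfile will not actually pick up 4.0.0 and CI results will not reflect this change.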


critical

Upgrading remix-auth to ^4.0.0 is a major breaking change. The existing strategy packages listed in this file (remix-auth-email-link, remix-auth-github, and remix-auth-google) are designed for remix-auth v3 and are incompatible with the new v4 API. These strategies must also be upgraded to their compatible versions (e.g., remix-auth-github v2+) to prevent authentication logic from breaking at runtime.

Comment thread apps/webapp/package.json
"@opentelemetry/sdk-logs": "0.203.0",
"@opentelemetry/sdk-metrics": "2.0.1",
"@opentelemetry/sdk-node": "0.203.0",
"@opentelemetry/sdk-node": "0.217.0",
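Review bot: @opentelemetry/sdk-node at 0.217.0 sits next to @opentelemetry/sdk-logs at 0.203.0 in the context line above, which is a version skew inside the OpenTelemetry experimental 0.x line; bump sdk-logs and the other @opentelemetry packages still pinned at 0.203.0 in this file to the same 0.217.0 release in this hunk rather than moving sdk-node alone. After the lockfile is regenerated, `pnpm why @opentelemetry/core` is a quick way to confirm that only one copy of the shared core resolves, since duplicate copies are what produce the duplicate-global-state failures the review below describes.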


high

Upgrading @opentelemetry/sdk-node to 0.217.0 while leaving other core OpenTelemetry packages (such as @opentelemetry/api-logs, @opentelemetry/sdk-logs, and various exporters) at 0.203.0 creates a significant version mismatch. OpenTelemetry components are highly interdependent and should generally be kept at the same version level to avoid runtime issues like duplicate global state or incompatible internal types.
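The two findings in this review can be turned into a pre-merge check; the script below is an added example, not the project's code or any bot's output. It parses a package.json object, flags @opentelemetry/* packages on the experimental 0.x line that do not agree on a version, and lists remix-auth-* strategy packages whenever remix-auth itself is present so a reviewer can confirm they match its major. The sample manifest is constructed from the versions shown in the hunks above; the strategy versions are placeholders because the PR does not show them.

```javascript
// Added example (not the project's code): a pre-merge consistency check for a
// dependency-bump PR. It reports @opentelemetry/* packages on the experimental 0.x
// line that disagree on version, and remix-auth-* strategies to re-check when
// remix-auth itself is on a new major.
const semverOf = (range) => range.replace(/^[\^~>=<\s]+/, ""); // "^4.0.0" -> "4.0.0"
const majorOf = (range) => Number(semverOf(range).split(".")[0]);

function checkDependencyDrift(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  // OpenTelemetry JS releases its 0.x (experimental) packages in lockstep, so a
  // spread of versions inside that group is a skew worth flagging.
  const otel = Object.entries(deps).filter(
    ([name, range]) => name.startsWith("@opentelemetry/") && majorOf(range) === 0
  );
  if (new Set(otel.map(([, range]) => semverOf(range))).size > 1) {
    findings.push({
      rule: "otel-version-skew",
      detail: otel.map(([name, range]) => `${name}@${semverOf(range)}`),
    });
  }
  // Each remix-auth-* strategy targets one remix-auth major; list them whenever
  // the core package is present so the reviewer can confirm they match.
  if (deps["remix-auth"]) {
    const strategies = Object.keys(deps).filter((n) => n.startsWith("remix-auth-"));
    if (strategies.length > 0) {
      findings.push({ rule: "remix-auth-strategies", coreMajor: majorOf(deps["remix-auth"]), detail: strategies });
    }
  }
  return findings;
}

// Constructed manifest: @opentelemetry and remix-auth versions are the ones shown in
// the hunks above; the strategy versions are placeholders (the PR does not show them).
const sampleManifest = {
  dependencies: {
    "@opentelemetry/sdk-logs": "0.203.0",
    "@opentelemetry/sdk-metrics": "2.0.1",
    "@opentelemetry/sdk-node": "0.217.0",
    "remix-auth": "^4.0.0",
    "remix-auth-github": "PLACEHOLDER-VERSION",
    "remix-auth-google": "PLACEHOLDER-VERSION",
  },
};

console.log(JSON.stringify(checkDependencyDrift(sampleManifest), null, 2));
```

Stable 2.x packages such as @opentelemetry/sdk-metrics are deliberately left out of the skew check, since OpenTelemetry JS versions its stable and experimental lines separately.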

@kilo-code-bot (Bot) commented May 22, 2026

Kilo Code Review could not run — your account is out of credits.

Add credits or switch to a free model to enable reviews on this change.
