security: resolve high-severity dependency advisories

- Add pnpm overrides for transitive fixes (minimatch, cross-spawn, tar,
  undici, h3, devalue, path-to-regexp, rollup, etc.) and pin vite 6.4.1
- Upgrade Next examples and plugin devDeps to 15.2.9; Astro 5.15.8+;
  Rollup 4.59.x; lodash 4.18; @actions/core; lint-staged 16; changesets
- Align integration test apps; migrate astro-4 fixture to Astro 5 for
  patched advisory range; constrain Nuxt to ~3.16.2 to avoid vite 7 drift
- Fix vitest configs for @rollup/plugin-replace + Rollup 4.59 types;
  use import attributes `with` in bundle-analyzer vitest config
- Remove global glob@10 override (breaks @rollup/plugin-commonjs); audit
  remains clear of high severity

Made-with: Cursor

Author: thomasrockhu-codecov

examples/astro-5/package.json

@@ -14,7 +14,7 @@
     "@codecov/astro-plugin": "workspace:*",
     "@types/react": "^19.0.1",
     "@types/react-dom": "^19.0.2",
-    "astro": "^5.0.9",
+    "astro": "^5.15.8",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"
   }

examples/astro/package.json

@@ -11,14 +11,14 @@
   },
   "dependencies": {
     "@astrojs/check": "^0.9.4",
-    "@astrojs/node": "^8.3.4",
-    "@astrojs/react": "^3.6.3",
+    "@astrojs/node": "^9.0.0",
+    "@astrojs/react": "^4.1.1",
     "@codecov/astro-plugin": "workspace:*",
-    "@types/react": "^18.3.12",
-    "@types/react-dom": "^18.3.1",
-    "astro": "^4.16.18",
-    "react": "^18.3.1",
-    "react-dom": "^18.3.1",
+    "@types/react": "^19.0.1",
+    "@types/react-dom": "^19.0.2",
+    "astro": "^5.15.8",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
     "typescript": "^5.7.2"
   }
 }

examples/bundle-analyzer-cli/package.json

@@ -26,8 +26,8 @@
     "@rollup/plugin-commonjs": "^25.0.7",
     "@rollup/plugin-node-resolve": "^15.2.3",
     "npm-run-all": "^4.1.5",
-    "rollup": "^4.22.4",
-    "serve": "^14.2.1"
+    "rollup": "^4.59.1",
+    "serve": "^14.2.4"
   },
   "volta": {
     "extends": "../../package.json"

examples/next-js-15/package.json

@@ -9,7 +9,7 @@
     "lint": "next lint"
   },
   "dependencies": {
-    "next": "15.2.6",
+    "next": "15.2.9",
     "react": "19.0.0",
     "react-dom": "19.0.0"
   },

examples/next-js/package.json

@@ -9,18 +9,18 @@
     "lint": "next lint"
   },
   "dependencies": {
-    "next": "14.2.25",
-    "react": "^18.3.1",
-    "react-dom": "^18.3.1"
+    "next": "15.2.9",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0"
   },
   "devDependencies": {
     "@codecov/nextjs-webpack-plugin": "workspace:^",
     "@types/node": "^20.12.12",
-    "@types/react": "^18.3.3",
-    "@types/react-dom": "^18.3.0",
+    "@types/react": "^19",
+    "@types/react-dom": "^19",
     "autoprefixer": "^10.4.19",
     "eslint": "^8.56.0",
-    "eslint-config-next": "14.2.25",
+    "eslint-config-next": "15.2.9",
     "postcss": "^8.4.38",
     "tailwindcss": "^3.4.3",
     "typescript": "^5.4.5"

examples/nuxt/package.json

@@ -9,7 +9,7 @@
     "preview": "nuxt preview"
   },
   "dependencies": {
-    "nuxt": "^3.16.0",
+    "nuxt": "~3.16.2",
     "vue": "^3.5.13",
     "vue-router": "^4.5.0"
   },

examples/oidc/package.json

@@ -23,9 +23,9 @@
     "eslint": "^8.56.0",
     "eslint-plugin-react-hooks": "^4.6.0",
     "eslint-plugin-react-refresh": "^0.4.5",
-    "rollup": "^4.22.4",
+    "rollup": "^4.59.1",
     "typescript": "^5.3.3",
-    "vite": "6.3.5"
+    "vite": "6.4.1"
   },
   "volta": {
     "extends": "../../package.json"

examples/remix/package.json

@@ -11,16 +11,16 @@
     "typecheck": "tsc"
   },
   "dependencies": {
-    "@remix-run/node": "^2.17.2",
-    "@remix-run/react": "^2.17.2",
-    "@remix-run/serve": "^2.17.2",
+    "@remix-run/node": "^2.17.4",
+    "@remix-run/react": "^2.17.4",
+    "@remix-run/serve": "^2.17.4",
     "isbot": "^4.1.0",
     "react": "^18.2.0",
     "react-dom": "^18.2.0"
   },
   "devDependencies": {
     "@codecov/remix-vite-plugin": "workspace:^",
-    "@remix-run/dev": "^2.17.2",
+    "@remix-run/dev": "^2.17.4",
     "@types/react": "^18.2.20",
     "@types/react-dom": "^18.2.7",
     "@typescript-eslint/eslint-plugin": "^6.7.4",
@@ -35,7 +35,7 @@
     "postcss": "^8.4.38",
     "tailwindcss": "^3.4.4",
     "typescript": "^5.1.6",
-    "vite": "6.3.5",
+    "vite": "6.4.1",
     "vite-tsconfig-paths": "^4.2.1"
   },
   "engines": {

examples/rollup/package.json

@@ -17,8 +17,8 @@
     "@rollup/plugin-commonjs": "^25.0.7",
     "@rollup/plugin-node-resolve": "^15.2.3",
     "npm-run-all": "^4.1.5",
-    "rollup": "^4.22.4",
-    "serve": "^14.2.1"
+    "rollup": "^4.59.1",
+    "serve": "^14.2.4"
   },
   "volta": {
     "extends": "../../package.json"

examples/solidstart/package.json

@@ -12,7 +12,7 @@
     "@solidjs/meta": "^0.29.4",
     "@solidjs/router": "^0.14.1",
     "@solidjs/start": "^1.0.10",
-    "solid-js": "^1.8.18",
+    "solid-js": "^1.9.4",
     "vinxi": "^0.4.3",
     "vite-plugin-solid": "^2.11.0"
   },