
chore(deps): Upgrade vulnerable dependencies#872

Merged
kingston merged 16 commits into
mainfrom
kingston/upgrade-vulnerable-dependencies
Apr 1, 2026

Conversation

kingston (Collaborator) commented Mar 31, 2026

Summary

  • Upgrade multiple dependencies with known vulnerabilities: Prisma (7.5.0 → 7.6.0), Fastify (5.8.1 → 5.8.4), AWS SDK (3.995.0 → 3.1020.0), and several transitive deps (yaml, picomatch, brace-expansion, react-diff-viewer-continued)
  • Update version constants in fastify-generators and plugin-storage to match upgraded versions
  • Sync example project lockfiles and run pnpm dedupe

Details

  • packages/fastify-generators: Bump fastify (5.8.1 → 5.8.4), prisma/client/adapter-pg (7.5.0 → 7.6.0), @pothos/plugin-prisma (4.14.1 → 4.14.2)
  • plugins/plugin-storage: Bump all @aws-sdk packages (3.995.0 → 3.1020.0)
  • packages/: Bump yaml, picomatch, brace-expansion, react-diff-viewer-continued across code-morph, core-generators, sync, ui-components, project-builder-cli, project-builder-server
  • examples/: Update blog-with-auth and todo-with-better-auth lockfiles with upgraded versions

Summary by CodeRabbit

  • Chores

    • Bumped multiple dependencies: AWS S3 SDKs, Fastify, Prisma and related clients/adapters, Pothos plugin, YAML, and a diff-viewer library.
    • Updated pnpm/tooling version across repo and example projects (pnpm 10.32.x → 10.33.0).
    • Enabled workspace peer deduplication and updated example package engine constraints.
  • Documentation

    • Normalized a few internal skill metadata names and minor docs/frontmatter tweaks.

changeset-bot (Bot) commented Mar 31, 2026

🦋 Changeset detected

Latest commit: bcd1d3d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 24 packages (all Patch bumps):
  • @baseplate-dev/core-generators
  • @baseplate-dev/plugin-storage
  • @baseplate-dev/fastify-generators
  • @baseplate-dev/project-builder-server
  • @baseplate-dev/react-generators
  • @baseplate-dev/plugin-ai
  • @baseplate-dev/plugin-auth
  • @baseplate-dev/plugin-email
  • @baseplate-dev/plugin-observability
  • @baseplate-dev/plugin-payments
  • @baseplate-dev/plugin-queue
  • @baseplate-dev/plugin-rate-limit
  • @baseplate-dev/project-builder-common
  • @baseplate-dev/create-project
  • @baseplate-dev/project-builder-cli
  • @baseplate-dev/project-builder-dev
  • @baseplate-dev/project-builder-web
  • @baseplate-dev/project-builder-test
  • @baseplate-dev/code-morph
  • @baseplate-dev/project-builder-lib
  • @baseplate-dev/sync
  • @baseplate-dev/tools
  • @baseplate-dev/ui-components
  • @baseplate-dev/utils


coderabbitai (Bot) commented Mar 31, 2026

Walkthrough

Dependency and tooling bumps across the monorepo: AWS S3 SDKs to 3.1020.0, Fastify to 5.8.4, Prisma packages to 7.6.0, YAML to 2.8.3, pnpm to 10.33.0; Claude skill frontmatter renamed to kebab-case; runner environment handling adjusted to pass a controlled base env to child processes.

Changes

Cohort / File(s) / Summary:

  • Changesets
    Files: .changeset/upgrade-aws-sdk.md, .changeset/upgrade-fastify.md, .changeset/upgrade-prisma-7-6-0.md, .changeset/afraid-meals-talk.md
    Summary: Added changeset metadata entries describing package/version bumps (AWS SDK, Fastify, Prisma, pnpm).
  • Claude configs & skills
    Files: .claude/settings.json, .claude/skills/add-component/SKILL.md, .claude/skills/add-plugin/SKILL.md, .claude/skills/modify-generated-code/SKILL.md, .claude/skills/upgrade-package/SKILL.md
    Summary: Renamed skill frontmatter name fields to kebab-case, added argument-hint and pnpm usage to the upgrade-package skill, and granted permission for Bash(pnpm view *).
  • Storage package pins
    Files: plugins/plugin-storage/src/constants/storage-packages.ts
    Summary: Bumped pinned AWS S3 SDK packages (@aws-sdk/client-s3, @aws-sdk/lib-storage, @aws-sdk/s3-presigned-post, @aws-sdk/s3-request-presigner) from 3.995.0 → 3.1020.0.
  • Fastify & Prisma constants
    Files: packages/fastify-generators/src/constants/fastify-packages.ts
    Summary: Updated FASTIFY_PACKAGES version constants: fastify → 5.8.4, @pothos/plugin-prisma → 4.14.2, and Prisma packages → 7.6.0.
  • Example apps package.json
    Files: examples/blog-with-auth/.../package.json, examples/todo-with-better-auth/.../package.json
    Summary: Updated example backends and related manifests to match bumped Fastify, Prisma, Pothos and AWS SDK versions, and bumped engines.pnpm to ^10.33.0.
  • Workspace/manifests tooling pins
    Files: package.json (root), mise.toml, pnpm-workspace.yaml, packages/core-generators/src/constants/node.ts, various examples/*/package.json
    Summary: Bumped pnpm/tooling from 10.32.x → 10.33.0, added dedupePeers: true to pnpm-workspace.yaml, and updated the PNPM_VERSION constant.
  • Package dependency bumps
    Files: packages/code-morph/package.json, packages/core-generators/package.json, packages/sync/package.json, packages/ui-components/package.json, packages/fastify-generators/package.json, packages/project-builder-cli/package.json, packages/project-builder-server/package.json
    Summary: Minor dependency version updates: yaml → 2.8.3, react-diff-viewer-continued → 4.2.0, @prisma/internals → 7.6.0, fastify dev/prod pins → 5.8.4.
  • E2E runner environment
    Files: packages/project-builder-dev/src/e2e-runner/environment.ts
    Summary: Introduced PASSTHROUGH_ENV_VARS and getBaseEnv(); changed all child process invocations to use extendEnv: false and env: getBaseEnv() so spawned processes run with a controlled base environment.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks: 2 passed, 1 failed

Failed checks (1 warning):
  • Docstring Coverage (Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (2):
  • Description Check (Passed): Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check (Passed): The title 'chore(deps): Upgrade vulnerable dependencies' directly describes the main purpose of the PR: upgrading multiple dependencies with known vulnerabilities.


cloudflare-workers-and-pages (Bot): Deploying baseplate-storybook with Cloudflare Pages

Latest commit: b4ea38c
Status: ✅ Deploy successful!
Preview URL: https://49c730c7.baseplate-storybook.pages.dev
Branch Preview URL: https://kingston-upgrade-vulnerable.baseplate-storybook.pages.dev

socket-security (Bot) commented Mar 31, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High
Alert: Obfuscated code: npm @electric-sql/pglite is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: examples/todo-with-better-auth/pnpm-lock.yaml → npm/prisma@7.6.0 → npm/@electric-sql/pglite@0.4.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@electric-sql/pglite@0.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


kingston changed the title from "hore(deps): Upgrade vulnerable dependencies" to "chore(deps): Upgrade vulnerable dependencies" on Apr 1, 2026

coderabbitai (Bot) left a review comment

🧹 Nitpick comments (1)
packages/project-builder-dev/src/e2e-runner/environment.ts (1)

16-41: Consider adding TMPDIR to passthrough variables.

The list includes Windows temp directory variables (TMP, TEMP) but omits TMPDIR, which is the POSIX standard used by macOS and many Linux tools. Package managers, native module builds, and various tools rely on TMPDIR to locate the temporary directory.

Proposed fix
 const PASSTHROUGH_ENV_VARS = [
   // Essential for package management
   'HOME',
   'PATH',
   'NODE_OPTIONS',
   'COREPACK_HOME',
   'TMP',
   'TEMP',
+  'TMPDIR',
   'APPDATA',
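Review bot: the 'TMPDIR' addition is consistent with the allow-list, but the same list also forwards 'NODE_OPTIONS', which lets the parent environment change how every spawned Node process behaves (extra flags, preloaded modules), so with extendEnv: false the filtered environment is only as tight as that one entry; a short comment stating why NODE_OPTIONS must pass through, or dropping it if the e2e runner does not need it, would make the intent of the allow-list explicit.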

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f6347c8c-7af5-403a-81c7-d751210f8e9e

📥 Commits

Reviewing files that changed from the base of the PR and between b4ea38c and bcd1d3d.

⛔ Files ignored due to path filters (11)
  • examples/blog-with-auth/apps/admin/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/apps/backend/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/libs/transactional/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/apps/admin/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/apps/backend/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/apps/web/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • examples/todo-with-better-auth/libs/transactional/baseplate/generated/package.json is excluded by !**/generated/**, !**/generated/**
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • tests/simple/snapshots/root/diffs/pnpm-lock.yaml.diff is excluded by !tests/**
📒 Files selected for processing (15)
  • .changeset/afraid-meals-talk.md
  • examples/blog-with-auth/apps/admin/package.json
  • examples/blog-with-auth/apps/backend/package.json
  • examples/blog-with-auth/libs/transactional/package.json
  • examples/blog-with-auth/package.json
  • examples/todo-with-better-auth/apps/admin/package.json
  • examples/todo-with-better-auth/apps/backend/package.json
  • examples/todo-with-better-auth/apps/web/package.json
  • examples/todo-with-better-auth/libs/transactional/package.json
  • examples/todo-with-better-auth/package.json
  • mise.toml
  • package.json
  • packages/core-generators/src/constants/node.ts
  • packages/project-builder-dev/src/e2e-runner/environment.ts
  • pnpm-workspace.yaml
✅ Files skipped from review due to trivial changes (14)
  • examples/todo-with-better-auth/apps/web/package.json
  • pnpm-workspace.yaml
  • examples/todo-with-better-auth/libs/transactional/package.json
  • examples/blog-with-auth/apps/admin/package.json
  • examples/todo-with-better-auth/apps/admin/package.json
  • .changeset/afraid-meals-talk.md
  • mise.toml
  • examples/blog-with-auth/libs/transactional/package.json
  • packages/core-generators/src/constants/node.ts
  • examples/todo-with-better-auth/package.json
  • package.json
  • examples/blog-with-auth/apps/backend/package.json
  • examples/todo-with-better-auth/apps/backend/package.json
  • examples/blog-with-auth/package.json
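The controlled base environment described in the walkthrough above (PASSTHROUGH_ENV_VARS, getBaseEnv(), extendEnv: false) and the TMPDIR nitpick, illustrated as an added TypeScript example; this is not the project's code. The exact allow-list contents, the `extra` override parameter, `filteredKeys` and `runWithBaseEnv` are assumptions for illustration.

```typescript
import { spawnSync } from 'node:child_process';

// Allow-list of variables forwarded from the parent process. Mirrors the
// PR's approach (a controlled base env instead of inheriting everything);
// the list itself is an assumption and includes the TMPDIR entry the
// review suggested next to the Windows TMP/TEMP pair.
const PASSTHROUGH_ENV_VARS = [
  'HOME', 'PATH', 'NODE_OPTIONS', 'COREPACK_HOME',
  'TMP', 'TEMP', 'TMPDIR', 'APPDATA',
] as const;

type EnvSource = Record<string, string | undefined>;
type Env = Record<string, string>;

// Build the base environment for a child process from `source` (defaults to
// process.env). Only allow-listed keys are copied; unset or empty values are
// dropped so the child falls back to its own defaults. `extra` carries
// test-specific values and overrides passthrough ones (hypothetical parameter).
function getBaseEnv(source: EnvSource = process.env, extra: Env = {}): Env {
  const env: Env = {};
  for (const key of PASSTHROUGH_ENV_VARS) {
    const value = source[key];
    if (value !== undefined && value !== '') env[key] = value;
  }
  return { ...env, ...extra };
}

// Keys of `source` that will NOT reach the child. Handy in a test or debug
// log to confirm that credentials present on the CI host stay filtered.
function filteredKeys(source: EnvSource): string[] {
  const allowed = new Set<string>(PASSTHROUGH_ENV_VARS);
  return Object.keys(source).filter((k) => !allowed.has(k)).sort();
}

// Run a command with the controlled environment. Node's child_process does
// not merge `env` with process.env, so passing `env` alone is the equivalent
// of execa's `extendEnv: false` used in the PR.
function runWithBaseEnv(cmd: string, args: string[], extra: Env = {}) {
  return spawnSync(cmd, args, {
    env: getBaseEnv(process.env, extra),
    encoding: 'utf8',
  });
}
```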

@kingston kingston merged commit 2d39358 into main Apr 1, 2026
13 checks passed
@kingston kingston deleted the kingston/upgrade-vulnerable-dependencies branch April 1, 2026 08:29
@github-actions github-actions Bot mentioned this pull request Apr 1, 2026