chore: node and libs update

[hmbanan666]

Summary by CodeRabbit

• Chores
  • Upgraded Node.js runtime to 22.18.0 across CI and Docker images; updated local engine requirement to Node >=22.18.0.
  • Synchronized and bumped many build/runtime dependencies to newer minor/patch versions and removed one unused build tool from the workspace.
  • No user-facing feature changes; builds, tests, and deployments now run on updated tooling.

[coderabbitai]

Walkthrough

Node.js was bumped to 22.18.0 across CI, Docker base images, and package.json engines; the pnpm workspace also had multiple dependency minor/patch bumps and the removal of unbuild. No functional code or public API/export declarations were altered.

Changes

Cohort / File(s)	Summary
CI Workflow .github/workflows/ci.yml	Update Node setup from 22 → 22.18.0 (affects all CI steps).
Dockerfiles docker/web-app/Dockerfile, docker/web-parser/Dockerfile, docker/web-storefront/Dockerfile	Bump base images from `node:22.17.1-[alpine
Package Engines package.json	Update engines.node from >=22.17.1 → >=22.18.0.
Workspace Dependencies pnpm-workspace.yaml	Multiple dependency minor/patch version bumps (nuxt, openai, vite, eslint, libs, @types/node, VueUse, Unovis, etc.) and removal of unbuild: ^3.6.0; no API/export changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore: nuxt and node updated #40 — Also updates Node engine requirement to >=22.18.0 and includes related dependency/version bumps.

Poem

I hop through branches, nose a-twitch,
From .17 to .18 I stitch.
Images baked and CI tuned,
Dependencies lightly pruned.
Carrots ready — build resumed. 🥕🐇

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch updates

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​vitest/​coverage-v8@​3.2.4
	@​types/​pg@​8.15.5
	@​vueuse/​core@​13.7.0
	@​iconify-json/​simple-icons@​1.2.46 ⏵ 1.2.48				+1
	changelogen-monorepo@​0.5.0
	drizzle-cuid2@​2.1.0
	@​iconify-json/​circle-flags@​1.2.6 ⏵ 1.2.8				+9
	@​iconify-json/​fluent-emoji-flat@​1.2.3 ⏵ 1.2.5	+1			+9
	aws4fetch@​1.0.20
	@​iconify-json/​lucide@​1.2.61 ⏵ 1.2.62	+1		+1	+1
	@​vitest/​browser@​3.2.4
	@​types/​node@​24.3.0
	date-fns@​4.1.0
	@​vueuse/​nuxt@​13.7.0
	@​vueuse/​integrations@​13.7.0
	arktype@​2.1.20
	drizzle-orm@​0.44.4
	@​tailwindcss/​typography@​0.5.16
	@​nuxt/​image@​1.10.0 ⏵ 1.11.0			+1
	@​unovis/​vue@​1.6.0
	@​nuxtjs/​i18n@​10.0.3 ⏵ 10.0.5	+1
	dotenv@​17.2.1
	@​unovis/​ts@​1.6.0
	drizzle-kit@​0.31.4
	@​antfu/​eslint-config@​5.2.0 ⏵ 5.2.1	-4			-4
	@​nuxt/​ui@​3.3.0 ⏵ 3.3.2				+3
	@​openai/​agents@​0.0.13 ⏵ 0.0.17	+2		+1	+1

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

package.json (1)

12-12: Optional: enforce the Node version locally via toolfile.
Consider adding/updating a .nvmrc (or .tool-versions/Volta) to 22.18.0 so contributors automatically use the correct Node locally.

Would you like me to add a minimal .nvmrc update in this PR?

docker/web-parser/Dockerfile (1)

1-1: Optional: pin base image by digest to avoid tag drift.
To make builds fully reproducible, consider pinning the image with a sha256 digest (or use a centralized build arg/version management).

If you want, I can open a follow-up to add digest pinning or a shared ARG strategy across Dockerfiles.

.github/workflows/ci.yml (1)

37-41: Optional: make version resolution more robust.
You can add check-latest to ensure the exact patch is fetched, and/or reference a toolfile if you introduce .nvmrc.

Apply this small tweak:

       - name: Node
         uses: actions/setup-node@v4
         with:
-          node-version: 22.18.0
+          node-version: 22.18.0
+          check-latest: true
           cache: 'pnpm'

docker/web-storefront/Dockerfile (1)

1-1: Optional: centralize Node version across Dockerfiles.
To simplify future bumps, consider using a shared build arg (or a buildx bake file) so you only change the version once.

I can draft a bake.hcl or a small Makefile/CI matrix to centralize and validate all images together.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 87821c3 and cfc7e0d.

📒 Files selected for processing (5)

• .github/workflows/ci.yml (1 hunks)
• docker/web-app/Dockerfile (1 hunks)
• docker/web-parser/Dockerfile (1 hunks)
• docker/web-storefront/Dockerfile (1 hunks)
• package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

🔇 Additional comments (7)

package.json (2)

12-12: Engines bump to Node >=22.18.0 looks good and aligns with CI/Docker.
This keeps local dev aligned with runtime images and CI.

---

12-12: No stale Node version references found
All Node version tags have been updated to 22.18.0 and no older versions remain:

• docker/web-app/Dockerfile → node:22.18.0-alpine
• docker/web-parser/Dockerfile → node:22.18.0-slim
• docker/web-storefront/Dockerfile → node:22.18.0-alpine
• .github/workflows/ci.yml → node-version: 22.18.0
• package.json → "engines".node: ">=22.18.0"

No references to 22.17.* or other hard-coded Node tags were found in README or compose files.

docker/web-parser/Dockerfile (1)

1-1: Docker base bumped to node:22.18.0-slim — aligned with CI and engines.
Slim is a good choice here given Playwright deps are installed explicitly.

.github/workflows/ci.yml (2)

40-41: CI now uses Node 22.18.0 — good alignment.
Matches engines and Docker images.

---

3-19: Heads-up: Dockerfile-only changes won’t trigger this CI.
paths-ignore excludes docker/** for both push and PR events. If you intend CI to run when Dockerfiles change, you’ll need to adjust these filters or add a dedicated workflow for image builds.

Do you want CI to run when only Dockerfiles are updated? I can propose a minimal workflow to lint/build images on Dockerfile changes.

docker/web-storefront/Dockerfile (1)

1-1: Docker base bumped to node:22.18.0-alpine — consistent with the stack.
No other changes; build and runtime should remain identical.

docker/web-app/Dockerfile (1)

1-1: Docker base bumped to node:22.18.0-alpine — aligned with engines and CI.
Looks good.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Sanity check that the tag exists on Docker Hub.
If 22.18.0-slim isn’t published yet, builds will fail.

---

🌐 Web query:

Does the official Docker Hub "node" image provide tags "22.18.0-slim" and "22.18.0-alpine"?

💡 Result:

The official Docker Hub "node" image does not provide tags exactly named "22.18.0-slim" or "22.18.0-alpine", based on the most recent publicly available tags.

• The closest available "slim" tag is "22.18.0-bullseye-slim"[6]. The tag naming convention follows the pattern: node:<version>-<deb-based-release>-slim (e.g., node:22.18.0-bullseye-slim).
• For the Alpine variant, the available tags are in the form "22.18-alpine3.22" or "22.18-alpine3.21". There is no tag with the full patch version (22.18.0) together with the alpine variant (e.g., node:22.18-alpine3.22 exists, but not node:22.18.0-alpine) [8].

Summary Table:

Tag	Officially Available?
node:22.18.0-slim	No
node:22.18.0-bullseye-slim	Yes [6]
node:22.18.0-alpine	No
node:22.18-alpine3.22	Yes [8]
node:22.18-alpine3.21	Yes [8]

• No exact tag named node:22.18.0-slim or node:22.18.0-alpine.
• Use node:22.18.0-bullseye-slim for the "slim" variant and node:22.18-alpine3.22 (or .21) for the Alpine-based variant[6][8].

If you need to match tags exactly for automation or image pulls, use the exact forms above for correct results.

Citations:

• 1: https://docs.docker.com/reference/cli/docker/image/tag/
• 2: https://hub.docker.com/r/s390x/node/tags
• 3: https://labs.iximiuz.com/tutorials/how-to-choose-nodejs-container-image
• 4: https://hub.docker.com/r/arm32v7/node/tags
• 5: https://github.com/nodejs/docker-node
• 6: https://hub.docker.com/_/node/tags?page=1&name=slim
• 7: https://hub.docker.com/search?badges=official
• 8: https://hub.docker.com/_/node/tags?page=1&name=18-alpine
• 9: https://hub.docker.com/search?q=node
• 10: https://hub.docker.com/r/nikolaik/python-nodejs

---

Incorrect Docker image tag – update to an existing tag
The tag node:22.18.0-slim does not exist on Docker Hub and will cause CI/build failures. Please update to a valid, published tag.

• File: docker/web-parser/Dockerfile, Line 1
• Replace with the “bullseye-slim” variant or, if you need Alpine, with an alpine3.x tag.

Suggested diff:

-FROM node:22.18.0-slim AS base
+FROM node:22.18.0-bullseye-slim AS base

Alternative Alpine variants (if desired):

node:22.18-alpine3.22
node:22.18-alpine3.21

🤖 Prompt for AI Agents

In docker/web-parser/Dockerfile at line 1, the base image tag
"node:22.18.0-slim" does not exist and causes build failures; update the FROM
line to a valid tag such as "node:22.18-bullseye-slim" (or use an Alpine variant
like "node:22.18-alpine3.22" or "node:22.18-alpine3.21") so the Dockerfile uses
a published Node image.

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (1)

pnpm-workspace.yaml (1)

5-72: Ensure PNPM’s catalog feature is enabled and actually used

• The root package.json specifies packageManager: "pnpm@10.14.0", so catalog support (v9+) is available.
• No CI workflows (e.g. under .github/workflows/) reference pnpm or Corepack—please verify your CI setup runs Corepack (or actions/setup-node with corepack: true) so that pnpm@10.14.0 is used in CI.
• We found no occurrences of the catalog: protocol in any package.json, so the catalog block in pnpm-workspace.yaml isn’t being applied.

Mandatory refactor: update your dependency declarations to use the catalog: protocol. For example, in each package.json:

- "@antfu/eslint-config": "^5.2.1"
+ "@antfu/eslint-config": "catalog:@antfu/eslint-config"

🧹 Nitpick comments (2)

pnpm-workspace.yaml (2)

51-51: Avoid ‘latest’ in catalog to keep builds deterministic

nitropack: latest makes builds non-reproducible. Prefer a caret or exact version aligned with your lockfile and CI to reduce surprise upgrades.

If you want, I can scan the repo and propose a conservative pinned range based on the lockfile.

---

27-27: Align @types/node with your Node 22 runtime

I ran a scan across all package.json files and found no other @types/node declarations—this override in pnpm-workspace.yaml is the only one. To avoid picking up Node 24-only APIs, update it to match your Node 22.18.0 runtime:

 pnpm-workspace.yaml
 …
-  '@types/node': ^24.3.0
+  '@types/node': ^22.18.0

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between cfc7e0d and 0b4f0d0.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• pnpm-workspace.yaml (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

🔇 Additional comments (5)

pnpm-workspace.yaml (5)

5-72: Catalog bumps look coherent and consistent with the Node 22.18.0 update

Minor/patch upgrades across Nuxt, VueUse, Vite, ESLint, OpenAI, Unovis, etc. are generally safe, and the versions are internally consistent (e.g., all VueUse entries at 13.7.0). No red flags in the catalog itself.

---

5-72: 'unbuild' removal verified

• Only occurrences are in pnpm-lock.yaml (lockfile artifacts)
• No build scripts, config files, or CI workflows reference unbuild

Removal is complete.

---

5-72: Sanity check passed: engines.node and lockfile are in order

• Verified package.json at workspace root declares engines.node: >=22.18.0
• Confirmed presence of pnpm-lock.yaml

No further action required.

---

57-57: No deprecated OpenAI API usage found
A search through your code shows only standard instantiation of new OpenAI({…}), use of OpenAIChatCompletionsModel, and the agents’ Agent/run flow—no streaming flags, no response_format, and no other deprecated calls. The bump to openai@^5.12.2 can proceed.

---

67-67: Confirm Vite override aligns with Nuxt’s Vite requirement

Our scan shows:

• pnpm-workspace.yaml (lines 60–80) pins

  vite: ^7.1.2

• The only explicit vite entry across your packages is via catalog:vite in the root workspace.
• Nuxt is also consumed via catalog:nuxt in these packages:
  • @roll-stack/geo-vault
  • @roll-stack/web-app
  • @roll-stack/web-storefront
  • @roll-stack/ui

Please verify that the Nuxt version provided by your catalog accepts Vite ^7.1.2 (e.g. run

npm view nuxt@<your-catalog-version> peerDependencies.vite

or inspect its internal dependency).

If Nuxt’s own Vite requirement is lower or mismatched, remove or adjust this override. If you intentionally need Vite 7.x across your workspace, confirm no plugins break.