Fix npm security vulnerabilities and upgrade dependencies

[dlukt]

Fix npm security vulnerabilities and upgrade dependencies

This PR addresses security vulnerabilities reported by npm audit and upgrades outdated dependencies.

Security Fixes

• valibot: ^0.35.0 → ^1.2.0 (fixes high severity ReDoS vulnerability in EMOJI_REGEX)
• vitest: ^1.6.0 → ^3.2.4 (fixes moderate esbuild/vite vulnerabilities)

Dependency Upgrades

Package	Before	After	Notes
cookie	^1.0.1	^1.1.1	Patch
is-network-error	^1.1.0	^1.3.0	Minor
jose	^5.2.2	^6.1.3	Major (API compatible)
lucia	^3.2.0	^3.2.2	Patch
@auth/core	^0.37.0	^0.41.1	Peer dep update
convex	^1.17.0	^1.30.0	Peer dep update
@types/inquirer	^9.0.7	^9.0.9	Patch
convex-test	^0.0.20	^0.0.41	Minor
inquirer	^9.2.22	^13.0.2	Major (API compatible)
typescript	^5.5.2	^5.9.3	Minor

Verification

• ✅ npm audit: 0 vulnerabilities
• ✅ npm run build: passes
• ✅ All 27 tests pass

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Summary by CodeRabbit

• Chores
  • Version bumped to 0.0.91.
  • Minimum Node engine requirement added.
  • Production and peer dependencies updated for compatibility and security.
  • Development dependencies upgraded (tooling, types, testing, and build infra).
  • No public API or exported declarations changed.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

@dlukt is attempting to deploy a commit to the Convex Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Walkthrough

Version bumped to 0.0.91 and multiple dependency updates applied across regular, peer, and dev dependencies in package.json (no code/API surface changes reported).

Changes

Cohort / File(s)	Change Summary
Package metadata package.json	Version 0.0.90 → 0.0.91; Regular deps: cookie 1.0.1 → 1.1.1, is-network-error 1.1.0 → 1.3.0, jose 5.2.2 → 6.1.3, lucia 3.2.0 → 3.2.2; Peer deps: @auth/core 0.37.0 → 0.41.1, convex 1.17.0 → 1.30.0; Dev deps: @types/inquirer 9.0.7 → 9.0.9, convex-test 0.0.20 → 0.0.41, inquirer 9.2.22 → 13.0.2, typescript 5.5.2 → 5.9.3, valibot 0.35.0 → 1.2.0, vitest 1.6.0 → 3.2.4. No exported/public API changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Check compatibility for valibot (major jump) and jose (major version) for any breaking API changes used elsewhere.
• Verify peer dependency upgrades (convex, @auth/core) against consumers.
• Confirm TypeScript toolchain upgrade (5.5 → 5.9) doesn't introduce build or type errors.

Poem

🐰 I nibbled versions, hopped the fence,
Bumped the numbers, made them tense.
Cookies crunched and jose did twirl,
Typescript danced, a shiny swirl.
Version 0.0.91—hop, celebrate and whirl! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main purpose of the changeset: addressing security vulnerabilities and upgrading dependencies, which aligns with the primary changes in package.json.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dlukt]

Both upgrades have been verified as compatible:

Valibot (0.35.0 → 1.2.0) ✅
Usage in codebase (
index.ts:502-520
):

const VariablesSchema = v.object({
  help: v.optional(v.string()),
  providers: v.array(v.object({ ... })),
  success: v.optional(v.string()),
});
const variables = v.parse(VariablesSchema, JSON.parse(json));

Breaking changes analysis:

• Main breaking change is the pipe API for chained validations

• This code uses only: v.object(), v.array(), v.string(), v.optional(), v.parse()

• These basic APIs are unchanged in v1.0
  Jose (5.2.2 → 6.1.3) ✅
  Usage in codebase:

• SignJWT, importPKCS8 - for token signing

• exportJWK, exportPKCS8, generateKeyPair - for key generation
  Breaking changes analysis:

• Dropped: Ed448/X448 algorithms, JWE compression, key_ops - not used

• Renamed: PEMImportOptions → KeyImportOptions - not used

• ES2022 target - compatible
  All APIs used in this codebase remain unchanged in jose v6.

Both upgrades are safe. The 27 passing tests validate this.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 90663b2 and aabf6c1.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json (4 hunks)

🔇 Additional comments (6)

package.json (6)

3-3: Version bump is appropriate for dependency updates.

The version bump from 0.0.90 to 0.0.91 correctly uses a patch increment for what appears to be dependency/infrastructure updates without API surface changes.

---

18-20: Verify node engine constraint compatibility.

A new engines constraint requiring node >=20.12.0 has been added. This is a breaking change for users on older Node versions and should be intentional. Confirm this aligns with:

• The minimum Node version required by updated dependencies (especially valibot 1.2.0, vitest 3.2.4, inquirer 13.0.2)
• Your project's support policy
• CI/CD environment configurations

---

114-114: Verify vitest v3 API compatibility and vulnerability fixes.

vitest underwent a major version bump (1.6.0 → 3.2.4) addressing moderate esbuild/vite vulnerabilities. Verify:

• The esbuild and vite vulnerabilities are indeed fixed in 3.2.4
• No breaking API changes for test execution or configuration
• Test environment setup (if any vitest config files exist) is still valid

The fact that all 27 tests pass is a strong positive signal.

If there are vitest config files (vitest.config.ts, vitest.config.js), confirm they are compatible with v3 syntax and APIs.

---

71-82: Patch and minor dependency updates are low-risk.

The remaining updates (cookie, is-network-error, lucia, @types/inquirer, convex-test, typescript) are patch or minor version bumps. These are typically backward-compatible. The PR verification (0 vulnerabilities, tests pass, build succeeds) confirms no issues were introduced.

---

106-106: inquirer v13 is API compatible with this codebase.

Verification of inquirer v13 breaking changes against the CLI code confirms compatibility:

• ESM-only requirement: Already satisfied. Code uses ESM import (import inquirer from "inquirer"), and package.json has "type": "module".
• Removed prompt types: The code only uses "confirm" and "input" prompt types, neither of which were removed. The deprecated "list" alias is not used.
• Removed cancel() method: No cancel() calls found in the codebase.
• Removed instructions config: Not used in any prompt configurations.
• Prompt return values: Simple and unchanged (boolean for confirm, string for input).

The PR's API compatibility claim is correct.

---

73-73: jose v6 upgrade is compatible with this codebase's usage.

While jose v6 does introduce breaking changes (algorithm removals, API renames, KeyObject→CryptoKey transitions), none affect the functions used here. The codebase only uses SignJWT, importPKCS8, generateKeyPair, exportPKCS8, and exportJWK with RS256—all supported and API-compatible in v6. No PEMImportOptions, removed algorithms (Ed448/X448/secp256k1/RSA1_5), or KeyObject-specific patterns are present. The package is already ESM-based, aligning with v6's ESM-forward design.

[timvahlbrock]

Related: Renovate is enabled, but not properly configured: #258