@renovate renovate bot commented Oct 6, 2025

This PR contains the following updates:

Package                  Change
@rollup/plugin-alias     ^5.1.1  -> ^6.0.0
@rollup/plugin-commonjs  ^28.0.8 -> ^29.0.0
openai                   5.23.2  -> 6.7.0
svelte-check             ^3.8.6  -> ^4.3.3
svelte-preprocess        ^5.1.4  -> ^6.0.3
tailwindcss              ^3.4.18 -> ^4.1.16

Release Notes

rollup/plugins (@rollup/plugin-alias)

v6.0.0

2025-10-28

Breaking Changes
  • feat!: ESM only. Update Node and Rollup minimum versions (#1926)

rollup/plugins (@rollup/plugin-commonjs)

v29.0.0

2025-10-30

v28.0.9

2025-10-24

Bugfixes
  • fix: handle node: builtins with strictRequires: auto (#1930)
openai/openai-node (openai)

v6.7.0

Full Changelog: v6.6.0...v6.7.0

v6.6.0

Full Changelog: v6.6.0...v6.7.0

v6.5.0

Full Changelog: v6.5.0...v6.6.0

Features
  • api: Add responses.input_tokens.count (520c8a9)
Bug Fixes
  • api: internal openapi updates (d4aaef9)

v6.4.0

Full Changelog: v6.4.0...v6.5.0

v6.3.0

Full Changelog: v6.3.0...v6.4.0

Features
  • api: Add support for gpt-4o-transcribe-diarize on audio/transcriptions endpoint (2d27392)

v6.2.0

Full Changelog: v6.2.0...v6.3.0

Features
  • api: comparison filter in/not in (1a733c6)
Chores
  • internal: use npm pack for build uploads (a532410)

v6.1.0

Full Changelog: v6.1.0...v6.2.0

Features
  • api: dev day 2025 launches (f2816db)
Chores
  • internal: codegen related update (b6f64b7)
  • jsdoc: fix @link annotations to refer only to parts of the package's public interface (73e465d)

v6.0.1

Full Changelog: v6.0.1...v6.1.0

Features
  • api: add support for realtime calls (5de9585)

v6.0.0

Full Changelog: v6.0.0...v6.0.1

Bug Fixes
  • api: add status, approval_request_id to MCP tool call (498c6a5)
sveltejs/language-tools (svelte-check)

v4.3.3

Patch Changes
  • fix: prevent file watcher issue (#2859)
  • fix: allow undefined and null values for #each in Svelte 5 (#2863)
  • perf: check if file content changed in tsconfig file watch (#2859)

v4.3.2

Patch Changes
  • perf: tweak some snapshot hot paths (#2852)
  • perf: more precise module cache invalidation (#2853)
  • fix: properly handle runes={false} in <svelte:options> (#2847)

See https://github.com/sveltejs/language-tools/releases

v4.3.1

  • fix: handle object literal in MustacheTag (#2805)

v4.3.0

  • feat: zero types for params (#2795)
  • feat: add await support (#2799)
  • fix: strip doctype using AST instead of regex (#2798)
  • chore: make human output more concise and readable (#2748)

v4.2.2

  • fix: invalidate project file cache and handle watcher race condition (#2779)
  • fix: prevent error with bind:this={get, set} (#2781)
  • fix: don't treat derived imported from svelte/store as a potential store (#2780)
  • fix: key block can have its own block scope (#2768)

v4.2.1

  • feat: support generics on snippets (#2761)

v4.2.0

  • feat: support attachments (#2760)
  • fix: deduplicate definition for rune-mode components (#2759)

v4.1.7

  • fix: robustify hoisting logic around prop types (#2740)
  • fix: ensure typed exports are marked as used (#2746)
  • chore: bump vscode-html/css-language-service (#2752)
  • fix: ensure eligible snippets can be referenced in module script (#2753)
  • fix: prevent error with unclosed tag followed by LF or end of file (#2750)

v4.1.6

  • fix: prevent unused variable error for bindable
  • fix: ensure exports in runes mode are marked as used
  • fix: add color CLI options

v4.1.5

  • fix: take other snippets into account when checking for hoistability (#2668)
  • fix: disambiguate render in module script (#2667)
  • fix: properly transform $props.id when $props is assigned to props (#2694)
  • fix: handle booleanish popover (#2702)
  • chore: bump vscode-html/css-language-service (#2677)
  • fix: use referenced project's compiler option to get resolution mode (#2676)

v4.1.4

  • fix: don't hoist types/snippets referencing stores or destructured variables (#2661)

v4.1.3

  • fix: move snippets to correct place when only module script present

v4.1.2

  • feat: support generics attribute for JSDoc (#2624)
  • fix: better snippet/interface hoistability analysis (#2655)
  • chore: TypeScript 5.7 support (#2585)

v4.1.1

  • fix: support each without as (#2615)

v4.1.0

  • fix: don't move appended content from previous node while hoisting interface (#2596)
  • fix: ensure hoisted interfaces are moved after hoisted imports (#2597)
  • fix: preserve bind:... mapping on elements for better source maps
  • feat: prepare for some upcoming features of Svelte 5

v4.0.9

  • fix: detect shadowed variables/types during type hoisting (#2590)

v4.0.8

  • fix: fall back to any instead of unknown for untyped $props (#2582)
  • fix: robustify and fix file writing (#2584)
  • fix: hoist types related to $props rune if possible (#2571)

v4.0.7

  • fix: $props: infer types for $bindable, infer function type from arrow function

v4.0.6

  • chore: autotype const load = ... declarations (#2540)
  • chore: provide component instance type in Svelte 5 (#2553)
  • chore: support typescript 5.6 (#2545)
  • fix: infer object and array shapes from fallback types (#2562)

v4.0.5

  • fix: include named exports in svelte 5 type (#2528)

v4.0.4

  • fix: relax component constructor type (#2524)

v4.0.3

  • breaking(svelte5): only generate function component shape in runes mode (#2517). This means you can no longer just do Component in type positions. Instead you need to prepend it with typeof. Here's how you do it:
    • ...when typing a component instance: Before: let x: Component. After: let x: ReturnType<typeof Component>
    • ...when typing a component constructor/function: Before: let x: typeof Component. After: let x: typeof Component (no change)
  • fix: revert additional two-way-binding checks as they were causing bugs (#2508)
  • fix: include files indirectly belonging to a project into correct project (#2488)
  • fix: check project files update more aggressively before assigning service (#2518)
  • chore: upgrade to chokidar 4 (#2502)

v4.0.2

  • fix: ensure components typed through Svelte 5's Component interface get proper intellisense

v4.0.1

  • fix: remove ancient process augmentation from internal d.ts file

v4.0.0

  • chore: bump magic-string (#2476)
  • chore: switch from fast-glob to fdir (#2433)
  • fix: detect <script module> tag (#2482)
  • feat: better type checking for bindings in Svelte 5 (#2477)
  • feat: replace svelte-preprocess with barebones TS preprocessor (#2452)
  • feat: project reference support (#2463)
Breaking changes
  • require Svelte 4 or later (#2453)
  • make TypeScript a peer dependency, require TS 5 or later (#2453)
  • require node 18 or later (#2453)
  • process augmentation (declaring a process.browser field) was removed
  • slight changes to how files are assigned to which tsconfig.json (#1234, #2463)
  • slight changes to how Svelte module resolution works; .svelte files now take precedence over .svelte.js/ts files (if both exist) (#2481)
  • language-server now forces fewer TypeScript options. Most notably skipLibCheck is no longer forced to true, which may result in d.ts files now being checked in your project, which they were not before, revealing type errors. Either fix those or add "skipLibCheck": true to your tsconfig.json (#1976, #2463)
sveltejs/svelte-preprocess (svelte-preprocess)

v6.0.3

v6.0.2

v6.0.1

v6.0.0

BREAKING CHANGES
  • remove TS mixed imports support, require TS 5.0 or higher
  • remove preserve option as it's unnecessary
  • require Svelte 4+, Node 18+
  • add exports map
Bug Fixes
  • adjust globalifySelector to not split selectors with parentheses. (#632) (c435ebd), closes #501
  • fix: allow TS filename to be undefined, fixes #488
  • fix: adjust Svelte compiler type import
  • fix: remove pug types and magic-string from dependencies
  • chore: bump peer deps, fixes #553

5.1.4 (2024-04-16)

5.1.3 (2023-12-18)

Bug Fixes
  • sass dependency list referencing source file in win32 (#621) (209312f)

5.1.2 (2023-12-12)

  • chore: mark postcss-load-config 5 as supported (3b5b1f0)

5.1.1 (2023-11-21)

Bug Fixes
  • force module(resolution) (66d3cf9)
tailwindlabs/tailwindcss (tailwindcss)

v4.1.16

Fixed
  • Discard candidates with an empty data type (#19172)
  • Fix canonicalization of arbitrary variants with attribute selectors (#19176)
  • Fix invalid colors due to nested & (#19184)
  • Improve canonicalization for & > :pseudo and & :pseudo arbitrary variants (#19178)

v4.1.15

Fixed
  • Fix Safari devtools rendering issue due to color-mix fallback (#19069)
  • Suppress Lightning CSS warnings about :deep, :slotted, and :global (#19094)
  • Fix resolving theme keys when starting with the name of another theme key in JS configs and plugins (#19097)
  • Allow named groups in combination with not-*, has-*, and in-* (#19100)
  • Prevent important utilities from affecting other utilities (#19110)
  • Don't index into strings with the theme(…) function (#19111)
  • Fix parsing issue when \t is used in at-rules (#19130)
  • Upgrade: Canonicalize utilities containing 0 values (#19095)
  • Upgrade: Migrate deprecated break-words to wrap-break-word (#19157)

v4.1.14

Fixed
  • Handle ' syntax in ClojureScript when extracting classes (#18888)
  • Handle @variant inside @custom-variant (#18885)
  • Merge suggestions when using @utility (#18900)
  • Ensure that file system watchers created when using the CLI are always cleaned up (#18905)
  • Do not generate grid-column utilities when configuring grid-column-start or grid-column-end (#18907)
  • Do not generate grid-row utilities when configuring grid-row-start or grid-row-end (#18907)
  • Prevent duplicate CSS when overwriting a static utility with a theme key (#18056)
  • Show Lightning CSS warnings (if any) when optimizing/minifying (#18918)
  • Use default export condition for @tailwindcss/vite (#18948)
  • Re-throw errors from PostCSS nodes (#18373)
  • Detect classes in markdown inline directives (#18967)
  • Ensure files with only @theme produce no output when built (#18979)
  • Support Maud templates when extracting classes (#18988)
  • Upgrade: Do not migrate variant = 'outline' during upgrades (#18922)
  • Upgrade: Show version mismatch (if any) when running upgrade tool (#19028)
  • Upgrade: Ensure first class inside className is migrated (#19031)
  • Upgrade: Migrate classes inside *ClassName and *Class attributes (#19031)

v4.1.13

Changed
  • Drop warning from browser build (#18731)
  • Drop exact duplicate declarations when emitting CSS (#18809)
Fixed
  • Don't transition visibility when using transition (#18795)
  • Discard matched variants with unknown named values (#18799)
  • Discard matched variants with non-string values (#18799)
  • Show suggestions for known matchVariant values (#18798)
  • Replace deprecated clip with clip-path in sr-only (#18769)
  • Hide internal fields from completions in matchUtilities (#18820)
  • Ignore .vercel folders by default (can be overridden by @source … rules) (#18855)
  • Consider variants starting with @- to be invalid (e.g. @-2xl:flex) (#18869)
  • Do not allow custom variants to start or end with a - or _ (#18867, #18872)
  • Upgrade: Migrate aria theme keys to @custom-variant (#18815)
  • Upgrade: Migrate data theme keys to @custom-variant (#18816)
  • Upgrade: Migrate supports theme keys to @custom-variant (#18817)

v4.1.12

Fixed
  • Don't consider the global important state in @apply (#18404)
  • Add missing suggestions for flex-<number> utilities (#18642)
  • Fix trailing ) from interfering with extraction in Clojure keywords (#18345)
  • Detect classes inside Elixir charlist, word list, and string sigils (#18432)
  • Track source locations through @plugin and @config (#18345)
  • Allow boolean values of process.env.DEBUG in @tailwindcss/node (#18485)
  • Ignore consecutive semicolons in the CSS parser (#18532)
  • Center the dropdown icon added to an input with a paired datalist by default (#18511)
  • Extract candidates in Slang templates (#18565)
  • Improve error messages when encountering invalid functional utility names (#18568)
  • Discard CSS AST objects with false or undefined properties (#18571)
  • Allow users to disable URL rebasing in @tailwindcss/postcss via transformAssetUrls: false (#18321)
  • Fix false-positive migrations in addEventListener and JavaScript variable names (#18718)
  • Fix Standalone CLI showing default Bun help when run via symlink on Windows (#18723)
  • Read from --border-color-* theme keys in divide-* utilities for backwards compatibility (#18704)
  • Don't scan .hdr and .exr files for classes by default (#18734)

v4.1.11

Fixed
  • Add heuristic to skip candidate migrations inside emit(…) (#18330)
  • Extract candidates with variants in Clojure/ClojureScript keywords (#18338)
  • Document --watch=always in the CLI's usage (#18337)
  • Add support for Vite 7 to @tailwindcss/vite (#18384)

v4.1.10

Fixed
  • Fix incorrectly generated CSS when using percentages in arbitrary values with calc (e.g. w-[calc(100%-var(--offset))]) (#18289)

v4.1.9

Fixed
  • Correctly parse custom properties with strings containing semicolons (#18251)
  • Upgrade: Migrate arbitrary modifiers without percentage signs to bare values (e.g. /[0.16] to /16) (#18184)
  • Upgrade: Migrate CSS variable shorthands where fallback value contains function call (#18184)
  • Upgrade: Migrate negative arbitrary values to negative bare values (e.g. mb-[-32rem] to -mb-128) (#18212)
  • Upgrade: Do not migrate blur in wire:model.blur (#18216)
  • Don't add spaces around CSS dashed idents when formatting math expressions (#18220)

v4.1.8

Added
  • Improve error messages when @apply fails (#18059)
Fixed
  • Upgrade: Do not migrate declarations that look like candidates in <style> blocks (#18057, 18068)
  • Upgrade: Don't error when looking for tailwindcss in pnpm monorepos (#18065)
  • Upgrade: Don't error when updating dependencies in pnpm monorepos (#18065)
  • Upgrade: Migrate deprecated order-none to order-0 (#18126)
  • Support Leptos class: attributes when extracting classes (#18093)
  • Fix "Cannot read properties of undefined" crash on malformed arbitrary value (#18133)
  • Upgrade: Migrate -mt-[0px] to mt-[0px] instead of the other way around (#18154)
  • Fix Haml pre-processing crash when there is no \n at the end of the file (#18155)
  • Ignore .pnpm-store folders by default (can be overridden by @source … rules) (#18163)
  • Fix PostCSS crash when calling toJSON() (#18083)

v4.1.7

Added
  • Upgrade: Migrate bare values to named values (#18000)
  • Upgrade: Added cache to improve template migration performance (#18025)
Fixed
  • Allow _ before numbers during candidate extraction (#17961)
  • Prevent duplicate suggestions when using @theme and @utility together (#17675)
  • Ensure that media queries within ::before and ::after pseudo selectors create valid CSS rules in production builds (#17979)
  • Ensure that the standalone CLI does not leave temporary files behind (#17981)
  • Ensure -rotate-* utilities properly negate arbitrary values (#18014)
  • Ignore custom variants using :merge(…) selectors in legacy JS plugins (#18020)
  • Ensure classes containing . are properly extracted from Clojure files (#18038)
  • Upgrade: Fix error when using @import … source(…) (#17963)
  • Upgrade: Change casing of utilities with named values to kebab-case to match updated theme variables (#18017)
  • Upgrade: Don't migrate strings that match utility names in Vue attribute bindings other than class (#18025)

v4.1.6

Added
  • Upgrade: Automatically convert arbitrary values to named values when possible (e.g. h-[1lh] to h-lh) (#17831, #17854)
  • Upgrade: Update dependencies in parallel for improved performance (#17898)
  • Add detailed logging about @source directives, discovered files and scanned files when using DEBUG=* (#17906, #17952)
  • Add support for generating source maps in development (#17775)
Fixed
  • Ensure negative arbitrary scale values generate negative values (#17831)
  • Fix HAML extraction with embedded Ruby (#17846)
  • Don't scan files for utilities when using @reference (#17836)
  • Fix incorrectly replacing _ with a space in arbitrary modifier shorthand bg-red-500/(--my_opacity) (#17889)
  • Don't scan .log files for classes by default (#17906)
  • Ensure that custom utilities applying other custom utilities don't swallow nested @apply rules (#17925)
  • Download platform specific package if optionalDependencies are skipped (#17929)

v4.1.5

Added
  • Support using @tailwindcss/upgrade to upgrade between versions of v4.* (#17717)
  • Add h-lh / min-h-lh / max-h-lh utilities (#17790)
  • Transition display, visibility, content-visibility, overlay, and pointer-events when using transition to simplify @starting-style usage (#17812)
Fixed
  • Don't scan .geojson or .db files for classes by default (#17700, #17711)
  • Hide default shadow suggestions when missing default shadow theme keys (#17743)
  • Replace _ with . in theme suggestions for @utility if surrounded by digits (#17733)
  • Skip color-mix(…) when opacity is 100% (#17815)
  • PostCSS: Ensure that errors in imported stylesheets are recoverable (#17754)
  • Upgrade: Bump all Tailwind CSS related dependencies during upgrade (#17763)
  • Upgrade: Don't add - to variants starting with @ (#17814)
  • Upgrade: Don't format stylesheets that didn't change when upgrading (#17824)
Changed
  • Ignore .hg, .svn, .venv, venv, .yarn, .next, .turbo, .parcel-cache, __pycache__, and .svelte-kit folders by default (can be overridden by @source … rules) (#17892)
  • @source rules that point inside .hg, .svn, .venv, venv, .yarn, .next, .turbo, .parcel-cache, __pycache__, and .svelte-kit folders no longer consider your .gitignore rules (#17892)

v4.1.4

Added
  • Add experimental @tailwindcss/oxide-wasm32-wasi target for running Tailwind in browser environments like StackBlitz (#17558)
Fixed
  • Ensure color-mix(…) polyfills do not cause used CSS variables to be removed (#17555)
  • Ensure color-mix(…) polyfills create fallbacks for theme variables that reference other theme variables (#17562)
  • Fix brace expansion in declining ranges like {10..0..5} and {0..10..-5} (#17591)
  • Work around a Chrome rendering bug when using the skew-* utilities (#17627)
  • Ensure container query variant names can contain hyphens (#17628)
  • Ensure shadow-inherit, inset-shadow-inherit, drop-shadow-inherit, and text-shadow-inherit inherit the shadow color (#17647)
  • Ensure compatibility with array tuples used in fontSize JS theme keys (#17630)
  • Ensure folders with binary file extensions in their names are scanned for utilities (#17595)
  • Upgrade: Convert fontSize array tuple syntax to CSS theme variables (#17630)

v4.1.3

Fixed
  • Show warning when using unsupported bare value data type in --value(…) (#17464)
  • PostCSS: Ensure changes to the input CSS file don't generate stale output when using Turbopack (#17554)
  • Ensure classes are detected in Ruby's %w syntax in Slim templates (#17557)

v4.1.2
Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner October 6, 2025 07:39
coderabbitai bot commented Oct 6, 2025

Walkthrough

This PR upgrades dependencies in the UI package. The OpenAI dependency is bumped from 5.23.2 to 6.5.0 in both the import map and package.json. Additional devDependencies are also updated: svelte-check, svelte-preprocess, and tailwindcss to newer minor and patch versions.

Changes

Cohort / File(s): UI package dependency updates
  packages/ui/import_map.json, packages/ui/package.json
Summary: Upgraded openai from 5.23.2 to 6.5.0; upgraded svelte-check from ^3.8.6 to ^4.3.3; upgraded svelte-preprocess from ^5.1.4 to ^6.0.3; upgraded tailwindcss from ^3.4.18 to ^4.1.14

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • ericglau
  • collins-w

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Title Check: ✅ Passed. The PR title "Update ui deps sync (major)" is directly related to the changeset, which consists of major version updates to four UI package dependencies (openai, svelte-check, svelte-preprocess, and tailwindcss). The title clearly conveys the primary change—updating UI dependencies to major versions—and would allow a teammate scanning the commit history to quickly understand the PR's purpose. While the term "sync" is somewhat informal compared to "update," the "(major)" notation effectively emphasizes the significant nature of these version bumps.

Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

Description Check: ✅ Passed. The PR description is directly related to the changeset. The description provides a comprehensive table of dependency version updates along with detailed release notes for each package. While there are minor discrepancies between some version numbers listed in the description (e.g., openai 6.7.0 vs actual 6.5.0, tailwindcss 4.1.16 vs actual 4.1.14) and the PR description mentions @rollup plugins that are not in the actual changeset, the core subject matter is clearly aligned. The description explicitly documents UI dependency updates, which matches the actual changes in packages/ui/package.json and packages/ui/import_map.json. Key packages like svelte-check and svelte-preprocess are accurately described with matching version transitions.

@renovate renovate bot force-pushed the renovate/major-ui-deps-sync branch 5 times, most recently from e49ac46 to 394311c Compare October 8, 2025 16:38
socket-security bot commented Oct 8, 2025

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action: Block | Severity: Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code implements a standard watchdog for child-process lifecycle management, aiming to prevent zombie processes when the parent exits. It is not inherently malicious, but reliability hinges on the correctness of the inline watchdog script and proper scoping of the PID. Potential improvements include addressing syntax reliability of the inline code, removing unnecessary no-op keepalive, and ensuring strict validation of the provided PID to mitigate accidental termination of unrelated processes.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected]

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Block | Severity: Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code is a standard Function.prototype.bind polyfill implementation. It carefully handles this binding, constructor behavior, and argument binding without introducing observable malicious behavior. The dynamic Function constructor is used as part of a legitimate polyfill technique and does not indicate an attack by itself in this context.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected]

Action: Block | Severity: Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code is a conventional, non-malicious implementation of a globbing helper with ignore pattern support. It reads inputs from configuration and filesystem state, and writes results to an internal cache/result set. There are no indicators of malware or exfiltration within this fragment.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected]

Action: Block | Severity: Low
[email protected] is an AI-detected potential code anomaly.

Notes: The analyzed Glob library fragment implements standard, non-malicious filesystem globbing with proper asynchronous flow, error handling, and event emissions. It presents typical patterns for matching paths and optionally resolving real paths. Security risk is low to moderate as with any filesystem enumeration utility; no malicious activity detected in this fragment.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected] > npm/[email protected]

Action: Block | Severity: Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code fragment is a conventional minimatch-like glob-to-regex translator and matcher. There is no evidence of malware, backdoors, or data leakage in this fragment. The primary risk is standard RegExp-based performance concerns with pathological inputs; otherwise, it is safe when used as part of trusted tooling. Recommend monitoring for pathological patterns and applying input validation or complexity limits in security-sensitive environments.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected] > npm/[email protected]

Block Low
[email protected] is a AI-detected potential code anomaly.

Notes: The code is a straightforward and correct PBKDF2 implementation using HMAC with support for multiple digests and standard input handling. No malicious behavior detected. Security risk mainly derives from correct usage (encodings, salt handling, and proper key length) and from the absence of explicit side-channel hardening within the function. Recommendations focus on careful integration and memory hygiene, and optional refinements for side-channel resilience in high-assurance contexts.

Confidence: 0.72

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: No direct malicious actions (network exfiltration, reverse shells, or hard-coded credentials) are present in this fragment. However, the module intentionally monkeypatches Node's module loader and VM APIs to transform and execute code at load time. Those capabilities are high-risk: if a malicious transformer/matcher is supplied (or if the package itself is replaced with a malicious version), it can inject arbitrary code into any loaded module, enabling supply-chain attacks, data theft, or backdoors. Reviewers should treat usage of this module as a high-privilege operation, ensure transformers are trusted, and limit hook usage to controlled environments.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code implements a cross-chain deposit flow with proper validations, artifact reads, and on-chain interactions. There is no evidence of hidden backdoors, data exfiltration, or malware. The main security considerations relate to token approval logic and correct configuration of flags to avoid granting excessive allowances. Overall, the module appears legitimate for a bridge deposit flow, with moderate risk primarily around configuration of approvals and correct handling of gas/fees.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json > npm/@nomicfoundation/[email protected] > npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
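
The first alert above closes with a recommendation to apply "input validation or complexity limits" to the glob-to-regex translator because the only real exposure is RegExp backtracking on pathological patterns. The following is an added example and is not code from this PR or from the picomatch package: a small minimatch-style translator that caps pattern length, wildcard count and subject length before anything is handed to the RegExp engine, which is the shape of guard a consumer of such a matcher can put in front of untrusted patterns. The values in LIMITS, the function names and the simplified treatment of "**" are assumptions chosen for illustration.

```javascript
// Added example: bounded glob-to-RegExp translation (not picomatch's own code).
// Limits are assumptions for illustration; size them to your own inputs.
const LIMITS = { maxPatternLength: 256, maxWildcards: 8, maxSubjectLength: 4096 };

// Translate a glob into an anchored RegExp, refusing patterns that exceed the
// limits. Each '*' or '?' becomes a bounded-backtracking class, so the worst
// case is polynomial in the subject with a degree capped by maxWildcards.
function globToRegExp(pattern, limits = LIMITS) {
  if (typeof pattern !== 'string') throw new TypeError('pattern must be a string');
  if (pattern.length > limits.maxPatternLength) {
    throw new RangeError(`pattern longer than ${limits.maxPatternLength} characters`);
  }
  let wildcards = 0;
  let re = '^';
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '*') {
      wildcards++;
      if (pattern[i + 1] === '*') {
        re += '.*';          // '**' crosses path separators (simplified: any position)
        i++;
      } else {
        re += '[^/]*';       // '*' stays within one path segment
      }
    } else if (ch === '?') {
      wildcards++;
      re += '[^/]';          // exactly one non-separator character
    } else {
      // Everything else is literal; escape RegExp metacharacters.
      re += ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    }
    if (wildcards > limits.maxWildcards) {
      throw new RangeError(`more than ${limits.maxWildcards} wildcards in pattern`);
    }
  }
  return new RegExp(re + '$');
}

// Match a subject against a pattern; over-long subjects are rejected outright
// rather than fed to the regex.
function globMatch(pattern, subject, limits = LIMITS) {
  if (typeof subject !== 'string' || subject.length > limits.maxSubjectLength) return false;
  return globToRegExp(pattern, limits).test(subject);
}

// For callers that want a yes/no answer instead of an exception.
function isAcceptablePattern(pattern, limits = LIMITS) {
  try {
    globToRegExp(pattern, limits);
    return true;
  } catch {
    return false;
  }
}

module.exports = { LIMITS, globToRegExp, globMatch, isAcceptablePattern };
```

The wildcard cap is the part that matters: a pattern such as `*a*a*a*a*a*a*a*a*a*` is rejected before it can become a regex whose backtracking grows with the number of stars, while ordinary build patterns like `src/**/*.js` pass untouched.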
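
The pbkdf2 alert above says the residual risk sits with the caller: encodings, salt handling and key length. As an added example that is not part of this PR or of the pbkdf2 package, the following shows the calling pattern a reviewer would look for on the consumer side, using Node's built-in crypto.pbkdf2Sync rather than the userland package: a fresh random salt per password, explicit UTF-8 encoding of the password, a self-describing stored record, a digest allowlist, and a constant-time comparison on verification. The parameter values in PBKDF2, the MIN_ITERATIONS floor and the record format are assumptions for illustration.

```javascript
// Added example: defensive PBKDF2 usage with Node's crypto module
// (not the pbkdf2 npm package and not code from this repository).
const crypto = require('node:crypto');

// Assumed policy values; size iterations to the hardware budget of the service.
const PBKDF2 = { digest: 'sha256', iterations: 600000, keyLength: 32, saltLength: 16 };
const ALLOWED_DIGESTS = new Set(['sha256', 'sha512']);
const MIN_ITERATIONS = 10000;

// Returns a record "pbkdf2$<digest>$<iterations>$<salt b64>$<key b64>" so that
// verification never has to guess parameters, and binary parts carry an explicit encoding.
function hashPassword(password, params = PBKDF2) {
  if (typeof password !== 'string' || password.length === 0) {
    throw new TypeError('password must be a non-empty string');
  }
  if (!ALLOWED_DIGESTS.has(params.digest)) throw new RangeError(`digest ${params.digest} not allowed`);
  if (params.iterations < MIN_ITERATIONS) throw new RangeError('iteration count below policy floor');
  const salt = crypto.randomBytes(params.saltLength);          // per-password random salt
  const key = crypto.pbkdf2Sync(
    Buffer.from(password, 'utf8'),                             // encoding stated, not implied
    salt, params.iterations, params.keyLength, params.digest);
  return ['pbkdf2', params.digest, String(params.iterations),
    salt.toString('base64'), key.toString('base64')].join('$');
}

// Parses and validates a stored record; returns null on anything malformed
// instead of letting bad parameters reach the KDF.
function parseRecord(stored) {
  if (typeof stored !== 'string') return null;
  const parts = stored.split('$');
  if (parts.length !== 5 || parts[0] !== 'pbkdf2') return null;
  const [, digest, iterStr, saltB64, keyB64] = parts;
  const iterations = Number(iterStr);
  if (!ALLOWED_DIGESTS.has(digest) || !Number.isInteger(iterations) || iterations < 1) return null;
  const salt = Buffer.from(saltB64, 'base64');
  const key = Buffer.from(keyB64, 'base64');
  if (salt.length === 0 || key.length === 0) return null;
  return { digest, iterations, salt, key };
}

// Re-derives with the stored parameters and compares in constant time.
function verifyPassword(password, stored) {
  const rec = parseRecord(stored);
  if (rec === null || typeof password !== 'string') return false;
  const actual = crypto.pbkdf2Sync(
    Buffer.from(password, 'utf8'), rec.salt, rec.iterations, rec.key.length, rec.digest);
  return crypto.timingSafeEqual(actual, rec.key);
}

// True when a record is weaker than the current policy and should be
// re-hashed after the next successful verification.
function needsRehash(stored, params = PBKDF2) {
  const rec = parseRecord(stored);
  if (rec === null) return true;
  return rec.digest !== params.digest
    || rec.iterations < params.iterations
    || rec.key.length < params.keyLength;
}

module.exports = { PBKDF2, hashPassword, verifyPassword, needsRehash };
```

The record format makes parameter upgrades routine: needsRehash flags anything derived under an older policy, and verifyPassword never trusts a digest name or iteration count from storage that the allowlist does not cover.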

@renovate renovate bot force-pushed the renovate/major-ui-deps-sync branch 7 times, most recently from ab19736 to e5f0fb6 Compare October 15, 2025 13:35
@renovate renovate bot force-pushed the renovate/major-ui-deps-sync branch 3 times, most recently from 2f3fb12 to 9c27729 Compare October 17, 2025 20:04
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/ui/package.json (1)

15-45: Critical: Tailwind v4 migration incomplete—build will fail due to missing configuration updates.

The upgrade to Tailwind v4 requires configuration and CSS syntax changes that are not present in this PR:

  1. Missing required dependency: @tailwindcss/postcss not in package.json. Tailwind v4 moved the PostCSS plugin to a separate package; your postcss.config.js requires 'tailwindcss' which no longer exists as a plugin.

  2. Outdated CSS directives:

    • packages/ui/src/common/styles/global.css: Change @tailwind utilities; to @import "tailwindcss";
    • packages/ui/src/common/styles/standalone.css: Likely needs same update
  3. Incompatible preprocessor config: packages/ui/svelte.config.js has postcss: true which will fail when PostCSS can't load the tailwindcss plugin.

Required changes before merge:

  • Add "@tailwindcss/postcss": "next" to devDependencies (or use CSS-first approach by removing postcss config entirely)
  • Update all CSS files from @tailwind directives to @import "tailwindcss"
  • Run npm run build and npm run validate to verify the build succeeds
  • Confirm svelte-check passes with Svelte v3.55.0 + svelte-check v4.3.3

The OpenAI SDK upgrade (v5.23.2→6.5.0) appears compatible with your usage patterns.

🧹 Nitpick comments (1)
packages/ui/package.json (1)

29-29: Consider using a caret range for OpenAI to allow patch/minor updates.

The version is pinned to an exact semver (6.5.0) rather than using a caret range (^6.5.0). While pinning prevents accidental upgrades, it also blocks security patches and minor updates. Most projects use caret ranges for npm dependencies to balance safety and flexibility. If exact pinning is intentional, please document the rationale.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8073313 and 9c27729.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • packages/ui/import_map.json (1 hunks)
  • packages/ui/package.json (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: boostsecurity - boostsecurityio/semgrep-pro
  • GitHub Check: check
  • GitHub Check: build (cairo, default)
  • GitHub Check: build (solidity, default)
  • GitHub Check: build (stellar, default)
  • GitHub Check: build (stellar, compile)
  • GitHub Check: build (stylus, default)
  • GitHub Check: format-lint
  • GitHub Check: mcp
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (2)
packages/ui/import_map.json (1)

4-4: Verify OpenAI SDK v6 compatibility—significant API migration required.

The OpenAI SDK v6 migrated from node-fetch to builtin fetch, which represents a breaking change. Before merging, you must verify that:

  1. All application code consuming the OpenAI SDK has been updated to work with v6's API (e.g., method signatures, response shapes)
  2. The application builds successfully with the new version
  3. Existing tests pass with v6

Since the PR context shows no code changes related to OpenAI usage, there's a risk that dependent code is incompatible with v6.

packages/ui/package.json (1)

39-40: Verify Svelte ecosystem upgrade—ensure build tools meet minimum requirements.

Svelte 4 is mainly a maintenance release that increases the minimum version requirements, with Node.js 16 now the minimum version and TypeScript 5+ recommended. The package.json shows TypeScript ^5.9.3 (line 44), which satisfies requirements.

However, verify that:

  1. The application builds successfully with svelte-check ^4.3.3
  2. If using SvelteKit, it's version 1.20.4 or newer (check if applicable)
  3. The validate script at line 12 (svelte-check) runs without errors

"tailwindcss": "^3.4.18",
"svelte-check": "^4.3.3",
"svelte-preprocess": "^6.0.3",
"tailwindcss": "^4.1.14",
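Review bot: the last line takes tailwindcss from ^3.4.18 to ^4.1.14, a major-version change that this hunk does not pair with the edits v4 needs, so on its own it leaves the CSS pipeline broken: the review comments on this PR point out that v4 moved the PostCSS plugin to @tailwindcss/postcss and replaced the @tailwind directives with @import "tailwindcss", and neither the PostCSS config nor packages/ui/src/common/styles/global.css is touched here. Those changes should land in the same PR, and the validate script (svelte-check) should be run against the Svelte version the project pins (the comment above cites v3.55.0) before the svelte-check ^4.3.3 and svelte-preprocess ^6.0.3 bumps on the two lines above are trusted.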

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

⚠️ Tailwind CSS v4 requires significant configuration and CSS file updates—verify migration is complete.

Tailwind CSS v4.0 is a major version with necessary updates required from v3 to v4. This update introduces breaking changes that are NOT evident in this PR:

  1. CSS imports: In v4 you import Tailwind using a regular CSS @import statement, not using the @tailwind directives
  2. Preprocessor incompatibility: Tailwind CSS v4.0 is not designed to be used with CSS preprocessors like Sass, Less, or Stylus, and it is not possible to use Sass for <style> blocks in Svelte
  3. Browser support: Tailwind CSS v4.0 is designed for Safari 16.4+, Chrome 111+, and Firefox 128+. If you need to support older browsers, stick with v3.4
  4. Configuration: CSS-first config replaces JavaScript-based tailwind.config.js

The PR shows no corresponding updates to CSS files, Tailwind config, or SCSS/Sass removal. The upgrade tool will handle most of these changes automatically, but there's no evidence it was used. Without these changes, the build will likely fail or styles will break.

Verify the following before merging:

  • All CSS files have been updated to use @import "tailwindcss" instead of @tailwind directives
  • tailwind.config.js has been updated to CSS-first format (or removed if no custom config needed)
  • Any SCSS/Sass files have been converted to plain CSS or removed
  • The build completes successfully and styles render correctly

Run the following verification script:


🏁 Script executed:

#!/bin/bash
# Find and list Tailwind-related config and CSS files

echo "=== Tailwind Config Files ==="
find . -name "tailwind.config.*" -o -name "tailwind.css" -o -name "global.css" | grep -v node_modules

echo ""
echo "=== SCSS/Sass Files (may be incompatible with Tailwind v4) ==="
find . -name "*.scss" -o -name "*.sass" | grep -v node_modules | head -20

echo ""
echo "=== CSS Files Mentioning @tailwind ==="
rg -t css "@tailwind" --no-heading

echo ""
echo "=== SVG/Vue/Svelte Files with Style Blocks Using @tailwind ==="
rg -t svelte -A2 "<style" | grep -A2 "@tailwind"

Length of output: 418


CSS files must be updated to use Tailwind v4 syntax—@tailwind directives are no longer supported.

In v4 you import Tailwind using a regular CSS @import statement, not using the @tailwind directives you used in v3. The PR updates tailwindcss to v4.1.14 but contains two CSS files that still use the deprecated v3 syntax:

  • packages/ui/src/standalone.css:@tailwind utilities;
  • packages/ui/src/common/styles/global.css:@tailwind utilities;

These files must be updated before this PR can be merged. Change @tailwind utilities; to @import "tailwindcss"; in both files.

Additional items to verify:

  • If tailwind.config.js contains custom configuration, it must be explicitly loaded with @config "../../tailwind.config.js"; at the top of your CSS file (or migrated to CSS-first format using @theme)
  • Ensure tailwind.config.js is no longer auto-detected in v4 and add the @config directive if needed
  • If any .svelte, .vue, or other component files use <style> blocks with Tailwind, verify they reference the updated CSS or use the new v4 syntax
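
Both CodeRabbit comments list the same mechanical changes for the Tailwind v4 bump: replace the @tailwind directives with a single @import "tailwindcss";, add an @config directive when a JavaScript tailwind.config.js is kept, and point PostCSS at @tailwindcss/postcss instead of tailwindcss. As an added example, not code from this repository or from Tailwind, the following JavaScript applies those rewrites to CSS text and to a PostCSS plugin map, and reports which lines still carry the v3 directives so a migration can be checked in CI. The function names, the sample CSS, and placing @config immediately after the import line are assumptions.

```javascript
// Added example: Tailwind v3 -> v4 source migration helpers
// (not part of this repository and not Tailwind's own upgrade tool).

// A v3 layer directive on its own line, e.g. "@tailwind utilities;"
const LEGACY_DIRECTIVE = /^\s*@tailwind\s+(base|components|utilities|variants|screens)\s*;\s*$/;
// The v4 replacement, already present or not.
const IMPORT_LINE = /^\s*@import\s+["']tailwindcss["']\s*;/;
const CONFIG_LINE = /^\s*@config\s/;

// Lists every remaining v3 directive with its 1-based line number; an empty
// result is the condition a migration check should require before merge.
function findLegacyDirectives(cssText) {
  const found = [];
  cssText.split('\n').forEach((line, idx) => {
    const m = LEGACY_DIRECTIVE.exec(line);
    if (m) found.push({ line: idx + 1, layer: m[1] });
  });
  return found;
}

// Drops all @tailwind directives and emits one @import "tailwindcss"; where the
// first one stood. With options.configPath, an @config line follows the import
// (assumed placement) unless the file already has one. Idempotent on v4 input.
function migrateTailwindCss(cssText, options = {}) {
  const lines = cssText.split('\n');
  const hasImport = lines.some((l) => IMPORT_LINE.test(l));
  const hasConfig = lines.some((l) => CONFIG_LINE.test(l));
  const configLine = options.configPath && !hasConfig
    ? `@config "${options.configPath}";`
    : null;
  const out = [];
  let emitted = false;
  for (const line of lines) {
    if (LEGACY_DIRECTIVE.test(line)) {
      if (!emitted && !hasImport) {
        out.push('@import "tailwindcss";');
        if (configLine) out.push(configLine);
        emitted = true;
      }
      continue;                                   // every v3 directive is removed
    }
    out.push(line);
    if (IMPORT_LINE.test(line) && configLine && !emitted) {
      out.push(configLine);                        // file already on v4 but missing @config
      emitted = true;
    }
  }
  return out.join('\n');
}

// Renames the PostCSS plugin key: v4 ships the plugin as @tailwindcss/postcss.
function postcssPluginsForV4(plugins) {
  const out = {};
  for (const [name, opts] of Object.entries(plugins)) {
    out[name === 'tailwindcss' ? '@tailwindcss/postcss' : name] = opts;
  }
  return out;
}

// Constructed sample mirroring the files named in the review comments.
const SAMPLE_V3_CSS = '@tailwind base;\n@tailwind components;\n@tailwind utilities;\n.btn { color: red; }';

module.exports = { findLegacyDirectives, migrateTailwindCss, postcssPluginsForV4, SAMPLE_V3_CSS };
```

Running findLegacyDirectives over every CSS file under packages/ui and failing the build when the list is non-empty gives the "verify migration is complete" step a concrete check instead of a manual read-through.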

@renovate renovate bot force-pushed the renovate/major-ui-deps-sync branch 6 times, most recently from e3ed09e to 65753f3 Compare October 24, 2025 14:45
@renovate renovate bot force-pushed the renovate/major-ui-deps-sync branch 4 times, most recently from 9ef7c97 to 574305a Compare October 30, 2025 02:37
@renovate renovate bot force-pushed the renovate/major-ui-deps-sync branch from 574305a to 84def4e Compare October 30, 2025 12:52