chore(deps): update non-major dependencies by renovate[bot] · Pull Request #328 · deepnote/deepnote

renovate · 2026-03-02T01:35:48Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Type	Update	Pending
@ai-sdk/mcp (source)	`1.0.25` → `1.0.30`	dependencies	patch
@ai-sdk/openai (source)	`3.0.41` → `3.0.48`	dependencies	patch
@biomejs/biome (source)	`2.2.7` → `2.4.8`	devDependencies	minor	`2.4.9`
@inquirer/prompts (source)	`8.2.1` → `8.3.2`	dependencies	minor
@inquirer/testing (source)	`3.1.1` → `3.3.2`	devDependencies	minor
@jupyterlab/nbformat	`4.5.2` → `4.5.6`	dependencies	patch
@jupyterlab/services	`7.5.2` → `7.5.6`	dependencies	patch
@modelcontextprotocol/sdk (source)	`1.26.0` → `1.27.1`	dependencies	minor	`1.28.0`
@shikijs/cli (source)	`3.21.0` → `3.23.0`	dependencies	minor
@types/node (source)	`22.18.12` → `22.19.15`	devDependencies	minor
@vitest/coverage-v8 (source)	`4.0.5` → `4.1.1`	devDependencies	minor
ai (source)	`6.0.116` → `6.0.138`	dependencies	patch
cleye	`2.0.0` → `2.3.0`	dependencies	minor
commander	`14.0.2` → `14.0.3`	dependencies	patch
cspell (source)	`9.2.2` → `9.7.0`	devDependencies	minor
diff	`8.0.3` → `8.0.4`	dependencies	patch
dotenv	`17.2.3` → `17.3.1`	dependencies	minor
lint-staged	`16.2.5` → `16.4.0`	devDependencies	minor
node (source)	`22.21.0` → `22.22.2`		minor
ora	`9.0.0` → `9.3.0`	dependencies	minor
pnpm (source)	`10.19.0` → `10.33.0`	packageManager	minor
prettier (source)	`3.6.2` → `3.8.1`	devDependencies	minor
sort-package-json	`3.4.0` → `3.6.1`	devDependencies	minor
tsdown (source)	`0.15.9` → `0.21.4`	devDependencies	minor	`0.21.5`
tsx (source)	`4.20.6` → `4.21.0`	devDependencies	minor
vite-tsconfig-paths	`6.0.3` → `6.1.1`	devDependencies	minor
vitest (source)	`4.0.5` → `4.1.1`	devDependencies	minor
ws	`8.19.0` → `8.20.0`	dependencies	minor
yaml (source)	`2.8.1` → `2.8.3`	dependencies	patch

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

vercel/ai (@ai-sdk/mcp)

`v1.0.30`

Compare Source

Patch Changes

4953414: fix: trigger new release for @ai-v5 dist-tag
Updated dependencies [4953414]
- @ai-sdk/provider@2.0.1
- @ai-sdk/provider-utils@3.0.20

`v1.0.29`

Compare Source

Patch Changes

Updated dependencies [ef6d784]
- @ai-sdk/provider-utils@3.0.19

Patch Changes

51aa5de: backport: test server
Updated dependencies [51aa5de]
- @ai-sdk/provider-utils@3.0.16

biomejs/biome (@biomejs/biome)

`v2.4.8`

Compare Source

Patch Changes

#9488 bc709f6 Thanks @mvanhorn! - Fixed #9463: the "Biome found a configuration file outside of the current working directory" diagnostic now includes the configuration file path and the working directory, giving users actionable information to debug the issue.
#9527 2f8bf80 Thanks @mdm317! - Fixed #8959: Fixed TypeScript arrow function formatting when a comment appears after =>.
#9525 e7b3b10 Thanks @ViniciusDev26! - Added the rule noDrizzleUpdateWithoutWhere to prevent accidental full-table updates when using Drizzle ORM without a .where() clause.
#9531 1302740 Thanks @ematipico! - Fixed #9187: Astro frontmatter containing regex literals with quotes (/'/, /"/) or dashes (/---/) no longer causes parse errors.
#9535 b630d93 Thanks @leno23! - Fixed #9524: remove extra space before > when bracketSameLine is true and the self-closing slash is absent in HTML formatter.
#9537 81e6306 Thanks @ematipico! - Fixed #9238: The HTML parser no longer incorrectly reports --- inside element content (e.g. <td>---</td>) as an "Unexpected value or character" error.
#9532 4b64145 Thanks @ematipico! - Fixed #9117: biome check --write no longer falsely reports Svelte and Vue files as changed when html.formatter.indentScriptAndStyle is enabled and the files are already correctly formatted.
#9528 61451ef Thanks @ematipico! - Fixed #9341: Fixed an LSP crash that could corrupt file content when saving with format-on-save enabled.
#9538 794f79c Thanks @ematipico! - Fixed #9279: The rule noSubstr now detects .substr() and .substring() calls in all expression contexts, including variable declarations, function arguments, return statements, and arrow function bodies.
#9462 c23272c Thanks @ematipico! - Fixed #9370: The resolver now correctly prioritizes more specific exports patterns over less specific ones. Previously, a pattern like "./*" could match before "./features/*", causing resolution failures for packages with overlapping subpath patterns.
#9515 f85c069 Thanks @shivamtiwari3! - Fixed #9506 and #9479: Biome no longer reports false parse errors on <script type="speculationrules"> and <script type="application/ld+json"> tags. These script types contain non-JavaScript content and are now correctly skipped by the embedded language detector.
#9514 7fe43c8 Thanks @ematipico! - Fixed #6964: Biome now correctly resolves the .gitignore file relative to vcs.root when configured. Previously, the vcs.root setting was ignored and Biome always looked for the ignore file in the workspace directory.
#9521 af39936 Thanks @ematipico! - Fixed #9483. Now the rule noRedeclare doesn't panic when it encounters constructor overloads.
#9490 60cf024 Thanks @willfarrell! - Added support for modern CSS properties, pseudo-classes, and pseudo-elements.

New known properties: dynamic-range-limit, overlay, reading-flow, reading-order, scroll-marker-group, scroll-target-group.

New pseudo-elements: ::checkmark, ::column, ::picker, ::picker-icon, ::scroll-button, ::scroll-marker, ::scroll-marker-group.

New pseudo-classes: :active-view-transition-type, :has-slotted, :target-after, :target-before, :target-current.
#9526 4d42823 Thanks @ematipico! - Fixed #9358 and #9375. Now attributes that have text expressions such as class={buttonClass()} are correctly tracked in Svelte files.
#9520 61f53ee Thanks @ematipico! - Fixed #9519. Now noUnusedVariables doesn't flag variables that are used as typeof type.
#9487 331dc0d Thanks @mvanhorn! - Fixed #9477: source.fixAll.biome no longer sorts imports when source.organizeImports.biome is disabled in editor settings. The organize imports action is now excluded from the fix-all pass unless explicitly requested.
#9525 e7b3b10 Thanks @ViniciusDev26! - Added the rule noDrizzleDeleteWithoutWhere to prevent accidental full-table deletes when using Drizzle ORM without a .where() clause.

`v2.4.7`

Compare Source

Patch Changes

#9318 3ac98eb Thanks @ematipico! - Added new nursery lint rule useBaseline for CSS. The rule reports when CSS properties, property values, at-rules, media conditions, functions, or pseudo-selectors are not part of the configured Baseline tier.

For example, at the time of writing, the rule will trigger for the use of accent-color because it has limited availability:
```
a {
  accent-color: bar;
}
```
#9272 2de8362 Thanks @terror! - Added the nursery rule useImportsFirst that enforces all import statements appear before any non-import statements in a module. Inspired by the eslint-plugin-import import/first rule.
```
// Invalid
import { foo } from "foo";
const bar = 1;
import { baz } from "baz"; // ← flagged

// Valid
import { foo } from "foo";
import { baz } from "baz";
const bar = 1;
```
#9285 93ea495 Thanks @dyc3! - Fixed noUndeclaredVariables from erroneously flagging props only used in the template section in Vue SFCs
#9435 6c5a8f2 Thanks @siketyan! - Fixed #9432: Values referenced as a JSX element in Astro/Vue/Svelte templates are now correctly detected; noUnusedImports and useImportType rules no longer reports these values as false positives.
#9362 fc9ca4c Thanks @Netail! - Extra rule source references. biome migrate eslint should do a bit better detecting rules in your eslint configurations.
#9392 b881fea Thanks @g-ortuno! - Fixed biomejs/biome-vscode#959: LSP now correctly resolves project directory when configurationPath points to a configuration file outside the workspace.
#9420 a1c46af Thanks @ematipico! - Fixed #9385: noUselessEscapeInString no longer incorrectly flags valid CSS hex escapes (e.g. \e7bb) as useless. The rule now recognizes all hex digits (0-9, a-f, A-F) as valid escape characters in CSS strings.
#9416 f2581b8 Thanks @ematipico! - Fixed #9131, #9112, #9166: the formatter no longer crashes or produces corrupt output when a JS file with experimentalEmbeddedSnippetsEnabled contains non-embedded template literals alongside embedded ones (e.g. console.log(\test`)next tographql(`...`)`).
#9344 cb4d7d7 Thanks @ematipico! - Fixed #6921: noShadow no longer incorrectly flags destructured variable bindings in sibling scopes as shadowing. Object destructuring, array destructuring, nested patterns, and rest elements are now properly recognized as declarations.
#9360 bc5dd99 Thanks @ematipico! - Fixed #7125: The rule noShadow no longer incorrectly flags parameters in TypeScript constructor and method overload signatures.
#9371 29cac17 Thanks @ematipico! - Fixed #5279: Tabs in diagnostic diff output are now rendered at a consistent width across context and changed lines, fixing visual misalignment when source files use tab indentation.
#9043 61e2a02 Thanks @dyc3! - Fixed #8897: Biome now parses @utility names containing / when Tailwind directives are enabled.

#9354 930c858 Thanks @denbezrukov! - Improved CSS parser recovery for invalid unicode-range values that mix wildcard ranges with range intervals. For example, Biome now reports clearer diagnostics for invalid syntax like:

unicode-range: U+11???-2??;
unicode-range: U+11???-;

with diagnostics such as:

× Wildcard ranges cannot be combined with a range interval.
  > unicode-range: U+11???-2??;
                            ^

× Expected a codepoint but instead found ';'.
  > unicode-range: U+11???-;
                             ^

#9355 78e74a2 Thanks @SchahinRohani! - Fixed #9349: Biome now correctly handles Vue dynamic :alt and v-bind:alt bindings in useAltText, preventing false positives in .vue files.
#9369 b309dde Thanks @costajohnt! - Fixed #9210: useAnchorContent no longer reports an accessibility error for Astro Image components inside links when they provide non-empty alt text.
#9345 70c2d4e Thanks @ematipico! - Fixed #7214: useOptionalChain now detects optional chain patterns that don't start at the beginning of a logical AND expression. For example, bar && foo && foo.length is now correctly flagged and fixed to bar && foo?.length.
#9311 78c4e9b Thanks @ruidosujeira! - Fixed #9245: the useSemanticElements rule no longer suggests <output> for role="status" and role="alert". The <output> element is only a relatedConcept of these roles, not a direct semantic equivalent. These roles are now excluded from suggestions, aligning with the intended behavior of the upstream prefer-tag-over-role rule.
#9363 b2ffb4a Thanks @ematipico! - Fixed #5212: useSemanticElements no longer reports a diagnostic when a semantic element already has its corresponding role attribute (e.g. <nav role="navigation">, <footer role="contentinfo">). These cases are now correctly left to noRedundantRoles.
#9364 1bb9edc Thanks @xvchris! - Fixed #9357. Improved the information emitted by some diagnostics.
#9434 bf12092 Thanks @siketyan! - Fixed #9433: noBlankTarget now correctly handles dynamic href attributes, such as <a href={company?.website} target="_blank">.
#9351 5046d2b Thanks @Netail! - Expanded the noNegationElse rule to cover the inequality & strict inequality operator.
#9353 2a29e0d Thanks @Conaclos! - Fixed #7583:
organizeImports now
sorts named specifiers inside bare exports and merges bare exports.
```
- export { b, a };
- export { c };
+ export { a, b, c };
```
Also, organizeImports now correctly adds a blank line between an import chunk
and an export chunk.
```
  import { A } from "package";
+
  export { A };
```
#8658 bdcc934 Thanks @rksvc! - When the domains field is set in the configuration file, domains is now automatically enabled when Biome detects certain dependencies in package.json.
#9383 f5c8bf0 Thanks @ematipico! - Fixed #6606: The type inference engine now resolves Record<K, V> types, synthesizing them as object types with index signatures. This improves accuracy for type-aware lint rules such as noFloatingPromises, noMisusedPromises, useAwaitThenable, and useArraySortCompare when operating on Record-typed values.
#9359 701ddd3 Thanks @ematipico! - Fixed #7516: noUnusedImports no longer reports a false positive when a local variable shadows an imported type namespace that is still used in a type annotation.
#9473 50e93bd Thanks @ematipico! - Improved the detection of variables inside Astro files. Now the rule noUnusedVariables and others will trigger fewer false positives.
#9459 171b2ee Thanks @ematipico! - Fixed #9314. Now Biome doesn't panic when useAriaPropsForRole is configured using an object.
#9465 c8918d6 Thanks @Netail! - Fixed #9464: Temporal is now correctly detected as a global.
#9367 722f0da Thanks @Netail! - Added the nursery rule noTopLevelLiterals. It requires the root-level value to be an array or object.

Invalid:
```
"just a string"
```
#9333 a294b89 Thanks @terror! - Fixed #9310. Now the HTML formatter doesn't mangle elements that are followed by self-closing elements such as <br> or <img>.
#9391 4bffb66 Thanks @ematipico! - Slightly increased the performance of the CLI in projects that have more than ~2K files.
#9365 776cb64 Thanks @Netail! - Added the nursery rule noEmptyObjectKeys, which disallows the use of empty keys in JSON objects.

Invalid:
```
{
  "": "value"
}
```

`v2.4.6`

Compare Source

Patch Changes

#9305 40869b5 Thanks @ematipico! - Fixed #4946: noUnreachable no longer reports code inside finally blocks as unreachable when there is a break, continue, or return in the corresponding try body.
#9303 464910c Thanks @ematipico! - Fixed #2786: The formatter no longer produces different output on subsequent runs when a case clause has a trailing line comment followed by a single block statement.
#9324 6294aa2 Thanks @arendjr! - Fixed #7730: useAnchorContent now recognises SolidJS's innerHTML the same way as React's dangerouslySetInnerHTML.
#9298 1003229 Thanks @Netail! - Fixed #9296, so comments are moved along with the attributes in the useSortedAttributes assist rule code fix.
#9329 855b451 Thanks @dyc3! - Improved performance of noEmptyBlockStatements. The rule is now smarter about short-circuiting its logic.
#9326 85dfe9b Thanks @dyc3! - Improved performance for noImportCycles by explicitly excluding node_modules from the cycle detection. The performance improvement is directly proportional to how big your dependency tree is.
#9323 d5ee469 Thanks @ematipico! - Fixed #9217 and biomejs/biome-vscode#959, where the Biome language server didn't correctly resolve the editor setting configurationPath when the provided value is a relative path.
#9302 86fbc70 Thanks @sepagian! - Fixed #9300: Lowercase component member expressions like <form.Field> in Svelte and Astro files are now correctly formatted.
```
-<form .Field></form.Field>
+<form.Field></form.Field>
```

`v2.4.5`

Compare Source

Patch Changes

#9185 e43e730 Thanks @dyc3! - Added the nursery rule useVueScopedStyles for Vue SFCs. This rule enforces that <style> blocks have the scoped attribute (or module for CSS Modules), preventing style leakage and conflicts between components.
#9184 49c8fde Thanks @chocky335! - Improved plugin performance by batching all plugins into a single syntax visitor with a kind-to-plugin lookup map, reducing per-node dispatch overhead from O(N) to O(1) where N is the number of plugins.
#9283 071c700 Thanks @dyc3! - Fixed noUndeclaredVariables erroneously flagging functions and variables defined in the <script setup> section of Vue SFCs.
#9221 4612133 Thanks @ematipico! - Fixed an issue where the JSON reporter didn't contain the duration of the command.
#9294 1805c8f Thanks @Netail! - Extra rule source reference. biome migrate eslint should do a bit better detecting rules in your eslint configurations.
#9178 101b3bb Thanks @Bertie690! - Fixed #9172 and #9168:
Biome now considers more constructs as valid test assertions.

Previously, assert, expectTypeOf and assertType
were not recognized as valid assertions by Biome's linting rules, producing false positives in lint/nursery/useExpect and other similar rules.

Now, these rules will no longer produce errors in test cases that used these constructs instead of expect:
```
import { expectTypeOf, assert, assertType } from "vitest";

const myStr = "Hello from vitest!";
it("should be a string", () => {
  expectTypeOf(myStr).toBeString();
});
test("should still be a string", () => {
  assertType<string>(myStr);
});
it.todo("should still still be a string", () => {
  assert(typeof myStr === "string");
});
```
#9173 32dad2d Thanks @dyc3! - Added parsing support for Svelte's new comments-in-tags feature.

The HTML parser will now accept JS style comments in tags in Svelte files.
```
<button
  // single-line comment
  onclick={doTheThing}
>click me</button>

<div
  /* block comment */
  class="foo"
>text</div>
```
#8952 1d2ca15 Thanks @pkallos! - Added the nursery rule useNullishCoalescing. This rule suggests using the nullish coalescing operator (??) instead of logical OR (||) when the left operand may be nullish. This prevents bugs where falsy values like 0, '', or false are incorrectly treated as missing. Addresses #8043
```
// Invalid
declare const x: string | null;
const value = x || "default";

// Valid
const value = x ?? "default";
```
#9243 1992a85 Thanks @Netail! - Fixed #7813: improved the diagnostic of the rule useExhaustiveDependencies. The diagnostic now shows the name of the variable to add to the dependency array.

#9063 3d0648f Thanks @taga3s! - Added the nursery rule noVueRefAsOperand. This rule disallows cases where a ref is used as an operand.

The following code is now flagged:

import { ref } from "vue";

const count = ref(0);
count++; // Should be: count.value++

import { ref } from "vue";

const ok = ref(false);
if (ok) {
  // Should be: if (ok.value)
  //
}

#9273 f239e20 Thanks @denbezrukov! - Fixed #9253: parsing of @container scroll-state(...) queries.

@&#8203;container scroll-state(scrolled: bottom) {
}
@&#8203;container scroll-state(stuck) {
}
@&#8203;container scroll-state(not (stuck)) {
}
@&#8203;container scroll-state((stuck) and (scrolled: bottom)) {
}
@&#8203;container scroll-state((stuck) or (snapped: x)) {
}
@&#8203;container main-layout scroll-state(not ((stuck) and (scrolled: bottom))) {
}

#9259 96939c0 Thanks @ematipico! - Fixed CSS formatter incorrectly collapsing selectors when a BOM (Byte Order Mark) character is present at the start of the file. The formatter now correctly preserves line breaks between comments and selectors in BOM-prefixed CSS files, matching Prettier's behavior.
#9251 59e33fb Thanks @ematipico! - Fixed #9249: The CSS formatter no longer incorrectly breaks ratio values (like 1 / -1) across lines when followed by comments.
#9284 ec3a17f Thanks @denbezrukov! - Fixed #9253: removed false-positive diagnostics for valid @container/@supports general-enclosed queries.
```
@&#8203;container scroll-state(scrolled: bottom) {
}
@&#8203;supports foo(bar: baz) {
}
```
#9215 b2619a1 Thanks @FrederickStempfle! - Fixed #9189: biome ci in GitHub Actions now correctly disables colors so that ::error/::warning workflow commands are not wrapped in ANSI escape codes.
#9256 65ae4c1 Thanks @ematipico! - Fixed JSON reporter escaping of special characters in diagnostic messages. The JSON reporter now properly escapes double quotes, backslashes, and control characters in error messages and advice text, preventing invalid JSON output when diagnostics contain these characters.
#9223 5b9da81 Thanks @ematipico! - Fixed an issue where the JSON reporter didn't write output to a file when --reporter-file was specified. The output is now correctly written to the specified file instead of always going to stdout.
#9154 c487e54 Thanks @abossenbroek! - Fixed #9115: The noPlaywrightMissingAwait rule no longer produces false positives on jest-dom matchers like toBeVisible, toBeChecked, toHaveAttribute, etc. For matchers shared between Playwright and jest-dom, the rule now checks whether expect()'s argument is a Playwright locator or page object before flagging. Added semantic variable resolution so that extracted Playwright locators (e.g. const loc = page.locator('.item'); expect(loc).toBeVisible()) are still correctly flagged.
#9269 33e5cdf Thanks @dyc3! - Fixed a false positive where noUndeclaredVariables reported bindings from Vue <script setup> as undeclared when used in <template>.

This change ensures embedded bindings collected from script snippets (like imports and defineModel results) are respected by the rule.
#9267 2c2e060 Thanks @ematipico! - Fixed #9143 and #8849: The noUnresolvedImports rule no longer reports false positives for several common patterns:
- node:fs, node:path, node:url, and other Node.js built-in modules with the node: prefix are now accepted.
- Packages that declare their TypeScript entry point via "typings" (instead of "types") in package.json now resolve correctly.
- Named imports from aliased re-export chains (e.g. export { x as y } from "...") are now resolved correctly through the alias.
- Namespace re-exports (e.g. export * as Ns from "...") are now recognized as

Configuration

📅 Schedule: Branch creation - "before 9am on Monday" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

Chores
- Updated Node.js runtime version to the latest stable release.
- Updated development dependencies and package manager to their latest versions for improved tooling performance and compatibility.

renovate · 2026-03-02T01:35:51Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 8 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 44, reused 0, downloaded 0, added 0
Progress: resolved 172, reused 0, downloaded 0, added 0
Progress: resolved 358, reused 0, downloaded 0, added 0
Progress: resolved 523, reused 0, downloaded 0, added 0
Progress: resolved 655, reused 0, downloaded 0, added 0
Progress: resolved 693, reused 0, downloaded 0, added 0
 ERR_PNPM_UNUSED_PATCH  The following patches were not used: @inquirer/[email protected]

Either remove them from "patchedDependencies" or update them to match packages in your dependencies.

coderabbitai · 2026-03-02T01:35:57Z

📝 Walkthrough

Walkthrough

.nvmrc bumped from 22.21.0 to 22.22.2. package.json updates devDependencies: @biomejs/biome, @types/node, @vitest/coverage-v8, cspell, lint-staged, prettier, sort-package-json, tsdown, and vitest. The root packageManager field was updated from [email protected] to [email protected]. No runtime dependencies, scripts, engines, or exported/public API signatures were changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: updating non-major dependencies across the project.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Updates Docs	✅ Passed	Routine dependency update with configuration-only changes. No new functionality or code logic introduced.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 43-58: The package manifest (package.json) was updated
(devDependencies entries like "@biomejs/biome", "@types/node", "vitest", and the
"packageManager" field set to "[email protected]") but the pnpm lockfile is out of
sync; regenerate and commit an updated pnpm-lock.yaml by running pnpm install
--frozen-lockfile=false using pnpm 10.30.3 so the lockfile reflects the changed
devDependencies and packageManager, then add the updated pnpm-lock.yaml to the
commit.

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4f5b20f and 27488c8.

📒 Files selected for processing (2)

.nvmrc
package.json

package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile must match manifest bumps before merge.

Line 43-Line 58 updates manifest versions and packageManager; ensure pnpm-lock.yaml is regenerated with pnpm 10.30.3 and committed. This is the same blocker previously reported.

#!/bin/bash
set -euo pipefail

test -f package.json
test -f pnpm-lock.yaml

python - <<'PY' > /tmp/expected_specs.txt
import json
deps = [
  "@biomejs/biome",
  "@types/node",
  "@vitest/coverage-v8",
  "cspell",
  "lint-staged",
  "prettier",
  "sort-package-json",
  "tsdown",
  "vitest",
]
pkg = json.load(open("package.json"))
for d in deps:
  print(f"{d}@{pkg['devDependencies'][d]}")
print(f"packageManager={pkg['packageManager']}")
PY

while IFS= read -r spec; do
  if rg -n --fixed-strings "$spec" pnpm-lock.yaml >/dev/null; then
    echo "OK   $spec"
  else
    echo "MISS $spec"
  fi
done < /tmp/expected_specs.txt

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The package manifest was updated
(devDependencies like "@biomejs/biome", "@types/node", "@vitest/coverage-v8",
"cspell", "lint-staged", "prettier", "sort-package-json", "tsdown", "vitest" and
packageManager) but pnpm-lock.yaml was not regenerated; run pnpm using the
declared packageManager version ([email protected]) to regenerate the lockfile (e.g.,
pnpm install or pnpm -w install if workspace), ensure pnpm-lock.yaml now
contains entries matching the new devDependency versions and
[email protected], and commit the updated pnpm-lock.yaml alongside the
package.json change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The package manifest was updated (devDependencies like
"@biomejs/biome", "@types/node", "@vitest/coverage-v8", "cspell", "lint-staged",
"prettier", "sort-package-json", "tsdown", "vitest" and packageManager) but
pnpm-lock.yaml was not regenerated; run pnpm using the declared packageManager
version ([email protected]) to regenerate the lockfile (e.g., pnpm install or pnpm -w
install if workspace), ensure pnpm-lock.yaml now contains entries matching the
new devDependency versions and [email protected], and commit the
updated pnpm-lock.yaml alongside the package.json change.

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 27488c8 and 54ca4b2.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is out of sync with updated deps (merge blocker).

CI already reports mismatches for these updated entries. Regenerate and commit pnpm-lock.yaml using [email protected] so Lines 43-58 are reflected.

#!/bin/bash
set -euo pipefail

test -f package.json
test -f pnpm-lock.yaml

python - <<'PY'
import json
with open("package.json") as f:
    pkg=json.load(f)
targets=[
  "@biomejs/biome","@types/node","@vitest/coverage-v8",
  "cspell","lint-staged","prettier","sort-package-json","tsdown","vitest"
]
for t in targets:
    print(f"{t}@{pkg['devDependencies'][t]}")
print("packageManager="+pkg["packageManager"])
PY

echo "--- lockfile hits ---"
python - <<'PY' | while read -r spec; do
import json
with open("package.json") as f:
    pkg=json.load(f)
targets=[
  "@biomejs/biome","@types/node","@vitest/coverage-v8",
  "cspell","lint-staged","prettier","sort-package-json","tsdown","vitest"
]
for t in targets:
    print(f"{t}@{pkg['devDependencies'][t]}")
PY
  rg -n --fixed-strings "$spec" pnpm-lock.yaml >/dev/null && echo "✓ $spec" || echo "✗ $spec"
done

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The pnpm lockfile is out of sync with the
devDependencies (entries like `@biomejs/biome`, `@types/node`, `@vitest/coverage-v8`,
cspell, lint-staged, prettier, sort-package-json, tsdown, vitest) and the
packageManager field; regenerate pnpm-lock.yaml using [email protected] so the lock
reflects package.json, verify the lock contains those exact spec strings, and
commit the updated pnpm-lock.yaml and any lockfile metadata changes (ensuring
packageManager remains [email protected]).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The pnpm lockfile is out of sync with the devDependencies
(entries like `@biomejs/biome`, `@types/node`, `@vitest/coverage-v8`, cspell,
lint-staged, prettier, sort-package-json, tsdown, vitest) and the packageManager
field; regenerate pnpm-lock.yaml using [email protected] so the lock reflects
package.json, verify the lock contains those exact spec strings, and commit the
updated pnpm-lock.yaml and any lockfile metadata changes (ensuring
packageManager remains [email protected]).

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1d7003f and 49f2c26.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 43-56: The package.json pins packageManager to "[email protected]" but
engines.pnpm is currently ">=10.17.1", creating a mismatch; update the
engines.pnpm range to ">=10.30.3" so it aligns with the packageManager pin
(refer to the packageManager and engines.pnpm fields) while keeping tsdown at
root as-is for workspace hoisting.
- Around line 58-61: Update the engines.pnpm floor to match the pinned
packageManager version: change the value referenced by "engines": {"pnpm":
">=10.17.1"} to require at least the same version as "packageManager":
"[email protected]" (e.g., "pnpm": ">=10.30.3") so engines.pnpm and packageManager
are aligned; modify the JSON entry for engines.pnpm accordingly.

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 01943f5 and 5481be7.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai · 2026-03-03T11:28:09Z

package.json

+    "@biomejs/biome": "2.4.4",
+    "@types/node": "22.19.13",
+    "@vitest/coverage-v8": "4.0.18",
    "@xterm/headless": "^5.5.0",
-    "cspell": "9.2.2",
+    "cspell": "9.7.0",
    "husky": "9.1.7",
    "license-checker-rseidelsohn": "4.4.2",
-    "lint-staged": "16.2.5",
-    "prettier": "3.6.2",
-    "sort-package-json": "3.4.0",
-    "tsdown": "0.15.9",
+    "lint-staged": "16.3.1",
+    "prettier": "3.8.1",
+    "sort-package-json": "3.6.1",
+    "tsdown": "0.20.3",
    "typescript": "5.9.3",
    "vite-tsconfig-paths": "^6.0.0",
-    "vitest": "4.0.5"
+    "vitest": "4.0.18"


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash set -euo pipefail echo "=== Searching for tsdown declarations in all package.json files ===" rg -n '"tsdown"\s*:' -g '**/package.json' 2>/dev/null || echo "No tsdown declarations found" echo "" echo "=== Checking package.json structure around packageManager and engines.pnpm ===" fd 'package.json$' -t f | head -5 | while read pjson; do if rg -q '"packageManager"|"engines"' "$pjson" 2>/dev/null; then echo "File: $pjson" rg -B 2 -A 2 '"packageManager"|"engines"' "$pjson" | head -20 echo "---" fi done

Repository: deepnote/deepnote

Length of output: 664

Root tsdown placement is correct; align pnpm versions.

tsdown correctly declared only at root for workspace hoisting—good pattern. However, packageManager pins [email protected] while engines.pnpm allows >=10.17.1. Consider updating engines.pnpm to >=10.30.3 to match the enforced version.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@package.json` around lines 43 - 56, The package.json pins packageManager to "[email protected]" but engines.pnpm is currently ">=10.17.1", creating a mismatch; update the engines.pnpm range to ">=10.30.3" so it aligns with the packageManager pin (refer to the packageManager and engines.pnpm fields) while keeping tsdown at root as-is for workspace hoisting.

coderabbitai · 2026-03-03T11:28:09Z

package.json

+  "packageManager": "pnpm@10.30.3",
  "engines": {
    "node": ">=22.14.0",
    "pnpm": ">=10.17.1"


🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash set -euo pipefail python - <<'PY' import json d = json.load(open("package.json")) print("packageManager:", d.get("packageManager")) print("engines.pnpm :", d.get("engines", {}).get("pnpm")) PY

Repository: deepnote/deepnote

Length of output: 114

Align engines.pnpm floor with pinned packageManager version.

packageManager is pinned to [email protected], but engines.pnpm still allows >=10.17.1. Matching them reduces local/CI drift.

Proposed diff

"engines": { "node": ">=22.14.0", - "pnpm": ">=10.17.1" + "pnpm": ">=10.30.3" },

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

"packageManager": "[email protected]",

"engines": {

"node": ">=22.14.0",

"pnpm": ">=10.17.1"

"packageManager": "[email protected]",

"engines": {

"node": ">=22.14.0",

"pnpm": ">=10.30.3"

},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@package.json` around lines 58 - 61, Update the engines.pnpm floor to match the pinned packageManager version: change the value referenced by "engines": {"pnpm": ">=10.17.1"} to require at least the same version as "packageManager": "[email protected]" (e.g., "pnpm": ">=10.30.3") so engines.pnpm and packageManager are aligned; modify the JSON entry for engines.pnpm accordingly.

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

58-58: 🧹 Nitpick | 🔵 Trivial

Align engines.pnpm with the pinned packageManager version.

Line 58 pins [email protected], but Line 61 still allows >=10.17.1, which permits older clients and version drift.

Proposed diff

   "engines": {
     "node": ">=22.14.0",
-    "pnpm": ">=10.17.1"
+    "pnpm": ">=10.30.3"
   },

#!/bin/bash
set -euo pipefail

python - <<'PY'
import json, re

def parse(v):
    return tuple(int(x) for x in v.split("."))

with open("package.json", "r", encoding="utf-8") as f:
    d = json.load(f)

pm = d.get("packageManager", "")
eng = d.get("engines", {}).get("pnpm", "")

m_pm = re.match(r"^pnpm@(\d+\.\d+\.\d+)$", pm)
m_eng = re.match(r"^>=\s*(\d+\.\d+\.\d+)$", eng)

print("packageManager:", pm)
print("engines.pnpm :", eng)

if not (m_pm and m_eng):
    print("Could not parse one or both fields.")
else:
    pm_v = m_pm.group(1)
    eng_v = m_eng.group(1)
    aligned = parse(eng_v) >= parse(pm_v)
    print("packageManager version:", pm_v)
    print("engines floor        :", eng_v)
    print("aligned              :", aligned)
PY

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 58, package.json currently pins packageManager to
"[email protected]" but engines.pnpm still allows ">=10.17.1"; update the
engines.pnpm field to at least ">=10.30.3" (or exactly "10.30.3" if you prefer a
strict pin) so the engines.pnpm floor aligns with the packageManager value,
ensuring the version strings in the packageManager and engines.pnpm fields match
and use the same semver format.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Line 58: package.json currently pins packageManager to "[email protected]" but
engines.pnpm still allows ">=10.17.1"; update the engines.pnpm field to at least
">=10.30.3" (or exactly "10.30.3" if you prefer a strict pin) so the
engines.pnpm floor aligns with the packageManager value, ensuring the version
strings in the packageManager and engines.pnpm fields match and use the same
semver format.

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5481be7 and 639b865.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is still out of sync with updated dependency specifiers.

Lines 43-58 changed multiple devDependencies and packageManager, and CI is already failing pnpm install --frozen-lockfile for specifier mismatch. Please regenerate and commit pnpm-lock.yaml using pnpm 10.30.3 before merge.

#!/bin/bash
set -euo pipefail

python - <<'PY' > /tmp/expected_specs.txt
import json
d = json.load(open("package.json"))
keys = [
  "@biomejs/biome",
  "@types/node",
  "@vitest/coverage-v8",
  "cspell",
  "lint-staged",
  "prettier",
  "sort-package-json",
  "tsdown",
  "vitest",
]
for k in keys:
  print(f"{k}@{d['devDependencies'][k]}")
print(d["packageManager"])
PY

echo "Checking expected specs in pnpm-lock.yaml..."
while IFS= read -r spec; do
  if rg -n --fixed-strings "$spec" pnpm-lock.yaml >/dev/null; then
    echo "FOUND   $spec"
  else
    echo "MISSING $spec"
  fi
done < /tmp/expected_specs.txt

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The pnpm lockfile is out of sync with the
updated devDependencies and packageManager in package.json: update
pnpm-lock.yaml by running pnpm using the specified packageManager version
([email protected]) so the specifiers for the devDependencies (e.g.,
"@biomejs/biome", "@types/node", "@vitest/coverage-v8", "cspell", "lint-staged",
"prettier", "sort-package-json", "tsdown", "vitest") and the packageManager
entry are reflected in the lockfile, then commit the regenerated pnpm-lock.yaml
so CI no longer fails `pnpm install --frozen-lockfile`.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The pnpm lockfile is out of sync with the updated
devDependencies and packageManager in package.json: update pnpm-lock.yaml by
running pnpm using the specified packageManager version ([email protected]) so the
specifiers for the devDependencies (e.g., "@biomejs/biome", "@types/node",
"@vitest/coverage-v8", "cspell", "lint-staged", "prettier", "sort-package-json",
"tsdown", "vitest") and the packageManager entry are reflected in the lockfile,
then commit the regenerated pnpm-lock.yaml so CI no longer fails `pnpm install
--frozen-lockfile`.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9f1fc23c-f774-42ad-bb44-c27f3c88afb0

📥 Commits

Reviewing files that changed from the base of the PR and between 639b865 and be8f580.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (1)

package.json (1)

58-58: ⚠️ Potential issue | 🔴 Critical

Lockfile still out of sync.

Pipeline fails with lockfile mismatch. Run pnpm install and commit pnpm-lock.yaml.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 58, The repository's pnpm lockfile is out of sync with
package.json's packageManager setting; run `pnpm install` locally to
regenerate/update pnpm-lock.yaml, verify the lockfile changes, and commit the
updated pnpm-lock.yaml alongside the package.json change so the pipeline's
lockfile check passes (refer to the "packageManager" field and ensure
pnpm-lock.yaml is included in the commit).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 43: Update the biome.json $schema to match the installed `@biomejs/biome`
version: change the "$schema" value in biome.json from the old 2.2.7 URL to the
2.4.5 schema URL so it corresponds to the dependency "@biomejs/biome": "2.4.5"
declared in package.json; ensure the schema string exactly references version
2.4.5.

---

Duplicate comments:
In `@package.json`:
- Line 58: The repository's pnpm lockfile is out of sync with package.json's
packageManager setting; run `pnpm install` locally to regenerate/update
pnpm-lock.yaml, verify the lockfile changes, and commit the updated
pnpm-lock.yaml alongside the package.json change so the pipeline's lockfile
check passes (refer to the "packageManager" field and ensure pnpm-lock.yaml is
included in the commit).

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 311d6301-6eed-4895-bc60-5809661d936c

📥 Commits

Reviewing files that changed from the base of the PR and between be8f580 and f80cd18.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai · 2026-03-05T20:11:18Z

package.json

-    "@biomejs/biome": "2.2.7",
-    "@types/node": "22.18.12",
-    "@vitest/coverage-v8": "4.0.5",
+    "@biomejs/biome": "2.4.5",


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Check biome.json for $schema field echo "=== Checking biome.json schema ===" if [ -f biome.json ]; then cat -n biome.json | head -20 echo "" rg '\$schema' biome.json else echo "biome.json not found" fi

Repository: deepnote/deepnote

Length of output: 952

Update biome.json schema version to match @biomejs/biome 2.4.5.

The $schema field in biome.json is currently pointing to version 2.2.7 but must be updated to 2.4.5:

biome.json schema update

- "$schema": "https://biomejs.dev/schemas/2.2.7/schema.json", + "$schema": "https://biomejs.dev/schemas/2.4.5/schema.json",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@package.json` at line 43, Update the biome.json $schema to match the installed `@biomejs/biome` version: change the "$schema" value in biome.json from the old 2.2.7 URL to the 2.4.5 schema URL so it corresponds to the dependency "@biomejs/biome": "2.4.5" declared in package.json; ensure the schema string exactly references version 2.4.5.

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is out of sync with manifest changes (CI blocker).

Line 43-58 updates dependency specifiers and packageManager, and CI already reports specifier mismatches. Regenerate and commit pnpm-lock.yaml from this branch before merge.

#!/bin/bash
set -euo pipefail

python - <<'PY' > /tmp/updated-specs.txt
import json
d = json.load(open("package.json"))
for name in [
  "@biomejs/biome",
  "@types/node",
  "@vitest/coverage-v8",
  "cspell",
  "lint-staged",
  "prettier",
  "sort-package-json",
  "tsdown",
  "vitest",
]:
    print(f"{name}@{d['devDependencies'][name]}")
PY

echo "Checking whether updated specs are present in pnpm-lock.yaml..."
while IFS= read -r spec; do
  if rg -n --fixed-strings "$spec" pnpm-lock.yaml >/dev/null; then
    echo "✓ $spec"
  else
    echo "✗ missing: $spec"
  fi
done < /tmp/updated-specs.txt

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The lockfile is out of sync with the
manifest changes: regenerate pnpm-lock.yaml so the updated devDependency
specifiers (e.g. "@biomejs/biome", "@types/node", "@vitest/coverage-v8",
"cspell", "lint-staged", "prettier", "sort-package-json", "tsdown", "vitest",
and others shown in package.json) and the packageManager value
("packageManager": "[email protected]") are reflected in the lockfile; run the
appropriate pnpm command to update the lockfile (e.g. pnpm install or pnpm
install --lockfile-only with [email protected]), verify pnpm-lock.yaml contains the
new specifiers, and commit the updated pnpm-lock.yaml to this branch before
merging.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The lockfile is out of sync with the manifest changes:
regenerate pnpm-lock.yaml so the updated devDependency specifiers (e.g.
"@biomejs/biome", "@types/node", "@vitest/coverage-v8", "cspell", "lint-staged",
"prettier", "sort-package-json", "tsdown", "vitest", and others shown in
package.json) and the packageManager value ("packageManager": "[email protected]")
are reflected in the lockfile; run the appropriate pnpm command to update the
lockfile (e.g. pnpm install or pnpm install --lockfile-only with [email protected]),
verify pnpm-lock.yaml contains the new specifiers, and commit the updated
pnpm-lock.yaml to this branch before merging.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 70899d20-39ca-4138-8de4-c1c9f93e60ee

📥 Commits

Reviewing files that changed from the base of the PR and between f80cd18 and 126ed1e.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is out of sync with the updated specs (merge blocker).

CI already reports 9 specifier mismatches after these version bumps. Regenerate pnpm-lock.yaml with pnpm 10.30.3 and commit it with this PR.

#!/bin/bash
set -euo pipefail

python - <<'PY' | while read -r spec; do
import json
data = json.load(open("package.json"))
for p in [
  "@biomejs/biome",
  "@types/node",
  "@vitest/coverage-v8",
  "cspell",
  "lint-staged",
  "prettier",
  "sort-package-json",
  "tsdown",
  "vitest",
]:
  print(f"{p}@{data['devDependencies'][p]}")
PY
  if rg -n --fixed-strings "$spec" pnpm-lock.yaml >/dev/null 2>&1; then
    echo "OK  $spec"
  else
    echo "MISS $spec"
  fi
done

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The pnpm lockfile is out of sync with the
bumped devDependencies in package.json (see packageManager "[email protected]" and
the devDependencies like "@biomejs/biome", "@types/node", "@vitest/coverage-v8",
"cspell", "lint-staged", "prettier", "sort-package-json", "tsdown", "vitest");
regenerate pnpm-lock.yaml using pnpm 10.30.3 (e.g. run pnpm install with that
pnpm binary or use pnpm env to ensure version), verify the nine specifier
mismatches are resolved, and commit the updated pnpm-lock.yaml to the PR so CI
no longer reports missing specs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The pnpm lockfile is out of sync with the bumped
devDependencies in package.json (see packageManager "[email protected]" and the
devDependencies like "@biomejs/biome", "@types/node", "@vitest/coverage-v8",
"cspell", "lint-staged", "prettier", "sort-package-json", "tsdown", "vitest");
regenerate pnpm-lock.yaml using pnpm 10.30.3 (e.g. run pnpm install with that
pnpm binary or use pnpm env to ensure version), verify the nine specifier
mismatches are resolved, and commit the updated pnpm-lock.yaml to the PR so CI
no longer reports missing specs.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2f94b670-c5a7-4d11-bfeb-68aae839b4b7

📥 Commits

Reviewing files that changed from the base of the PR and between 126ed1e and 34ae84c.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 43-56: The lockfile is out of sync with the package.json
dependencies (see entries like "@biomejs/biome", "typescript", "vitest", etc.),
causing CI to fail; to fix, run pnpm install using pnpm v10.30.3 to regenerate
pnpm-lock.yaml, verify the 9 mismatched specifiers are resolved, and commit the
updated pnpm-lock.yaml alongside your package.json changes so CI uses the synced
lockfile.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 57b9f566-da68-40fd-84de-fffbde1155d3

📥 Commits

Reviewing files that changed from the base of the PR and between 34ae84c and 56ec06b.

📒 Files selected for processing (2)

.nvmrc
package.json

package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

43-58: ⚠️ Potential issue | 🔴 Critical

Commit the matching pnpm-lock.yaml.

Lines 43-58 change package specifiers and the pinned pnpm version, and CI is already reporting a manifest/lockfile mismatch. Regenerate pnpm-lock.yaml with pnpm 10.31.0 and include it in this PR.

#!/bin/bash
set -euo pipefail

python - <<'PY'
import json
import subprocess
import sys

try:
    import yaml
except ImportError:
    subprocess.check_call([sys.executable, "-m", "pip", "install", "-q", "pyyaml"])
    import yaml

with open("package.json") as f:
    pkg = json.load(f)
with open("pnpm-lock.yaml") as f:
    lock = yaml.safe_load(f)

root = lock.get("importers", {}).get(".", {})
lock_specs = {}
for section in ("dependencies", "devDependencies", "optionalDependencies"):
    for name, meta in root.get(section, {}).items():
        lock_specs[name] = meta.get("specifier") if isinstance(meta, dict) else meta

targets = [
    "@biomejs/biome",
    "@types/node",
    "@vitest/coverage-v8",
    "cspell",
    "lint-staged",
    "prettier",
    "sort-package-json",
    "tsdown",
    "vitest",
]

failed = False
for name in targets:
    manifest_version = pkg["devDependencies"][name]
    lockfile_version = lock_specs.get(name)
    ok = manifest_version == lockfile_version
    print(f'{"OK" if ok else "MISMATCH"} {name}: manifest={manifest_version} lockfile={lockfile_version}')
    failed |= not ok

sys.exit(1 if failed else 0)
PY

Expected result: every line prints OK. If not, the lockfile still needs regeneration.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The package manifest and pinned
packageManager were changed but the pnpm lockfile is out of sync; regenerate
pnpm-lock.yaml using [email protected] (as set in the packageManager field) so the
specifiers for the devDependencies (e.g., "@biomejs/biome", "@types/node",
"@vitest/coverage-v8", "cspell", "lint-staged", "prettier", "sort-package-json",
"tsdown", "vitest") match the lockfile, then add the updated pnpm-lock.yaml to
the PR and re-run CI to verify no manifest/lockfile mismatches.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The package manifest and pinned packageManager were changed
but the pnpm lockfile is out of sync; regenerate pnpm-lock.yaml using
[email protected] (as set in the packageManager field) so the specifiers for the
devDependencies (e.g., "@biomejs/biome", "@types/node", "@vitest/coverage-v8",
"cspell", "lint-staged", "prettier", "sort-package-json", "tsdown", "vitest")
match the lockfile, then add the updated pnpm-lock.yaml to the PR and re-run CI
to verify no manifest/lockfile mismatches.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1c6dbda2-8a41-467e-9e9f-64f77df142ee

📥 Commits

Reviewing files that changed from the base of the PR and between 56ec06b and b016a00.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)
43-58: ⚠️ Potential issue | 🔴 Critical

Regenerate pnpm-lock.yaml with the pinned pnpm version.

CI is already failing pnpm install --frozen-lockfile because these specifiers no longer match the lockfile. Commit the refreshed pnpm-lock.yaml alongside this manifest update.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, Update the lockfile to match the pinned
package manager by regenerating pnpm-lock.yaml after changing the packageManager
entry ("packageManager": "[email protected]"); run pnpm install using that pnpm
version (e.g., install with [email protected] or run pnpm install --frozen-lockfile
locally after switching to that pnpm) and commit the updated pnpm-lock.yaml
alongside the package.json change so CI passes.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: Update the lockfile to match the pinned package manager by
regenerating pnpm-lock.yaml after changing the packageManager entry
("packageManager": "[email protected]"); run pnpm install using that pnpm version
(e.g., install with [email protected] or run pnpm install --frozen-lockfile locally
after switching to that pnpm) and commit the updated pnpm-lock.yaml alongside
the package.json change so CI passes.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3521c937-78e6-4905-9e3b-9aeecd5a1774

📥 Commits

Reviewing files that changed from the base of the PR and between dc6d6ea and aecfece.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

58-61: 🧹 Nitpick | 🔵 Trivial

Consider aligning engines.pnpm floor with Line 58 packageManager.
Keeping engines.pnpm at >=10.17.1 while pinning [email protected] can allow local/CI drift.

#!/bin/bash
set -euo pipefail

python - <<'PY'
import json
d = json.load(open("package.json"))
print("packageManager:", d.get("packageManager"))
print("engines.pnpm :", d.get("engines", {}).get("pnpm"))
PY

Proposed diff

   "engines": {
     "node": ">=22.14.0",
-    "pnpm": ">=10.17.1"
+    "pnpm": ">=10.32.1"
   },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 58 - 61, The package.json currently pins
packageManager to "[email protected]" but leaves "engines.pnpm" at ">=10.17.1", which
can cause local/CI drift; update the engines.pnpm value to match the
packageManager floor (e.g., ">=10.32.1") or otherwise align it with the pinned
version so both packageManager and engines.pnpm reference the same minimum pnpm
version; change the engines entry for pnpm accordingly where "packageManager"
and "engines" are defined.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 58-61: The package.json currently pins packageManager to
"[email protected]" but leaves "engines.pnpm" at ">=10.17.1", which can cause
local/CI drift; update the engines.pnpm value to match the packageManager floor
(e.g., ">=10.32.1") or otherwise align it with the pinned version so both
packageManager and engines.pnpm reference the same minimum pnpm version; change
the engines entry for pnpm accordingly where "packageManager" and "engines" are
defined.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3a561e4a-9956-448f-a7f2-68d7ec6936c0

📥 Commits

Reviewing files that changed from the base of the PR and between bc86c34 and e4c8035.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)
43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is out of sync with these manifest changes (merge blocker).

Line 43-Line 58 update dependency specifiers and packageManager, but CI already reports 9 manifest/lockfile mismatches. Regenerate and commit pnpm-lock.yaml using the pinned toolchain ([email protected]).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The package manifest was changed (updated
dependency specifiers like "@biomejs/biome", "@types/node", "prettier",
"typescript", "vitest", etc. and the "packageManager" field) but the pnpm
lockfile is out of sync; regenerate pnpm-lock.yaml using the pinned toolchain
[email protected] by running the exact pnpm binary (e.g., install using [email protected]
or npx [email protected]) and running pnpm install to update pnpm-lock.yaml, then
commit the updated pnpm-lock.yaml alongside the package.json changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The package manifest was changed (updated dependency
specifiers like "@biomejs/biome", "@types/node", "prettier", "typescript",
"vitest", etc. and the "packageManager" field) but the pnpm lockfile is out of
sync; regenerate pnpm-lock.yaml using the pinned toolchain [email protected] by
running the exact pnpm binary (e.g., install using [email protected] or npx
[email protected]) and running pnpm install to update pnpm-lock.yaml, then commit the
updated pnpm-lock.yaml alongside the package.json changes.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1fa4ccc1-f41d-4bce-8f2a-e53d55cd1faf

📥 Commits

Reviewing files that changed from the base of the PR and between e4c8035 and df56eeb.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

58-61: 🧹 Nitpick | 🔵 Trivial

Align engines.pnpm floor with pinned packageManager.

Line 58 pins [email protected], but Line 61 still allows >=10.17.1. Raising the floor reduces local/CI drift while keeping an open upper bound.

Proposed diff

   "engines": {
     "node": ">=22.14.0",
-    "pnpm": ">=10.17.1"
+    "pnpm": ">=10.32.1"
   },

#!/bin/bash
set -euo pipefail

python - <<'PY'
import json, re
with open("package.json") as f:
    pkg = json.load(f)

pm = pkg.get("packageManager", "")
eng = pkg.get("engines", {}).get("pnpm", "")
m = re.search(r"pnpm@(\d+\.\d+\.\d+)", pm)

print("packageManager:", pm)
print("engines.pnpm:", eng)
if m and eng.startswith(">="):
    print("pinned pnpm:", m.group(1))
    print("engine floor:", eng[2:])
PY

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 58 - 61, The engines.pnpm floor is out of sync
with the pinned packageManager value; update the "engines". "pnpm" entry to
match the pinned version in "packageManager" (change the value from ">=10.17.1"
to ">=10.32.1") so the minimum allowed pnpm version aligns with the pinned
[email protected]; ensure you only adjust the floor (keep the ">=" form) in the
package.json fields "packageManager" and "engines"."pnpm".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 58-61: The engines.pnpm floor is out of sync with the pinned
packageManager value; update the "engines". "pnpm" entry to match the pinned
version in "packageManager" (change the value from ">=10.17.1" to ">=10.32.1")
so the minimum allowed pnpm version aligns with the pinned [email protected]; ensure
you only adjust the floor (keep the ">=" form) in the package.json fields
"packageManager" and "engines"."pnpm".

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c5e9cfb1-c072-4559-a3f5-70555ed485a5

📥 Commits

Reviewing files that changed from the base of the PR and between 2d54ef9 and 2659df6.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)
43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is out of sync with updated specifiers (merge blocker).

Lines 43–58 changed dependency specifiers and packageManager, and CI already fails frozen install on manifest/lockfile mismatch. Regenerate and commit pnpm-lock.yaml using pnpm 10.32.1, then re-run CI.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The package manifest was changed
(dependency specifiers and packageManager) but pnpm-lock.yaml wasn’t updated;
run [email protected] to regenerate the lockfile, e.g. install with the pinned
packageManager (pnpm 10.32.1) so pnpm-lock.yaml is rewritten, commit the updated
pnpm-lock.yaml alongside the package.json changes, and push so CI’s frozen
install succeeds and the build can be re-run for verification.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The package manifest was changed (dependency specifiers and
packageManager) but pnpm-lock.yaml wasn’t updated; run [email protected] to
regenerate the lockfile, e.g. install with the pinned packageManager (pnpm
10.32.1) so pnpm-lock.yaml is rewritten, commit the updated pnpm-lock.yaml
alongside the package.json changes, and push so CI’s frozen install succeeds and
the build can be re-run for verification.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8953db76-535c-47f3-8d04-41425c94fc77

📥 Commits

Reviewing files that changed from the base of the PR and between 2659df6 and ae83d82.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)

43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is out of sync with updated specifiers (merge blocker).

Line 43-58 changes dependency/package-manager specifiers, and CI already fails on frozen install due to specifier mismatch. Commit an updated pnpm-lock.yaml generated with the pinned pnpm version.

#!/bin/bash
set -euo pipefail

echo "Checking packageManager pin:"
node -e 'const p=require("./package.json"); console.log(p.packageManager)'

echo "Checking lockfile mismatch via pnpm frozen resolution:"
pnpm install --frozen-lockfile --ignore-scripts

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The package.json change updated
dependency specifiers and the packageManager field (packageManager) but the pnpm
lockfile is not updated, causing CI failures on frozen installs; regenerate and
commit an updated pnpm-lock.yaml using the pinned pnpm version ([email protected]) so
the lockfile matches the new specifiers and packageManager field—run pnpm
install with that pnpm to produce the updated pnpm-lock.yaml, verify pnpm
install --frozen-lockfile passes, and include the new pnpm-lock.yaml in the
commit.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The package.json change updated dependency specifiers and
the packageManager field (packageManager) but the pnpm lockfile is not updated,
causing CI failures on frozen installs; regenerate and commit an updated
pnpm-lock.yaml using the pinned pnpm version ([email protected]) so the lockfile
matches the new specifiers and packageManager field—run pnpm install with that
pnpm to produce the updated pnpm-lock.yaml, verify pnpm install
--frozen-lockfile passes, and include the new pnpm-lock.yaml in the commit.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d016c09c-c01c-4be2-baac-bab073311537

📥 Commits

Reviewing files that changed from the base of the PR and between 0c2987d and 07c2bbe.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (2)

package.json (2)

58-61: 🧹 Nitpick | 🔵 Trivial

Align engines.pnpm with pinned packageManager.

packageManager now pins [email protected], but engines.pnpm still allows >=10.17.1. Consider raising the floor to reduce local/CI version drift.

Proposed diff

   "engines": {
     "node": ">=22.14.0",
-    "pnpm": ">=10.17.1"
+    "pnpm": ">=10.32.1"
   },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 58 - 61, The package.json currently pins
"packageManager": "[email protected]" but the engines block still allows "pnpm":
">=10.17.1"; update the engines.pnpm entry to match the pinned manager (e.g.,
">=10.32.1") so local/CI pnpm versions align with the packageManager. Modify the
engines object (engines.pnpm) accordingly and run a quick install/check to
verify no CI/tooling warnings.

43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is out of sync with these dependency bumps (merge blocker).

pnpm install --frozen-lockfile is failing due to specifier mismatches for the updated deps. Regenerate and commit pnpm-lock.yaml with pnpm 10.32.1 before merge.

#!/bin/bash
set -euo pipefail

python - <<'PY' > /tmp/expected-specs.txt
import json
deps = [
  "@biomejs/biome",
  "@types/node",
  "@vitest/coverage-v8",
  "cspell",
  "lint-staged",
  "prettier",
  "sort-package-json",
  "tsdown",
  "vitest",
]
p = json.load(open("package.json"))
for d in deps:
  print(f"{d}@{p['devDependencies'][d]}")
PY

while read -r spec; do
  if rg -n --fixed-strings "$spec" pnpm-lock.yaml >/dev/null; then
    echo "OK   $spec"
  else
    echo "MISS $spec"
  fi
done < /tmp/expected-specs.txt

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The lockfile is out of sync with the
bumped devDependencies listed in package.json (see packageManager/[email protected]);
fix it by regenerating pnpm-lock.yaml using pnpm v10.32.1 (install that pnpm
version if needed), run pnpm install to update pnpm-lock.yaml, verify the new
lockfile satisfies the specifiers (e.g., the deps like `@biomejs/biome`,
`@types/node`, `@vitest/coverage-v8`, cspell, prettier, vitest), then commit the
updated pnpm-lock.yaml and push; after committing, run pnpm install
--frozen-lockfile (or the provided verification script) to confirm no specifier
mismatches remain.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 58-61: The package.json currently pins "packageManager":
"[email protected]" but the engines block still allows "pnpm": ">=10.17.1"; update
the engines.pnpm entry to match the pinned manager (e.g., ">=10.32.1") so
local/CI pnpm versions align with the packageManager. Modify the engines object
(engines.pnpm) accordingly and run a quick install/check to verify no CI/tooling
warnings.
- Around line 43-58: The lockfile is out of sync with the bumped devDependencies
listed in package.json (see packageManager/[email protected]); fix it by regenerating
pnpm-lock.yaml using pnpm v10.32.1 (install that pnpm version if needed), run
pnpm install to update pnpm-lock.yaml, verify the new lockfile satisfies the
specifiers (e.g., the deps like `@biomejs/biome`, `@types/node`,
`@vitest/coverage-v8`, cspell, prettier, vitest), then commit the updated
pnpm-lock.yaml and push; after committing, run pnpm install --frozen-lockfile
(or the provided verification script) to confirm no specifier mismatches remain.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6bfc5ff3-88ee-4f47-96e0-1ac251b33103

📥 Commits

Reviewing files that changed from the base of the PR and between 07c2bbe and e72686d.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

Actionable comments posted: 2

♻️ Duplicate comments (2)

package.json (2)

53-53: ⚠️ Potential issue | 🟠 Major

Migrate tsdown configs for v0.21 breaking changes.

v0.21.0 renames external → deps.neverBundle and noExternal → deps.alwaysBundle. Update affected configs in packages/convert/ and packages/reactivity/.

#!/bin/bash
# Check if tsdown configs still use old 'external' key
rg -n '"external"\s*:' packages/convert/tsdown.config.ts packages/reactivity/tsdown.config.ts || echo "✓ Already migrated or not using external"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 53, The tsdown upgrade to v0.21 requires migrating old
config keys: open packages/convert/tsdown.config.ts and
packages/reactivity/tsdown.config.ts, find any occurrences of the old "external"
and "noExternal" keys and replace them with the new shape under deps (map
"external" → deps.neverBundle and "noExternal" → deps.alwaysBundle), preserving
the existing arrays/values; validate the config object shape so deps is present
and contains neverBundle/alwaysBundle arrays; run the provided ripgrep check to
confirm no remaining "external" keys.

58-61: 🧹 Nitpick | 🔵 Trivial

Align engines.pnpm with packageManager.

packageManager pins [email protected] but engines.pnpm allows >=10.17.1. Update to >=10.32.1 to prevent local/CI drift.

Proposed diff

   "engines": {
     "node": ">=22.14.0",
-    "pnpm": ">=10.17.1"
+    "pnpm": ">=10.32.1"
   },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 58 - 61, The package.json currently pins
packageManager to "[email protected]" but engines.pnpm permits ">=10.17.1", causing
potential local/CI drift; update the engines.pnpm value to ">=10.32.1" so it
matches the packageManager pin (edit the engines block entry "pnpm" in
package.json to the new minimum).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 43-56: The lockfile is out of sync; run pnpm install using pnpm
v10.32.1 to regenerate and update pnpm-lock.yaml, then commit the updated
pnpm-lock.yaml so the 9 mismatched specifiers reported by the pipeline are
resolved (ensure you use the project dependencies shown in package.json when
running pnpm install).
- Line 43: Package.json pins `@biomejs/biome` to 2.4.8 but biome.json still
references the older schema; open biome.json and update the "$schema" string to
"https://biomejs.dev/schemas/2.4.8/schema.json" so the schema version matches
the dependency (verify by checking the existing "$schema" key in biome.json
before replacing).

---

Duplicate comments:
In `@package.json`:
- Line 53: The tsdown upgrade to v0.21 requires migrating old config keys: open
packages/convert/tsdown.config.ts and packages/reactivity/tsdown.config.ts, find
any occurrences of the old "external" and "noExternal" keys and replace them
with the new shape under deps (map "external" → deps.neverBundle and
"noExternal" → deps.alwaysBundle), preserving the existing arrays/values;
validate the config object shape so deps is present and contains
neverBundle/alwaysBundle arrays; run the provided ripgrep check to confirm no
remaining "external" keys.
- Around line 58-61: The package.json currently pins packageManager to
"[email protected]" but engines.pnpm permits ">=10.17.1", causing potential local/CI
drift; update the engines.pnpm value to ">=10.32.1" so it matches the
packageManager pin (edit the engines block entry "pnpm" in package.json to the
new minimum).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 69ccc9f5-ef17-45e1-841d-f9edf333dad1

📥 Commits

Reviewing files that changed from the base of the PR and between e72686d and fa38a66.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai · 2026-03-23T12:21:29Z

package.json

+    "@biomejs/biome": "2.4.8",
+    "@types/node": "22.19.15",
+    "@vitest/coverage-v8": "4.1.0",
    "@xterm/headless": "^5.5.0",
-    "cspell": "9.2.2",
+    "cspell": "9.7.0",
    "husky": "9.1.7",
    "license-checker-rseidelsohn": "4.4.2",
-    "lint-staged": "16.2.5",
-    "prettier": "3.6.2",
-    "sort-package-json": "3.4.0",
-    "tsdown": "0.15.9",
+    "lint-staged": "16.4.0",
+    "prettier": "3.8.1",
+    "sort-package-json": "3.6.1",
+    "tsdown": "0.21.4",
    "typescript": "5.9.3",
    "vite-tsconfig-paths": "^6.0.0",
-    "vitest": "4.0.5"
+    "vitest": "4.1.0"


⚠️ Potential issue | 🔴 Critical

Lockfile still out of sync—merge blocked.

Pipeline reports 9 mismatched specifiers. Run pnpm install with pnpm 10.32.1 and commit the updated pnpm-lock.yaml.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@package.json` around lines 43 - 56, The lockfile is out of sync; run pnpm install using pnpm v10.32.1 to regenerate and update pnpm-lock.yaml, then commit the updated pnpm-lock.yaml so the 9 mismatched specifiers reported by the pipeline are resolved (ensure you use the project dependencies shown in package.json when running pnpm install).

coderabbitai · 2026-03-23T12:21:29Z

package.json

-    "@biomejs/biome": "2.2.7",
-    "@types/node": "22.18.12",
-    "@vitest/coverage-v8": "4.0.5",
+    "@biomejs/biome": "2.4.8",


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Check current biome.json schema version rg '\$schema' biome.json

Repository: deepnote/deepnote

Length of output: 122

Update biome.json schema to 2.4.8.

The $schema field currently references version 2.2.7 but @biomejs/biome is pinned to 2.4.8 in package.json. Update the schema URL to match: https://biomejs.dev/schemas/2.4.8/schema.json.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@package.json` at line 43, Package.json pins `@biomejs/biome` to 2.4.8 but biome.json still references the older schema; open biome.json and update the "$schema" string to "https://biomejs.dev/schemas/2.4.8/schema.json" so the schema version matches the dependency (verify by checking the existing "$schema" key in biome.json before replacing).

coderabbitai

♻️ Duplicate comments (1)

package.json (1)
43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is still out of sync (merge blocker).

CI already fails with ERR_PNPM_OUTDATED_LOCKFILE for the versions changed on Line 43–56 and Line 58. Regenerate and commit pnpm-lock.yaml using pnpm 10.32.1.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, CI fails due to an outdated lockfile
after dependency/version changes; regenerate pnpm-lock.yaml using the declared
package manager version (packageManager value "[email protected]") by running pnpm
install with pnpm 10.32.1 locally or in CI, ensure the updated pnpm-lock.yaml is
added and committed alongside the package.json changes so the lockfile matches
the dependency versions listed (the dependencies block including
"@biomejs/biome", "@types/node", "typescript", "vitest", etc.).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: CI fails due to an outdated lockfile after
dependency/version changes; regenerate pnpm-lock.yaml using the declared package
manager version (packageManager value "[email protected]") by running pnpm install
with pnpm 10.32.1 locally or in CI, ensure the updated pnpm-lock.yaml is added
and committed alongside the package.json changes so the lockfile matches the
dependency versions listed (the dependencies block including "@biomejs/biome",
"@types/node", "typescript", "vitest", etc.).

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 060dc033-a0f4-448a-8fc0-614d5d86a8a6

📥 Commits

Reviewing files that changed from the base of the PR and between fa38a66 and f6483c9.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (2)

package.json (2)

53-53: ⚠️ Potential issue | 🟠 Major

Verify tsdown 0.21.4 migration compatibility before merging.

Line 53 upgrades tsdown across multiple minor lines with known config/CLI changes; please confirm no deprecated keys/flags remain in repo configs and scripts.

#!/bin/bash
set -euo pipefail

echo "== tsdown config files =="
fd -t f 'tsdown\.config\.(ts|js|mts|cts)$'

echo
echo "== deprecated tsdown keys potentially needing migration =="
rg -n -C2 --type=ts --type=js '\b(external|noExternal|failOnWarn)\b' $(fd -t f 'tsdown\.config\.(ts|js|mts|cts)$')

echo
echo "== possible old tsdown debug flag usage in package scripts or docs =="
rg -n -C2 --type=json --type=md -- '--debug(\s|$)|--debug-logs(\s|$)' package.json

Based on learnings, keep tsdown declared at root and inherited via workspace hoisting.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 53, The package.json bump to "tsdown": "0.21.4" may
require config/CLI changes; run the supplied verification script to locate
tsdown.config.* files and search for deprecated keys (external, noExternal,
failOnWarn) and old debug flags (--debug, --debug-logs) in package.json scripts
or docs, then update tsdown.config.* and any NPM scripts to the new 0.21.4
config/CLI shape (rename/remove deprecated keys or map to new equivalents) and
keep tsdown declared at the repo root so workspaces inherit it via hoisting
(check package.json "scripts" and tsdown.config.* files for edits).

43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile drift is still a merge blocker.

Lines 43-58 changed dependency specifiers and packageManager, and CI already reports frozen-lockfile mismatch. Regenerate and commit pnpm-lock.yaml with pnpm 10.32.1 before merge.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The packageManager value and dependency
spec changes in package.json have caused lockfile drift; regenerate the pnpm
lockfile (pnpm-lock.yaml) using [email protected] to match the packageManager field,
verify the lockfile reflects the updated dependency specifiers, and commit the
updated pnpm-lock.yaml alongside the package.json change so CI frozen-lockfile
checks pass.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Line 53: The package.json bump to "tsdown": "0.21.4" may require config/CLI
changes; run the supplied verification script to locate tsdown.config.* files
and search for deprecated keys (external, noExternal, failOnWarn) and old debug
flags (--debug, --debug-logs) in package.json scripts or docs, then update
tsdown.config.* and any NPM scripts to the new 0.21.4 config/CLI shape
(rename/remove deprecated keys or map to new equivalents) and keep tsdown
declared at the repo root so workspaces inherit it via hoisting (check
package.json "scripts" and tsdown.config.* files for edits).
- Around line 43-58: The packageManager value and dependency spec changes in
package.json have caused lockfile drift; regenerate the pnpm lockfile
(pnpm-lock.yaml) using [email protected] to match the packageManager field, verify
the lockfile reflects the updated dependency specifiers, and commit the updated
pnpm-lock.yaml alongside the package.json change so CI frozen-lockfile checks
pass.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0ed240c3-7bf8-4519-9549-108ce076df70

📥 Commits

Reviewing files that changed from the base of the PR and between f6483c9 and 08d7090.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (1)

package.json (1)
43-58: ⚠️ Potential issue | 🔴 Critical

Regenerate pnpm-lock.yaml; CI is blocked.

Line 43–58 changed dependency specifiers/package manager, and CI already fails with ERR_PNPM_OUTDATED_LOCKFILE for these exact packages. Commit an updated lockfile generated with pnpm 10.32.1 before merge.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The CI failure is due to an outdated
lockfile after changing dependency specifiers and the packageManager; run pnpm
at the exact version declared in packageManager ("[email protected]") to regenerate
the pnpm-lock.yaml, e.g., install or use pnpm 10.32.1 and run `pnpm install` so
the lockfile reflects the updated deps (those listed in the diff such as
"@biomejs/biome", "typescript", "vitest", "vite-tsconfig-paths", etc.); commit
the regenerated pnpm-lock.yaml alongside the package.json change so CI no longer
errors with ERR_PNPM_OUTDATED_LOCKFILE.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Around line 43-58: The CI failure is due to an outdated lockfile after
changing dependency specifiers and the packageManager; run pnpm at the exact
version declared in packageManager ("[email protected]") to regenerate the
pnpm-lock.yaml, e.g., install or use pnpm 10.32.1 and run `pnpm install` so the
lockfile reflects the updated deps (those listed in the diff such as
"@biomejs/biome", "typescript", "vitest", "vite-tsconfig-paths", etc.); commit
the regenerated pnpm-lock.yaml alongside the package.json change so CI no longer
errors with ERR_PNPM_OUTDATED_LOCKFILE.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 18d63050-0b89-4cc5-8a13-bfec21b02d1b

📥 Commits

Reviewing files that changed from the base of the PR and between 08d7090 and 041c17c.

📒 Files selected for processing (2)

.nvmrc
package.json

coderabbitai

♻️ Duplicate comments (2)

package.json (2)

53-53: ⚠️ Potential issue | 🟠 Major

Verify tsdown config compatibility before merge.

tsdown moved to 0.21.4; verify configs/scripts don’t still use pre-0.21 keys/flags (e.g., external/noExternal, old debug flag patterns).

#!/bin/bash
set -euo pipefail

echo "Searching tsdown configs and scripts for potentially old options..."
fd -HI 'tsdown.config.ts$' -t f | while read -r f; do
  echo "--- $f"
  rg -n -C2 'external|noExternal|failOnWarn|debugLogs|--debug\b|deps\.neverBundle|deps\.alwaysBundle' "$f" || true
done

echo "--- package.json scripts using tsdown/debug flags ---"
rg -n -C2 'tsdown|--debug\b|--debug-logs' package.json

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 53, package.json bumped tsdown to 0.21.4; verify and
update any config keys or CLI flags that changed in v0.21 (search for
occurrences of external, noExternal, failOnWarn, debugLogs, --debug,
--debug-logs and deps.neverBundle/deps.alwaysBundle) and update them to the new
v0.21 equivalents or remove deprecated flags; check tsdown.config.ts files and
any package.json scripts that call "tsdown" and replace old patterns with the
current API (adjust option names or move settings into the new config shape) so
builds and scripts using tsdown succeed with 0.21.4.

43-58: ⚠️ Potential issue | 🔴 Critical

Lockfile is out of sync with manifest (merge blocker).

CI already fails on frozen lockfile. Regenerate and commit pnpm-lock.yaml with pnpm 10.33.0 so specifiers match package.json.

#!/bin/bash
set -euo pipefail

echo "Checking changed devDependency specifiers vs pnpm-lock.yaml..."
python - <<'PY' > /tmp/changed_specs.txt
import json
p = json.load(open("package.json"))
keys = [
  "@biomejs/biome","@types/node","@vitest/coverage-v8","cspell",
  "lint-staged","prettier","sort-package-json","tsdown","vitest"
]
for k in keys:
  print(f"{k}: {p['devDependencies'][k]}")
print(f"packageManager: {p['packageManager']}")
PY

cat /tmp/changed_specs.txt
echo "---"
echo "Lockfile presence check (heuristic):"
while IFS= read -r spec; do
  rg -n --fixed-strings "$spec" pnpm-lock.yaml >/dev/null && echo "✓ $spec" || echo "✗ $spec"
done < /tmp/changed_specs.txt

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 43 - 58, The lockfile (pnpm-lock.yaml) is out of
sync with the devDependency specifiers in package.json (see the packageManager
field and the devDependencies like
"@biomejs/biome","@types/node","@vitest/coverage-v8","cspell","lint-staged","prettier","sort-package-json","tsdown","vitest");
fix it by regenerating the pnpm lockfile using pnpm v10.33.0 (ensure your local
pnpm matches packageManager), e.g. run pnpm install (or pnpm install
--lockfile-only) with [email protected] to update pnpm-lock.yaml, verify the changed
specifiers are present, and commit the updated pnpm-lock.yaml alongside the
package.json change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@package.json`:
- Line 53: package.json bumped tsdown to 0.21.4; verify and update any config
keys or CLI flags that changed in v0.21 (search for occurrences of external,
noExternal, failOnWarn, debugLogs, --debug, --debug-logs and
deps.neverBundle/deps.alwaysBundle) and update them to the new v0.21 equivalents
or remove deprecated flags; check tsdown.config.ts files and any package.json
scripts that call "tsdown" and replace old patterns with the current API (adjust
option names or move settings into the new config shape) so builds and scripts
using tsdown succeed with 0.21.4.
- Around line 43-58: The lockfile (pnpm-lock.yaml) is out of sync with the
devDependency specifiers in package.json (see the packageManager field and the
devDependencies like
"@biomejs/biome","@types/node","@vitest/coverage-v8","cspell","lint-staged","prettier","sort-package-json","tsdown","vitest");
fix it by regenerating the pnpm lockfile using pnpm v10.33.0 (ensure your local
pnpm matches packageManager), e.g. run pnpm install (or pnpm install
--lockfile-only) with [email protected] to update pnpm-lock.yaml, verify the changed
specifiers are present, and commit the updated pnpm-lock.yaml alongside the
package.json change.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9a3c98ee-05f8-4a8a-bb0c-dedbe1d4e297

📥 Commits

Reviewing files that changed from the base of the PR and between 041c17c and 921d03a.

📒 Files selected for processing (2)

.nvmrc
package.json

renovate bot added dependencies renovate labels Mar 2, 2026

coderabbitai bot requested changes Mar 2, 2026

View reviewed changes

package.json Outdated Show resolved Hide resolved

renovate bot force-pushed the renovate/non-major branch from 27488c8 to 54ca4b2 Compare March 2, 2026 07:37

coderabbitai bot reviewed Mar 2, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from 54ca4b2 to 1d7003f Compare March 2, 2026 07:53

coderabbitai bot previously approved these changes Mar 2, 2026

View reviewed changes

renovate bot dismissed coderabbitai[bot]’s stale review via 49f2c26 March 2, 2026 11:23

renovate bot force-pushed the renovate/non-major branch from 1d7003f to 49f2c26 Compare March 2, 2026 11:23

coderabbitai bot reviewed Mar 2, 2026

View reviewed changes

coderabbitai bot approved these changes Mar 2, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch 2 times, most recently from 01943f5 to 5481be7 Compare March 3, 2026 11:22

coderabbitai bot requested changes Mar 3, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from 5481be7 to 639b865 Compare March 3, 2026 17:05

coderabbitai bot reviewed Mar 3, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from 639b865 to be8f580 Compare March 4, 2026 21:53

coderabbitai bot reviewed Mar 4, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from be8f580 to f80cd18 Compare March 5, 2026 20:07

coderabbitai bot requested changes Mar 5, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from f80cd18 to 126ed1e Compare March 6, 2026 13:02

coderabbitai bot reviewed Mar 6, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from 126ed1e to 34ae84c Compare March 6, 2026 17:01

coderabbitai bot reviewed Mar 6, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from 34ae84c to 56ec06b Compare March 7, 2026 02:09

coderabbitai bot requested changes Mar 7, 2026

View reviewed changes

package.json Outdated Show resolved Hide resolved

renovate bot force-pushed the renovate/non-major branch from 56ec06b to b016a00 Compare March 9, 2026 01:58

coderabbitai bot reviewed Mar 9, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from 500c4a5 to aecfece Compare March 11, 2026 12:09

coderabbitai bot reviewed Mar 11, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch 3 times, most recently from bc86c34 to e4c8035 Compare March 13, 2026 19:12

coderabbitai bot reviewed Mar 13, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from e4c8035 to df56eeb Compare March 15, 2026 01:09

coderabbitai bot reviewed Mar 15, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch 2 times, most recently from 2d54ef9 to 2659df6 Compare March 15, 2026 13:06

coderabbitai bot reviewed Mar 15, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from 2659df6 to ae83d82 Compare March 16, 2026 08:56

coderabbitai bot reviewed Mar 16, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch 3 times, most recently from 0c2987d to 07c2bbe Compare March 19, 2026 09:12

coderabbitai bot reviewed Mar 19, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from 07c2bbe to e72686d Compare March 19, 2026 17:30

coderabbitai bot reviewed Mar 19, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from e72686d to fa38a66 Compare March 23, 2026 12:15

coderabbitai bot requested changes Mar 23, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from fa38a66 to f6483c9 Compare March 24, 2026 18:32

coderabbitai bot reviewed Mar 24, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from f6483c9 to 08d7090 Compare March 25, 2026 01:09

coderabbitai bot reviewed Mar 25, 2026

View reviewed changes

renovate bot force-pushed the renovate/non-major branch from 08d7090 to 041c17c Compare March 25, 2026 05:56

coderabbitai bot reviewed Mar 25, 2026

View reviewed changes

chore(deps): update non-major dependencies

921d03a

renovate bot force-pushed the renovate/non-major branch from 041c17c to 921d03a Compare March 25, 2026 21:12

coderabbitai bot reviewed Mar 25, 2026

View reviewed changes

Conversation

renovate bot commented Mar 2, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Patch Changes

Configuration

Summary by CodeRabbit

Uh oh!

renovate bot commented Mar 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

File name: pnpm-lock.yaml

Uh oh!

coderabbitai bot commented Mar 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Estimated code review effort

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 3, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 3, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 5, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

renovate bot commented Mar 2, 2026 •

edited by coderabbitai bot

Loading

renovate bot commented Mar 2, 2026 •

edited

Loading

coderabbitai bot commented Mar 2, 2026 •

edited

Loading