
chore: upgrade all dependencies to fix dependabot alerts and react2shell #27

Merged

pandeymangg merged 1 commit into main from chore/fix-dependabot-warnings
Dec 11, 2025

Conversation

@mattinannt (Member)

This PR upgrades all dependencies in formbricks/js to the newest available version.

This PR is sensitive as it also upgrades React to solve the critical React2Shell vulnerability.


CLAassistant commented Dec 11, 2025

CLA assistant check
All committers have signed the CLA.

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.


coderabbitai bot commented Dec 11, 2025

Walkthrough

This pull request updates dependencies and development dependencies across the monorepo workspace. The playground application receives updates to core packages (Next.js, React, lucide-react) and development tooling. Root-level package manager dependencies (prettier, turbo, rimraf) and the pnpm version specification are updated. The JavaScript packages directory updates multiple development tooling versions including ESLint, Vitest, Vite, and TypeScript-ESLint. The playground's TypeScript configuration is reformatted and the JSX runtime option is changed from "preserve" to "react-jsx", while a new include path for Next.js development types is added. No changes to public APIs or exported entities occur.

Pre-merge checks

✅ Passed checks (3 passed)

  • Title check: ✅ Passed. The title accurately describes the main objective of the PR: upgrading dependencies to fix dependabot alerts and address the React2Shell vulnerability.
  • Description check: ✅ Passed. The description clearly relates to the changeset by explaining that all dependencies are being upgraded to fix dependabot alerts and the critical React2Shell vulnerability.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86de6f7 and f4ce6e8.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • apps/playground/package.json (1 hunks)
  • apps/playground/tsconfig.json (2 hunks)
  • package.json (1 hunks)
  • packages/js/package.json (1 hunks)
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-09-24T17:04:00.743Z
Learnt from: pandeymangg
Repo: formbricks/js PR: 6
File: packages/js/src/lib/load-formbricks.test.ts:96-114
Timestamp: 2025-09-24T17:04:00.743Z
Learning: The formbricks/js project uses happy-dom as the test environment in Vitest configuration, not jsdom. This is configured in packages/js/vite.config.ts and works well for DOM-dependent tests.

Applied to files:

  • packages/js/package.json
📚 Learning: 2025-09-24T17:04:00.743Z
Learnt from: pandeymangg
Repo: formbricks/js PR: 6
File: packages/js/src/lib/load-formbricks.test.ts:96-114
Timestamp: 2025-09-24T17:04:00.743Z
Learning: The formbricks/js project uses happy-dom as the test environment in Vitest configuration (packages/js/vite.config.ts), not jsdom. This configuration works well for DOM-dependent tests and is faster than jsdom.

Applied to files:

  • packages/js/package.json
📚 Learning: 2025-09-24T16:54:10.968Z
Learnt from: pandeymangg
Repo: formbricks/js PR: 6
File: .github/workflows/build.yml:14-16
Timestamp: 2025-09-24T16:54:10.968Z
Learning: For the formbricks/js repository, the maintainer prefers to keep GitHub Actions build workflows simple with a single Node.js version rather than using matrix strategies to test multiple Node.js versions.

Applied to files:

  • packages/js/package.json
🔇 Additional comments (4)
package.json (1)

15-20: LGTM — tooling patches are low-risk.

These updates (prettier, turbo, rimraf, pnpm) are patch/minor versions with no anticipated breaking changes. The pnpm update aligns with the monorepo structure.

apps/playground/tsconfig.json (1)

4-8: ✅ JSX config change to "react-jsx" is correct for React 19; new include path aligns with Next.js 16.

React 19 requires the modern JSX Transform (2020+). The change from "preserve" to "react-jsx" is the correct configuration and requires no JSX code changes in components.

The addition of .next/dev/types/**/*.ts to the include array is a standard Next.js 16 practice to surface development-time type information. The lib and paths reformatting are cosmetic.

Also applies to: 18-18, 25-40

packages/js/package.json (1)

45-58: ✅ DevDependency tooling updates are low-risk.

These are patch/minor version bumps to ESLint, Vitest, Vite, and related tools. All are devDependencies and do not affect the published @formbricks/js library. Based on learnings, the project uses happy-dom for Vitest, which is compatible with the upgrade to 20.0.11. No API-breaking changes are anticipated in these versions.

apps/playground/package.json (1)

14-28: ✅ Dependency upgrades are correct: React 19.2.1 fixes CVE-2025-55182 and Next.js 16.0.8 resolves the same vulnerability.

The playground app is a simple client-side demo ("use client" components) and does not use any of the Next.js 16 breaking change patterns—no middleware, no server-side async APIs (params, searchParams, cookies, headers, draftMode), and no custom webpack configuration. The Image component usage without width/height is compatible with Next.js 16. No code changes are required for this app.

Likely an incorrect or invalid review comment.


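As an added defender-side check, not part of this PR or of the formbricks/js code base: the script below audits a constructed package.json against the fixed versions the review comment states (React 19.2.1 and Next.js 16.0.8 for CVE-2025-55182), flagging entries whose declared range is older than the fix or cannot be evaluated. The package names and the sample manifest are assumptions.

```javascript
// Added example, not code from the PR or the formbricks/js repository.
// Flags manifest entries whose declared lower bound predates the fixed
// releases the review names (React 19.2.1, Next.js 16.0.8 for CVE-2025-55182).
const FIXED_VERSIONS = { react: "19.2.1", "react-dom": "19.2.1", next: "16.0.8" };

// Parse "1.2.3", "^1.2.3", "~1.2.3" or ">=1.2.3" into [major, minor, patch].
// Anything else ("*", "latest", "workspace:*") returns null: unknown, not safe.
function parseVersion(spec) {
  const m = /^[\^~]?(?:>=)?\s*(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Walk dependencies and devDependencies; return one finding per package that is
// below its fixed version or declared with a range the parser cannot evaluate.
function auditPackageJson(pkg) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const fixed = FIXED_VERSIONS[name];
      if (!fixed) continue;
      const declared = parseVersion(spec);
      if (!declared) {
        findings.push({ name, spec, reason: "unparseable range; check the lockfile" });
      } else if (compareVersions(declared, parseVersion(fixed)) < 0) {
        findings.push({ name, spec, reason: `below fixed version ${fixed}` });
      }
    }
  }
  return findings;
}

// Constructed sample manifest, not the playground's real package.json.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { react: "^19.1.0", "react-dom": "19.2.1", next: "*" },
  devDependencies: { typescript: "5.9.3" },
});

for (const f of auditPackageJson(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`${f.name}@${f.spec}: ${f.reason}`);
}
```

A caret or tilde range is judged by its declared lower bound, so a manifest is flagged when its range still admits a vulnerable release even if the lockfile happens to pin a fixed one; the lockfile (pnpm-lock.yaml here) remains the authoritative record of what is actually installed.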

@pandeymangg pandeymangg added this pull request to the merge queue Dec 11, 2025
Merged via the queue into main with commit a50155a Dec 11, 2025
8 of 9 checks passed
@mattinannt mattinannt deleted the chore/fix-dependabot-warnings branch December 11, 2025 10:15