upstream 取り込み PR #6: version bump (1.5.5→1.5.10) + uuid v14

[MocA-Love]

Summary

upstream 取り込み PR #6: version bump + dependency bump 5 commits。Codex 事前調査を経て auto-updater 関連 2 commits と fork 既取り込み CVE bump を除外。

Codex が検出した bun.lock の p-retry@7.1.1 resolution 脱落問題 (main 側既存、CI Build fail の原因) も本 PR で修復。

取り込み内容（5 commits）

• chore(desktop): bump version to 1.5.6 (chore(desktop): bump version to 1.5.6 superset-sh/superset#3555)
• chore(desktop): bump version to 1.5.8 (chore(desktop): bump version to 1.5.8 superset-sh/superset#3617)
• chore(desktop): bump version to 1.5.9 (chore(desktop): bump version to 1.5.9 superset-sh/superset#3658)
• chore(desktop): bump version to 1.5.10 (chore(desktop): bump version to 1.5.10 superset-sh/superset#3673)
• chore(deps): bump uuid from ^13.0.0 to ^14.0.0 (chore(deps): bump uuid to ^14.0.0 (GHSA-w5hq-g745-h8pq) superset-sh/superset#3680)

追加 fix

• bun.lock 完全再生成 — main 側の lockfile 不整合 (@mastra/core/p-retry@^7.1.1 resolution 欠落) により electron-builder の production dependency traversal が fail していた問題を解消。Codex が P1 で指摘。rm bun.lock && bun install で再生成し、ローカル bun run --filter @superset/desktop build が exit 0 で成功

除外した 3 commits（理由別）

fork の独自 auto-updater 実装と文脈不一致（skip）

• 92b6701ce8e9 (fix(desktop): guard installUpdate against repeat clicks on macOS superset-sh/superset#3549 guard installUpdate against repeat clicks) — fork の installUpdate() は GitHub Releases URL を開く独自実装で quitAndInstall を使わない
• 872361c3dc97 (fix(desktop): show spinner on install update button while pending superset-sh/superset#3561 show spinner on install update button while pending) — fork の UpdateToast はボタン文言が「Open releases」で upstream の「Install / Installing...」前提 spinner と意味が合わない

fork 既取り込み相当（skip）

• 33848baf324f (security: bump drizzle-orm and better-auth to patch CVEs superset-sh/superset#3560 security bump drizzle-orm and better-auth) — fork に 19a3db58b として同内容相当 commit が既に存在

Fork 側のコンフリクト解決

• apps/desktop/package.json (chore(deps): bump uuid to ^14.0.0 (GHSA-w5hq-g745-h8pq) superset-sh/superset#3680): fork 独自依存 (vscode-*, ws, yaml-language-server, yauzl) を維持しつつ uuid を ^14.0.0 に更新
• bun.lock: 完全再生成で整合性担保、fork 独自依存 (ansi_up, @vscode/ripgrep, @xyflow/react) は全て維持

fork リリース運用との整合性

• apps/desktop version: 1.5.5 → 1.5.10 (upstream トラッキング、CLAUDE.md/AGENTS.md 方針)
• 次回 release tag: v1.5.10-fork.1 から再スタート
• release-desktop.yml は desktop-v*.*.* 発火条件、fork の手動運用 tag とは干渉しない

uuid v14 breaking change (Codex 検証済み)

• 使用箇所: packages/local-db/src/schema/*.ts, apps/desktop/src/main/lib/local-db/index.ts
• named import (v4 as uuidv4, validate as uuidValidate, version as uuidVersion) のみ使用、API 変更なし
• breaking change は Node 18 非対応化 (desktop は Electron 40 = Node 24)

Fork 固有機能ヘルスチェック

baseline 比較で 全項目健在:

• 19 tRPC プロシージャ (github-extended.ts 配下、PR feat(desktop): 大規模ファイル向け CodeMirror diff ビューア #5 で分離済み)
• ansi_up, @vscode/ripgrep, @xyflow/react
• TERMINAL_OPTIONS, SUPERSET_WORKSPACE_NAME, moonshot-ai.kimi-code
• listBranches sortOrder/pinDefault
• dmg.size="4g" (electron-builder.ts)

Codex 最終レビュー: マージ可

全観点 pass。P1 指摘の p-retry@7.1.1 脱落は本 commit で修復。

Test plan

• bun install 正常完了
• bun run typecheck グリーン (27/27)
• bun run lint グリーン
• bun run --filter @superset/desktop build ローカル exit 0 成功
• fork 固有機能 baseline 比較で regression ゼロ
• apps/desktop/package.json version = 1.5.10, uuid = ^14.0.0
• desktop dev 起動確認
• 次回 release で v1.5.10-fork.1 タグを切る運用に移行

次の PR

• PR #2b (最後の大物 feature / DB migration): v2 project create, scheduled agent runs, v1 review pane, v1→v2 migration 等

[coderabbitai]

Warning

Rate limit exceeded

@MocA-Love has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 55 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 50 minutes and 55 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a99ab722-c34d-46e5-95f8-964311d642ba

📥 Commits

Reviewing files that changed from the base of the PR and between 99cbbec and 21af310.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• apps/desktop/package.json
• packages/local-db/package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch upstream/batch-6-version-bump

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

• ⚠️ Neon database branch
• ⚠️ Electric Fly.io app

Thank you for your contribution! 🎉

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8e06a0deb7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".