220 changes: 98 additions & 122 deletions clients/agent-runtime/Cargo.lock


14 changes: 7 additions & 7 deletions clients/agent-runtime/Cargo.toml
@@ -69,8 +69,8 @@ uuid = { version = "1.23.0", default-features = false, features = ["v4", "std"]
chacha20poly1305 = "0.10"

# HMAC for webhook signature verification
hmac = "0.12"
sha2 = "0.10"
hmac = "0.13"
sha2 = "0.11"
hex = "0.4"

# CSPRNG for secure token generation
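Review bot: the hmac 0.12→0.13 and sha2 0.10→0.11 bumps cross a major version of the RustCrypto digest stack, which is why the rest of this diff adds `use hmac::KeyInit` imports and replaces `format!("{:x}", …)` with `hex::encode(…)`; Cargo.lock is collapsed above, so confirm the resolved graph carries exactly one major of `sha2` and `hmac`, since `sigstore = "0.13"` and `x509-cert = "0.2"` are left unchanged further down and the comment on this file reports both 0.10.9/0.11.0 and 0.12.1/0.13.0 present. Two majors coexist at build time, but they double the audited surface of the crate that underpins the webhook signature check this comment block names.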
@@ -103,10 +103,10 @@ ring = "0.17"
prost = { version = "0.14", default-features = false }

# Memory / persistence
rusqlite = { version = "0.38", features = ["bundled"] }
rusqlite = { version = "0.39", features = ["bundled"] }
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm no duplicate majors of these crates in the resolved graph
rg -nP '^name = "(const-oid|sha2|hmac|rusqlite|cron|tokio-tungstenite)"' clients/agent-runtime/Cargo.lock -A1
# Locate call sites for the bumped crates
rg -nP --type=rust -C2 '\b(rusqlite::|cron::Schedule|tokio_tungstenite::|const_oid::)' clients/agent-runtime/src/

Repository: dallay/corvus

Length of output: 35023


🏁 Script executed:

# Check which versions are directly specified in Cargo.toml
cat clients/agent-runtime/Cargo.toml | grep -A2 -E '(rusqlite|cron|tokio-tungstenite|const-oid|sha2|hmac) ='

# Run cargo tree -d to show duplicate crates
cargo tree -d 2>/dev/null | head -100

Repository: dallay/corvus

Length of output: 720


Resolve dependency duplication before merging.

The lock file contains multiple major version conflicts in the resolved graph that require active resolution:

  • const-oid: both 0.9.6 and 0.10.2 present
  • hmac: both 0.12.1 and 0.13.0 present
  • sha2: both 0.10.9 and 0.11.0 present
  • tokio-tungstenite: both 0.28.0 and 0.29.0 present

Likely causes are transitive pulls from sigstore and x509-cert conflicting with your direct pins. Verify that call sites handle the API changes correctly:

  • rusqlite::params! macro and Connection methods (v0.38→0.39 tightened error types)
  • cron::Schedule::At patterns in tools/schedule.rs
  • tokio_tungstenite::connect_async in channels (qq.rs, lark.rs, dingtalk.rs, discord.rs)

Run cargo tree -d to identify which transitive deps are pulling older versions, then either update those upstream deps or add explicit constraints to unify versions.

Also applies to: 109-109, 122-122, 128-128, 219-219

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/agent-runtime/Cargo.toml` at line 106, Resolve the duplicated
dependency versions by running cargo tree -d to find which transitive crates
pull older versions (likely via sigstore and x509-cert), then unify versions by
either updating those upstream crates or adding explicit dependency overrides in
Cargo.toml to force the newer semver versions; after unifying, update call sites
to match any API changes: check uses of rusqlite::params! and
rusqlite::Connection APIs (v0.38→0.39 tightened errors), cron::Schedule::At
pattern usages, and tokio_tungstenite::connect_async calls in the modules that
open channels (qq, lark, dingtalk, discord) and adjust code to new function
signatures/types where required.

chrono = { version = "0.4", default-features = false, features = ["clock", "std", "serde"] }
chrono-tz = "0.10"
cron = "0.15"
cron = "0.16"

# Cerebro MCP service client
cerebro = { version = "3.6.1", path = "../../modules/cerebro" }
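Review bot: `rusqlite` 0.38→0.39 with `features = ["bundled"]` also changes the vendored SQLite version, which is the part of this bump with security relevance (the bundled SQLite is compiled into the binary and does not follow the system library); recording the SQLite version shipped by 0.39 in the PR description makes the upgrade auditable. The `cron` 0.15→0.16 bump on the line above comes with no change to tools/schedule.rs in this diff, which the comment on this file names as the call site to re-check for `Schedule::At` patterns.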
@@ -119,13 +119,13 @@ console = "0.16"
glob = "0.3"

# Discord WebSocket gateway
tokio-tungstenite = { version = "0.28", features = ["rustls-tls-webpki-roots"] }
tokio-tungstenite = { version = "0.29", features = ["rustls-tls-webpki-roots"] }
futures-util = { version = "0.3", default-features = false, features = ["sink"] }
futures = "0.3"
regex = "1.12.3"
ignore = "0.4"
fs2 = "0.4"
const-oid = "0.9"
const-oid = "0.10"
x509-cert = { version = "0.2", default-features = false, features = ["pem", "std"] }
sigstore = { version = "0.13", default-features = false, features = ["bundle", "sigstore-trust-root", "rustls-tls"] }
rustls-webpki = { version = "0.103", default-features = false, features = ["std"] }
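Review bot: `const-oid` goes 0.9→0.10 on this line while `x509-cert` stays at 0.2 and `sigstore` at 0.13 just below; the comment on this file reports const-oid 0.9.6 and 0.10.2 both resolved, so an `ObjectIdentifier` built in this crate and one read through x509-cert are now different types. If this crate compares its own OIDs against ones coming out of x509-cert or sigstore, that comparison either stops compiling or needs a string round-trip; either hold const-oid at 0.9 until x509-cert moves, or confirm no such comparison exists. `tokio-tungstenite` 0.28→0.29 keeps the `rustls-tls-webpki-roots` feature, so the TLS trust anchors for the gateway connections are unchanged.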
@@ -216,7 +216,7 @@ panic = "abort"
[dev-dependencies]
tempfile = "=3.27.0"
criterion = { version = "=0.8.2", features = ["async_tokio"] }
wat = "=1.245.1"
wat = "=1.247.0"
rcgen = "0.14"
secrecy = "0.10"
http = "1.4.0"
2 changes: 1 addition & 1 deletion clients/agent-runtime/crates/robot-kit/Cargo.toml
@@ -58,7 +58,7 @@ directories = "6.0"

[target.'cfg(target_os = "linux")'.dependencies]
# GPIO (Raspberry Pi only, optional)
rppal = { version = "0.19", optional = true }
rppal = { version = "0.22", optional = true }

[dev-dependencies]
tokio-test = "=0.4.5"
3 changes: 2 additions & 1 deletion clients/agent-runtime/src/gateway/mod.rs
@@ -33,6 +33,7 @@ use axum::{
routing::{get, post},
Router,
};
use hmac::KeyInit;
use parking_lot::Mutex;
use regex::Regex;
use std::collections::hash_map::DefaultHasher;
@@ -8003,7 +8004,7 @@ always_ask = []
// ══════════════════════════════════════════════════════════

fn compute_whatsapp_signature_hex(secret: &str, body: &[u8]) -> String {
use hmac::{Hmac, Mac};
use hmac::{Hmac, KeyInit, Mac};
use sha2::Sha256;

let mut mac = Hmac::<Sha256>::new_from_slice(secret.as_bytes()).unwrap();
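Review bot: the function-level `use hmac::{Hmac, KeyInit, Mac};` here duplicates the module-level `use hmac::KeyInit;` added in the hunk above (line 36); one of the two suffices, and since this helper lives in the test section after `always_ask = []`, the module-level import is the one the non-test `verify_whatsapp_signature` at mod.rs:3136 (named in the comment on whatsapp.rs) relies on. The `.unwrap()` on `new_from_slice` is sound because HMAC accepts keys of any length, but a short comment stating that keeps a future reviewer from "fixing" it into a fallible path.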
@@ -3,7 +3,7 @@ use axum::{
http::{HeaderMap, StatusCode},
response::{IntoResponse, Json},
};
use hmac::{Hmac, Mac};
use hmac::{Hmac, KeyInit, Mac};
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) Confirm there are indeed two definitions of verify_whatsapp_signature.
rg -nP --type=rust -C2 '\bfn\s+verify_whatsapp_signature\b'

# 2) Inspect the mod.rs version's imports to see if KeyInit is brought in elsewhere in the file/module.
rg -nP --type=rust -C1 '\buse\s+hmac::' clients/agent-runtime/src/gateway/

# 3) Find which version is actually exported/used by callers (router wiring, re-exports).
rg -nP --type=rust -C2 '\bverify_whatsapp_signature\b'

# 4) Check whether mod.rs re-exports the whatsapp.rs version (which would make the mod.rs copy dead code).
rg -nP --type=rust -C1 '\bpub\s+use\s+.*whatsapp' clients/agent-runtime/src/gateway/mod.rs

Repository: dallay/corvus

Length of output: 13562


Deduplicate verify_whatsapp_signature: move to single location in whatsapp.rs and re-export from mod.rs.

Two separate implementations of verify_whatsapp_signature exist (whatsapp.rs:135 and mod.rs:3136), creating a maintenance hazard on a security-critical path. While both have access to KeyInit (explicitly in whatsapp.rs:6, via module-level import in mod.rs:36), the duplication itself is the problem—any future update to one risks diverging from the other.

Keep whatsapp.rs as the single source of truth and have mod.rs re-export it (pub use self::whatsapp::verify_whatsapp_signature;), then remove the inline duplicate in mod.rs. This also aligns with the guideline: "Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/agent-runtime/src/gateway/whatsapp.rs` at line 6, There are two
implementations of verify_whatsapp_signature; keep the implementation in
whatsapp.rs as the single source of truth, remove the duplicate implementation
in mod.rs, and add a re-export in the parent module so callers still resolve
verify_whatsapp_signature from the module root (e.g., add pub use
self::whatsapp::verify_whatsapp_signature; in the mod file). Ensure the
whatsapp.rs version retains the Hmac/KeyInit imports and signatures used by
callers and run cargo build/tests to confirm no symbol regressions.

use sha2::Sha256;
use crate::gateway::AppState;
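Review bot: the import change itself is mechanical, but the comment on this file shows two `verify_whatsapp_signature` bodies (whatsapp.rs:135 and mod.rs:3136), and tests/whatsapp_webhook_security.rs in this PR computes signatures with its own helper, so the test only proves whichever copy the router is wired to. Before deduplicating, confirm which copy the WhatsApp route calls and that it compares via `Mac::verify_slice` (constant-time) rather than comparing hex strings; neither property is visible in this hunk.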

@@ -72,7 +72,7 @@ impl ResponseCache {
hasher.update(b"|");
hasher.update(user_prompt.as_bytes());
let hash = hasher.finalize();
format!("{:064x}", hash)
hex::encode(hash)
}

/// Look up a cached response. Returns `None` on miss or expired entry.
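Review bot: `format!("{:064x}", hash)` → `hex::encode(hash)` is output-identical for a 32-byte SHA-256 digest (64 lowercase hex characters, zero-padded per byte), so existing cache keys remain valid across the upgrade; the change is presumably forced because the digest output type in sha2 0.11 no longer formats with `{:x}`. A one-line test asserting this key function against a known 64-character value would pin that equivalence so a later format drift cannot silently invalidate the cache.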
@@ -766,11 +766,11 @@ fn workspace_fingerprint(workspace_dir: &Path) -> anyhow::Result<String> {
hasher.update(SCHEMA_VERSION.as_bytes());
hasher.update(FORMAT_VERSION.as_bytes());
hasher.update(DISCOVERY_RULES_VERSION.as_bytes());
Ok(format!("{:x}", hasher.finalize()))
Ok(hex::encode(hasher.finalize()))
}

fn sha256_hex(bytes: &[u8]) -> String {
format!("{:x}", Sha256::digest(bytes))
hex::encode(Sha256::digest(bytes))
}

#[cfg(not(windows))]
@@ -202,7 +202,7 @@ fn generate_token() -> String {

/// SHA-256 hash a bearer token for storage. Returns lowercase hex.
fn hash_token(token: &str) -> String {
format!("{:x}", Sha256::digest(token.as_bytes()))
hex::encode(Sha256::digest(token.as_bytes()))
}

/// Check if a stored value looks like a SHA-256 hash (64 hex chars)
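Review bot: `hash_token` keeps its documented contract (lowercase, 64 hex chars) under `hex::encode`, so previously stored token hashes still compare equal and the "looks like a SHA-256 hash (64 hex chars)" check below still recognises them; a regression test with a fixed token and its expected digest is worth adding, because a format drift on this line would silently lock out every already-paired client. A plain SHA-256 of a bearer token is adequate only because `generate_token` above produces high-entropy values (the `# CSPRNG for secure token generation` comment in Cargo.toml suggests it does); that assumption deserves a sentence in the doc comment.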
@@ -6,7 +6,7 @@
//! 3. Webhooks with missing signatures are rejected
//! 4. Webhooks are rejected even if JSON is valid but signature is bad

use hmac::{Hmac, Mac};
use hmac::{Hmac, KeyInit, Mac};
use sha2::Sha256;

/// Compute valid HMAC-SHA256 signature for a webhook payload
@@ -27,6 +27,6 @@
"astro-vtbot": "catalog:",
"portless": "catalog:",
"typescript": "catalog:",
"vite": "7.3.2"
"vite": "8.0.10"
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, check if the files exist and examine the package.json
find . -name "package.json" -path "*/clients/web/apps/docs/*" | head -5

Repository: dallay/corvus

Length of output: 94


🏁 Script executed:

# Look for pnpm-workspace.yaml
find . -name "pnpm-workspace.yaml" | head -5

Repository: dallay/corvus

Length of output: 113


🏁 Script executed:

# List files in the relevant directory
git ls-files clients/web/apps/docs/ | head -20

Repository: dallay/corvus

Length of output: 1335


🏁 Script executed:

# Examine the package.json file to check line 30 and devDependencies
cat -n clients/web/apps/docs/package.json | grep -A 30 -B 5 "vite"

Repository: dallay/corvus

Length of output: 286


🏁 Script executed:

# Get the full package.json to see all devDependencies
cat -n clients/web/apps/docs/package.json

Repository: dallay/corvus

Length of output: 1363


🏁 Script executed:

# Examine pnpm-workspace.yaml, especially line 32 and context
cat -n clients/web/pnpm-workspace.yaml | head -50

Repository: dallay/corvus

Length of output: 1260


🏁 Script executed:

# Also check the root pnpm-workspace.yaml to understand the catalog setup
cat -n pnpm-workspace.yaml | grep -A 5 -B 5 "vite"

Repository: dallay/corvus

Length of output: 722


🏁 Script executed:

# Check if there are any comments in clients/web/pnpm-workspace.yaml explaining the Vite/Astro issue
cat clients/web/pnpm-workspace.yaml

Repository: dallay/corvus

Length of output: 966


🏁 Script executed:

# Check Vite 8 and Astro 6.1 compatibility via web search would be better, but first let's see if there are any comments in the file
rg -i "vite|astro" clients/web/pnpm-workspace.yaml -B 2 -A 2

Repository: dallay/corvus

Length of output: 620


🏁 Script executed:

# Search for any comments in the codebase mentioning vite and astro compatibility issues
rg -i "vite.*astro|astro.*vite" --type-list | head -20

Repository: dallay/corvus

Length of output: 447


🏁 Script executed:

# Check git history or comments about this hard pin
rg -i "vite|astro" clients/web/apps/docs/ -B 3 -A 3 --type-list

Repository: dallay/corvus

Length of output: 447


🏁 Script executed:

# Look for any issue tracking or TODO comments in the entire clients/web directory
rg -i "todo|fixme|bug|issue" clients/web/ --type-list | grep -i "vite\|astro"

Repository: dallay/corvus

Length of output: 447


🏁 Script executed:

# Check astro.config.mjs to see if there's any indication of compatibility issues
cat -n clients/web/apps/docs/astro.config.mjs

Repository: dallay/corvus

Length of output: 10654


🏁 Script executed:

# Search for any TODO, FIXME, or comments about vite/astro in the codebase
rg "TODO|FIXME|NOTE|BUG" clients/web/ -B 2 -A 2

Repository: dallay/corvus

Length of output: 1792


🏁 Script executed:

# Look for any issues or comments in git history about vite pinning
git log --all --oneline --grep="vite" | head -10

Repository: dallay/corvus

Length of output: 656


🏁 Script executed:

# Check if there are other package.json files with similar patterns to understand the intent
find clients/web -name "package.json" -exec grep -l "vite" {} \;

Repository: dallay/corvus

Length of output: 259


🏁 Script executed:

# Check how other apps handle vite in their package.json
for file in clients/web/apps/dashboard/package.json clients/web/apps/marketing/package.json clients/web/apps/rook-dashboard/package.json; do
  echo "=== $file ==="
  cat "$file" | grep -A 10 "devDependencies"
done

Repository: dallay/corvus

Length of output: 1063


🏁 Script executed:

# Check the git commit history for the vite hard pin to understand why it was done
git log -p --all -- clients/web/apps/docs/package.json | grep -B 10 -A 10 "vite.*8.0.10" | head -40

Repository: dallay/corvus

Length of output: 39


🏁 Script executed:

# Verify Vite 8 and Astro 6.1 compatibility - let's look at package lock files
rg "vite.*8.0.10|astro.*6.1" clients/web/apps/docs/pnpm-lock.yaml -B 2 -A 2 | head -20

Repository: dallay/corvus

Length of output: 832


🏁 Script executed:

# Let's check the full git history to see if there was an issue or discussion
git log --all --format="%h %s" --grep="astro\|vite" | head -20

Repository: dallay/corvus

Length of output: 1575


🏁 Script executed:

# Search for any comments or issues in markdown files about vite/astro incompatibility
rg -i "vite.*astro|astro.*vite|incompatible|break" clients/web/ --type md

Repository: dallay/corvus

Length of output: 405


🏁 Script executed:

# Let's check what version of Astro is actually being used in the lock file
rg "astro@" clients/web/apps/docs/pnpm-lock.yaml | head -5

Repository: dallay/corvus

Length of output: 543


🏁 Script executed:

# Check if marketing app also has the same issue and if this is deliberate
cat -n clients/web/apps/marketing/package.json

Repository: dallay/corvus

Length of output: 1536


🏁 Script executed:

# Look for any recent commits specifically about the vite pin in these apps
git log --all -p -- clients/web/apps/docs/package.json clients/web/apps/marketing/package.json | grep -B 5 -A 5 "vite" | head -50

Repository: dallay/corvus

Length of output: 1478


🏁 Script executed:

# Check what the actual resolved vite version is in the lock file
rg "vite@8" clients/web/apps/docs/pnpm-lock.yaml -B 2 -A 10 | head -30

Repository: dallay/corvus

Length of output: 39


🏁 Script executed:

# Let me check when vite was bumped to 8.0.10 specifically
git log --all --oneline --follow -- clients/web/apps/docs/package.json clients/web/apps/marketing/package.json | head -20

Repository: dallay/corvus

Length of output: 103


🏁 Script executed:

# Check the specific commit that added 8.0.10
git show 0ef9b53 | head -100

Repository: dallay/corvus

Length of output: 5296


🏁 Script executed:

# Find the specific commit that introduced vite 8.0.10
git log --all --oneline -- clients/web/apps/docs/package.json clients/web/apps/marketing/package.json | xargs -I {} git show {} | grep -B 5 "vite.*8.0.10" | head -30

Repository: dallay/corvus

Length of output: 2756


🏁 Script executed:

# More direct search for when vite 8.0.10 was introduced
git log --all -p -- clients/web/apps/docs/package.json | grep -B 20 "8.0.10" | head -50

Repository: dallay/corvus

Length of output: 884


🏁 Script executed:

# Let me check if there are any build or runtime errors related to vite in the test logs or CI
find . -name "*.md" -o -name "*.txt" | xargs grep -l "vite.*astro\|astro.*vite" 2>/dev/null | head -10

Repository: dallay/corvus

Length of output: 69


🌐 Web query:

Vite 8 Astro 6.1 compatibility issues

💡 Result:

Astro 6.1 is not compatible with Vite 8. Astro 6 uses Vite 7 internally and actively warns against using Vite 8, as full support is still in progress (WIP PR #15819).



🏁 Script executed:

# Check the README for any mention of vite/astro compatibility
cat README.md | grep -i "vite\|astro" -B 2 -A 2

Repository: dallay/corvus

Length of output: 1123


Change vite to use catalog: instead of hard-pinning to 8.0.10.

All other devDependencies use catalog:, but vite is hard-pinned here and in clients/web/apps/marketing/package.json, bypassing the workspace catalog and risking silent desyncs. More critically: Astro 6.1.6 (in the catalog) is incompatible with Vite 8. Astro 6 uses Vite 7 internally and actively warns against Vite 8, as full support is still in progress. This pin forces a broken combination.

♻️ Proposed change
-    "vite": "8.0.10"
+    "vite": "catalog:"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/docs/package.json` at line 30, The devDependency "vite" is
hard-pinned to "8.0.10" in package.json which bypasses the workspace catalog and
forces an incompatible Vite/Astro combo; change the "vite" entry to use the
workspace catalog alias (e.g., replace the literal "8.0.10" value with the same
catalog spec used elsewhere like "catalog:vite") so the project picks up the
catalog-managed, Astro-compatible Vite version; also apply the same change to
the other package that was hard-pinned (the marketing app) and run your
workspace install/update to refresh the lockfile.

}
}
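Review bot: this line swaps one hard pin (`7.3.2`) for another (`8.0.10`) while every sibling devDependency uses `catalog:`; the two bot comments on this PR disagree on the fix (`catalog:` here versus a Vite 7.x pin for marketing), and the marketing comment states the catalog itself pairs Astro 6.1 with Vite 8, so `catalog:` alone would not remove the incompatibility. Settle it once at the catalog level (pin Vite 7.x there, or add a pnpm override of `vite` to `^7` as the cited Astro guidance suggests) and have both apps reference the catalog, rather than fixing the two package.json files differently.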
2 changes: 1 addition & 1 deletion clients/web/apps/marketing/package.json
@@ -28,6 +28,6 @@
"devDependencies": {
"portless": "catalog:",
"typescript": "catalog:",
"vite": "7.3.2"
"vite": "8.0.10"
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "package.json" -path "*/clients/web/apps/*" 2>/dev/null | head -5

Repository: dallay/corvus

Length of output: 39


🏁 Script executed:

git ls-files clients/web/apps/ | grep -E "(package\.json|pnpm-workspace\.yaml)"

Repository: dallay/corvus

Length of output: 217


🏁 Script executed:

cat -n clients/web/apps/marketing/package.json | sed -n '25,40p'

Repository: dallay/corvus

Length of output: 282


🏁 Script executed:

cat -n clients/web/pnpm-workspace.yaml | sed -n '25,40p'

Repository: dallay/corvus

Length of output: 457


🏁 Script executed:

cat -n clients/web/pnpm-workspace.yaml | sed -n '1,30p'

Repository: dallay/corvus

Length of output: 969


🏁 Script executed:

for file in clients/web/apps/*/package.json; do
  echo "=== $file ==="; 
  grep -A2 '"devDependencies"' "$file" | grep -E '"vite"|"astro"' || true;
done

Repository: dallay/corvus

Length of output: 249


🏁 Script executed:

for file in clients/web/apps/*/package.json; do
  echo "=== $(basename $(dirname $file)) ===";
  sed -n '/"devDependencies"/,/^  }/p' "$file" | grep -E '"(vite|astro)"';
done

Repository: dallay/corvus

Length of output: 219


🌐 Web query:

Vite 8 Astro 6.1 incompatibility compatibility

💡 Result:

Astro 6.1 is incompatible with Vite 8. Astro 6.1 requires Vite ^7 (specifically ^7.3.1 as seen in dependencies for Astro 6.x), and explicitly warns users when Vite 8 is detected. Full support for Vite 8 is in progress via an open pull request but not yet merged into a stable release as of 2026-04-25. To avoid issues: - Do not install or override to Vite 8. - If using packages that hoist Vite 8 (e.g., @tailwindcss/vite), add overrides: {"vite": "^7"} to package.json. - Astro dev server shows a warning on Vite 8 detection, and astro add cloudflare auto-adds the override.



Align with catalog dependency management, but note the root cause is incompatibility in the catalog itself.

The hard-pinned version is inconsistent with the catalog pattern (though docs also hard-pins). However, the underlying issue is more critical: Astro 6.1 is incompatible with Vite 8, and the catalog defines both together. Using catalog: would propagate this incompatibility rather than solve it. The catalog should be fixed to require Vite 7.x with Astro 6.1.x, or both packages updated together to compatible versions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/marketing/package.json` at line 31, The package.json
currently hard-pins "vite": "8.0.10", which conflicts with Astro 6.1 and breaks
the catalog pattern; change the dependency to a Vite 7.x semver (e.g., "vite":
"7.x") so this app is compatible with Astro 6.1, and add a short TODO noting to
switch to the catalog-managed dependency (catalog:vite) once the catalog is
fixed to require Vite 7.x for Astro 6.1; update package.json's "vite" entry and
any related install/test steps to use the new semver.

}
}
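Review bot: same pin as clients/web/apps/docs/package.json; whatever resolution is chosen there (catalog entry or a `^7` override) should land here in the same commit so the two Astro apps do not diverge on Vite majors.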