chore(deps): remove dspyground from dependencies

[marcusquinn]

Summary

• Remove dspyground from package.json dependencies
• Remove overrides section (no longer needed)
• Add note to dspyground.md clarifying it's installed separately

Why

npm overrides don't work for global installs (npm install -g), so the next.js CVE-2025-66478 vulnerability warning persists even with the override in place.

Since dspyground is optional tooling for prompt optimization (not core CLI functionality), removing it as a dependency eliminates the security warning entirely.

Impact

• Users who need DSPyGround can install it separately: npm install -g dspyground
• The npm run dspy:* scripts still work for local development (they just call the dspyground CLI)
• No change to core aidevops CLI functionality

Testing

After merge and release:

npm install -g aidevops
# Should no longer show next.js vulnerability warning

Closes the vulnerability issue from v2.54.2.

Summary by CodeRabbit

• Documentation

  • Clarified in the documentation that DSPyGround is an optional tool requiring separate installation from the aidevops CLI. Multiple documentation sections updated to provide better clarity on this optional component.

• Chores

  • Removed DSPyGround from project dependencies.
  • Removed Next.js version override from package configuration to simplify dependency management.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The PR removes the dspyground dependency from package.json and its Next.js version override, while adding documentation that clarifies DSPyGround is an optional tool installed separately from the aidevops CLI.

Changes

Cohort / File(s)	Summary
Documentation \.agent/tools/context/dspyground\.md	Added clarifying notes that DSPyGround is an optional tool installed separately, inserted after initial overview and section heading
Dependencies package\.json	Removed dspyground dependency (^0.3.10) and entire overrides block containing Next.js version pin (^16.1.1)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• fix(deps): resolve next.js security vulnerability CVE-2025-66478 #79: Directly inverse operation — adds the same dspyground dependency and overrides block that this PR removes from package.json.

Poem

📦 Dependencies trimmed, clarity gained,
Optional tools now properly maintained,
DSPyGround stands apart and free,
One less constraint, DevOps pristine! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically reflects the main change in the changeset: removing dspyground from package.json dependencies.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

🧹 Recent nitpick comments

.agent/tools/context/dspyground.md (1)

37-38: LGTM - Clear documentation of optional dependency.

The note accurately reflects the PR's objective of removing DSPyGround as a core dependency and clarifies installation expectations. The placement after the Overview is logical and the wording is clear.

📝 Optional: Enhance visibility with markdown callout

Consider using a markdown blockquote or callout for better visual prominence:

-**Note**: DSPyGround is an optional tool installed separately from the aidevops CLI. Install it when you need visual prompt optimization capabilities.
+> **Note**: DSPyGround is an optional tool installed separately from the aidevops CLI. Install it when you need visual prompt optimization capabilities.

This makes the note stand out more clearly in the documentation flow.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4ae7c0f and 9e3768b.

📒 Files selected for processing (2)

• .agent/tools/context/dspyground.md
• package.json

💤 Files with no reviewable changes (1)

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Codacy Static Code Analysis

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a persistent next.js security vulnerability warning that arose due to npm's overrides not functioning correctly for global installations. By removing dspyground, an optional prompt optimization tool, from the core dependencies, the vulnerability warning is entirely eliminated. This change ensures that the aidevops CLI remains secure and streamlined, while users who require DSPyGround can still install it independently without affecting the main application.

Highlights

• Dependency Removal: The dspyground package has been removed from the project's direct dependencies in package.json.
• Overrides Section Removal: The overrides section, previously used to manage next.js versions, has been removed from package.json as it is no longer needed.
• Documentation Update: A note has been added to dspyground.md to clarify that DSPyGround is an optional tool and should be installed separately.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[augmentcode]

🤖 Augment PR Summary

Summary: Removes dspyground (and the now-unneeded next override) from package.json so global installs of aidevops no longer surface the Next.js CVE warning.

Changes: Updates DSPyGround documentation to clarify it’s an optional tool that’s installed separately when needed.

_{🤖 Was this summary useful? React with 👍 or 👎}

[gemini-code-assist]

Code Review

This pull request effectively addresses a security vulnerability warning by removing the dspyground dependency. The changes are logical and well-justified: dspyground and its associated overrides are removed from package.json, and the documentation is updated to reflect that it's now an optional, separate installation. This is a clean solution for the issue affecting global installs. I have one minor suggestion to improve the new documentation note.

[gemini-code-assist]

This note is a great addition for clarity. To make it even more helpful for the user, I suggest including the installation command directly within the note. This provides a complete, actionable instruction in one place.

Suggested change

	**Note**: DSPyGround is an optional tool installed separately from the aidevops CLI. Install it when you need visual prompt optimization capabilities.
	**Note**: DSPyGround is an optional tool installed separately from the aidevops CLI. You can install it via `npm install -g dspyground`.

[augmentcode]

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 260 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Jan 14 01:58:59 UTC 2026: Code review monitoring started
Wed Jan 14 01:59:00 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 260
Wed Jan 14 01:59:00 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Wed Jan 14 01:59:02 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 260
• VULNERABILITIES: 0

Generated on: Wed Jan 14 01:59:41 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring