CLI: Upgrade jscodeshift to 17.3.0

[afurm]

What

Upgrades jscodeshift from ^0.15.1 to ^17.3.0 in code/lib/codemod and code/lib/cli-storybook.

Why

Old jscodeshift@0.15.1 pulls in deprecated transitive deps: temp→rimraf→glob→inflight. Latest jscodeshift@17.3.0 removed temp dependency, fixing all npm warnings.

Closes #34438

Manual testing

1. Run yarn install and confirm the deprecation warnings for temp, rimraf, glob, and inflight (previously pulled in transitively via jscodeshift) no longer appear.
2. Run the codemod transform tests: yarn vitest run csf-2-to-3 upgrade-deprecated-types find-implicit-spies — all should pass (these exercise the jscodeshift transform API at runtime).
3. Run the a11y automigration test, which uses jscodeshift's runtime API (jscodeshift.withParser): yarn vitest run addon-a11y-addon-test — should pass.
4. Run a codemod end-to-end against a sample project, e.g. npx storybook migrate csf-2-to-3 --glob "src/**/*.stories.js", and confirm the stories are transformed correctly and the jscodeshift CLI binary still resolves and runs.

Summary by CodeRabbit

• Chores
  • Upgraded the code transformation engine and its type definitions to a new major version across codemod and CLI tooling. This brings improved compatibility with modern JavaScript, updated typings, and potential performance and reliability benefits for automated code migrations with minimal risk.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cb211024-7759-493f-ac49-b211574e7eb0

📥 Commits

Reviewing files that changed from the base of the PR and between 520c4b0 and e4e8100.

📒 Files selected for processing (1)

• code/lib/codemod/package.json

✅ Files skipped from review due to trivial changes (1)

• code/lib/codemod/package.json

---

📝 Walkthrough

Walkthrough

Two Storybook packages update jscodeshift from ^0.15.1 to ^17.3.0; additionally code/lib/codemod/package.json updates @types/jscodeshift from ^0.11.10 to ^17.3.0. No source code or exported/public API changes.

Changes

Cohort / File(s)	Summary
Dependency Version Updates code/lib/cli-storybook/package.json, code/lib/codemod/package.json	Bumped jscodeshift from ^0.15.1 → ^17.3.0 in both packages. Also updated @types/jscodeshift from ^0.11.10 → ^17.3.0 in code/lib/codemod/package.json. No other files or exports changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@code/lib/codemod/package.json`:
- Line 47: The package.json currently upgrades "jscodeshift" to "^17.3.0" but
leaves "@types/jscodeshift" pinned at "^0.11.10"; update the
"@types/jscodeshift" dependency to "^17.3.0" so the runtime and types match
(change the version string for the "@types/jscodeshift" entry), then run the
lockfile install to refresh package-lock/yarn.lock so type-checking uses the
matching DefinitelyTyped release.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4363bdd2-1f68-4dc2-bb4e-69279f67cb7d

📥 Commits

Reviewing files that changed from the base of the PR and between 70c6b16 and 520c4b0.

📒 Files selected for processing (2)

• code/lib/cli-storybook/package.json
• code/lib/codemod/package.json

[storybook-app-bot]

Package Benchmarks

^{Commit: 85ef40b, ran on 22 May 2026 at 13:32:42 UTC}

The following packages have significant changes to their size or dependencies:

@storybook/cli

	Before	After	Difference
Dependency count	203	183	🎉 -20 🎉
Self size	908 KB	909 KB	🚨 +144 B 🚨
Dependency size	87.71 MB	87.64 MB	🎉 -64 KB 🎉
Bundle Size Analyzer	Link	Link

@storybook/codemod

	Before	After	Difference
Dependency count	196	176	🎉 -20 🎉
Self size	32 KB	32 KB	🎉 -1 B 🎉
Dependency size	86.19 MB	86.13 MB	🎉 -64 KB 🎉
Bundle Size Analyzer	Link	Link

[valentinpalkovic]

Maintainer update — I've brought this PR up to date so it's ready for review.

Changes made on top of the original commits:

• Rebased onto current next.
• Added a yarn.lock update for the jscodeshift bump and ran yarn dedupe (CI's Check for dedupe step requires a fully-deduped lockfile). yarn install --immutable and yarn dedupe --check both pass. This also drops the deprecated temp → rimraf → glob → inflight chain — the goal of npm warnings about glob, rimraf and inflight, all caused by a too old version of jscodeshift in Storybook's dependencies #34438.
• Adjusted the PR title/description to satisfy Danger JS (title format + Manual testing section).

Verified locally (Node 22.22.1):

• nx compile + nx check (typecheck) for @storybook/codemod and @storybook/cli — clean, no type errors with @types/jscodeshift@17.
• Codemod transform tests (csf-2-to-3, upgrade-deprecated-types, find-implicit-spies) and the a11y automigration test (exercises jscodeshift.withParser at runtime) — all pass.
• oxfmt --check — clean. CLI repro command — runs end-to-end.

CI status: The checks that were genuinely failing on this PR — build--linux, format-check, Danger JS — are now green.

The remaining red checks (typescript-validation, the sandbox *--create jobs, tests--linux, benchmarks) are not caused by this PR. They are a pre-existing breakage on next that every freshly-run PR currently inherits:

• Cannot find package 'oxc-parser' — sandbox *--create jobs
• type-fest has no exported member 'OmitIndexSignature' — typescript-validation
• command not found: vitest — tests--linux

For reference, #34883 (a Node.js version bump touching neither yarn.lock nor jscodeshift) fails with the identical errors. This PR's yarn.lock diff only touches the jscodeshift dependency subtree — it does not touch type-fest, oxc-parser, or vitest.

Once the next breakage is resolved, re-running CI here should go green. The change itself (jscodeshift ^0.15.1 → ^17.3.0 + matching lockfile) is ready for review.