
chore(deps): patch simple-git and Next.js for Dependabot alerts#4504

Merged: AviPeltz merged 2 commits into main from review-dependabot-alerts-2 on May 13, 2026

Conversation

AviPeltz (Collaborator) commented May 13, 2026

Summary

  • Bump simple-git 3.33.0 → 3.36.0 in apps/desktop and packages/host-service to close GHSA-hffm-xvc3-vprc (alerts #65, #139)
  • Bump next 16.2.1 → 16.2.6 across apps/web, apps/admin, apps/api, apps/marketing, apps/docs to close all flagged Next.js CVEs, most importantly the proxy/middleware bypass advisories that matter given web/admin/api enforce auth via proxy.ts

A follow-up PR will handle the remaining Hono, Vite, lodash, and PostCSS alerts.

Exposure assessment

  • simple-git RCE: CVE requires user-controlled input to reach the options array argument. All call sites in this repo pass static option arrays (e.g. ["--depth=1"] in resolve-repo.ts:235) or no options. Bump is defense-in-depth.
  • Next.js proxy bypass / RSC poisoning / RSC DoS: directly applicable — apps/web/src/proxy.ts, apps/admin/src/proxy.ts, apps/api/src/proxy.ts all gate routes on session, and apps use App Router + RSC throughout.

Test plan

  • bun install succeeds, lockfile updated
  • bun run typecheck passes for all 5 Next.js apps + host-service + desktop
  • bun run lint passes (no Biome output)
  • Reviewed Next 16.2.2–16.2.6 changelog — patch-only, no breaking changes to middleware/proxy/redirect APIs
  • Reviewer to smoke-test sign-in redirect + public-route allowlist on dev server before merge

Summary by cubic

Patches dependencies to resolve security alerts and harden auth-protected routes. Updates simple-git for RCE hardening and next to fix proxy/middleware bypass CVEs; no breaking changes expected.

  • Dependencies
    • Bump simple-git 3.33.0 → 3.36.0 in apps/desktop and packages/host-service (closes alerts #65, #139).
    • Bump next 16.2.1 → 16.2.6 in apps/web, apps/admin, apps/api, apps/marketing, apps/docs (patches all flagged Next.js CVEs).

Written for commit 2271b76. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Updated web framework dependencies to version 16.2.6 across multiple applications for improved stability.
    • Upgraded Git utility library to version 3.36.0 in desktop and backend services.


AviPeltz added 2 commits May 13, 2026 02:35

Closes Dependabot alerts #65 and #139 (RCE via --config option injection).
Current call sites pass static option arrays, so exposure was theoretical,
but bumping is defense-in-depth.

16.2.6 patches every flagged Next.js Dependabot CVE, including the
proxy/middleware bypass advisories (GHSA-26hh-7cqf-hhc6, etc.) that
matter most given web/admin/api enforce auth via proxy.ts. Patch-level
bump, no breaking changes in the 16.2.x range.
coderabbitai (Bot, Contributor) commented May 13, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between f3e3e93 and 2271b76.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (7)
  • apps/admin/package.json
  • apps/api/package.json
  • apps/desktop/package.json
  • apps/docs/package.json
  • apps/marketing/package.json
  • apps/web/package.json
  • packages/host-service/package.json

Walkthrough

The pull request updates dependency versions across multiple application and package manifests. Next.js is bumped to 16.2.6 across five app packages (admin, api, docs, marketing, web). Simple-git is bumped to 3.36.0 in desktop and host-service packages. All changes are patch-level version increments.

Changes

Dependency Version Updates
  • Next.js 16.2.6 updates across apps (apps/admin/package.json, apps/api/package.json, apps/docs/package.json, apps/marketing/package.json, apps/web/package.json): next dependency version bumped from 16.2.1 to 16.2.6 across all five application manifests, maintaining consistency across the monorepo's Next.js-based apps.
  • Simple-git 3.36.0 updates (apps/desktop/package.json, packages/host-service/package.json): simple-git dependency version bumped from 3.33.0 to 3.36.0 in both the desktop application and host-service package.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Pre-merge checks: 5 passed
  • Title check: Passed. The title accurately summarizes the main changes: patching simple-git and Next.js versions in response to Dependabot security alerts.
  • Description check: Passed. The description includes a comprehensive summary of changes, related issues, exposure assessment, and test plan; it follows the repository template with all critical sections completed.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


capy-ai (Bot) commented May 13, 2026

Capy auto-review is paused for this organization because the monthly auto-review limit has been reached. Increase the limit or turn it off in billing settings to resume automatic reviews.

greptile-apps (Bot) commented May 13, 2026

Greptile Summary

This is a security-patch dependency bump PR that upgrades next from 16.2.1 → 16.2.6 across all five Next.js apps and simple-git from 3.33.0 → 3.36.0 in the desktop app and host-service package to close active Dependabot alerts.

  • Next.js 16.2.6: Bumped in apps/admin, apps/api, apps/docs, apps/marketing, and apps/web; the PR description correctly identifies that the proxy/middleware bypass CVEs are directly applicable given each app gates routes via proxy.ts.
  • simple-git 3.36.0: Bumped in apps/desktop and packages/host-service; 3.36.0 introduces two new transitive dependencies (@simple-git/args-pathspec, @simple-git/argv-parser) which are properly reflected in bun.lock.
  • The bun.lock is internally consistent with all package.json changes — all pinned SWC binaries for Next.js and all new simple-git sub-packages appear at the correct versions.

Confidence Score: 5/5

Safe to merge — all changes are version bumps on pinned patch releases with no API surface changes, and the lockfile is fully consistent with every package.json.

Every package.json pin is reflected correctly in bun.lock, including the two new transitive packages introduced by simple-git 3.36.0. The Next.js upgrade is patch-only (no middleware/proxy API changes across 16.2.2–16.2.6) and directly closes the auth-bypass advisories applicable to this repo's proxy pattern. The remaining open smoke-test checkbox is a reasonable pre-merge gate noted by the author.

No files require special attention. The bun.lock update is the most mechanically complex change but is internally consistent.

Important Files Changed
  • apps/web/package.json: next bumped from 16.2.1 to 16.2.6 — directly mitigates proxy/middleware bypass CVEs that affect auth-gated routes
  • apps/admin/package.json: next bumped from 16.2.1 to 16.2.6; no other changes
  • apps/api/package.json: next bumped from 16.2.1 to 16.2.6; no other changes
  • apps/docs/package.json: next bumped from 16.2.1 to 16.2.6; no other changes
  • apps/marketing/package.json: next bumped from 16.2.1 to 16.2.6; no other changes
  • apps/desktop/package.json: simple-git bumped from 3.33.0 to 3.36.0; no other changes
  • packages/host-service/package.json: simple-git bumped from 3.33.0 to 3.36.0; no other changes
  • bun.lock: Lockfile updated consistently: next 16.2.6 with all SWC platform binaries, simple-git 3.36.0 with two new transitive packages (@simple-git/args-pathspec, @simple-git/argv-parser) all present at correct versions

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot Alerts] --> B{Package}
    B --> C[next 16.2.1]
    B --> D[simple-git 3.33.0]

    C -->|bump to 16.2.6| E[apps/web]
    C -->|bump to 16.2.6| F[apps/admin]
    C -->|bump to 16.2.6| G[apps/api]
    C -->|bump to 16.2.6| H[apps/docs]
    C -->|bump to 16.2.6| I[apps/marketing]

    D -->|bump to 3.36.0| J[apps/desktop]
    D -->|bump to 3.36.0| K[packages/host-service]

    E & F & G --> L[Auth-gated proxy.ts routes\nProxy bypass CVEs mitigated]
    J & K --> M[GHSA-hffm-xvc3-vprc\nRCE alert closed]

    L --> N[bun.lock updated]
    M --> N
    N --> O[New transitive deps captured\n@simple-git/args-pathspec\n@simple-git/argv-parser]

Reviews (1): Last reviewed commit: "chore(deps): bump next 16.2.1 -> 16.2.6 ..."

cubic-dev-ai (Bot, Contributor) left a comment

No issues found across 8 files

You’re at about 94% of the monthly review limit. You may want to disable incremental reviews to conserve quota. Reviews will continue until that limit is exceeded. If you need help avoiding interruptions, please contact contact@cubic.dev.

@AviPeltz AviPeltz merged commit 93dbabf into main May 13, 2026
16 checks passed
github-actions (Bot, Contributor) commented May 13, 2026

Preview Deployment

Preview links (service, status, link):
  • Neon Database (Neon): View Branch
  • Vercel API (Vercel): Open Preview
  • Vercel Web (Vercel): Open Preview
  • Vercel Marketing (Vercel): Open Preview
  • Vercel Admin (Vercel): Open Preview
  • Vercel Docs (Vercel): Open Preview

Preview updates automatically with new commits.
