feat: centralize TS dependency management via catalogs

[comatory]

This PR centralizes dependency management via pnpm catalogs feature. I identified several dependencies
that are shared across packages in our monorepo. These deps should use a single common version across
packages.

Caution

I went through the dependency versions by looking at what the current versions are vs what's in the
catalog file. I used the highest version that we had in the codebase to use as the base.
There were no situations where major version would be increased so I don't think we should run
into any issues but it's worth mentioning.

The intention is not to maintain every dependency in a catalog, but the ones that are shared and
important enough, should be using single version to avoid issues like:

1. inconsistent experience between monorepo packages (both on local machines and CI) - we want to see same results for common tools regardles of the package we're working in
2. simplified dependency management: let's just change it in one place and have other packages pick up the change.

Note

I had to re-format playground code as I'm touching the library.

After merging these changes, we should run release CI workflow. I ran pnpm release-preview script manually on local machine and nothing failed, so we should be OK.

Summary by CodeRabbit

• Chores
  • Centralized dependency resolution across the workspace by switching many packages to a shared catalog to unify version management.
• Style
  • Added a Prettier ignore entry to exclude a generated build artifact from formatting.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/docs-website.
• I have read the Contributors Guide.

Open Source AI Manifesto

This project follows the principles of the Open Source AI Manifesto. Please ensure your contribution aligns with its principles.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Multiple package.json files across the monorepo had dependency and devDependency version specifiers replaced with the literal "catalog:" resolver; a new top-level catalog block was added to pnpm-workspace.yaml to centralize those version entries. A .prettierignore file was added under composition-go.

Changes

Cohort / File(s)	Summary
Workspace config pnpm-workspace.yaml	Added a new top-level catalog section declaring centralized version pins for many tooling and runtime dependencies.
Root / workspace package.json package.json	Replaced several devDependency version specifiers with "catalog:". No other fields changed.
Server & CDN packages admission-server/package.json, cdn-server/package.json, cdn-server/cdn/package.json	Switched dependency/devDependency version strings (e.g., dotenv, hono, eslint, typescript, vitest, tsx, @types/node) to "catalog:".
CLI / tooling packages cli/package.json, connect/package.json, protographic/package.json, shared/package.json	Replaced explicit versions for runtime and dev tooling (e.g., @bufbuild/protobuf, @connectrpc/*, eslint*, typescript, vitest, tsx, @types/*) with "catalog:".
Control plane & emails controlplane/package.json, controlplane/emails/package.json	Changed many dependency and devDependency specifiers (e.g., axios, graphql, lodash, eslint, typescript, React in emails) to "catalog:".
Composition & Go shim composition/package.json, composition-go/shim/package.json	Updated graphql, @graphql-tools/utils, lodash, @types/*, and typescript entries to "catalog:".
Playground & studio playground/package.json, studio/package.json	Replaced versions for react, react-dom, graphql, axios, lodash, prettier, typescript, and related @types/* and tooling to "catalog:".
Formatting ignore composition-go/.prettierignore	Added file with entry index.global.js to exclude that file from Prettier formatting.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: centralizing TypeScript/dependency management across the monorepo using pnpm catalogs, which aligns with the extensive package.json and pnpm-workspace.yaml modifications.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.53%. Comparing base (0c2ca73) to head (7d3f7ae).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2782      +/-   ##
==========================================
+ Coverage   41.70%   47.53%   +5.82%     
==========================================
  Files         791     1065     +274     
  Lines      113325   144278   +30953     
  Branches     8768     9767     +999     
==========================================
+ Hits        47266    68578   +21312     
- Misses      65695    73925    +8230     
- Partials      364     1775    +1411     

see 274 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-03110f4df0345fbc7063777234784f9d03ef484c-nonroot

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

controlplane/emails/package.json (1)

20-23: Align React type package versions with catalog-managed React.

React is centrally managed via catalog: on line 22, but @types/react and @types/react-dom remain pinned to specific versions (lines 20-21). This pattern exists in playground/package.json and studio/package.json as well. Consider using catalog: for the type packages too to prevent runtime/type version drift during future React upgrades.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@controlplane/emails/package.json` around lines 20 - 23, The `@types` packages
are pinned to specific versions while "react" is managed via "catalog:", causing
potential drift; update the dependencies for "@types/react" and
"@types/react-dom" in controlplane/emails/package.json to use "catalog:" instead
of fixed versions, and apply the same change in playground/package.json and
studio/package.json so the type packages follow the catalog-managed React
version consistently (look for the dependency keys "@types/react" and
"@types/react-dom" to modify).

playground/package.json (1)

63-63: Move prettier from dependencies to devDependencies.

prettier is only used in the "format" script and has no runtime imports. Since this package is published, unnecessary production dependencies increase the install footprint for consumers.

Proposed change

   "dependencies": {
     "lodash": "catalog:",
     "monaco-editor": "^0.45.0",
-    "prettier": "catalog:",
     "prism-react-renderer": "^2.3.0",
   },
   "devDependencies": {
+    "prettier": "catalog:",
     "@tailwindcss/typography": "^0.5.10",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@playground/package.json` at line 63, The package currently lists "prettier"
under dependencies in package.json but it's only used for the "format" script;
move "prettier" from the "dependencies" object into "devDependencies" so it
won't be installed for consumers—update the package.json entries accordingly and
ensure the "format" script still references "prettier" (no other changes to
script names or runtime imports like format should be required).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@studio/package.json`:
- Around line 32-34: The package.json currently mixes catalog resolution and
explicit version pins causing drift: either add "@connectrpc/connect-web" to the
catalog so it resolves consistently with "@connectrpc/connect" and
"@connectrpc/connect-query", or change "@connectrpc/connect" and
"@connectrpc/connect-query" to explicit pins matching "^1.4.0"/the same semver
you want; likewise, make the react typings consistent by adding "@types/react"
and "@types/react-dom" to the catalog or pinning "react" and "react-dom" to the
same versions as their `@types` packages—update package names
"@connectrpc/connect-web", "@connectrpc/connect", "@connectrpc/connect-query",
"react", "react-dom", "@types/react", and "@types/react-dom" accordingly.

---

Nitpick comments:
In `@controlplane/emails/package.json`:
- Around line 20-23: The `@types` packages are pinned to specific versions while
"react" is managed via "catalog:", causing potential drift; update the
dependencies for "@types/react" and "@types/react-dom" in
controlplane/emails/package.json to use "catalog:" instead of fixed versions,
and apply the same change in playground/package.json and studio/package.json so
the type packages follow the catalog-managed React version consistently (look
for the dependency keys "@types/react" and "@types/react-dom" to modify).

In `@playground/package.json`:
- Line 63: The package currently lists "prettier" under dependencies in
package.json but it's only used for the "format" script; move "prettier" from
the "dependencies" object into "devDependencies" so it won't be installed for
consumers—update the package.json entries accordingly and ensure the "format"
script still references "prettier" (no other changes to script names or runtime
imports like format should be required).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b1fcc226-bce1-4718-8cad-9c462a3f7fd3

📥 Commits

Reviewing files that changed from the base of the PR and between ced6759 and 8022e63.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (15)

• admission-server/package.json
• cdn-server/cdn/package.json
• cdn-server/package.json
• cli/package.json
• composition-go/shim/package.json
• composition/package.json
• connect/package.json
• controlplane/emails/package.json
• controlplane/package.json
• package.json
• playground/package.json
• pnpm-workspace.yaml
• protographic/package.json
• shared/package.json
• studio/package.json

[Aenimus]

LGTM!

[SkArchon]

lgtm