
fix: remediate several vulnerabilities#2787

Merged: pepol merged 7 commits into main from peter/eng-8989-remediate-medium-vulnerabilities-april-due-april-22 on Apr 24, 2026

Conversation

@pepol pepol commented Apr 22, 2026

Summary by CodeRabbit

  • Chores

    • Updated runtime and framework dependencies across packages to the latest stable versions for improved performance and security updates.
    • Added version pinning for additional dependencies to ensure consistent and predictable dependency resolution during builds.
  • Documentation

    • Enhanced README documentation with improved formatting, spacing, and overall consistency throughout the guides.
  • Style

    • Refined TypeScript configuration file formatting for enhanced consistency.

Checklist

Open Source AI Manifesto

This project follows the principles of the Open Source AI Manifesto. Please ensure your contribution aligns with its principles.

coderabbitai Bot commented Apr 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 239abdfc-0207-417d-8ffd-3159b73744e8

📥 Commits

Reviewing files that changed from the base of the PR and between 3607c59 and 4c7b60a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • admission-server/README.md
  • admission-server/tsconfig.json
  • cli/package.json
  • package.json
  • router/internal/graphiql/graphiql.html
  • studio/package.json
✅ Files skipped from review due to trivial changes (3)
  • studio/package.json
  • admission-server/tsconfig.json
  • admission-server/README.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • package.json
  • cli/package.json

Walkthrough

This PR updates multiple dependency versions across the project: ajv (8.17.1→8.18.0) in CLI, next (15.4.11→15.5.15) in root and studio packages, and adds new pnpm overrides for markdown-it (14.1.1) and lodash (4.18.1). Documentation and TypeScript configuration files are also reformatted.

Changes

Cohort / File(s) Summary
Dependency Version Updates
cli/package.json, package.json, studio/package.json
Updates ajv to 8.18.0 in CLI package, bumps next from 15.4.11 to 15.5.15 in root and studio packages, and adds pnpm overrides for markdown-it (14.1.1) and lodash (4.18.1).
Documentation and Configuration Formatting
admission-server/README.md, admission-server/tsconfig.json
Adds blank lines around code blocks, removes trailing whitespace, adds terminal newlines, and reformats tsconfig.json types array to single-line format.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix: remediate several vulnerabilities' accurately summarizes the main objective of the PR, which is to address multiple CVEs across various packages by upgrading dependencies.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


codecov Bot commented Apr 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.52%. Comparing base (e95aaed) to head (4c7b60a).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2787      +/-   ##
==========================================
+ Coverage   46.28%   47.52%   +1.24%     
==========================================
  Files        1045     1065      +20     
  Lines      139773   144269    +4496     
  Branches     8768     9767     +999     
==========================================
+ Hits        64687    68571    +3884     
- Misses      73332    73925     +593     
- Partials     1754     1773      +19     

see 23 files with indirect coverage changes


github-actions Bot commented Apr 22, 2026

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-aeb37bd78ae5e86f5c2af1ceb53cb53a78e17b61-nonroot

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
package.json (1)

106-107: Use caret ranges instead of unbounded versions for stability.

>=14.1.1 and >=4.18.1 allow floating to future major versions, risking uncontrolled upgrades and potential breakage. Use ^14.1.1 and ^4.18.1 for reproducible, bounded upgrades within the same major line.

Recommended override
-      "markdown-it": ">=14.1.1",
-      "lodash": ">=4.18.1"
+      "markdown-it": "^14.1.1",
+      "lodash": "^4.18.1"
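Review bot: the caret suggestion changes future update behaviour, not what is installed today; with pnpm-lock.yaml committed (it is excluded from this review by path filter), `>=14.1.1` and `^14.1.1` resolve to the same pinned versions until someone runs `pnpm update`. What the override must guarantee for the advisory is the floor, so the part to keep is the minimum at the patched release; the caret additionally prevents a later update from jumping markdown-it or lodash to a new major, which is a compatibility concern rather than a security one, and it would need a manual bump if a future fix shipped only in a new major. Either way, confirm the override actually reached the transitive copies the commit messages name (inquirer's lodash, graphiql's markdown-it), for example with `pnpm why lodash` and `pnpm why markdown-it`, before relying on the scanner result.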
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 106 - 107, The package.json currently uses
unbounded version ranges ("markdown-it": ">=14.1.1" and "lodash": ">=4.18.1")
which can float to future major releases; update these to caret ranges
("markdown-it": "^14.1.1" and "lodash": "^4.18.1") so upgrades remain within the
same major version, ensuring more stable, reproducible dependency
resolution—locate the dependency entries for "markdown-it" and "lodash" in
package.json and replace the ">=" prefixes with "^".

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bc6c0bd4-c5e1-424a-afff-ef26d53f91bf

📥 Commits

Reviewing files that changed from the base of the PR and between e48e072 and 796f907.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (7)
  • cli/package.json
  • composition/package.json
  • controlplane/package.json
  • package.json
  • playground/package.json
  • protographic/package.json
  • studio/package.json

@pepol pepol force-pushed the peter/eng-8989-remediate-medium-vulnerabilities-april-due-april-22 branch from c5476db to 3607c59 on April 24, 2026 08:48
pepol and others added 6 commits April 24, 2026 16:34
Resolves medium severity vulnerability in ajv package.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Resolves medium severity vulnerability in transitive markdown-it
dependency used by graphiql, prosemirror-markdown, and tiptap-markdown.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Upgrades lodash in controlplane, composition, studio, playground and
lodash-es in cli, protographic. Adds pnpm override for lodash>=4.18.1
to cover transitive dependencies (inquirer).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Updates Next.js in studio and the root pnpm override to resolve
medium severity vulnerability requiring >= 15.5.10.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@pepol pepol force-pushed the peter/eng-8989-remediate-medium-vulnerabilities-april-due-april-22 branch from 3607c59 to 4c7b60a on April 24, 2026 14:41
@Aenimus Aenimus left a comment

LGTM!

@pepol pepol merged commit fdd035b into main Apr 24, 2026
56 checks passed
@pepol pepol deleted the peter/eng-8989-remediate-medium-vulnerabilities-april-due-april-22 branch April 24, 2026 17:12