@ymc9 ymc9 commented Dec 18, 2025

Summary by CodeRabbit

  • Chores
    • Updated IDE extension to version 3.0.16
    • Updated internal dependencies to latest compatible versions

Copilot AI review requested due to automatic review settings December 18, 2025 00:31
coderabbitai bot commented Dec 18, 2025

Walkthrough

This PR updates version numbers across two files: the VS Code extension version from 3.0.15 to 3.0.16 in package.json, and two workspace dependencies in pnpm-workspace.yaml—kysely from ~0.28.8 to ~0.28.9 and next from 16.0.7 to 16.0.10. No logic or configuration changes.

Changes

Cohort / File(s) | Summary
VS Code Extension Metadata (packages/ide/vscode/package.json) | Version bumped from 3.0.15 to 3.0.16
Workspace Dependencies (pnpm-workspace.yaml) | kysely constraint updated from ~0.28.8 to ~0.28.9; next constraint updated from 16.0.7 to 16.0.10

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

These are straightforward version constraint updates with no logic, functionality, or configuration changes beyond dependency version bumps.

Possibly related PRs

  • chore: bump vscode version #448: Modifies packages/ide/vscode/package.json by bumping the extension version (3.0.13→3.0.14), following the same pattern as this PR.
  • chore: bump vscode version #437: Updates the version property in packages/ide/vscode/package.json, the same field modified in this PR.
  • merge from main #468: Modifies the pnpm-workspace.yaml Next.js dependency version constraint (bumps next to 16.0.7; this PR further bumps to 16.0.10).

Poem

🐰 A hop, a skip, a version tick!
Dependencies dance, so quick, so slick,
Kysely and Next take their stride,
While the VS Code extension rides the tide,
All numbered up with gentle precision,
A rabbit's delight—the upgrade mission! 🎉

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name | Status | Explanation | Resolution
Title check | ❓ Inconclusive | The title mentions kysely and next version updates but omits the vscode package version update that is also present in the changeset. | Consider updating the title to reflect all changes, such as 'chore: update kysely, next, and vscode package versions' or clarify if vscode is intentionally excluded.

✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

claude bot commented Dec 18, 2025

Claude finished @ymc9's task


Pull Request Review

I've completed a comprehensive review of this dependency update PR. Here's my detailed feedback:

Todo List

  • Read CLAUDE.md for repo-specific guidelines
  • Examine changed files to understand what dependencies were updated
  • Check for potential breaking changes in dependency updates
  • Review workspace configuration changes
  • Assess security implications
  • Provide comprehensive feedback

Analysis Summary

This PR updates three components:

  • Kysely: ~0.28.8 → ~0.28.9 (patch version bump)
  • Next.js: 16.0.7 → 16.0.10 (patch version bump)
  • VSCode extension version: 3.0.15 → 3.0.16 (manual version increment)

Review Feedback

Code Quality & Best Practices

  • Good: Follows proper semantic versioning for patch-level dependency updates
  • Good: Uses pnpm catalog for centralized dependency management across the monorepo
  • Good: Appropriate use of tilde (~) range for Kysely to allow patch updates while preventing minor version drift
  • Good: Consistent versioning strategy aligns with repository guidelines in CLAUDE.md

⚠️ Potential Issues & Considerations

  1. Package Manager Version Inconsistency (packages/ide/vscode/package.json:32)

    • VSCode package specifies "packageManager": "[email protected]"
    • Root package.json specifies "packageManager": "[email protected]"
    • Recommendation: Consider updating VSCode package to use the same pnpm version for consistency
  2. Missing Changelog Context

    • No description or changelog links provided for the dependency updates
    • Recommendation: Include brief notes about what fixes/improvements these versions bring

Security Assessment

  • Low Risk: Both Kysely and Next.js are patch-level updates, typically containing only bug fixes
  • Good: Using exact/tilde ranges prevents unexpected major version jumps
  • Good: Dependencies are well-maintained, popular packages with active security monitoring

Performance Considerations

  • Positive: Patch updates often include performance improvements and bug fixes
  • Good: No architectural changes that would impact performance
  • Good: Bundle size impact should be minimal for patch-level updates

⚠️ Test Coverage Concerns

  • Missing: No indication that tests were run after dependency updates
  • Recommendation: Verify that pnpm test, pnpm lint, and pnpm build all pass
  • Note: According to CLAUDE.md, the project has comprehensive test suites including E2E tests

Workspace Configuration

  • Good: Proper use of pnpm catalog system for dependency management
  • Good: Maintains workspace structure and package organization
  • Good: No breaking changes to workspace configuration

Recommendations

  1. Add Testing Validation: Ensure CI tests pass and consider running key test suites manually
  2. Version Consistency: Align pnpm versions across all package.json files
  3. Documentation: Add brief notes about what improvements these updates bring
  4. Consider Kysely API Changes: Review Kysely 0.28.9 changelog for any API adjustments that might affect ZenStack's ORM layer

Overall Assessment

✅ APPROVED: This is a well-structured dependency maintenance PR. The updates are conservative patch-level changes that follow best practices. The main concerns are minor inconsistencies rather than blocking issues.


Copilot AI left a comment

Pull request overview

This PR performs routine maintenance by updating two key dependencies to their latest patch versions:

  • kysely: Updated from 0.28.8 to 0.28.9 (patch update)
  • next: Updated from 16.0.7 to 16.0.10 (patch update)
  • VSCode extension: Version bumped from 3.0.15 to 3.0.16 to reflect the updated dependencies

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File | Description
pnpm-workspace.yaml | Updates kysely and next version specifications in the pnpm catalog
pnpm-lock.yaml | Reflects the updated dependency resolutions, including all transitive dependencies and platform-specific Next.js SWC binaries
packages/ide/vscode/package.json | Bumps VSCode extension version to 3.0.16

The changes are straightforward dependency updates at the patch level, which should be backward compatible. All modifications properly follow the project's catalog-based dependency management pattern where versions are centrally defined in pnpm-workspace.yaml and referenced throughout the monorepo using the catalog: specifier.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3172523 and b89f864.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • packages/ide/vscode/package.json (1 hunks)
  • pnpm-workspace.yaml (1 hunks)
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: 2025-11-26T01:55:04.540Z
Learnt from: CR
Repo: zenstackhq/zenstack-v3 PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-26T01:55:04.540Z
Learning: Applies to ide/vscode/**/{package.json,version.ts} : The VSCode IDE extension package should maintain a different version from other packages to comply with VSCode Marketplace requirements

Applied to files:

  • packages/ide/vscode/package.json
📚 Learning: 2025-11-26T01:55:04.540Z
Learnt from: CR
Repo: zenstackhq/zenstack-v3 PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-26T01:55:04.540Z
Learning: Use `pnpm` with workspaces for package management, pinned to version `pnpm10.12.1`

Applied to files:

  • pnpm-workspace.yaml
📚 Learning: 2025-11-26T01:55:04.540Z
Learnt from: CR
Repo: zenstackhq/zenstack-v3 PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-26T01:55:04.540Z
Learning: Applies to packages/zenstackhq/orm/**/*.{ts,tsx} : Use Kysely as the query builder interface for low-level database queries, avoiding raw SQL when possible

Applied to files:

  • pnpm-workspace.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: claude-review
🔇 Additional comments (2)
packages/ide/vscode/package.json (1)

4-4: LGTM! VSCode extension version bump is appropriate.

The patch version increment from 3.0.15 to 3.0.16 aligns with the PR's objective of updating version numbers. Based on learnings, the VSCode extension correctly maintains its own version number independently of other packages to comply with VSCode Marketplace requirements.

pnpm-workspace.yaml (1)

15-15: Kysely version 0.28.9 is confirmed and safe to use.

Version 0.28.9 is the latest version and was published 2 days ago. This is a small crucial bug fix release with a PostgreSQL introspector fix for case handling. As a patch-level bump from 0.28.8, this is low-risk. No known security vulnerabilities were found for this version.

langium: 3.5.0
langium-cli: 3.5.0
next: 16.0.7
next: 16.0.10
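
Review bot: the `next` entry is an exact pin (16.0.10, with no `~` or `^`), so later patch releases will never be picked up without another manual edit to this line. If the exact pin is deliberate, add a YAML comment beside the entry saying why this version is the floor, and land the regenerated pnpm-lock.yaml in the same commit so the catalog and the lockfile cannot disagree.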

⚠️ Potential issue | 🔴 Critical

Update from 16.0.7 to 16.0.10 is a critical security patch, not a routine version bump.

Version 16.0.10 exists and was published 5 days ago. However, this is not a low-risk update. 16.0.10 was released on December 11, 2025 to address critical security vulnerabilities in React Server Components. Next.js 16.0.10 patches CVE-2025-55183 (Source Code Exposure), CVE-2025-55184 (Denial of Service), and CVE-2025-67779. This upgrade is necessary and appropriate.

🤖 Prompt for AI Agents
In pnpm-workspace.yaml around line 18, the Next.js entry was changed to 16.0.10
but the PR treated it as a routine bump; this is a critical security upgrade
(fixes CVE-2025-55183/55184/67779) so explicitly update the file to pin next:
16.0.10, regenerate the lockfile (pnpm install) and run the full test suite and
security/audit tooling, add a one-line changelog/PR description noting this is a
security patch and reference the CVE IDs, and notify the team/ops to prioritize
deployment.
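
A check like the one this comment calls for can run in CI. The following is an added example, not code from this PR or from ZenStack: it reads the `catalog:` map of a constructed pnpm-workspace.yaml and reports entries whose lowest resolvable version is below a patched release. `SAMPLE_WORKSPACE`, `MIN_PATCHED` and the function names are hypothetical; 16.0.10 is the patched version named in the review above.

```javascript
// Added example with hypothetical names; the YAML below is constructed sample data.
const SAMPLE_WORKSPACE = `
packages:
  - packages/**
catalog:
  kysely: ~0.28.9
  next: 16.0.7
`;

// Patched release named in the review comment on this page.
const MIN_PATCHED = { next: '16.0.10' };

// Read flat `name: range` entries under top-level `catalog:` (not a full YAML parser).
function parseCatalog(text) {
  const catalog = {};
  let inCatalog = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\s*#.*$/, '');
    if (!line.trim()) continue;
    if (/^\S/.test(line)) { inCatalog = /^catalog:\s*$/.test(line); continue; }
    const m = inCatalog && line.match(/^\s+['"]?([^'":\s]+)['"]?:\s*['"]?([^'"\s]+)['"]?\s*$/);
    if (m) catalog[m[1]] = m[2];
  }
  return catalog;
}

// Lowest version a range can resolve to: x.y.z with an optional ~ or ^.
function floorOf(range) {
  const m = range.match(/^[~^]?(\d+)\.(\d+)\.(\d+)$/);
  return m ? m.slice(1).map(Number) : null; // null: form not understood
}

// Numeric compare; as strings, '16.0.7' would sort after '16.0.10'.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// One finding per listed package whose floor is below its patched version.
function findUnpatched(text, minimums = MIN_PATCHED) {
  const catalog = parseCatalog(text);
  return Object.entries(minimums).flatMap(([name, min]) => {
    if (!(name in catalog)) return [];
    const floor = floorOf(catalog[name]);
    if (!floor) return [{ name, range: catalog[name], reason: 'unparsed range' }];
    return compare(floor, floorOf(min)) < 0
      ? [{ name, range: catalog[name], reason: `below ${min}` }] : [];
  });
}
```

A range the reader cannot interpret is reported rather than passed, so an entry such as `latest` fails the gate instead of slipping through.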

@ymc9 ymc9 closed this Dec 18, 2025
@ymc9 ymc9 deleted the chore/dep-ver-updtes branch December 28, 2025 04:16