deps: refresh safe dependency drift #160

Open. Ronak-D-Shah wants to merge 1 commit into InsForge:main from Ronak-D-Shah:deps-refresh-safe-dependancy-drift

Ronak-D-Shah (Contributor) commented Jun 6, 2026

Summary

Refreshes safe patch/minor dependency updates while leaving major version upgrades out of scope. Only package.json and package-lock.json changed.

Updated

  • @insforge/shared-schemas ^1.1.55 (latest)
  • posthog-node
  • eslint
  • typescript-eslint
  • vitest
  • @types/node (stays on Node 22 types)

Deferred
Major-line upgrades (@clack/prompts, archiver, commander, open, typescript, etc.) left for follow-up.

Validation

  • npm run lint — pass (0 errors; pre-existing warnings only)
  • npm run test — 421 passed, 13 integration tests skipped by default
  • npm run build — pass
  • INTEGRATION_TEST_ENABLED=true npm run test:integration:real — 4/4 passed against live project

Fixes #152


Summary by cubic

Updates safe minor and patch dependencies to reduce drift; no major upgrades included. Only package.json and package-lock.json changed; lint, tests, build, and live integration tests pass.

  • Dependencies
    • Runtime: @insforge/shared-schemas ^1.1.55, posthog-node ^5.36.3.
    • Tooling: eslint ^10.4.1, typescript-eslint ^8.60.1, vitest ^4.1.8, @types/node ^22.19.20 (Node 22 types).
    • Deferred: major-line upgrades (@clack/prompts, archiver, commander, open, typescript, etc.).

Written for commit 1e5e970. Summary will update on new commits.


Note

Refresh npm dependency versions in package.json

Bumps several dependencies to their latest minor/patch versions: @insforge/shared-schemas to ^1.1.55, posthog-node to ^5.36.3, @types/node to ^22.19.20, eslint to ^10.4.1, typescript-eslint to ^8.60.1, and vitest to ^4.1.8. The package-lock.json is regenerated to match.

Macroscope summarized 1e5e970.

Summary by CodeRabbit

  • Chores
    • Updated core dependencies and development tooling to latest compatible versions to enhance platform stability, security, and performance.


coderabbitai Bot commented Jun 6, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a1300777-cbdc-4969-b9fc-99099ee3e8ef

📥 Commits

Reviewing files that changed from the base of the PR and between d80617c and 1e5e970.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Walkthrough

The CLI package dependencies and development tooling versions are refreshed to address version drift. Runtime dependencies (@insforge/shared-schemas, posthog-node, @types/node) and development tooling (eslint, typescript-eslint, vitest) receive patch and minor version updates.

Changes

CLI Dependency Updates

| Layer / File(s) | Summary |
| --- | --- |
| Dependency Version Updates (package.json) | Version pins are updated for @insforge/shared-schemas (1.1.52→1.1.55), posthog-node (5.28.9→5.36.3), @types/node (22.13.4→22.19.20), eslint (10.0.0→10.4.1), typescript-eslint (8.56.0→8.60.1), and vitest (4.1.0→4.1.8). |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

Poem

🐰 Bump the versions, left and right,
Schemas, linters, shining bright,
No code to break, just pins to tweak,
InsForge CLI stays fresh each week! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'deps: refresh safe dependency drift' directly and concisely describes the main change: updating dependency versions to address version drift. |
| Linked Issues check | ✅ Passed | The PR fulfills issue #152's acceptance criteria: safe patch/minor updates applied, @insforge/shared-schemas aligned to 1.1.55, and npm run test/lint/build all pass. |
| Out of Scope Changes check | ✅ Passed | All changes are in-scope: only package.json dependency/version updates were made, aligning with issue #152's objective to refresh safe patch/minor drift. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@agent-zhang-beihai


Thanks for the PR, @Ronak-D-Shah! This links #152, but that issue isn't assigned to anyone yet. Our workflow is claim the issue first, then submit the PR. It'll still be reviewed — to keep ownership clear, comment on the issue that you'd like it assigned to you.

agent-zhang-beihai Bot added the needs-claim label (PR work started without being assigned the issue — claim the issue first) Jun 6, 2026

agent-zhang-beihai Bot left a comment


Dependency refresh — review

Only package.json and package-lock.json change. No application logic was touched. High-effort review applied across all seven angles; no Critical or Important blockers found.


Summary of changes (package-lock resolved versions)

| Package | Old | New | Kind |
| --- | --- | --- | --- |
| @insforge/shared-schemas | 1.1.52 | 1.1.55 | runtime |
| posthog-node / @posthog/core | 5.28.9 / 1.24.4 | 5.36.3 / 1.30.9 | runtime |
| eslint | 10.0.0 → 10.0.1 (resolved) | 10.4.1 | dev |
| typescript-eslint | 8.56.0 → 8.56.1 (resolved) | 8.60.1 | dev |
| vitest + rolldown bindings | 4.1.0 | 4.1.8 + rolldown@1.0.3 | dev |
| @types/node | 22.13.4 → 22.19.13 | 22.19.20 | dev |

Observations (non-blocking)

  1. @rolldown/binding-wasm32-wasi engine floor raised (package-lock.json line ~1080).
    The resolved 1.0.3 entry now declares "node": "^20.19.0 || >=22.12.0", up from >=14.0.0.
    The project's own engines field still allows >=18.0.0. In practice this is optional: true — npm will silently skip the WASM fallback — and native Rolldown bindings cover every tested platform. But a developer running Node 18 without a native rolldown binding would get a silent build degradation.
    Recommendation: no action required unless the project actively supports a Node 18 CI lane that lacks a native rolldown platform binary; worth tracking when engines is eventually narrowed.

  2. @posthog/core internal dependency swap (package-lock.json ~line 851).
    cross-spawn was dropped as a direct dependency of @posthog/core; @posthog/types@1.381.0 was added in its place. This is an internal restructuring upstream — the public posthog-node API is unchanged and the integration tests confirm it. Worth knowing if a future incident involves cross-platform process spawning via posthog internals.

  3. @insforge/shared-schemas 1.1.52 → 1.1.55 (runtime bump with no changelog visible in the diff).
    This is the only runtime-facing bump where tightened or renamed schema fields could silently change validation results without crashing tests. The four live integration tests passing is encouraging; confirming that no new required fields were added or optional fields removed across the .52 → .55 range is the remaining due diligence (a quick npm diff @insforge/shared-schemas@1.1.52 @insforge/shared-schemas@1.1.55 on the types folder would close this).


Verdict

All seven review angles (line-by-line diff scan, removed-behavior audit, cross-file callers, reuse, simplification, efficiency, altitude) return no Critical or blocking Important findings. Test evidence is strong: 421 unit tests + 4/4 live integration tests green. The PR correctly defers all major-version upgrades.

Ahead Four.
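
The engine-floor observation in the review above can be checked mechanically across a whole lockfile. This is an added example, not code from the InsForge repository or from any of the review bots: the function names and the sample lockfile are constructed (using the versions and ranges quoted in the review), and only `>=` and `^` ranges are handled.

```javascript
// Added example. SAMPLE_LOCK is constructed; its versions and ranges are the
// ones quoted in the review above. Shape follows package-lock "packages".
const SAMPLE_LOCK = {
  packages: {
    '': { name: '@insforge/cli', engines: { node: '>=18.0.0' } },
    'node_modules/@rolldown/binding-wasm32-wasi': {
      version: '1.0.3', optional: true,
      engines: { node: '^20.19.0 || >=22.12.0' },
    },
    'node_modules/example-ok': { version: '1.0.0', engines: { node: '>=14.0.0' } },
  },
};

// "22.12" -> [22, 12, 0]; missing parts count as 0.
const parse = (v) => [0, 1, 2].map((i) => Number(v.trim().split('.')[i]) || 0);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// true / false, or null when the range uses syntax this sketch does not parse.
// Only ">=x" and "^x.y.z" (major >= 1) joined by "||" are handled.
function satisfies(version, range) {
  const v = parse(version);
  let unparsed = false;
  const ok = range.split('||').some((part) => {
    const p = part.trim();
    if (p.startsWith('>=')) return cmp(v, parse(p.slice(2))) >= 0;
    if (p.startsWith('^')) {
      const lo = parse(p.slice(1));
      return v[0] === lo[0] && cmp(v, lo) >= 0;
    }
    unparsed = true;
    return false;
  });
  return ok ? true : unparsed ? null : false;
}

// List dependencies whose engines.node excludes the project's lowest Node.
function engineFloorViolations(lock, projectFloor) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const range = entry.engines && entry.engines.node;
    if (!path || !range) continue; // "" is the root project itself
    const result = satisfies(projectFloor, range);
    if (result === true) continue;
    out.push({ name: path.replace(/^.*node_modules\//, ''), range,
      optional: Boolean(entry.optional), parsed: result !== null });
  }
  return out;
}
```

Entries reported with `optional: true` are the ones npm skips without failing the install, so they are worth listing in CI output even when they do not block the build.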

agent-zhang-beihai Bot removed the needs-claim label (PR work started without being assigned the issue — claim the issue first) Jun 6, 2026

greptile-apps Bot commented Jun 6, 2026


Greptile Summary

Routine patch/minor dependency refresh across package.json and package-lock.json. No source files were modified.

  • @insforge/shared-schemas bumped from 1.1.52 → 1.1.55 (production schema dependency; changelog not visible in this repo).
  • posthog-node bumped from 5.28.9 → 5.36.3, pulling in a new transitive dependency (@posthog/types@1.381.0) and promoting @emnapi/core/@emnapi/runtime from direct deps to peer deps in @napi-rs/wasm-runtime@1.1.4.
  • Dev tooling (eslint, typescript-eslint, vitest, @types/node) each received minor/patch bumps; all remain within their original semver ranges.

Confidence Score: 5/5

Safe to merge — only package manifests changed, all within semver ranges already declared, and CI (lint, tests, build, integration) is reported passing.

No source files were modified. Every bump is a patch or minor increment within the existing semver range operators, so no breaking-change risk according to semver. The one new transitive entry (@posthog/types) is an additive types-only package. The @napi-rs/wasm-runtime structural change (emnapi moved to peer deps) is already resolved in the lockfile and is a dev/optional-only path.

No files require special attention. @insforge/shared-schemas crossed three patch versions (1.1.52 → 1.1.55) and is a runtime schema dependency worth a quick changelog check if any schema-validation regressions are spotted post-deploy.

Important Files Changed

| Filename | Overview |
| --- | --- |
| package.json | Version ranges bumped for 6 packages (2 runtime, 4 dev) consistent with minor/patch semver intent; no structural changes to scripts, engines, or dependency graph topology. |
| package-lock.json | Lock file is internally consistent with package.json changes; 62 resolved versions updated, new transitive entry @posthog/types@1.381.0 added, @napi-rs/wasm-runtime restructured emnapi deps as peer deps (all still present in the lockfile). |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["@insforge/cli"] --> B["@insforge/shared-schemas\n1.1.52 → 1.1.55"]
    A --> C["posthog-node\n5.28.9 → 5.36.3"]
    C --> D["@posthog/core\n1.24.4 → 1.30.9"]
    D --> E["@posthog/types 1.381.0\n(new transitive dep)"]
    A -.->|devDep| F["eslint\n10.0.0 → 10.4.1"]
    A -.->|devDep| G["typescript-eslint\n8.56.0 → 8.60.1"]
    A -.->|devDep| H["vitest\n4.1.0 → 4.1.8"]
    A -.->|devDep| I["@types/node\n22.13.4 → 22.19.20"]
    F --> J["@eslint/core\n1.1.0 → 1.2.1"]
    F --> K["@eslint/plugin-kit\n0.6.0 → 0.7.2"]
    style E fill:#ffe0b2,stroke:#e65100

Reviews (1): Last reviewed commit: "deps: refresh safe dependency drift"

cubic-dev-ai Bot left a comment


No issues found across 2 files


Comment thread package.json
"dependencies": {
"@clack/prompts": "^0.9.1",
"@insforge/shared-schemas": "^1.1.52",
"@insforge/shared-schemas": "^1.1.55",
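
Review bot: on the `@insforge/shared-schemas` line, the new range `^1.1.55` still accepts any later 1.x release, so the version that was actually reviewed is held only by package-lock.json. Because this entry sits under `dependencies` and is a schema package, confirm the lockfile resolves exactly 1.1.55, install with `npm ci` rather than `npm install` in CI, and type-check the code that consumes the schema types before merging, since a removed or renamed field would not show up in this hunk.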

Contributor


Did a test on this bump and I think one cleanup is worth folding into this PR:

rm -rf node_modules && npm ci
npx tsc --noEmit

and it shows src/commands/metadata.ts(71,18): error TS2339: Property 'aiIntegration' does not exist on type

The root cause is that aiIntegration was removed from AppMetadataSchema, so if we bump the version, we also need to delete the dead code in src/commands/metadata.ts:
if (data.aiIntegration?.models?.length) {
......
and update the command description to drop the now-misleading AI models mention:
.description('Show backend metadata (auth, database, buckets, edge functions, realtime)')


Successfully merging this pull request may close these issues.

[Maintenance]: Refresh CLI dependency and shared-schemas drift
