fix(deps): update npm minor and patch dependencies

[red-hat-konflux]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@babel/compat-data (source)	^7.28.6 → ^7.29.3			dependencies	minor
@babel/core (source)	^7.28.6 → ^7.29.0			devDependencies	minor
@babel/plugin-proposal-decorators (source)	^7.28.6 → ^7.29.0			devDependencies	minor
@babel/plugin-transform-runtime (source)	^7.28.5 → ^7.29.0			devDependencies	minor
@babel/preset-env (source)	^7.28.6 → ^7.29.5			devDependencies	minor
@babel/runtime (source)	^7.28.6 → ^7.29.2			dependencies	minor
@babel/types (source)	^7.28.6 → ^7.29.0			dependencies	minor
@data-driven-forms/common (source)	^4.1.5 → ^4.1.15			dependencies	patch
@data-driven-forms/pf4-component-mapper (source)	^4.1.6 → ^4.1.16			dependencies	patch
@data-driven-forms/react-form-renderer (source)	^4.1.5 → ^4.1.14			dependencies	patch
@formatjs/cli	6.8.8 → 6.14.5			dependencies	minor
@jest/test-sequencer (source)	^30.2.0 → ^30.3.0			devDependencies	minor
@msw/data	^1.1.2 → ^1.1.5			devDependencies	patch
@patternfly/react-core	^6.4.0 → ^6.4.3			dependencies	patch
@patternfly/react-table (source)	^6.4.0 → ^6.4.3			dependencies	patch
@playwright/test (source)	^1.57.0 → ^1.59.1			devDependencies	minor
@project-kessel/react-kessel-access-check (source)	^0.2.6 → ^0.5.0			dependencies	minor
@redhat-cloud-services/eslint-config-redhat-cloud-services (source)	^3.0.12 → ^3.1.1			devDependencies	minor
@redhat-cloud-services/frontend-components (source)	^7.0.40 → ^7.4.1			dependencies	minor
@redhat-cloud-services/frontend-components-config (source)	^6.7.51 → ^6.9.2			devDependencies	minor
@redhat-cloud-services/frontend-components-notifications (source)	^6.1.41 → ^6.6.1			dependencies	minor
@redhat-cloud-services/frontend-components-utilities (source)	^7.0.36 → ^7.3.1			dependencies	minor
@redhat-cloud-services/javascript-clients-shared	^2.0.5 → ^2.0.6			dependencies	patch
@redhat-cloud-services/rbac-client	^9.0.0 → ^9.0.1			dependencies	patch
@redhat-cloud-services/tsc-transform-imports (source)	^1.0.37 → ^1.1.1			devDependencies	minor
@redhat-cloud-services/types (source)	^3.4.1 → ^3.5.1			dependencies	minor
@storybook/addon-docs (source)	^10.2.19 → ^10.3.6			devDependencies	minor
@storybook/addon-webpack5-compiler-swc	^4.0.2 → ^4.0.3			devDependencies	patch
@storybook/react-webpack5 (source)	^10.2.19 → ^10.3.6			devDependencies	minor
@storybook/test-runner	^0.24.2 → ^0.24.3			devDependencies	patch
@tanstack/react-query (source)	^5.90.16 → ^5.100.9			dependencies	minor
@tanstack/react-query-devtools (source)	^5.91.2 → ^5.100.9			dependencies	minor
@typescript-eslint/eslint-plugin (source)	^8.53.0 → ^8.59.2			devDependencies	minor
@typescript-eslint/parser (source)	^8.53.0 → ^8.59.2			devDependencies	minor
@vitest/coverage-v8 (source)	^4.0.17 → ^4.1.5			devDependencies	minor
@vitest/ui (source)	^4.0.17 → ^4.1.5			devDependencies	minor
dotenv	^17.2.3 → ^17.4.2			devDependencies	minor
eslint-plugin-storybook (source)	^10.2.8 → ^10.3.6			devDependencies	minor
eslint-plugin-testing-library	^7.15.4 → ^7.16.2			devDependencies	minor
glob	^13.0.0 → ^13.0.6			dependencies	patch
happy-dom	^20.3.4 → ^20.9.0			devDependencies	minor
jest-environment-jsdom (source)	^30.2.0 → ^30.3.0			devDependencies	minor
jsdom	^27.0.1 → ^27.4.0			devDependencies	minor
msw (source)	^2.12.7 → ^2.14.3			devDependencies	minor
msw-storybook-addon (source)	^2.0.6 → ^2.0.7			devDependencies	patch
node (source)	>=22.12.0 → >=22.22.2			engines	minor
npm (source)	>=7.0.0 → >=7.24.2			engines	minor
playwright (source)	^1.57.0 → ^1.59.1			devDependencies	minor
storybook (source)	^10.2.15 → ^10.3.6			devDependencies	minor
ts-jest (source)	^29.4.6 → ^29.4.9			devDependencies	patch
vitest (source)	^4.0.17 → ^4.1.5			devDependencies	minor
webpack	^5.104.1 → ^5.106.2			devDependencies	minor
yaml (source)	^2.8.2 → ^2.8.4			devDependencies	patch

---

Release Notes

babel/babel (@​babel/compat-data)

v7.29.3

Compare Source

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #​17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #​17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #​17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #​17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser
  • #​17782 Improve trailing comma comment handling (@​JLHwung)

📝 Documentation

• #​17847 Replace npmjs.com links with npmx.dev (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-transform-json-modules
  • #​17818 Load async Wasm and JSON imports in parallel (@​nicolo-ribaudo)

Committers: 4

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu

v7.29.0

Compare Source

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #​17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #​17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #​17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #​17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #​17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #​17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #​17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

🏃‍♀️ Performance

• babel-generator, babel-runtime-corejs3
  • #​17642 [Babel 7] Improve generator performance (@​liuxingbaoyu)

Committers: 6

• David (@​simbahax)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• @​magic-akari

data-driven-forms/react-forms (@​data-driven-forms/common)

v4.1.15

Compare Source

4.1.15 (2026-04-10)

🧱 Updated Dependencies

• Updated @​data-driven-forms/react-form-renderer to 4.1.14

v4.1.14

Compare Source

4.1.14 (2026-03-09)

🩹 Fixes

• wizard: show submit button correctly (c7f896f1)

❤️ Thank You

• LightOfHeaven1994

v4.1.13

Compare Source

4.1.13 (2026-02-16)

🧱 Updated Dependencies

• Updated @​data-driven-forms/react-form-renderer to 4.1.13

v4.1.12

Compare Source

4.1.12 (2026-02-11)

🩹 Fixes

• common: relax base typings (30b75127)

🧱 Updated Dependencies

• Updated @​data-driven-forms/react-form-renderer to 4.1.12

❤️ Thank You

• Martin Marosi @​Hyperkid123

v4.1.11

Compare Source

4.1.11 (2026-02-09)

🧱 Updated Dependencies

• Updated @​data-driven-forms/react-form-renderer to 4.1.11

v4.1.10

Compare Source

4.1.10 (2026-02-05)

🩹 Fixes

• common: select and dual list select types (c8738a32)

🧱 Updated Dependencies

• Updated @​data-driven-forms/react-form-renderer to 4.1.10

❤️ Thank You

• Martin Marosi @​Hyperkid123

v4.1.9

Compare Source

4.1.9 (2026-02-04)

🚀 Features

• common: fully migrate to TS (feb4e4c5)

🧱 Updated Dependencies

• Updated @​data-driven-forms/react-form-renderer to 4.1.9

❤️ Thank You

• Martin Marosi @​Hyperkid123

v4.1.8

Compare Source

4.1.8 (2026-02-02)

🧱 Updated Dependencies

• Updated @​data-driven-forms/react-form-renderer to 4.1.8

v4.1.7

Compare Source

4.1.7 (2026-02-02)

🧱 Updated Dependencies

• Updated @​data-driven-forms/react-form-renderer to 4.1.7

v4.1.6

Compare Source

4.1.6 (2026-01-21)

🚀 Features

• wizard: add wizard progress after submission option (bf96224a)

🧱 Updated Dependencies

• Updated @​data-driven-forms/react-form-renderer to 4.1.6

❤️ Thank You

• LightOfHeaven1994

jestjs/jest (@​jest/test-sequencer)

v30.3.0

Compare Source

Features

• [jest-config] Add defineConfig and mergeConfig helpers for type-safe Jest config (#​15844)
• [jest-fake-timers] Add setTimerTickMode to configure how timers advance
• [*] Reduce token usage when run through LLMs (3f17932)

Fixes

• [jest-config] Keep CLI coverage output when using --json with --outputFile (#​15918)
• [jest-mock] Use Symbol from test environment (#​15858)
• [jest-reporters] Fix issue where console output not displayed for GHA reporter even with silent: false option (#​15864)
• [jest-runtime] Fix issue where user cannot utilize dynamic import despite specifying --experimental-vm-modules Node option (#​15842)
• [jest-test-sequencer] Fix issue where failed tests due to compilation errors not getting re-executed even with --onlyFailures CLI option (#​15851)
• [jest-util] Make sure process.features.require_module is false (#​15867)

Chore & Maintenance

• [*] Replace remaining micromatch uses with picomatch
• [deps] Update to sinon/fake-timers v15
• [docs] Update V30 migration guide to notify users on jest.mock() work with case-sensitive path (#​15849)
• Updated Twitter icon to match the latest brand guidelines (#​15869)

mswjs/data (@​msw/data)

v1.1.5

Compare Source

v1.1.5 (2026-04-20)

Bug Fixes

• support an array as the orderBy value (#​362) (12d6d1a) @​kettanaito

v1.1.4

Compare Source

v1.1.4 (2026-04-19)

Bug Fixes

• update rettime (#​360) (fb3c509) @​kettanaito

v1.1.3

Compare Source

v1.1.3 (2026-04-19)

Bug Fixes

• update dependencies (#​359) (75d80ca) @​kettanaito
• support relational updates via array push (#​358) (0397d5c) @​kettanaito
• update one-to-many relation with array reassignment (#​357) (ffa09aa) @​kettanaito
• clear relation listeners to prevent leaks (#​356) (9f9845c) @​kettanaito
• correctly check for unique relation updates (#​355) (fa1c709) @​kettanaito
• support deeply nested relations (#​349) (2ad167b) @​kettanaito

patternfly/patternfly-react (@​patternfly/react-core)

v6.4.3

Compare Source

v6.4.2

Compare Source

v6.4.1

Compare Source

Updates Include:

- fix(Wizard): Fix crash in nav when first sub-step is hidden
- fix(CodeEditor): prevent focus loss (#​12211)
- chore: Updated with snyk react router, and lodash requests

microsoft/playwright (@​playwright/test)

v1.59.1

Compare Source

Bug Fixes

• [Windows] Reverted hiding console window when spawning browser processes, which caused regressions including broken codegen, --ui and show commands (#​39990)

v1.59.0

Compare Source

🎬 Screencast

New page.screencast API provides a unified interface for capturing page content with:

• Screencast recordings
• Action annotations
• Visual overlays
• Real-time frame capture
• Agentic video receipts

Screencast recording — record video with precise start/stop control, as an alternative to the recordVideo option:

await page.screencast.start({ path: 'video.webm' });
// ... perform actions ...
await page.screencast.stop();

Action annotations — enable built-in visual annotations that highlight interacted elements and display action titles during recording:

await page.screencast.showActions({ position: 'top-right' });

screencast.showActions() accepts position ('top-left', 'top', 'top-right', 'bottom-left', 'bottom', 'bottom-right'), duration (ms per annotation), and fontSize (px). Returns a disposable to stop showing actions.

Action annotations can also be enabled in test fixtures via the video option:

// playwright.config.ts
export default defineConfig({
  use: {
    video: {
      mode: 'on',
      show: {
        actions: { position: 'top-left' },
        test: { position: 'top-right' },
      },
    },
  },
});

Visual overlays — add chapter titles and custom HTML overlays on top of the page for richer narration:

await page.screencast.showChapter('Adding TODOs', {
  description: 'Type and press enter for each TODO',
  duration: 1000,
});

await page.screencast.showOverlay('<div style="color: red">Recording</div>');

Real-time frame capture — stream JPEG-encoded frames for custom processing like thumbnails, live previews, AI vision, and more:

await page.screencast.start({
  onFrame: ({ data }) => sendToVisionModel(data),
  size: { width: 800, height: 600 },
});

Agentic video receipts — coding agents can produce video evidence of their work. After completing a task, an agent can record a walkthrough video with rich annotations for human review:

await page.screencast.start({ path: 'receipt.webm' });
await page.screencast.showActions({ position: 'top-right' });

await page.screencast.showChapter('Verifying checkout flow', {
  description: 'Added coupon code support per ticket #​1234',
});

// Agent performs the verification steps...
await page.locator('#coupon').fill('SAVE20');
await page.locator('#apply-coupon').click();
await expect(page.locator('.discount')).toContainText('20%');

await page.screencast.showChapter('Done', {
  description: 'Coupon applied, discount reflected in total',
});

await page.screencast.stop();

The resulting video serves as a receipt: chapter titles provide context, action annotations highlight each interaction, and the visual walkthrough is faster to review than text logs.

🔗 Interoperability

New browser.bind() API makes a launched browser available for playwright-cli, @playwright/mcp, and other clients to connect to.

Bind a browser — start a browser and bind it so others can connect:

const { endpoint } = await browser.bind('my-session', {
  workspaceDir: '/my/project',
});

Connect from playwright-cli — connect to the running browser from your favorite coding agent.

playwright-cli attach my-session
playwright-cli -s my-session snapshot

Connect from @​playwright/mcp — or point your MCP server to the running browser.

@​playwright/mcp --endpoint=my-session

Connect from a Playwright client — use API to connect to the browser. Multiple clients at a time are supported!

const browser = await chromium.connect(endpoint);

Pass host and port options to bind over WebSocket instead of a named pipe:

const { endpoint } = await browser.bind('my-session', {
  host: 'localhost',
  port: 0,
});
// endpoint is a ws:// URL

Call browser.unbind() to stop accepting new connections.

📊 Observability

Run playwright-cli show to open the Dashboard that lists all the bound browsers, their statuses, and allows interacting with them:

• See what your agent is doing on the background browsers
• Click into the sessions for manual interventions
• Open DevTools to inspect pages from the background browsers.

- `playwright-cli` binds all of its browsers automatically, so you can see what your agents are doing. - Pass `PLAYWRIGHT_DASHBOARD=1` env variable to see all `@playwright/test` browsers in the dashboard.

🐛 CLI debugger for agents

Coding agents can now run npx playwright test --debug=cli to attach and debug tests over playwright-cli — perfect for automatically fixing tests in agentic workflows:

$ npx playwright test --debug=cli

### Debugging Instructions
- Run "playwright-cli attach tw-87b59e" to attach to this test

$ playwright-cli attach tw-87b59e

### Session `tw-87b59e` created, attached to `tw-87b59e`.
Run commands with: playwright-cli --session=tw-87b59e <command>

### Paused
- Navigate to "/" at output/tests/example.spec.ts:4

$ playwright-cli --session tw-87b59e step-over

### Page
- Page URL: https://playwright.dev/
- Page Title: Fast and reliable end-to-end testing for modern web apps | Playwright

### Paused
- Expect "toHaveTitle" at output/tests/example.spec.ts:7

📋 CLI trace analysis for agents

Coding agents can run npx playwright trace to explore Playwright Trace and understand failing or flaky tests from the command line:

$ npx playwright trace open test-results/example-has-title-chromium/trace.zip
  Title:        example.spec.ts:3 › has title

$ npx playwright trace actions --grep="expect"
     # Time       Action                                                  Duration
  ──── ─────────  ─────────────────────────────────────────────────────── ────────
    9. 0:00.859  Expect "toHaveTitle"                                        5.1s  ✗

$ npx playwright trace action 9
  Expect "toHaveTitle"
  Error: expect(page).toHaveTitle(expected) failed
    Expected pattern: /Wrong Title/
    Received string:  "Fast and reliable end-to-end testing for modern web apps | Playwright"
    Timeout: 5000ms
  Snapshots
    available: before, after
    usage:     npx playwright trace snapshot 9 --name <before|after>

$ npx playwright trace snapshot 9 --name after

### Page
- Page Title: Fast and reliable end-to-end testing for modern web apps | Playwright

$ npx playwright trace close

♻️ await using

Many APIs now return async disposables, enabling the await using syntax for automatic cleanup:

await using page = await context.newPage();
{
  await using route = await page.route('**/*', route => route.continue());
  await using script = await page.addInitScript('console.log("init script here")');
  await page.goto('https://playwright.dev');
  // do something
}
// route and init script have been removed at this point

🔍 Snapshots and Locators

• Method page.ariaSnapshot() to capture the aria snapshot of the page — equivalent to page.locator('body').ariaSnapshot().
• Options depth and mode in locator.ariaSnapshot().
• Method locator.normalize() converts a locator to follow best practices like test ids and aria roles.
• Method page.pickLocator() enters an interactive mode where hovering over elements highlights them and shows the corresponding locator. Click an element to get its Locator back. Use page.cancelPickLocator() to cancel.

New APIs

Screencast

• page.screencast provides video recording, real-time frame streaming, and overlay management.
• Methods screencast.start() and screencast.stop() for recording and frame capture.
• Methods screencast.showActions() and screencast.hideActions() for action annotations.
• Methods screencast.showChapter() and screencast.showOverlay() for visual overlays.
• Methods screencast.showOverlays() and screencast.hideOverlays() for overlay visibility control.

Storage, Console and Errors

• Method browserContext.setStorageState() clears existing cookies, local storage, and IndexedDB for all origins and sets a new storage state — no need to create a new context.
• Methods page.clearConsoleMessages() and page.clearPageErrors() to clear stored messages and errors.
• Option filter in page.consoleMessages() and page.pageErrors() controls which messages are returned.
• Method consoleMessage.timestamp().

Miscellaneous

• browserContext.debugger provides programmatic control over the Playwright debugger.
• Method browserContext.isClosed().
• Method request.existingResponse() returns the response without waiting.
• Method response.httpVersion() returns the HTTP version used by the response.
• Events cdpSession.on('event') and cdpSession.on('close') for CDP sessions.
• Option live in tracing.start() for real-time trace updates.
• Option artifactsDir in browserType.launch() to configure the artifacts directory.

🛠️ Other improvements

• UI Mode has an option to only show tests affected by source changes.
• UI Mode and Trace Viewer have improved action filtering.
• HTML Reporter shows the list of runs from the same worker.
• HTML Reporter allows filtering test steps for quick search.
• New trace mode 'retain-on-failure-and-retries' records a trace for each test run and retains all traces when an attempt fails — great for comparing a passing trace with a failing one from a flaky test.

Known Issues ⚠️⚠️

• navigator.platform emulation can cause Ctrl or Meta dispatching errors (#​40009). Pass PLAYWRIGHT_NO_UA_PLATFORM = '1' environment variable while we are issuing a patch release. Let us know in the issue how it affected you.

Breaking Changes ⚠️

• Removed macOS 14 support for WebKit. We recommend upgrading your macOS version, or keeping an older Playwright version.
• Removed @playwright/experimental-ct-svelte package.

Browser Versions

• Chromium 147.0.7727.15
• Mozilla Firefox 148.0.2
• W

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[github-actions]

Chromatic Build

	Link
Storybook	https://687a10bbc18d4b17063770ba-oebplsxatc.chromatic.com/
Build	https://www.chromatic.com/build?appId=687a10bbc18d4b17063770ba&number=1755

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Updated package.json: raised Node and npm engine minimums, applied broad dependency and devDependency version bumps across build/test/UI tooling, and added zod as a new runtime dependency.

Changes

Cohort / File(s)	Summary
Package manifest package.json	Increased engines to node >=22.22.0, npm >=7.24.2. Wide version bumps across dependencies and devDependencies (Babel, Data Driven Forms, PatternFly, Red Hat frontend libs, TanStack, Storybook, Vitest, Playwright, jsdom, MSW, webpack, ESLint tooling, etc.). Added runtime dependency zod ^3.25.76.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

"I hopped through versions, light and quick,
Engines nudged — a tiny tick.
Libraries minted, old ones fed,
Zod found a cozy, leafy bed.
A rabbit's patchwork update, neat and slick 🐇"

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	PR description lacks required sections from template: missing 'What and why' with issue link, no Screenshots section, and missing 'Anything non-obvious reviewers should know?' details.	Add 'What and why' section with RHCLOUD ticket link, include Screenshots section or note about non-visual changes, and provide 'Anything non-obvious reviewers should know?' section explaining dependency update strategy and any breaking changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly summarizes the main change: updating npm minor and patch dependencies. It directly reflects the package.json modifications shown in the raw summary.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/master/npm-minor-and-patch-dependencies

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

package.json (1)

132-132: ⚠️ Potential issue | 🟠 Major

zod ^3.25.76 bundles Zod v4 internally and is used at runtime in CLI validation—consider upgrading to v4 or moving to dependencies.

Starting from v3.25.76, zod ships zod v4 bundled inside the v3 package, resulting in roughly 3.59 MB unpacked with significant overhead from the dual distribution. Since zod is used for runtime validation in the CLI—via .safeParse() calls in src/cli/cli.tsx and src/cli/commands/seeder.ts—it should either be in dependencies rather than devDependencies, or the project should upgrade to zod v4 directly.

Given that this project already targets TypeScript ^5.9.3 (which satisfies zod v4's requirements) and v4 is now stable (v4.3.6+), upgrading to ^4.0.0 would be cleaner and eliminate the double-bundle overhead entirely.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 132, The package.json currently lists "zod": "^3.25.76"
which bundles Zod v4 internally and causes a double-distribution overhead used
at runtime by CLI validation (calls to .safeParse() in src/cli/cli.tsx and
src/cli/commands/seeder.ts); fix this by either moving the zod entry from
devDependencies to dependencies or upgrade it to an official v4 release (e.g.,
"zod": "^4.0.0" or a newer stable v4.x.y) in package.json so the runtime CLI
uses the proper v4 package rather than the bundled v4 inside v3.25.76—update
lockfile (npm/yarn/pnpm) afterwards and run the CLI validation paths
(.safeParse()) to verify nothing breaks.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 40: package.json currently lists "glob" in dependencies but it is only
used by build/dev scripts (scripts/createDataJson.js and
scripts/convert-patternfly-imports.js); move "glob" from "dependencies" to
"devDependencies" by removing the entry under dependencies and adding the same
version under devDependencies so runtime installs no longer include it and dev
tooling still has access.

---

Outside diff comments:
In `@package.json`:
- Line 132: The package.json currently lists "zod": "^3.25.76" which bundles Zod
v4 internally and causes a double-distribution overhead used at runtime by CLI
validation (calls to .safeParse() in src/cli/cli.tsx and
src/cli/commands/seeder.ts); fix this by either moving the zod entry from
devDependencies to dependencies or upgrade it to an official v4 release (e.g.,
"zod": "^4.0.0" or a newer stable v4.x.y) in package.json so the runtime CLI
uses the proper v4 package rather than the bundled v4 inside v3.25.76—update
lockfile (npm/yarn/pnpm) afterwards and run the CLI validation paths
(.safeParse()) to verify nothing breaks.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between e34d206 and 11dbbe6.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's check the actual structure of package.json around the glob dependency
cat -n package.json | head -100

Repository: RedHatInsights/insights-rbac-ui

Length of output: 4762

---

🏁 Script executed:

# Check specifically where glob is located in package.json
rg -n '"glob"' package.json

Repository: RedHatInsights/insights-rbac-ui

Length of output: 100

---

🏁 Script executed:

# Check for any direct invocations of the glob CLI in project scripts and config files
echo "=== Checking package.json scripts for glob CLI usage ==="
rg -n '"glob ' package.json

echo "=== Checking for glob CLI usage in common locations ==="
fd -e js -e ts -e json -e sh . --max-depth 4 | xargs rg -l 'glob\b' 2>/dev/null | head -20

Repository: RedHatInsights/insights-rbac-ui

Length of output: 413

---

🏁 Script executed:

# Check how glob is being used in the flagged files
echo "=== src/cli/commands/safety.ts ==="
rg -A 3 -B 3 'glob' src/cli/commands/safety.ts

echo "=== scripts/createDataJson.js ==="
rg -A 3 -B 3 'glob' scripts/createDataJson.js

echo "=== scripts/convert-patternfly-imports.js ==="
rg -A 3 -B 3 'glob' scripts/convert-patternfly-imports.js

Repository: RedHatInsights/insights-rbac-ui

Length of output: 2571

---

🏁 Script executed:

# Check if glob is imported as a module anywhere (would be safe in v13)
rg "import.*glob|require.*glob" --type=js --type=ts

Repository: RedHatInsights/insights-rbac-ui

Length of output: 212

---

🏁 Script executed:

# Verify that these scripts are dev-only (not executed in production code)
echo "=== Checking if scripts are called from package.json ==="
rg -n '"createDataJson\.|"convert-patternfly' package.json

echo "=== Checking if these modules are imported from source code (not just build scripts) ==="
rg -r 'createDataJson|convert-patternfly' src/ 2>/dev/null || echo "No matches in src/"

echo "=== Confirm these are build/dev scripts only ==="
ls -la scripts/

Repository: RedHatInsights/insights-rbac-ui

Length of output: 19066

---

Move glob to devDependencies — it's only used in build scripts.

The glob package is only consumed by build/dev scripts (scripts/createDataJson.js and scripts/convert-patternfly-imports.js) which use its JavaScript API. It should be listed under devDependencies, not dependencies.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 40, package.json currently lists "glob" in dependencies
but it is only used by build/dev scripts (scripts/createDataJson.js and
scripts/convert-patternfly-imports.js); move "glob" from "dependencies" to
"devDependencies" by removing the entry under dependencies and adding the same
version under devDependencies so runtime installs no longer include it and dev
tooling still has access.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

package.json (1)

40-40: ⚠️ Potential issue | 🟡 Minor

glob in runtime dependencies still appears unresolved from prior review.

This was previously flagged as dev-only usage; if still true, it should live in devDependencies.

#!/bin/bash
set -euo pipefail

echo "== glob declaration =="
rg -n '"glob"' package.json

echo
echo "== glob module usage =="
rg -nP --type=js --type=jsx --type=ts --type=tsx 'from\s+["'\'']glob["'\'']|require\(\s*["'\'']glob["'\'']\s*\)' || true

echo
echo "== glob usage in scripts folder =="
rg -nP '\bglob\b' scripts package.json || true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 40, The package.json currently lists "glob" as a
runtime dependency but the reviewer found it’s only used for development
tooling; move the "glob" entry from dependencies to devDependencies in
package.json, update any lockfile (run npm/yarn/pnpm install) and verify there
are no runtime imports of "glob" by searching the repo (the provided ripgrep
commands) to ensure only build/scripts reference it; if any runtime imports
exist, either refactor them to use a runtime-safe alternative or keep "glob" in
dependencies and document why.

🧹 Nitpick comments (1)

package.json (1)

6-7: Tighten the npm engine floor for Node 24 parity.

Your .nvmrc specifies Node 24.13.1, which ships with npm 11.6.1, but "npm": ">=7.24.2" allows npm from mid-2021—over 3 major versions behind. This inconsistency can lead to lockfile/install behavior divergence between development and CI environments. Align the npm floor to at least ">=10.9.0" (Node 22 LTS standard) or ">=11.6.0" (Node 24 parity). The lockfileVersion 3 requirement is already satisfied at these levels.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 6 - 7, The package.json engines entry currently
pins "node": ">=22.22.0" but leaves "npm": ">=7.24.2", which is too low for the
.nvmrc Node 24.13.1 environment; update the "npm" engine value in package.json
(the "engines" object) to a tighter floor such as ">=11.6.0" (or at minimum
">=10.9.0" if you prefer Node 22 parity) so the npm runtime requirement matches
Node 24 parity and prevents install/lockfile discrepancies.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 16: The package.json currently lists "@formatjs/cli": "6.13.0" under
dependencies but it's only used by the build scripts (translations:extract and
translations:compile); remove the "@formatjs/cli" entry from dependencies and
add the same version under devDependencies, then regenerate the lockfile (run
npm install or yarn install) so the lockfile reflects the move. Locate
references to "@formatjs/cli" in package.json and update dependency sections
accordingly.

---

Duplicate comments:
In `@package.json`:
- Line 40: The package.json currently lists "glob" as a runtime dependency but
the reviewer found it’s only used for development tooling; move the "glob" entry
from dependencies to devDependencies in package.json, update any lockfile (run
npm/yarn/pnpm install) and verify there are no runtime imports of "glob" by
searching the repo (the provided ripgrep commands) to ensure only build/scripts
reference it; if any runtime imports exist, either refactor them to use a
runtime-safe alternative or keep "glob" in dependencies and document why.

---

Nitpick comments:
In `@package.json`:
- Around line 6-7: The package.json engines entry currently pins "node":
">=22.22.0" but leaves "npm": ">=7.24.2", which is too low for the .nvmrc Node
24.13.1 environment; update the "npm" engine value in package.json (the
"engines" object) to a tighter floor such as ">=11.6.0" (or at minimum
">=10.9.0" if you prefer Node 22 parity) so the npm runtime requirement matches
Node 24 parity and prevents install/lockfile discrepancies.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7d3f6d3 and fe84072.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Checking package.json structure (dependencies section) =="
rg -n '"@formatjs/cli"' package.json -A 2 -B 2

echo
echo "== Checking lines 179-180 (build scripts) =="
sed -n '175,185p' package.json

echo
echo "== Checking for direct runtime imports =="
rg -nP --type=js --type=jsx --type=ts --type=tsx 'from\s+["'"'"']@formatjs/cli["'"'"']|require\(\s*["'"'"']@formatjs/cli["'"'"']\s*\)' || echo "No runtime imports found"

echo
echo "== Full dependencies vs devDependencies check =="
python3 <<'PYTHON'
import json
with open('package.json') as f:
    data = json.load(f)
    
if '@formatjs/cli' in data.get('dependencies', {}):
    print("@formatjs/cli is in: dependencies")
if '@formatjs/cli' in data.get('devDependencies', {}):
    print("@formatjs/cli is in: devDependencies")
if '@formatjs/cli' not in data.get('dependencies', {}) and '@formatjs/cli' not in data.get('devDependencies', {}):
    print("@formatjs/cli not found in either dependencies or devDependencies")
PYTHON

Repository: RedHatInsights/insights-rbac-ui

Length of output: 1332

---

Move @formatjs/cli to devDependencies.

@formatjs/cli is used only in build-time scripts (translations:extract and translations:compile in package.json) and has no runtime imports. It should be in devDependencies, not dependencies.

Suggested manifest change

   "dependencies": {
-    "@formatjs/cli": "6.13.0",
     ...
   },
   "devDependencies": {
+    "@formatjs/cli": "6.13.0",
     ...
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 16, The package.json currently lists "@formatjs/cli":
"6.13.0" under dependencies but it's only used by the build scripts
(translations:extract and translations:compile); remove the "@formatjs/cli"
entry from dependencies and add the same version under devDependencies, then
regenerate the lockfile (run npm install or yarn install) so the lockfile
reflects the move. Locate references to "@formatjs/cli" in package.json and
update dependency sections accordingly.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

package.json (1)

16-16: ⚠️ Potential issue | 🟡 Minor

Move @formatjs/cli and glob to devDependencies.

Line 16 and Line 40 still classify build-time tooling as runtime dependencies; this should stay dev-only.

Proposed manifest adjustment

  "dependencies": {
-   "@formatjs/cli": "6.13.0",
    ...
-   "glob": "^13.0.6",
    ...
  },
  "devDependencies": {
+   "@formatjs/cli": "6.13.0",
+   "glob": "^13.0.6",
    ...
  }

#!/bin/bash
set -euo pipefail

echo "== Direct imports of `@formatjs/cli` or glob (all JS/TS sources) =="
rg -nP --type=js --type=jsx --type=ts --type=tsx \
  'from\s+["'"'"'](`@formatjs/cli`|glob)["'"'"']|require\(\s*["'"'"'](`@formatjs/cli`|glob)["'"'"']\s*\)' \
  -g '!**/node_modules/**'

echo
echo "== package.json script usage (build-time) =="
rg -n '"translations:extract"|"translations:compile"|"glob"' package.json

Also applies to: 40-40

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 16, package.json incorrectly lists build-time tools
"@formatjs/cli" and "glob" under dependencies; move both entries from
"dependencies" into "devDependencies" preserving their versions, update any
package.json scripts if needed (e.g., translations:extract /
translations:compile) to ensure tooling is invoked from devDependencies, run the
package manager reinstall (npm/yarn/pnpm) to update lockfile, and verify there
are no runtime imports of `@formatjs/cli` or glob in source files (search for
import/require of "@formatjs/cli" or "glob") before finalizing the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 6-7: Move `@formatjs/cli` and glob from "dependencies" into
"devDependencies" in package.json so they aren't installed in production (locate
the entries for "@formatjs/cli" and "glob" and cut/paste them under
"devDependencies"); then update your GitHub Actions workflow files to explicitly
pin node-version to at least "22.22.0" (find uses of actions/setup-node or
similar and set node-version to >=22.22.0 or a specific 22.22.x value) to match
the engine floor and ensure CI uses a compatible Node runtime.

---

Duplicate comments:
In `@package.json`:
- Line 16: package.json incorrectly lists build-time tools "@formatjs/cli" and
"glob" under dependencies; move both entries from "dependencies" into
"devDependencies" preserving their versions, update any package.json scripts if
needed (e.g., translations:extract / translations:compile) to ensure tooling is
invoked from devDependencies, run the package manager reinstall (npm/yarn/pnpm)
to update lockfile, and verify there are no runtime imports of `@formatjs/cli` or
glob in source files (search for import/require of "@formatjs/cli" or "glob")
before finalizing the change.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between f7634c6 and 52068c7.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== package.json engines =="
rg -n '"engines"|"node"|"npm"' package.json -A3 -B1

echo
echo "== GitHub Actions Node setup =="
if [ -d .github/workflows ]; then
  fd -HI -e yml -e yaml . .github/workflows | xargs -r rg -n 'actions/setup-node|node-version|npm-version' || echo "No Node setup found in workflows"
else
  echo "No .github/workflows directory found."
fi

echo
echo "== Docker base images using Node =="
fd -HI -t f 'Dockerfile*' . | xargs -r rg -n 'FROM\s+node:' || echo "No Dockerfile with Node found"

echo
echo "== package.json dependencies (formatjs/cli and glob) =="
rg -n '"@formatjs/cli"|"glob"' package.json -B1 -A1

Repository: RedHatInsights/insights-rbac-ui

Length of output: 645

---

Move @formatjs/cli and glob to devDependencies and pin Node version in CI workflows.

1. @formatjs/cli (line 16) and glob (line 40) are build-time tools and must be in devDependencies, not dependencies. They should not be installed in production.

2. No explicit Node version pin found in GitHub Actions workflows. With the engine floor now at Node >=22.22.0, workflows must be updated to explicitly pin node-version to at least 22.22.0 to ensure CI compatibility.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 6 - 7, Move `@formatjs/cli` and glob from
"dependencies" into "devDependencies" in package.json so they aren't installed
in production (locate the entries for "@formatjs/cli" and "glob" and cut/paste
them under "devDependencies"); then update your GitHub Actions workflow files to
explicitly pin node-version to at least "22.22.0" (find uses of
actions/setup-node or similar and set node-version to >=22.22.0 or a specific
22.22.x value) to match the engine floor and ensure CI uses a compatible Node
runtime.

[lucasrc]

Code Review - Hermes Agent

Looks Good

No common issues detected.

---

Reviewed by Hermes Agent