Chore/deps 09 11 25

[LGLabGreg]

Summary by CodeRabbit

• Chores
  • Updated package dependencies across React, TypeScript, Vite, ESLint, Radix UI, and Tailwind CSS to improve compatibility and functionality
  • Updated package manager to a new version
  • Refined build and development tool configurations
  • Removed chart UI component

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
reactqrcode-com	Ready	Preview	Comment	Nov 9, 2025 9:56am

[coderabbitai]

Walkthrough

This PR performs a broad monorepo dependency upgrade, introduces Dependabot grouping strategies, refactors ESLint configuration to use defineConfig, updates CI/CD release workflow permissions, removes a chart UI component, and expands pnpm workspace package patterns.

Changes

Cohort / File(s)	Summary
Changesets & Release Management .changeset/true-peas-attack.md	Added changeset documenting patch updates for @lglab/react-qr-code and reactqrcode.com dependencies
CI/CD Configuration .github/dependabot.yml	Introduced package grouping filters for react, typescript, eslint, radix, vite|vitest, and tailwind to organize automated dependency updates
Release Workflow .github/workflows/release.yml	Added top-level permissions block (id-token, contents, pull-requests write); removed NPM_TOKEN and NODE_AUTH_TOKEN environment variables
Workspace & Build Configuration pnpm-workspace.yaml	Changed package pattern from single-level (packages/*) to recursive (packages/**) glob to include nested subdirectories
ESLint Configuration apps/docs/eslint.config.mjs	Refactored config from FlatCompat+array to defineConfig-based approach; moved ignores to globalIgnores() top-level call; changed default export from array to config object
TypeScript Configuration apps/docs/tsconfig.json	Multi-lined lib, path arrays; updated jsx from "preserve" to "react-jsx"; extended include with Next.js dev types path
TypeScript Declarations apps/docs/next-env.d.ts	Added import for .next/dev/types/routes.d.ts to extend route type definitions
UI Component Removal apps/docs/src/components/ui/chart.tsx	Deleted entire Recharts-based chart component module including ChartContainer, ChartTooltip, ChartLegend, and supporting utilities
Dependency Updates — Docs apps/docs/package.json	Upgraded react-hook-form, extensive Radix UI packages, @uiw/react-color, lucide-react, Next, React, tailwind utilities; added eslint-config-next; bumped devDependencies (tailwind, postcss, typescript, vitest)
Dependency Updates — Playground apps/playground/package.json	Updated @tailwindcss/vite, react, react-dom, tailwindcss; bumped @types packages, @vitejs/plugin-react, globals, typescript, vite
Dependency Updates — Root & Packages package.json, packages/react-qr-code/package.json	Root: pnpm from 10.6.3 to 10.20.0; widespread devDeps bumps (@eslint/js, typescript-eslint, vitest, vite, @types/*, eslint, react, react-dom, etc.); packages: updated all devDependencies across @types, @vitejs, typescript-eslint, vite, vite-plugin-dts

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

• Extra attention areas:
  • .github/workflows/release.yml — verify permissions block configuration and validate authentication flow without NPM_TOKEN/NODE_AUTH_TOKEN
  • apps/docs/eslint.config.mjs — confirm defineConfig and globalIgnores() refactoring maintains correct ESLint behavior and ignore patterns
  • apps/docs/src/components/ui/chart.tsx — audit codebase for chart component usage/imports to prevent runtime failures
  • pnpm-workspace.yaml — verify recursive glob pattern doesn't inadvertently include unintended directories
  • Cross-package dependency consistency — multiple package.json updates need validation for potential version conflicts or breaking changes (e.g., vitest 3→4, vite 6→7)

Possibly related PRs

• PR #272 — Overlapping dependency patches for @lglab/react-qr-code and reactqrcode.com with similar version bumps across package manifests
• PR #52 — Shares changeset entry for @lglab/react-qr-code and modifications to .github/workflows/release.yml workflow configuration
• PR #87 — Overlapping devDependency version bumps (vite, globals, @types/\*, vitest) across apps/playground and packages/react-qr-code

Poem

🐰 A rabbit's ode to the upgrade spree:
Dependencies dance, from old to new—
ESLint hops with defineConfig grace,
Charts retire, workflows embrace
Permissions bold, while pnpm leaps,
Through nested paths the workspace creeps! 🌱

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Chore/deps 09 11 25' is vague and does not clearly convey what changes are made; it lacks descriptive content about the dependency updates.	Use a more descriptive title that summarizes the main change, such as 'chore: update dependencies across project' or 'chore: upgrade tooling and package dependencies'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/deps-09-11-25

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (2)

.github/dependabot.yml (1)

13-36: Dependency grouping configuration looks good.

The grouping strategy will reduce PR noise by combining related dependency updates. All pattern filters are appropriate for their respective ecosystems.

Minor naming suggestion: Consider renaming vite|vitest to vite-vitest or vite (since the patterns already cover both). The pipe character in group names, while valid, may be unconventional.

pnpm-workspace.yaml (1)

2-2: No nested packages currently exist; glob pattern change is unnecessary.

Verification confirms only one top-level package exists (packages/react-qr-code/). The glob pattern change from packages/* to packages/** is not required for the current structure—both patterns work identically. If nested packages are not planned, revert to packages/* for clarity; otherwise, document the future-proofing intent.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8117e54 and fb20ec4.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (12)

• .changeset/true-peas-attack.md (1 hunks)
• .github/dependabot.yml (1 hunks)
• .github/workflows/release.yml (1 hunks)
• apps/docs/eslint.config.mjs (1 hunks)
• apps/docs/next-env.d.ts (1 hunks)
• apps/docs/package.json (1 hunks)
• apps/docs/src/components/ui/chart.tsx (0 hunks)
• apps/docs/tsconfig.json (2 hunks)
• apps/playground/package.json (1 hunks)
• package.json (2 hunks)
• packages/react-qr-code/package.json (1 hunks)
• pnpm-workspace.yaml (1 hunks)

💤 Files with no reviewable changes (1)

• apps/docs/src/components/ui/chart.tsx

🔇 Additional comments (13)

apps/docs/tsconfig.json (2)

35-36: Next.js 15+ typed routes integration looks correct.

The addition of .next/types/**/*.ts and .next/dev/types/**/*.ts aligns with Next.js 15's stable typed routes feature, providing better type safety for navigation.

---

18-18: Revert jsx setting to "preserve" or verify this change is intentional.

The jsx setting was changed from "preserve" to "react-jsx". Next.js uses its own optimized JSX transform and sets jsx to "preserve" by default. Setting "react-jsx" enables React 17+ automatic JSX transform, but Next.js may auto-reset it to "preserve" at dev/build time. This can cause build inconsistencies or tooling conflicts.

For Next.js 16 with React 19, keep jsx: "preserve" to align with Next.js's expected configuration. If this change is intentional, manually verify the build completes successfully and test the application in development and production modes.

apps/docs/next-env.d.ts (1)

3-3: Typed routes integration is correctly configured.

This import works in tandem with the tsconfig.json changes to enable Next.js 15.5+ typed routes, providing compile-time type checking for route parameters and paths.

apps/docs/package.json (4)

15-41: Radix UI package updates look consistent.

All Radix UI packages have been updated to their latest patch/minor versions, maintaining consistency across the component library.

---

55-57: I need to verify the actual breaking changes and compatibility concerns.

No code adjustments required for the stated compatibility concerns.

In React 19, forwardRef is no longer necessary to use as a pattern going forward, but will be deprecated in a future release—it remains fully functional and backward compatible today. The react-hook-form v7.66.0 release contains feature improvements and bug fixes with no breaking changes from v7.55.0. React 19 allows passing ref as a prop directly to function components, replacing the need for forwardRef, but existing code continues to work without modification. The current usage patterns in your codebase—Controller, useFormContext, and register—are stable and unaffected by these version changes.

---

52-52: Verify Next.js 16 migration — multiple breaking changes require code updates.

Next.js 16 introduces breaking changes beyond those in 15.x. Key changes affecting documentation sites include:

• Request/data APIs now asynchronous: params, searchParams, cookies(), headers(), draftMode() return promises and must be awaited — requires converting layouts/pages to async.
• Caching API changes: revalidateTag() signature and new APIs (updateTag(), refresh()), different default caching semantics.
• Turbopack becomes the default bundler (Webpack still available).
• Node.js 20.9+ and TypeScript 5.1+ minimum versions required.
• next/image defaults tightened (TTL, quality, remote patterns).

Verify that all layouts, pages, API routes, and middleware have been updated for async request APIs, test thoroughly, and confirm no Webpack-dependent plugins are in use.

---

13-13: @hookform/resolvers v5 compatibility verified.

The main breaking changes in v5 are the requirement for react-hook-form v7.55.0 or newer and TypeScript typing changes for input/output type inference. Apps/docs has react-hook-form "^7.66.0", which satisfies the version requirement. No manual useForm generic type annotations or @hookform/resolvers usage found in apps/docs, so TypeScript breaking changes pose no risk.

packages/react-qr-code/package.json (1)

52-62: ✓ Library builds and tests pass with React 19 and Vite 7 — no breaking changes detected.

Build completed successfully with React 19.2.0, Vite 7.2.2, and TypeScript 5.9.3. All 99 tests pass. Source code review confirms compatibility: useRef properly initialized with required arguments, no deprecated React types present, and standard hooks (forwardRef, useImperativeHandle, useMemo, useId, useCallback) used correctly. The package is ready.

apps/playground/package.json (1)

18-24: Build verification successful — React 19 and Vite 7 are compatible with the application.

After building the monorepo dependencies (pnpm run build:lib) before the playground build, the application compiles and builds successfully with React 19.2.0, @types/react 19.2.2, and Vite 7.2.2. The initial error was not due to breaking changes from these versions, but rather from the build order: the react-qr-code package must be built before the playground can resolve it. Once dependencies are properly built, the playground builds and runs without issues.

package.json (1)

8-8: pnpm version upgrade looks good.

The pnpm upgrade from 10.6.3 to 10.20.0 is a minor version bump and should be compatible.

.changeset/true-peas-attack.md (1)

1-6: Changeset file looks good.

The changeset correctly documents the dependency updates as patch changes for the affected packages. The format follows changeset conventions.

apps/docs/eslint.config.mjs (2)

1-1: The import path is correct and follows official Next.js 16 documentation.

The review comment is incorrect. ESLint's exports explicitly include ./config with types and default paths, and the import statement import { defineConfig, globalIgnores } from 'eslint/config' is the officially recommended approach for Next.js 16. The code requires no changes.

Likely an incorrect or invalid review comment.

---

5-22: The API usage pattern is correct per official documentation for eslint-config-next 16.x.

The pattern of defineConfig([...]) wrapping an array with globalIgnores([...]) as an array element is the documented approach for eslint-config-next v16.x. The code follows the correct Next.js 16 ESLint configuration API.

Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify npm publishing configuration after removing authentication tokens.

The addition of id-token: write permission alongside removal of NPM_TOKEN and NODE_AUTH_TOKEN suggests a migration to npm provenance/trusted publishing. Ensure that:

1. The npm package is configured for trusted publishing, OR
2. The GITHUB_TOKEN has been granted npm registry access

---

🏁 Script executed:

#!/bin/bash
# Verify npm publishing setup in the changesets action

# Check if setup-node configures npm registry authentication
rg -n "registry-url" .github/workflows/release.yml

# Check for npm provenance configuration in package.json files
fd package.json --exec jq -r 'select(.publishConfig != null) | .publishConfig' {}

# Look for any npm authentication configuration
rg -n "npmAuthToken|npm.*token|provenance" .github/workflows/

Length of output: 55

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Get full setup-node and changesets action configuration context

# Show full setup-node action usage (lines 25-35)
sed -n '25,35p' .github/workflows/release.yml

# Show changesets action configuration
rg -n "changesets/action" -A 10 .github/workflows/release.yml

# Check if .npmrc exists in repo with auth config
find . -maxdepth 2 -name ".npmrc*" -type f 2>/dev/null

# Check package.json for node version or npm config
jq -r '.engines // .npm // empty' package.json 2>/dev/null || echo "No engines/npm config"

Length of output: 556

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Check pnpm publish script and npm provenance configuration

# Search for ci:publish script definition in package.json
jq -r '.scripts["ci:publish"] // empty' package.json 2>/dev/null || echo "Script not found"

# Check for npm publishConfig or provenance settings in package.json
jq -r '.publishConfig // empty' package.json 2>/dev/null

# Verify pnpm version 10 supports provenance
# Check npm registry documentation reference if available
rg -n "provenance" . --type json

# Check if there's any .npmrc at repository root
cat .npmrc 2>/dev/null || echo "No .npmrc found"

Length of output: 71

---

---

🌐 Web query:

```web
npm provenance trusted publishing GitHub OIDC pnpm support 2024

💡 Result:

Short summary (2024 status + what changed afterward):

• npm provenance existed in 2023+ (provenance requires public source repos; private-repo provenance was disabled July 2023). [1][2]
• In 2024 npm had provenance and was piloting OIDC/trusted-publishing, but general availability of npm "trusted publishing" (OIDC publish + automatic provenance) was announced in 2025; npm docs describe trusted publishing and automatic provenance when publishing via OIDC. [3][4]
• As of mid‑2025, pnpm did not yet implement OIDC/trusted-publishing; there is an open feature request in the pnpm repo to add OIDC publishing support. [5]

Sources

1. GitHub changelog: publishing with provenance from private source repos no longer supported (July 2023). [turn0search3].
2. GitHub changelog duplicate/related entry (July 2023). [turn0search5].
3. npm Docs — Trusted publishing for npm packages (docs.npmjs.com). [turn0search0].
4. GitHub Blog changelog — "npm trusted publishing with OIDC is generally available" (announcement). [turn0search1].
5. pnpm GitHub issue requesting OIDC/trusted-publishing support (#9812). [turn0search2].

---

Restore NPM_TOKEN — pnpm does not yet support OIDC/trusted publishing.

pnpm as of mid-2025 does not implement OIDC/trusted publishing; an open feature request exists but remains unimplemented. The removal of NPM_TOKEN and NODE_AUTH_TOKEN without an alternative authentication method will cause pnpm publish to fail.

Restore NPM_TOKEN to the env section (line 47) until pnpm adds OIDC support, or migrate to npm/yarn if OIDC-based publishing is required.

🤖 Prompt for AI Agents

.github/workflows/release.yml lines 10-13: the workflow removed NPM_TOKEN (and
NODE_AUTH_TOKEN) but pnpm does not support OIDC/trusted publishing yet, causing
pnpm publish to fail; restore NPM_TOKEN to the env section (around line 47) by
adding NPM_TOKEN: ${{ secrets.NPM_TOKEN }} (and optionally NODE_AUTH_TOKEN: ${{
secrets.NPM_TOKEN }} for compatibility), so pnpm publish can authenticate until
OIDC is supported.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: Tailwind CSS v4 requires comprehensive migration.

Tailwind CSS 4.1.17 has critical breaking changes that will break existing code:

1. Important modifier: !text-3xl → text-3xl! (moves to end)
2. Opacity utilities removed: bg-opacity-20 → bg-blue-500/20
3. CSS variables: bg-[--brand-color] → bg-(--brand-color)
4. Other changes: outline-none behavior, ring widths, flex utilities

Run comprehensive migration check:

#!/bin/bash
cd apps/docs

# Check for old important modifier syntax (most common)
echo "=== Checking important modifier syntax ==="
rg -n '!\w+-' src/ | head -20

# Check for removed opacity utilities
echo "=== Checking opacity utilities ==="
rg -n '(bg|text|border|ring)-opacity-' src/ | head -20

# Check for old CSS variable syntax
echo "=== Checking CSS variable syntax ==="
rg -n '\[--\w+\]' src/ | head -20

# Check for flex-grow/flex-shrink old syntax
echo "=== Checking flex utilities ==="
rg -n 'flex-(grow|shrink)-' src/ | head -10

Run the official Tailwind v4 migration codemod:

cd apps/docs && npx @tailwindcss/upgrade@latest

Based on learnings: As per Tailwind CSS v4 documentation, these are mandatory migrations.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: Tailwind CSS v4 requires migration for breaking changes.

Tailwind CSS upgraded from 4.1.4 to 4.1.17 (both v4). However, if this app was previously on Tailwind v3, the following breaking changes MUST be addressed:

1. Important modifier - moves to end: !text-3xl → text-3xl!
2. Opacity utilities - removed: bg-opacity-20 → bg-blue-500/20
3. CSS variables - syntax changed: bg-[--brand-color] → bg-(--brand-color)
4. Other changes: outline-none, ring widths, flex-grow-*/flex-shrink-* syntax

Verify the migration status:

#!/bin/bash
# Check for Tailwind v3 syntax patterns that will break in v4
cd apps/playground

# Check for old important modifier syntax
rg -n '!\w+-\w+' src/

# Check for removed opacity utilities
rg -n 'bg-opacity-|text-opacity-|border-opacity-|ring-opacity-' src/

# Check for old CSS variable syntax in arbitrary values
rg -n '\[--\w+\]' src/

# Check if Tailwind v4 migration codemod was run
echo "Run: npx @tailwindcss/upgrade@latest --help"

Run the official migration tool:

cd apps/playground && npx @tailwindcss/upgrade@latest

🤖 Prompt for AI Agents

In apps/playground/package.json around lines 12 to 15, the project upgraded to
Tailwind v4 which introduces breaking syntax changes from v3; scan the src/ tree
for legacy v3 patterns (old important modifier like !text-3xl, removed opacity
utilities such as bg-opacity-*, text-opacity-*, border-opacity-*,
ring-opacity-*, and old arbitrary CSS var syntax like [--var]) and replace them
with v4 equivalents (move "!" to the end: text-3xl!, convert opacity utilities
to slash notation: bg-blue-500/20, change bg-[--brand-color] to
bg-(--brand-color), and update outline/ring/flex-* usages per v4 docs), run the
official codemod npx @tailwindcss/upgrade@latest in apps/playground, commit the
automated fixes, and then run the app build and visually test key pages to
verify no remaining v3 syntax errors.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify compatibility for major version upgrades.

This PR includes several major version upgrades that may contain breaking changes:

• Vite 6.4.1 → 7.2.2 (major)
• Vitest 3.0.7 → 4.0.8 (major)
• @types/node 22.14.1 → 24.10.0 (major)
• @types/jsdom 21.1.7 → 27.0.0 (major)
• @vitejs/plugin-react 4.4.0 → 5.1.0 (major)

Please ensure:

1. The build and test pipelines pass successfully
2. All type definitions remain compatible
3. Review migration guides for breaking changes

Verify version compatibility and check for breaking changes:

---

🏁 Script executed:

#!/bin/bash
# Run build and test to verify compatibility

echo "=== Running build ==="
pnpm run build:lib 2>&1 | head -50

echo -e "\n=== Running tests ==="
pnpm run test 2>&1 | head -50

echo -e "\n=== Running lint ==="
pnpm run lint 2>&1 | head -50

Length of output: 8440

---

🌐 Web query:

Vite 7 migration guide breaking changes

💡 Result:

Summary of the main breaking changes being introduced for the next major (Vite 7) and short migration notes:

1. Move to per-environment APIs — many server APIs moved to environment instances (e.g. server.moduleGraph -> environment.moduleGraph, server.transformRequest -> environment.transformRequest). Migrate usages to the appropriate environment instance. [1]

2. SSR: ModuleRunner API replaces server.ssrLoadModule — use moduleRunner.import(...) / Environment APIs instead of server.ssrLoadModule; stack-trace helpers are handled by the ModuleRunner unless sourcemapInterceptor is disabled. [2]

3. HMR: hotUpdate plugin hook replaces handleHotUpdate — update plugin hooks to hotUpdate and use this.environment for environment-aware HMR; adapt to the new modules list and added watch event types (create/delete). Example migrations shown in docs. [3]

4. Shared plugins during build (plugin state must be keyed per-environment) — plugins must avoid global state shared across environments; key plugin state by environment to support shared plugin pipelines. [4]

5. this.environment in hooks (and related Environment API shifts) — plugin hooks will receive/use this.environment; update plugin code that relied on server/global APIs to use per-environment APIs. [1][4]

Notes:

• Many of these changes are opt-in warnings now and can be enabled/checked via the vite config future flags before upgrading; see the Breaking Changes / Migration pages for exact migration snippets and recommended vite config flags to surface warnings. [1][4]

Sources:
[1] Vite — Breaking Changes / Planned (per-environment APIs). (main.vitejs.dev)
[2] Vite — SSR Using ModuleRunner API (migration notes). (main.vitejs.dev)
[3] Vite — HMR hotUpdate Plugin Hook (migration examples). (main.vitejs.dev)
[4] Vite — Shared Plugins During Build (guidance for plugin authors). (main.vitejs.dev)

If you want, I can produce specific code snippets showing how to update a plugin or server script you have to the new APIs — paste the code and I’ll convert it.

Citations:

• 1: https://main.vitejs.dev/changes/?utm_source=openai
• 2: https://main.vitejs.dev/changes/ssr-using-modulerunner?utm_source=openai
• 3: https://main.vitejs.dev/changes/hotupdate-hook?utm_source=openai
• 4: https://main.vitejs.dev/changes/shared-plugins-during-build?utm_source=openai

---

🌐 Web query:

Vitest 4 migration guide breaking changes

💡 Result:

Here are the main Vitest 4 breaking changes from the official migration guide and release notes (short summary; review the full Migration Guide before upgrading):

• V8 code-coverage provider changed (new AST-based remapping). Coverage reports may differ; coverage.ignoreEmptyLines removed; ignore hints updated. [1]
• Mocking redesign: vi.fn().getMockName() default name changed; vi.restoreAllMocks no longer resets automocks (only restores vi.spyOn spies); vi.spyOn on a mock returns same mock; mock.settledResults populated immediately with 'incomplete'. [1]
• Environment / runner and internals:
  • Vitest no longer injects __vitest_executor; injects moduleRunner (ModuleRunner instance) instead. vitest/execute entrypoint removed. vite-node is no longer a dependency. [1][2]
  • Custom envs: replace transformMode with viteEnvironment; server.environments used for transforming. [1]
• Browser provider API changed: provider accepts an object (not a string); preview no longer default; @vitest/browser package deprecated in favor of vitest/browser (context/utils imports moved). [1]
• Config / env rename: VITE_NODE_DEPS_MODULE_DIRECTORIES → VITEST_MODULE_DIRECTORIES. deps.optimizer.web renamed to deps.optimizer.client (server.deps still supported). [1][2]
• Snapshot & public API changes: Snapshot public API changed to support multiple states (affects direct Snapshot API consumers). Some reporter/type exports reorganized (see guide). [2]

Sources: Vitest 4 announcement and Migration Guide. [1] Vitest blog “Vitest 4.0 is out!” (Oct 22, 2025). [2] Vitest Migration Guide / Changelog.

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Check if @types/react exists in package.json
cat package.json | grep -i "@types/react"

# Also show full dependencies structure to understand context
echo "=== Full devDependencies section ==="
cat package.json | jq '.devDependencies' 2>/dev/null || grep -A 100 '"devDependencies"' package.json

Length of output: 126

---

---

🏁 Script executed:

#!/bin/bash
# Find all package.json files
echo "=== Locating package.json files ==="
fd package.json

# Find root package.json
echo -e "\n=== Root package.json location ==="
ls -la | grep package.json

# Try to read root package.json if it exists
if [ -f ./package.json ]; then
  echo -e "\n=== Checking @types/react in root package.json ==="
  grep -A 50 '"devDependencies"' ./package.json | head -60
fi

Length of output: 1242

---

---

🏁 Script executed:

#!/bin/bash
# Check react-qr-code package.json for @types/react
echo "=== packages/react-qr-code/package.json ==="
cat packages/react-qr-code/package.json | jq '.devDependencies' 2>/dev/null || grep -A 30 '"devDependencies"' packages/react-qr-code/package.json

# Also check dependencies section
echo -e "\n=== packages/react-qr-code dependencies section ==="
cat packages/react-qr-code/package.json | jq '.dependencies' 2>/dev/null || grep -A 10 '"dependencies"' packages/react-qr-code/package.json

Length of output: 414

---

Add missing @types/react to root devDependencies—blocking all builds and verification.

The root package.json is missing @types/react@^19.2.2, which is required for React 19 TypeScript support. This causes immediate TypeScript compilation failure in the build pipeline and blocks verification of the Vite 7 and Vitest 4 upgrades.

Add "@types/react": "^19.2.2" and "@types/react-dom": "^19.2.2" to root devDependencies (matching the versions in packages/react-qr-code/package.json) before attempting to verify the major version upgrades.

🤖 Prompt for AI Agents

In package.json around lines 39 to 62, the root devDependencies are missing
TypeScript types for React which causes build failures; add "@types/react":
"^19.2.2" and "@types/react-dom": "^19.2.2" to the devDependencies block
(matching versions used in packages/react-qr-code/package.json), run yarn/npm
install to update the lockfile, and re-run the TypeScript build to verify the
compilation error is resolved.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify Next.js 16 compatibility with eslint-config-next.

The upgrade to eslint-config-next 16.0.1 aligns with Next.js 16, which may introduce new ESLint configuration patterns. This relates to the changes in apps/docs/eslint.config.mjs.

Ensure the new ESLint configuration in apps/docs/eslint.config.mjs is compatible with this version:

---

🌐 Web query:

eslint-config-next 16.0.1 configuration migration guide

💡 Result:

Summary migration steps for eslint-config-next → v16.0.1 (Next 16)

1. Key changes to know

• Next removed built-in next lint and the eslint CLI integration; linting is now handled by ESLint directly. [1][2]
• @next/eslint-plugin-next and eslint-config-next now prefer ESLint Flat Config (eslint.config.mjs) to support ESLint v10/flat format. [1][2]
• Next provides a codemod to help migrations (see docs). [2]

2. Quick migration checklist

• Install ESLint and the Next config/plugin:

  • npm/yarn/pnpm add -D eslint eslint-config-next @next/eslint-plugin-next

• Replace legacy .eslintrc.* with an eslint.config.mjs (flat config). Example:
  import { defineConfig, globalIgnores } from 'eslint/config'
  import nextVitals from 'eslint-config-next/core-web-vitals'

  export default defineConfig([
  ...nextVitals,
  globalIgnores([
  '.next/',
  'out/',
  'build/**',
  'next-env.d.ts',
  ]),
  ])
  (Adapt to your chosen preset: core-web-vitals or recommended plugin usage.) [1]

• If you already use a separate ESLint setup, prefer extending @next/eslint-plugin-next directly (install @next/eslint-plugin-next) to avoid plugin/parser collisions, or ensure eslint-config-next is extended last. [1]

• Update npm scripts to run ESLint CLI (next lint removed):
  "lint": "eslint ."
  or use the ESLint migrator/codemod steps recommended by Next. [2]

3. Tools to help

• Use Next’s codemod (mentioned in the v16 release notes) to automate config changes. [2]
• If migrating legacy .eslintrc.* files to flat format, consider the ESLint Configuration Migrator (@eslint/migrate-config) to convert to eslint.config.*. It will handle simple JS configs and .eslintignore integration. [3]

4. Common issues & fixes

• If you used next lint or next.config.js eslint option, remove those and rely on eslint CLI. [2]
• Ensure other shared configs/plugins don’t override parser/plugins required by the Next config; if conflicts occur, extend the Next config last or import the plugin directly. [1]
• Follow Next docs for monorepo rootDir setting via plugin settings when Next app is not at repo root. [1]

References

• Next.js ESLint docs (configuration, examples, migration notes). [1]
• Next.js v16 release / upgrade guide (notes about next lint removal, Flat Config, codemod). [2]
• ESLint Configuration Migrator (@eslint/migrate-config) docs. [3]

If you want, I can: run the Next codemod for you (show commands), convert your existing .eslintrc.* to a flat eslint.config.mjs (paste your current config), or produce a ready-to-use eslint.config.mjs for your project.

---

---

🏁 Script executed:

#!/bin/bash

# Check if apps/docs/eslint.config.mjs exists and show its contents
echo "=== Checking apps/docs/eslint.config.mjs ==="
if [ -f "apps/docs/eslint.config.mjs" ]; then
  cat apps/docs/eslint.config.mjs
else
  echo "File not found at apps/docs/eslint.config.mjs"
fi

echo ""
echo "=== Checking package.json for eslint dependencies and lint script ==="
# Extract relevant sections from package.json
cat package.json | jq '.devDependencies | {eslint, "@next/eslint-plugin-next": .["@next/eslint-plugin-next"], "eslint-config-next": .["eslint-config-next"]}'

echo ""
echo "=== Checking npm scripts for lint ==="
cat package.json | jq '.scripts.lint'

Length of output: 841

---

---

🏁 Script executed:

#!/bin/bash

# Check package.json around line 66 and look for eslint-config-next
echo "=== Checking package.json around line 66 ==="
sed -n '60,75p' package.json

echo ""
echo "=== Searching for eslint-config-next and @next/eslint-plugin-next in entire package.json ==="
cat package.json | jq 'to_entries[] | select(.value | objects | has("eslint-config-next") or has("@next/eslint-plugin-next")) | .key'

echo ""
echo "=== Full devDependencies keys containing 'eslint' ==="
cat package.json | jq '.devDependencies | keys[] | select(contains("eslint"))'

echo ""
echo "=== Full dependencies keys containing 'eslint' ==="
cat package.json | jq '.dependencies | keys[] | select(contains("eslint"))'

Length of output: 603

---

Move eslint-config-next from dependencies to devDependencies.

The upgrade to eslint-config-next 16.0.1 requires installing it as a dev dependency. Currently it's in the dependencies section (line 66), which unnecessarily bloats the production bundle since ESLint configs are dev-only tools. Move it to devDependencies alongside eslint (already correctly placed).

Additionally, the migration guide recommends installing @next/eslint-plugin-next as a dev dependency, though the current eslint.config.mjs works without it by using eslint-config-next presets directly.

The ESLint configuration file itself is correctly set up for Next.js 16's Flat Config format and the lint script properly uses the ESLint CLI.

🤖 Prompt for AI Agents

In package.json around line 66, the eslint-config-next dependency is incorrectly
listed under "dependencies" which bloats production installs; remove the
"eslint-config-next": "16.0.1" entry from dependencies and add it to
"devDependencies" alongside "eslint" (keeping the same version), and optionally
add "@next/eslint-plugin-next" as a devDependency per the migration guide if you
want the plugin installed (no other changes to eslint.config.mjs or scripts are
required).