
chore(deps): consolidate Dependabot updates + missed minor/patch bumps #1402

Merged: kentwelcome merged 2 commits into main from chore/dependabot-20260526-091126 on May 26, 2026

Conversation

@gcko (Contributor) commented May 26, 2026

Summary

Consolidates open Dependabot PRs into one tested branch and bundles non-major updates Dependabot missed.

Defers #1378 (@vitejs/plugin-react 5.x -> 6.x) — that one requires chaining Vite 7 -> 8, both majors, out of scope here.

What changed

npm minor/patch (#1394): @amplitude/unified, @codemirror/view, @tanstack/react-query, @uiw/codemirror-theme-github, @uiw/react-codemirror, ag-grid-community/-react, date-fns, js-cookie, @amplitude/analytics-core, @types/node, @types/react, @vitest/coverage-v8, baseline-browser-mapping, postcss, vitest

Storybook 10.3.6 -> 10.4.0 (#1394): addon-docs, addon-vitest, react, react-vite, storybook, @vitest/browser-playwright

Missed by Dependabot (bundled):

  • JS: write-excel-file 4.0.6 -> 4.0.7, read-excel-file 9.0.9 -> 9.0.10, plus latest-patch upgrades (e.g., @tanstack/react-query 5.100.14 over Dependabot's 5.100.11)
  • Python: click 8.3.1 -> 8.4.1, pydantic 2.12.4 -> 2.13.4 (pydantic-core 2.41.5 -> 2.46.4), pygithub 2.8.1 -> 2.9.1, python-multipart 0.0.28 -> 0.0.29, requests 2.33.0 -> 2.34.2, mcp 1.27.0 -> 1.27.1, dbt-duckdb 1.10.0 -> 1.10.1, pytest-cov 7.0.0 -> 7.1.0, pre-commit 4.4.0 -> 4.6.0

Python (#1384): idna 3.11 -> 3.16 (CVE-2026-45409; uv resolved to 3.16 - latest 3.x; min Python 3.9, we're on 3.10+)

Security review

  • pnpm audit: 0 vulnerabilities (was 1 high js-cookie + 1 moderate ws)
  • pip-audit: 0 vulnerabilities
  • Fixed via overrides:
    • js-cookie@<3.0.7 -> >=3.0.7 - @datarecce/ui declares ^3.0.5 so the root bump alone left a vulnerable 3.0.5 in the workspace tree. CVE-2026-46625 (cookie attribute injection). Per memory, @datarecce/ui's floor isn't bumped; the override enforces the patched version inside this repo.
    • ws@>=8.0.0 <8.20.1 -> >=8.20.1 - uninitialized memory disclosure CVE, transitively pulled by vitest/happy-dom/storybook.

Migration: date-fns pinned to ~4.2.1

date-fns 4.3.0 (released 2026-05-21) "Fixed missing modularized optimization fallback (for Next.js and others)". That change breaks vi.mock("date-fns", ...) in OSS TimelineEvent.test.tsx — the actual formatDistanceToNow runs instead of the mock, so the assertion for "5 minutes ago" sees "less than a minute ago" and the test fails.

Pinned date-fns to ~4.2.1 in pnpm-workspace.yaml overrides (Dependabot's intended target). The UI variant of the same test (packages/ui/.../TimelineEvent.test.tsx) was unaffected. Recommend updating the OSS test's mock to use importOriginal() + override before unpinning.

Deferred (separate PRs)

  • chore(deps): bump @vitejs/plugin-react from 5.2.0 to 6.0.2 in /js #1378 @vitejs/plugin-react 5.x -> 6.x — major bump that removes Babel features and requires Vite 8+; we're on Vite 7.3.3, so this needs to be paired with a Vite major upgrade.
  • Larger 0.x minor jumps not bundled: fastapi 0.121 -> 0.136, uvicorn 0.38 -> 0.48, sentry-sdk 2.44 -> 2.60, boto3 1.40 -> 1.43 — each spans many minor versions of libs that often ship breaking changes in 0.x or use calver-flavored minors. Treat individually.
  • True majors deferred: deepdiff 8 -> 9, packaging 25 -> 26, rich 14 -> 15, websockets 15 -> 16, cryptography 46 -> 48 (recce-cloud-infra), black 25 -> 26 (calver), isort 7 -> 8.

Test plan

  • pnpm audit clean
  • pip-audit clean
  • pytest tests — 1304 passed, 5 skipped
  • pnpm test — 3779 passed, 5 skipped
  • pnpm type:check clean
  • pnpm lint clean
  • pnpm build clean
  • make flake8 clean
  • make format clean

Notes

  • DCO signoff present
  • No recce/data edits
  • pnpm-workspace.yaml reviewed for placeholder lines from pnpm 11 (none)

🤖 Generated with Claude Code

Closes #1394, #1392, #1384.

## npm minor/patch group (#1394 includes #1392 js-cookie security fix)

- @amplitude/unified 1.1.5 -> 1.1.9 (Dependabot wanted 1.1.8; 1.1.9 latest)
- @codemirror/view ^6.42.1 -> ^6.43.0
- @tanstack/react-query 5.100.10 -> 5.100.14 (Dependabot wanted 5.100.11; .14 latest)
- @uiw/codemirror-theme-github ^4.25.9 -> ^4.25.10
- @uiw/react-codemirror ^4.25.9 -> ^4.25.10
- ag-grid-community ^35.2.1 -> ^35.3.0
- ag-grid-react ^35.2.1 -> ^35.3.0
- date-fns ^4.1.0 -> ^4.2.1 (pinned to ~4.2.1 via override; see below)
- js-cookie ^3.0.5 -> ^3.0.7 (CVE-2026-46625 cookie attribute injection)
- @amplitude/analytics-core ^2.48.1 -> ^2.48.2
- @types/node ^25.7.0 -> ^25.9.1
- @types/react 19.2.14 -> 19.2.15
- @vitest/coverage-v8 ^4.1.6 -> ^4.1.7
- baseline-browser-mapping ^2.10.29 -> ^2.10.31
- postcss ^8.5.14 -> ^8.5.15
- vitest ^4.1.6 -> ^4.1.7
- write-excel-file ^4.0.6 -> ^4.0.7 (Dependabot missed)
- read-excel-file ^9.0.9 -> ^9.0.10 (Dependabot missed)

## Storybook 10.3.6 -> 10.4.0 (#1394)

@storybook/addon-docs, @storybook/addon-vitest, @storybook/react,
@storybook/react-vite, storybook, @vitest/browser-playwright

## Python (#1384 + missed updates)

- idna 3.11 -> 3.16 (CVE-2026-45409 -- Dependabot wanted 3.15; uv resolved to 3.16)
- click 8.3.1 -> 8.4.1
- pydantic 2.12.4 -> 2.13.4 (pydantic-core 2.41.5 -> 2.46.4)
- pygithub 2.8.1 -> 2.9.1
- python-multipart 0.0.28 -> 0.0.29
- requests 2.33.0 -> 2.34.2
- mcp 1.27.0 -> 1.27.1
- dbt-duckdb 1.10.0 -> 1.10.1 (dev)
- pytest-cov 7.0.0 -> 7.1.0 (dev)
- pre-commit 4.4.0 -> 4.6.0 (dev)

## Security fixes via pnpm overrides

- js-cookie@<3.0.7 -> >=3.0.7 (enforces CVE patch through @datarecce/ui)
- ws@>=8.0.0 <8.20.1 -> >=8.20.1 (CVE -- uninitialized memory disclosure;
  reaches the tree via vitest, happy-dom, storybook)

## Migration: date-fns pinned to ~4.2.1

date-fns 4.3.0 added a modularized optimization fallback that breaks
the date-fns vi.mock in TimelineEvent.test.tsx (OSS variant). Pinned to
~4.2.1 (Dependabot's intended target) until the test mock is updated.

## Deferred

- #1378 @vitejs/plugin-react 5.x -> 6.x: chained major bump requiring
  Vite 7 -> 8. Not included.

## Verification

- pnpm audit: 0 vulnerabilities (was 2 high/moderate)
- pip-audit: 0 vulnerabilities
- Python: 1304 passed, 5 skipped (pytest tests)
- Frontend: 3779 passed, 5 skipped (pnpm test)
- Frontend type check: clean (pnpm type:check)
- Frontend lint: clean (pnpm lint)
- Frontend build: clean (pnpm build)
- Python lint: clean (make flake8)
- Python format: clean (make format)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Jared Scott <jared.scott@datarecce.io>
@gcko gcko requested a review from Copilot May 26, 2026 09:35
@gcko gcko self-assigned this May 26, 2026
@gcko (Contributor, Author) commented May 26, 2026

Code Review: PR #1402

SHA 23da373b · Verdict GO

Notes

  1. pnpm-workspace.yaml:54-57 date-fns: ~4.2.1 pins the workspace below the latest release to dodge a test-mock regression in js/src/components/check/timeline/TimelineEvent.test.tsx. Not a code fix; tracked only by the inline comment + PR body. No issue link or TODO ticket. If the OSS test mock isn't reworked, the pin silently rots — a future contributor bumping ~4.2.1 won't know why the comment exists in isolation from this PR. Pass F.
    Evidence: vi.mock("date-fns", () => ({ formatDistanceToNow: () => "5 minutes ago" })) at js/src/components/check/timeline/TimelineEvent.test.tsx:27-29 is the exact pattern that breaks under date-fns 4.3.0's modularized optimization fallback.

  2. Commit 23da373b body — Closes #1394, #1392, #1384. is the comma-separated form the user already flagged as not triggering GitHub auto-close. The PR body was fixed to per-line - Closes #N; the commit body still carries the broken form. Auto-close fires off the PR description on merge, so this doesn't break the closure mechanism in practice. It does diverge from the PR body and from chore(deps): consolidate dependabot updates #1373's precedent (which used per-line Closes #N in both places). Pass F.
    Evidence: git log -1 --format=%B 23da373b line 3.

Verified

  • pnpm audit clean; pnpm why js-cookie → single 3.0.7; pnpm why ws → 8.21.0 (both override targets honored).
  • pip-audit clean; uv.lock resolved idna 3.16, click 8.4.1, pydantic 2.13.4, mcp 1.27.1, pygithub 2.9.1, requests 2.34.2 — matches PR claims.
  • CI=true pnpm install --frozen-lockfile clean; no pnpm 11 placeholder lines appended to pnpm-workspace.yaml#allowBuilds.
  • @datarecce/ui dependencies block untouched (memory rule honored); only devDependencies (tsdown, @tsdown/css, postcss) bumped — these don't ship to consumers.
  • All 8 storybook-family packages (@storybook/addon-docs, @storybook/addon-vitest, @storybook/react, @storybook/react-vite, storybook, @vitest/browser-playwright, plus @vitest/coverage-v8, vitest) bumped consistently; lockfile resolved to 10.4.1.
  • PR body format mirrors merged precedent chore(deps): consolidate dependabot updates #1373 (Summary / Updates rather than .github/PULL_REQUEST_TEMPLATE.md); no template violation flag.
  • Sign-off present (Signed-off-by: Jared Scott).

Copilot AI (Contributor) left a comment


Pull request overview

This PR consolidates multiple Dependabot dependency updates into a single branch for Recce’s Python backend (uv lockfile) and the JS/TS workspace, including security-motivated pnpm overrides and a temporary date-fns pin to keep tests passing.

Changes:

  • Updated Python locked dependencies in uv.lock (e.g., click, idna, pydantic, requests, pre-commit, dbt-duckdb).
  • Updated JS workspace dependencies (root + Storybook + UI package dev deps) and refreshed pnpm overrides.
  • Added pnpm overrides for js-cookie and ws, and pinned date-fns to ~4.2.1 to avoid a test-mocking regression.

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.

Summary per file:

| File | Description |
| --- | --- |
| uv.lock | Refreshes Python dependency lock versions to newer minor/patch releases (incl. idna CVE fix). |
| js/pnpm-workspace.yaml | Updates workspace-wide overrides and adds security overrides + date-fns pin. |
| js/package.json | Bumps root JS dependencies/devDependencies (e.g., react-query, js-cookie, vitest, postcss). |
| js/packages/storybook/package.json | Updates Storybook + Vitest packages and tightens react-query version. |
| js/packages/ui/package.json | Updates UI package devDependencies (tsdown, postcss). |

Comment thread js/pnpm-workspace.yaml Outdated
Comment thread js/pnpm-workspace.yaml Outdated
Comment thread js/pnpm-workspace.yaml
@gcko gcko requested a review from kentwelcome May 26, 2026 09:42
…e floor

Addresses Copilot review on PR #1402.

- pnpm-workspace.yaml: change override values from `>=3.0.7` / `>=8.20.1`
  to `^3.0.7` / `^8.20.1` so the security fix can't silently promote
  through a future major bump.
- @datarecce/ui/package.json: bump js-cookie floor from `^3.0.5` to
  `^3.0.7`. The workspace override only protects this repo; published
  consumers of @datarecce/ui need the floor bump to avoid resolving
  to vulnerable 3.0.5/3.0.6 (CVE-2026-46625). This bumps a published-
  package floor — usually held per memory rule, but security CVEs are
  the intended exception.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Jared Scott <jared.scott@datarecce.io>
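An added check, not part of this PR or the Recce repo, that automates the reviewer's `pnpm why js-cookie` / `pnpm why ws` spot-check over a pnpm-lock.yaml: every resolved copy of an overridden package must sit at or above the patched floor and inside the caret major, so both the lingering 3.0.5 the PR body describes and a silent promotion to a future 4.x (the reason the override was tightened from `>=` to `^`) are flagged. The lockfile fragments are constructed; the package names and floors are the ones on this page.

```python
import re
# Constructed pnpm-lock.yaml fragments (not the real recce lockfile). pnpm v9 lists
# each resolved package as "  name@version:" under "packages:", quoting keys that
# start with "@" or carry a peer-dependency suffix in parentheses.
LOCK_BEFORE = """\
packages:
  '@tanstack/react-query@5.100.14(react@19.2.0)':
    resolution: {integrity: sha512-CONSTRUCTED}
  js-cookie@3.0.5:
    resolution: {integrity: sha512-CONSTRUCTED}
  js-cookie@3.0.7:
    resolution: {integrity: sha512-CONSTRUCTED}
  ws@8.18.0:
    resolution: {integrity: sha512-CONSTRUCTED}
"""
LOCK_AFTER = """\
packages:
  js-cookie@3.0.7:
    resolution: {integrity: sha512-CONSTRUCTED}
  ws@8.21.0:
    resolution: {integrity: sha512-CONSTRUCTED}
"""
# Patched floors this PR enforces, read with caret semantics (^3.0.7, ^8.20.1).
FLOORS = {"js-cookie": "3.0.7", "ws": "8.20.1"}
# A top-level package key, with or without quotes and peer suffix.
PKG_RE = re.compile(r"^  '?(@?[^@'\s]+)@(\d+\.\d+\.\d+)(?:\([^)]*\))*'?:$", re.M)

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def resolved_versions(lock_text):
    """Map package name -> sorted list of every version resolved in the lock."""
    found = {}
    for name, ver in PKG_RE.findall(lock_text):
        found.setdefault(name, set()).add(parse_version(ver))
    return {name: sorted(vs) for name, vs in found.items()}

def check_overrides(lock_text, floors=FLOORS):
    """(package, version, reason) per copy below the floor or outside the caret major."""
    problems = []
    versions = resolved_versions(lock_text)
    for pkg, floor in floors.items():
        fmin = parse_version(floor)
        for v in versions.get(pkg, []):
            vs = ".".join(map(str, v))
            if v < fmin:
                problems.append((pkg, vs, "below patched floor"))
            elif v[0] != fmin[0]:  # a bare >= override would let 4.x through; ^ does not
                problems.append((pkg, vs, "outside caret major"))
    return problems
```

Run it against the real `js/pnpm-lock.yaml` after `pnpm install --frozen-lockfile`; an empty result is the same evidence the review cites.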
@kentwelcome (Member) left a comment


LGTM

@kentwelcome kentwelcome merged commit a8ec869 into main May 26, 2026
17 checks passed
@kentwelcome kentwelcome deleted the chore/dependabot-20260526-091126 branch May 26, 2026 12:20