
fix(repo): patch vulnerable transitive dependencies flagged by Dependabot#8856

Open
jacekradko wants to merge 1 commit into
mainfrom
jacek/dependabot-transitive-overrides

Conversation

@jacekradko jacekradko commented Jun 13, 2026

Member

Most of the open Dependabot alerts on this repo trace to dev tooling, build toolchains, or lazily-loaded web3 wallet transitives that never reach customer runtime. This clears the ones worth clearing with range-scoped pnpm.overrides plus a few dev-tooling bumps.

The only change that touches a published artifact is preact 10.27.2 → 10.27.3 inside clerk-js's lazily-loaded Coinbase wallet chunk, which is why the clerk-js patch changeset is here. The happy-dom 18 → 20 bump in @clerk/headless is the other thing worth a glance; its tests stay green (403 passing).

esbuild and webpack are deliberately left out: esbuild's patch is still inside the 3-day release-age window, and a webpack bump drags its entire @webassemblyjs tree for a low-severity, build-only advisory. Both can ride the normal Renovate flow. Lockfile was regenerated with pnpm dedupe.

Summary by CodeRabbit

  • Chores
    • Updated development dependencies including test framework (vitest), coverage tools, and test environment (happy-dom)
    • Upgraded react-router to the latest available version
    • Updated preact bundled version for Coinbase Wallet integration support
    • Expanded pnpm dependency version overrides and constraints across multiple packages

…abot

Range-scoped pnpm.overrides for transitive advisories that don't reach
customer runtime (axios, jws, tmp, minimatch, picomatch, svgo, fast-uri,
ip-address, flatted, follow-redirects, smol-toml, socket.io-parser,
@babel/plugin-transform-modules-systemjs), the one shipped fix (preact
10.27.3 in clerk-js's lazy Coinbase wallet chunk), and dev-tooling bumps
(vitest 3.2.6/4.1.6, happy-dom 20, react-router 7.15.0).
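The description and commit message above rely on range-scoped pnpm.overrides to force vulnerable transitive versions upward. An override only helps if the regenerated lockfile actually stops resolving the old versions, so the check a reviewer wants is: for every override, does any resolved version still fall inside the selector range but below the target's minimum? The following is an added example, not code from the clerk/javascript repository or from this PR. It assumes the pnpm lockfile entry layout (`  name@x.y.z:` or `  /name@x.y.z:` lines under `packages:` / `snapshots:`), override keys of the form `name` or `name@<selector>`, and a simplified semver subset (no prerelease ordering, no `parent>child` selectors). The version numbers in the sample inputs are placeholders, not the ranges this PR sets.

```javascript
// Added example (not code from the clerk/javascript repo): verify that range-scoped
// pnpm.overrides took effect by checking every version a pnpm lockfile resolves for an
// overridden package. Assumes lockfile v6/v9 entry layout, "name" or "name@selector"
// override keys, and a simplified semver subset. All versions below are placeholders.

function parseVersion(version) {
  // Keep major.minor.patch only; a prerelease suffix is ignored for comparison.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher: space-separated comparators (>=, >, <=, <, =, bare version)
// plus simplified ^ and ~ (caret on a 0.x base pins the minor, like ~).
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every(part => {
    let m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(part);
    if (m) {
      const c = compareVersions(version, m[2]);
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[m[1] || '='];
    }
    m = /^([\^~])(\d+\.\d+\.\d+)$/.exec(part);
    if (m) {
      const base = parseVersion(m[2]);
      if (compareVersions(version, m[2]) < 0) return false;
      if (m[1] === '~' || base[0] === 0) return v[0] === base[0] && v[1] === base[1];
      return v[0] === base[0];
    }
    throw new Error(`unsupported range syntax: ${part}`);
  });
}

// "axios@<1.8.2" -> { name: "axios", selector: "<1.8.2" }. A scoped name without a
// selector ("@babel/core") has its only "@" at index 0 and is returned unchanged.
function parseOverrideKey(key) {
  const at = key.lastIndexOf('@');
  if (at <= 0) return { name: key, selector: null };
  return { name: key.slice(0, at), selector: key.slice(at + 1) };
}

// Collect every concrete version the lockfile resolves, per package name.
function resolvedVersions(lockfileText) {
  const entry = /^  '?\/?((?:@[^/\s']+\/)?[^@\s'/]+)@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)(?:\([^)]*\))*'?:\s*$/gm;
  const byName = new Map();
  let m;
  while ((m = entry.exec(lockfileText)) !== null) {
    if (!byName.has(m[1])) byName.set(m[1], new Set());
    byName.get(m[1]).add(m[2]);
  }
  return byName;
}

// Report resolved versions that sit inside an override's selector but below the
// target's minimum version: the "override did not take" failure mode.
function findUnpatchedTransitives(packageJson, lockfileText) {
  const overrides = (packageJson.pnpm && packageJson.pnpm.overrides) || {};
  const resolved = resolvedVersions(lockfileText);
  const findings = [];
  for (const [key, target] of Object.entries(overrides)) {
    const { name, selector } = parseOverrideKey(key);
    const min = /(\d+\.\d+\.\d+)/.exec(target);
    if (!min) continue; // alias targets such as "npm:other-pkg" are out of scope here
    for (const version of resolved.get(name) || []) {
      const inScope = selector === null || satisfies(version, selector);
      if (inScope && compareVersions(version, min[1]) < 0) {
        findings.push({ name, version, override: key, target });
      }
    }
  }
  return findings;
}

// Constructed inputs (placeholder versions, not the PR's actual ranges).
const samplePackageJson = {
  pnpm: { overrides: { 'axios@<1.8.2': '>=1.8.2', 'minimatch@<3.0.5': '>=3.0.5', 'preact@10.27.2': '10.27.3' } },
};
const sampleLockfile = `lockfileVersion: '9.0'
packages:
  axios@1.7.9:
    resolution: {integrity: sha512-PLACEHOLDER}
  axios@1.8.2:
    resolution: {integrity: sha512-PLACEHOLDER}
  minimatch@9.0.5:
    resolution: {integrity: sha512-PLACEHOLDER}
  preact@10.27.3:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// One finding: axios@1.7.9 is inside the <1.8.2 selector yet still resolved, i.e. the
// lockfile was not regenerated after the override was added.
console.log(findUnpatchedTransitives(samplePackageJson, sampleLockfile));
```

Wiring this into CI after `pnpm install --frozen-lockfile` turns a silent regression (someone drops the override, or a new dependency pulls the old range back in through a path the selector does not cover) into a failing check. Scoping the selector, as the PR does, matters for the check too: minimatch 9.0.5 above is outside `<3.0.5` and is correctly left alone rather than reported as a violation of the 3.x target.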

changeset-bot Bot commented Jun 13, 2026


🦋 Changeset detected

Latest commit: ff82a6a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@clerk/clerk-js Patch
@clerk/chrome-extension Patch
@clerk/expo Patch

vercel Bot commented Jun 13, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jun 13, 2026 2:11pm
swingset Ready Ready Preview, Comment Jun 13, 2026 2:11pm

coderabbitai Bot commented Jun 13, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: b4222c80-c982-4c21-9606-9dda68ccc17f

📥 Commits

Reviewing files that changed from the base of the PR and between d46f262 and ff82a6a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • .changeset/clerk-js-coinbase-preact-patch.md
  • package.json
  • packages/headless/package.json
  • packages/react-router/package.json

📝 Walkthrough

Walkthrough

This PR updates dependency versions and pnpm override constraints across the Clerk JavaScript monorepo. A patch release for @clerk/clerk-js documents the preact version bundled in the Coinbase Wallet web3 chunk being updated to 10.27.3. Root dev dependencies and workspace-enforced version constraints are bumped, and individual workspace packages receive targeted dev dependency updates.

Changes

Dependency and version constraint updates

Layer / File(s) Summary
Preact bundling changelog
.changeset/clerk-js-coinbase-preact-patch.md
Changesets entry declares a patch release for @clerk/clerk-js noting that the Coinbase Wallet web3 chunk's bundled preact version was updated to 10.27.3.
Root package dependency and constraint updates
package.json
Root devDependencies bumps @vitest/coverage-v8 and vitest from 3.2.4 to 3.2.6. pnpm.overrides is extended with version constraints for @babel/plugin-transform-modules-systemjs, axios, fast-uri, flatted, follow-redirects, ip-address, jws, minimatch, picomatch, preact, semver, smol-toml, socket.io-parser, svgo, and tmp.
Workspace package dev dependency updates
packages/headless/package.json, packages/react-router/package.json
happy-dom bumped from ^18.0.1 to ^20.8.9 and vitest bumped from 4.1.4 to 4.1.6 in headless. react-router bumped from 7.14.2 to 7.15.0 in react-router.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

clerk-js

Suggested reviewers

  • dstaley
  • wobsoriano

Poem

🐰 Preact hops to ten-point-three,
vitest patches flow so free,
Dependencies align with care,
Happy-dom climbs high in air,
React-router takes the lead—updates complete!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: patching vulnerable transitive dependencies flagged by Dependabot.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

pkg-pr-new Bot commented Jun 13, 2026

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8856

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8856

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8856

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8856

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8856

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8856

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8856

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8856

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8856

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8856

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8856

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8856

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8856

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8856

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8856

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8856

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8856

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8856

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8856

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8856

commit: ff82a6a

@github-actions

Contributor

API Changes Report

Generated by Break Check on 2026-06-13T14:12:42.638Z

Summary

Metric Count
Packages analyzed 19
Packages with changes 1
🔴 Breaking changes 1
🟡 Non-breaking changes 0
🟢 Additions 0

Warning
1 breaking change(s) detected - Major version bump required

🤖 This report was reviewed by claude-sonnet-4-6.

🔴 Breaking changes index (1)

Every breaking change, up front. Full diffs are in the package sections below.

Package Subpath Change
@clerk/shared ./types HeadlessBrowserClerk.load

@clerk/shared

Current version: 4.17.1
Recommended bump: MAJOR → 5.0.0

Subpath ./types

🔴 Breaking Changes (1)

Changed: HeadlessBrowserClerk.load
- load: (opts?: ClerkOptions) => Promise<void>;
+ load: (opts?: Without<ClerkOptions, 'isSatellite'>) => Promise<void>;
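Review bot: this narrowing of HeadlessBrowserClerk.load from ClerkOptions to Without<ClerkOptions, 'isSatellite'> does not correspond to any file this PR touches: the files selected for processing are the changeset, the root package.json, packages/headless/package.json and packages/react-router/package.json, with pnpm-lock.yaml excluded by path filter. Before accepting the recommended MAJOR bump of @clerk/shared to 5.0.0, confirm what the report is diffing against; the "Current version: 4.17.1" line reads like a published release rather than the base branch, and a dependency-override-only PR should not change a public type signature. If the change is pre-existing on main, the major-bump warning is noise for this PR and should be resolved there, not here.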

Static analyzer: Breaking change in property HeadlessBrowserClerk.load: Type changed: (opts?:import("@clerk/shared").ClerkOptions)=>!Promise:interface<void>(opts?:import("@clerk/shared").Without<import("@clerk/shared").ClerkOptions,'isSatellite'>)=>!Promise:interface<void>

🤖 AI review (confirmed) (85%): The parameter type narrowed from ClerkOptions to Without<ClerkOptions, 'isSatellite'>, meaning callers who pass { isSatellite: true, ... } to HeadlessBrowserClerk.load will now get a type error since isSatellite is excluded from the accepted type.

Migration: Remove any isSatellite property from the options object passed to HeadlessBrowserClerk.load, or cast the argument if you need to preserve the value.


Report generated by Break Check

Last ran on ff82a6a.
