chore: bump deps

[zerob13]

• bump deps

Summary by CodeRabbit

• Chores

  • Bumped many dependencies and devDependencies across AI integrations, networking, document parsing, desktop runtime, UI/build tooling, and developer tooling.

• Build

  • Simplified Windows CI build matrix to x64 only (arm64 variant removed).

• Release

  • Windows ARM64 artifact publishing/copying disabled in release/deploy workflows.

• Performance

  • Upstream library updates may yield incremental stability and performance improvements.

• Security

  • Includes recent patch-level updates to reduce potential third-party vulnerabilities.

[coderabbitai]

Walkthrough

Updated dependency and devDependency versions in package.json (minor/patch bumps); disabled Windows ARM64 artifact builds/handling across CI: simplified Windows build matrix in .github/workflows/build.yml and commented-out ARM64 artifact copy blocks in .github/workflows/deploycdn.yml and .github/workflows/release.yml. No runtime code or exported API changes.

Changes

Cohort / File(s)	Summary of Changes
Dependencies package.json	Bumped versions for existing dependencies and devDependencies (multiple minor/patch upgrades; no additions or removals). Examples: bedrock & bedrock-runtime → 3.879.0, @google/genai → 1.16.0, axios → 1.11.0, cheerio → 1.1.2, dayjs → 1.11.18, openai → 5.18.0, undici → 7.15.0, zod → 3.25.76; dev tooling bumps include vite → 7.1.4, vue → 3.5.21, mermaid → 11.10.1, @electron/notarize → 3.1.0, etc.
CI — build matrix .github/workflows/build.yml	Removed arm64 from Windows arch matrix and dropped the win-arm64 include entry; Windows build now only targets x64.
CI — artifact deploy .github/workflows/deploycdn.yml	Commented-out/disabled blocks that handled deepchat-win-arm64 artifacts and copy steps to CDN upgrade2/winarm and download2 — Windows ARM64 executables no longer copied.
CI — release asset prep .github/workflows/release.yml	Commented-out/disabled block that copied artifacts from artifacts/deepchat-win-arm64 to release_assets (.exe/.msi/.zip) — Windows ARM64 artifacts are omitted from release assets.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer
  participant CI as CI Runner
  participant Build as Build Job
  participant Artifacts as Artifacts Store
  participant CDN as deploycdn Job
  participant Release as release Job

  Dev->>CI: push changes
  CI->>Build: run build matrix (win-x64, linux, mac)
  note right of Build #DDEEFF: win-arm64 removed
  Build-->>Artifacts: upload artifacts (no win-arm64)
  Artifacts->>CDN: process & copy artifact sets
  note right of CDN #F6F8E9: win-arm64 copy steps commented out
  Artifacts->>Release: prepare release assets
  note right of Release #FFF4E6: win-arm64 asset copy commented out
  Release-->>Dev: release assets ready

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore: bump deps #721 — Overlapping dependency version bumps (e.g., @google/genai, @modelcontextprotocol/sdk, openai, vite, vue); likely related.

Poem

I thump my feet on versioned ground,
Bumps all snug, no logic found.
ARM64 sleeps, CI trims its pace,
Packages rise — the build keeps grace.
Hop, hop — a tidy, quieter race 🥕

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/bump-up-safe-deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

package.json (2)

69-69: Consider consolidating HTTP clients (axios vs undici/fetch) to reduce surface area.

We now depend on axios, undici, and SDKs that use fetch. If feasible, standardize on fetch/undici for Node and keep axios only where browser/XHR is required to trim bundle size and avoid adapter edge cases between Electron main/renderer.

Also applies to: 94-94, 87-87

---

60-61: AWS SDK v3 bump: ensure per-client timeouts/retries are set (avoid long-hanging requests).

If not already centralized, set request timeouts and reasonable retry strategy on Bedrock clients to avoid Electron main-thread stalls.

Provide a shared factory, e.g., createBedrockClient({requestHandler: new NodeHttpHandler({requestTimeout: ms})}).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 0842a78 and 297dd64.

📒 Files selected for processing (1)

• package.json (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-check (x64)

🔇 Additional comments (5)

package.json (5)

101-106: No changes needed – notarize import matches v3.x API
The import { notarize } from '@electron/notarize' and subsequent calls align with the v3.0+ documentation (§API uses named notarize export) (packages.electronjs.org)

---

128-129: Install dependencies and verify type-check & SSR/hydration assumptions

After running pnpm install, execute pnpm run typecheck:web and ensure no vue-tsc errors occur. Also scan your src/ for any defineComponent, withDefaults, or defineModel usages and confirm that component types, SSR, and hydration behaviors remain correct.

---

137-141: Commit the pnpm lockfile and re-run dependency audits
No pnpm-lock.yaml was found after these bumps—run pnpm install to generate and commit the lockfile, then execute pnpm audit --prod and pnpm audit --dev and confirm there are no advisories for axios, minimatch, yaml, zod, cheerio, undici, openai. Applies also to the other bumped sections (package.json lines 166–167, 97, 71).

---

59-98: Verify LLM client API usage against bumped SDKs

• No legacy OpenAI (ChatCompletion/Completions) or Anthropic (anthropic.completions) calls were found.
• Detected numerous this.ollama.generate() and this.ollama.chat() calls in ollamaProvider.ts—confirm these methods remain valid in ollama@0.5.17.
• Check your uses of @google/genai for any renamed or removed endpoints after the upgrade.
• (Optional) Run pnpm install && pnpm dedupe to reconcile lockfile changes.

---

153-156: Verify Vite dev build

Config files load without syntax errors—please run the Vite dev server (e.g. npm run dev or npx vite dev --config electron.vite.config.ts) to confirm PostCSS/Tailwind integration works correctly with Vite 7.1.4.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

.github/workflows/build.yml (4)

66-74: Remove stale exclude for win-arm64 unpacked dir

Since Windows arm64 is no longer built, this exclude is dead weight.

Apply:

       path: |
         dist/*
         !dist/win-unpacked
-        !dist/win-arm64-unpacked

---

35-39: Speed up CI: enable pnpm cache

Enable pnpm cache in pnpm/action-setup to cut install time.

Apply in each job:

-      - name: Setup pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: 10.12.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: 10.12.1
+          cache: true

Also applies to: 92-96, 147-150

---

97-108: Duplicate install on Linux may be redundant

You run pnpm install, then install:sharp, then pnpm install again (without env). If not needed for native rebuilds, drop the second install to save minutes.

Example:

       - name: Install dependencies
         run: pnpm install

       - name: Configure pnpm workspace for Linux ${{ matrix.arch }}
         run: pnpm run install:sharp
         env:
           TARGET_OS: linux
           TARGET_ARCH: ${{ matrix.arch }}

-      - name: Install dependencies
-        run: pnpm install

---

151-162: Same duplicate install pattern on macOS

Mirror the Linux adjustment if the second install isn’t required.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 297dd64 and eb2677d.

📒 Files selected for processing (1)

• .github/workflows/build.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-check (x64)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

.github/workflows/deploycdn.yml (3)

58-61: Win ARM64 disabled but still surfaced in structure/summary — align outputs.

You’ve commented out Win ARM64 copies, but we still:

• create upgrade2/winarm (Line 31), and
• advertise a Win ARM64 folder in the summary (Lines 136–137).

This can confuse operators and users. Either drop winarm entirely for now or clearly mark it as disabled.

Apply one of the following diffs.

Option A — remove winarm entirely until it’s re-enabled:

-          mkdir -p cdn_upload/upgrade2/v${{ github.event.inputs.version }}/{linuxx64,macarm,macx64,winx64,winarm}
+          mkdir -p cdn_upload/upgrade2/v${{ github.event.inputs.version }}/{linuxx64,macarm,macx64,winx64}
@@
-          echo "  - winarm/ (所有 Windows ARM64 文件)"
+          :

Option B — keep dir but clarify it’s disabled in the summary:

@@
-          echo "  - winarm/ (所有 Windows ARM64 文件)"
+          echo "  - winarm/ (Windows ARM64 已暂时停用：当前无文件)"

Also applies to: 31-31, 136-137

---

96-99: Consistent handling for download2: clarify or remove Win ARM64 section.

Win ARM64 executables are not copied anymore. If you keep the platform listed elsewhere, consider adding a matching note for download2 or omit it consistently.

---

58-61: Prefer a feature flag over commented blocks.

Instead of commented code, gate these blocks with an input/env (default false) so re-enabling is one click.

Example sketch:

@@
   workflow_dispatch:
     inputs:
       workflow_id:
         description: 'Build workflow run ID to use for artifacts'
         required: true
         type: string
+      include_win_arm64:
+        description: 'Include Windows ARM64 artifacts'
+        required: false
+        type: boolean
+        default: false
@@
-          #if [ -d "artifacts/deepchat-win-arm64" ]; then
-          #  echo "Processing Windows arm64 artifacts..."
-          #  cp -r artifacts/deepchat-win-arm64/* cdn_upload/upgrade2/v${{ github.event.inputs.version }}/winarm/ 2>/dev/null || true
-          #fi
+          if [ "${{ github.event.inputs.include_win_arm64 }}" = "true" ] && [ -d "artifacts/deepchat-win-arm64" ]; then
+            echo "Processing Windows arm64 artifacts..."
+            cp -r artifacts/deepchat-win-arm64/* cdn_upload/upgrade2/v${{ github.event.inputs.version }}/winarm/ 2>/dev/null || true
+          fi
@@
-          #if [ -d "artifacts/deepchat-win-arm64" ]; then
-          #  echo "Processing Windows arm64 executables..."
-          #  cp artifacts/deepchat-win-arm64/*.exe cdn_upload/download2/v${{ github.event.inputs.version }}/ 2>/dev/null || true
-          #fi
+          if [ "${{ github.event.inputs.include_win_arm64 }}" = "true" ] && [ -d "artifacts/deepchat-win-arm64" ]; then
+            echo "Processing Windows arm64 executables..."
+            cp artifacts/deepchat-win-arm64/*.exe cdn_upload/download2/v${{ github.event.inputs.version }}/ 2>/dev/null || true
+          fi

Also applies to: 96-99

.github/workflows/release.yml (2)

55-59: Win ARM64 release assets disabled — good. Consider a toggle for quick re-enable.

Mirrors deploycdn.yml. A small input/env flag keeps the workflow clean and avoids commented code drift.

Example sketch:

@@
   workflow_dispatch:
     inputs:
       workflow_id:
         description: 'Build workflow run ID to use for artifacts'
         required: true
         type: string
       prerelease:
         description: 'Is this a prerelease?'
         required: true
         type: boolean
         default: false
+      include_win_arm64:
+        description: 'Include Windows ARM64 assets'
+        type: boolean
+        default: false
@@
-          #if [ -d "artifacts/deepchat-win-arm64" ]; then
-          #  cp artifacts/deepchat-win-arm64/*.exe release_assets/ 2>/dev/null || true
-          #  cp artifacts/deepchat-win-arm64/*.msi release_assets/ 2>/dev/null || true
-          #  cp artifacts/deepchat-win-arm64/*.zip release_assets/ 2>/dev/null || true
-          #fi
+          if [ "${{ github.event.inputs.include_win_arm64 }}" = "true" ] && [ -d "artifacts/deepchat-win-arm64" ]; then
+            cp artifacts/deepchat-win-arm64/*.exe release_assets/ 2>/dev/null || true
+            cp artifacts/deepchat-win-arm64/*.msi release_assets/ 2>/dev/null || true
+            cp artifacts/deepchat-win-arm64/*.zip release_assets/ 2>/dev/null || true
+          fi

---

33-41: Version extraction hard-depends on Linux x64 tarball.

If a Linux x64 .tar.gz is ever missing but other artifacts exist, the release fails. Consider extracting from any matching artifact to make this more robust.

Example:

-          VERSION_FILE=$(find artifacts/deepchat-linux-x64 -name "DeepChat-*.tar.gz" | head -n 1)
+          VERSION_FILE=$(find artifacts -regex '.*/DeepChat-[0-9]\+\.[0-9]\+\.[0-9]\+.*\.\(tar\.gz\|dmg\|zip\|AppImage\)' | head -n 1)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between eb2677d and ce26a1e.

📒 Files selected for processing (2)

• .github/workflows/deploycdn.yml (2 hunks)
• .github/workflows/release.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-check (x64)

🔇 Additional comments (2)

.github/workflows/deploycdn.yml (1)

117-124: Sanity-check: action-qiniu-upload uploads only files, so empty winarm dirs are harmless.

No action needed; just noting that empty dirs won’t create stray objects. If you want zero noise in logs, remove the dir as suggested above.

.github/workflows/release.yml (1)

83-91: Nice: draft release with explicit file glob.

This cleanly avoids leaking old assets across runs.