chore(deps): clear remaining 112 Dependabot alerts after #5443

[leaanthony]

Summary

Picks up the remaining 112 alerts (9 high, 79 moderate, 24 low) that survived Dependabot's batch PR #5443, plus an unrelated v2 runtime build-fix incidental to it.

#5443 covered the npm lockfiles. This covers everything else:

• Go modules (29 alerts) — Dependabot's group is npm_and_yarn only
• v2 template package.json files (~80 alerts) — no lockfile, so Dependabot skips them
• 3 stragglers that fell through (v3 runtime serialize-javascript, scripts/sponsors defu)

Commits

1. 0f3ae06 Go deps — bumps go-git/v5, x/crypto, x/net, x/image, cloudflare/circl in v2/go.mod, v3/go.mod, v2/internal/staticanalysis/test/standard/go.mod. Closes ~29 alerts.
2. 1898420 v2 templates — vite ^3.0.7 → ^7.0.0 across the 10 unpatched template scaffolds (vanilla, vanilla-ts, lit, lit-ts, preact, preact-ts, react, react-ts, vue, vue-ts). Framework bumps to current majors (react 19, vue 3.5, lit 3, typescript 5.6, preact 10.24). svelte / svelte-ts were already brought current by chore(deps): bump the npm_and_yarn group across 12 directories with 15 updates #5443 — this just adds the typescript bump there. Closes ~80 alerts.
3. 0deb6b1 v2 runtime fix — two unrelated fixes that the previous (now-closed) PR also carried:
   • desktop/contextmenu.js: wrap the default: clause body in {...} to scope the let declarations, satisfying Biome's noSwitchDeclarations (CodeRabbit flagged the minified bundle).
   • dev/build.js: switch to compilerOptions: {css: "injected"} so esbuild-svelte under svelte 5 inlines the stylesheet. Latent break from chore(deps): bump the npm_and_yarn group across 12 directories with 15 updates #5443's svelte 3 → 5 bump — without this, svelte 5 emits a sibling ipc_websocket.css that //go:embed ipc_websocket.js doesn't pick up, so the reconnect-overlay loses styling. Bundles regenerated.
4. 45831af stragglers — v3 runtime adds npm overrides for serialize-javascript ^7.0.5 and diff ^8.0.2 to break the promises-aplus-tests → mocha chain; also bumps typedoc to ^0.28 with compatible plugin versions (the lockfile on master is out-of-sync: typedoc 0.27 with typedoc-plugin-markdown 4.11, which peer-requires 0.28.x — npm ci fails). Refreshes scripts/sponsors lockfile so sponsorkit pulls patched defu.

Why this PR exists separately from #5443

#5443 (Dependabot's batch) and the older PR #5429 both touched the same package.json files but with different target versions (vite ^7 vs ^8, happy-dom ^20.0 vs ^20.9). Rebasing #5429 onto post-#5443 master produced conflicts on every npm file. Starting from current master is cleaner, so I closed #5429 and only re-applied the parts #5443 didn't cover.

Test plan

• go build ./... in v2/ and v3/
• npm ci && npm run build in v2/internal/frontend/runtime/ (bundles regenerated in commit 0deb6b1)
• npm ci && npm run check in v3/internal/runtime/desktop/@wailsio/runtime/
• Smoke test of one template via wails init -t react (and one of the previously-bumped svelte ones to confirm chore(deps): bump the npm_and_yarn group across 12 directories with 15 updates #5443 + this still build a working scaffold)
• Verify Dependabot alert count after merge — expect 0, or a handful of non-applicable advisories which I'll dismiss with written reasons.

Summary by CodeRabbit

Release Notes

• Chores
  • Updated React to version 19 with corresponding TypeScript type definitions
  • Upgraded Vue, Lit, Preact, and Svelte framework templates to latest versions
  • Updated build tooling including Vite (v7), TypeScript (v5.6), and related development dependencies across all frontend templates
  • Bumped Go module dependencies and toolchain to latest compatible versions
  • Updated documentation tooling and type generation utilities

[Copilot]

Pull request overview

This PR aims to eliminate the remaining Dependabot security alerts after #5443 by updating non-lockfile npm dependencies (notably v2 templates), Go module dependencies, and a few runtime/tooling stragglers; it also includes a small v2 runtime build fix related to Svelte 5/esbuild output.

Changes:

• Bump Go module dependencies across v2/v3 (and a staticanalysis fixture) and normalize the go directive to 1.25.0 where applicable.
• Update v2 template package.json files to current major versions (Vite, TS, and framework ecosystems).
• Update v3 runtime tooling deps and add npm overrides to pin vulnerable transitive packages; refresh sponsor script lockfile deps.

Reviewed changes

Copilot reviewed 18 out of 26 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
v3/internal/runtime/desktop/@wailsio/runtime/package.json	Updates typedoc/rimraf/plugin versions and adds overrides for serialize-javascript and diff.
v3/go.mod	Bumps Go deps and normalizes go directive to patch version format.
v3/go.sum	Records updated checksums for bumped v3 module dependencies.
v2/go.mod	Bumps Go deps for v2 module.
v2/go.sum	Records updated checksums for bumped v2 module dependencies.
v2/internal/staticanalysis/test/standard/go.mod	Updates staticanalysis fixture module go directive and indirect deps.
v2/internal/staticanalysis/test/standard/go.sum	Updates checksums for staticanalysis fixture dependency bumps.
v2/internal/frontend/runtime/dev/build.js	Adjusts esbuild-svelte configuration to inline CSS for Svelte 5 output.
v2/internal/frontend/runtime/desktop/contextmenu.js	Wraps default switch case to satisfy noSwitchDeclarations.
v2/internal/frontend/runtime/runtime_prod_desktop.js	Regenerated/minified runtime bundle reflecting contextmenu scoping change.
v2/pkg/templates/templates/vanilla/frontend/package.json	Bumps Vite for vanilla template scaffold.
v2/pkg/templates/templates/vanilla-ts/frontend/package.json	Bumps TypeScript and Vite for vanilla-ts template scaffold.
v2/pkg/templates/templates/react/frontend/package.json	Bumps React/ReactDOM and related tooling (types + Vite plugin).
v2/pkg/templates/templates/react-ts/frontend/package.json	Bumps React/ReactDOM, TS, and related tooling.
v2/pkg/templates/templates/vue/frontend/package.json	Bumps Vue, Vite, and Vue plugin versions.
v2/pkg/templates/templates/vue-ts/frontend/package.json	Bumps Vue/TS/Vite tooling plus vue-tsc and @babel/types.
v2/pkg/templates/templates/preact/frontend/package.json	Bumps Preact, preset, and Vite versions.
v2/pkg/templates/templates/preact-ts/frontend/package.json	Bumps Preact, TS, preset, and Vite versions.
v2/pkg/templates/templates/lit/frontend/package.json	Bumps Lit and Vite versions.
v2/pkg/templates/templates/lit-ts/frontend/package.json	Bumps Lit, TypeScript, and Vite versions.
v2/pkg/templates/templates/svelte/frontend/package.json	Bumps Svelte Vite plugin major for the Svelte template scaffold.
v2/pkg/templates/templates/svelte-ts/frontend/package.json	Bumps Svelte toolchain versions and removes svelte-preprocess (currently problematic).
scripts/sponsors/package-lock.json	Refreshes lockfile to pull patched transitive dependencies (e.g., defu).

Files not reviewed (2)

• scripts/sponsors/package-lock.json: Language not supported
• v2/internal/frontend/runtime/runtime_prod_desktop.js: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Walkthrough

Dependency upgrade PR clearing 449 Dependabot security alerts. Go modules (v2, v3, test) updated to Go 1.25.0 with bumped go-git and golang.org/x packages. Desktop runtime code scoped for clarity. Esbuild Svelte plugin configuration corrected. Twelve frontend templates modernized to Vite 7, TypeScript 5.6, and current framework majors. v3 runtime documentation tooling and transitive security patches updated.

Changes

Go Module Upgrades

Layer / File(s)	Summary
v2 and v3 main module upgrades v2/go.mod, v3/go.mod	go-git/v5 bumped to v5.19.0, with golang.org/x/{sys,term,tools,crypto,image,mod,net,sync,text} and ecosystem packages (testify, go-billy, circl) upgraded across both modules.
Static analysis test module v2/internal/staticanalysis/test/standard/go.mod	Go version directive updated from 1.18 to 1.25.0; indirect golang.org/x/{crypto,net,sys,text} dependencies advanced to current releases.

Frontend and Runtime Updates

Layer / File(s)	Summary
Desktop runtime code improvements v2/internal/frontend/runtime/desktop/contextmenu.js, v2/internal/frontend/runtime/runtime_prod_desktop.js	contextmenu.js default switch case wrapped in explicit block scope; minified runtime_prod_desktop.js simplified with conditional rewrites in drag-and-drop and context-menu handlers.
Esbuild Svelte plugin configuration v2/internal/frontend/runtime/dev/build.js	Svelte plugin invocation corrected from compileOptions with css: true to compilerOptions with css: "injected".
v2 frontend templates framework and tooling modernization v2/pkg/templates/templates/*/frontend/package.json (React, React-TS, Vue, Vue-TS, Svelte, Svelte-TS, Preact, Preact-TS, Lit, Lit-TS, Vanilla, Vanilla-TS)	Twelve template scaffolds upgraded to Vite 7, TypeScript 5.6, and framework majors: React 18→19, Vue 3.2→3.5, Svelte 3→5, Lit 2→3, Preact and Svelte plugin updates; templates regenerate lockfiles on first build in user projects.
v3 runtime build tools and npm overrides v3/internal/runtime/desktop/@wailsio/runtime/package.json	DevDependencies bumped (rimraf, typedoc, plugins); npm overrides added for serialize-javascript and diff to pin transitive security patches.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• wailsapp/wails#5386: Continues Vite version updates in frontend templates by further bumping to ^8.0.5.

Suggested labels

size:L, lgtm

🐰 A bunny's delight, these deps take flight!
Security alerts cleared, frameworks now bright,
Vite 7, React 19, Svelte 5 in sight—
No more Dependabot fears in the night! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 1.16% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely describes the main objective: clearing remaining Dependabot security alerts after a previous batch PR (#5443).
Description check	✅ Passed	The PR description comprehensively covers changes, rationale, commits, and test plan. However, it does not explicitly fill the required template sections (Type of change, Testing details, Checklist items).
Linked Issues check	✅ Passed	The PR successfully addresses the core objectives from #5429: clearing Dependabot alerts via Go module bumps, v2 template package.json updates, v3 runtime npm overrides, and the incidental v2 runtime build fix for svelte 5 CSS handling.
Out of Scope Changes check	✅ Passed	All changes align with the PR objectives. The v2 runtime fixes (contextmenu.js and dev/build.js) are incidental but directly support the svelte 5 upgrade from #5443, and are justified in the description.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch deps/dependabot-cleanup-v2

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

v2/pkg/templates/templates/vue-ts/frontend/package.json (1)

19-19: ⚡ Quick win

Document why @babel/types is explicitly pinned, or remove if unused.

@babel/types ^7.26.0 is listed as a devDependency but is not required by vue-tsc@2.1.0 or its dependencies, nor is it used in the source code. If this was added to resolve a specific build issue or Dependabot alert, add a comment explaining why. Otherwise, consider removing it as an undocumented and potentially unused dependency.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v2/pkg/templates/templates/vue-ts/frontend/package.json` at line 19, The
package.json devDependency "@babel/types": "^7.26.0" appears undocumented and
unused; either remove this entry from package.json or add a clear comment in
package.json (near the devDependencies block) explaining why it is pinned (e.g.,
which build bug, Dependabot alert, or tool requires exactly ^7.26.0), and
include the related tool/version that required it (for example reference to
vue-tsc@2.1.0 if relevant); update the package.json to remove the unused
dependency if no justification exists, or add the comment and optionally a brief
test note (how to reproduce the failure without it) so future reviewers
understand why "@babel/types" is pinned.

v2/pkg/templates/templates/lit-ts/frontend/package.json (1)

23-24: ⚡ Quick win

Add an explicit Node engine requirement for Vite 7 templates.

vite@^7 requires Node 20.19+ or 22.12+. Adding engines.node makes this requirement explicit at project creation time, improving clarity for new users.

♻️ Proposed change

 {
   "name": "frontend",
   "private": true,
   "version": "0.0.0",
+  "engines": {
+    "node": ">=20.19.0 || >=22.12.0"
+  },
   "type": "module",
   "main": "dist/my-element.es.js",

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v2/pkg/templates/templates/lit-ts/frontend/package.json` around lines 23 -
24, Add an explicit Node engine requirement to the template's package.json so
projects generated from v2/pkg/templates/templates/lit-ts/frontend/package.json
declare the required Node version for vite@^7 (Node 20.19+ or 22.12+); update
the package.json to include an "engines" field (e.g., "engines": { "node":
">=20.19.0 || >=22.12.0" }) alongside the existing "typescript" and "vite"
entries to make the runtime requirement explicit at project creation.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@v2/pkg/templates/templates/react/frontend/package.json`:
- Around line 12-19: The devDependency "@vitejs/plugin-react" in package.json
currently pinned to "^5.0.0" does not declare support for Vite 7; update the
"@vitejs/plugin-react" entry in the devDependencies block to a release that
explicitly supports Vite 7 (e.g., "^7.0.0" or the latest compatible v7), then
regenerate the lockfile (npm/yarn/pnpm install) and run a test build to ensure
compatibility; target the "@vitejs/plugin-react" key in package.json when making
this change.

In `@v2/pkg/templates/templates/svelte/frontend/package.json`:
- Around line 12-14: Update the package versions in package.json so the Svelte
Vite plugin is compatible with Vite 8 and Svelte 5: change
"@sveltejs/vite-plugin-svelte" from "^6.0.0" to "^7.0.0" and set "vite" to a
valid 8.x release (e.g. "^8.0.8" or "^8.0.0") to replace the non-existent
"^8.0.13"; locate these entries by the keys "@sveltejs/vite-plugin-svelte" and
"vite" in the dependencies/devDependencies and update their version strings
accordingly.

---

Nitpick comments:
In `@v2/pkg/templates/templates/lit-ts/frontend/package.json`:
- Around line 23-24: Add an explicit Node engine requirement to the template's
package.json so projects generated from
v2/pkg/templates/templates/lit-ts/frontend/package.json declare the required
Node version for vite@^7 (Node 20.19+ or 22.12+); update the package.json to
include an "engines" field (e.g., "engines": { "node": ">=20.19.0 || >=22.12.0"
}) alongside the existing "typescript" and "vite" entries to make the runtime
requirement explicit at project creation.

In `@v2/pkg/templates/templates/vue-ts/frontend/package.json`:
- Line 19: The package.json devDependency "@babel/types": "^7.26.0" appears
undocumented and unused; either remove this entry from package.json or add a
clear comment in package.json (near the devDependencies block) explaining why it
is pinned (e.g., which build bug, Dependabot alert, or tool requires exactly
^7.26.0), and include the related tool/version that required it (for example
reference to vue-tsc@2.1.0 if relevant); update the package.json to remove the
unused dependency if no justification exists, or add the comment and optionally
a brief test note (how to reproduce the failure without it) so future reviewers
understand why "@babel/types" is pinned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5213c47f-e5ee-4eee-beb1-0fd98b65caaa

📥 Commits

Reviewing files that changed from the base of the PR and between 91aebfb and 91bfd0b.

⛔ Files ignored due to path filters (5)

• scripts/sponsors/package-lock.json is excluded by !**/package-lock.json
• v2/go.sum is excluded by !**/*.sum
• v2/internal/staticanalysis/test/standard/go.sum is excluded by !**/*.sum
• v3/go.sum is excluded by !**/*.sum
• v3/internal/runtime/desktop/@wailsio/runtime/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (21)

• v2/go.mod
• v2/internal/frontend/runtime/desktop/contextmenu.js
• v2/internal/frontend/runtime/dev/build.js
• v2/internal/frontend/runtime/ipc_websocket.js
• v2/internal/frontend/runtime/runtime_debug_desktop.js
• v2/internal/frontend/runtime/runtime_prod_desktop.js
• v2/internal/staticanalysis/test/standard/go.mod
• v2/pkg/templates/templates/lit-ts/frontend/package.json
• v2/pkg/templates/templates/lit/frontend/package.json
• v2/pkg/templates/templates/preact-ts/frontend/package.json
• v2/pkg/templates/templates/preact/frontend/package.json
• v2/pkg/templates/templates/react-ts/frontend/package.json
• v2/pkg/templates/templates/react/frontend/package.json
• v2/pkg/templates/templates/svelte-ts/frontend/package.json
• v2/pkg/templates/templates/svelte/frontend/package.json
• v2/pkg/templates/templates/vanilla-ts/frontend/package.json
• v2/pkg/templates/templates/vanilla/frontend/package.json
• v2/pkg/templates/templates/vue-ts/frontend/package.json
• v2/pkg/templates/templates/vue/frontend/package.json
• v3/go.mod
• v3/internal/runtime/desktop/@wailsio/runtime/package.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Is @vitejs/plugin-react version 5.0.0 compatible with React 19.1.0 and Vite 7.0.0?

💡 Result:

Not fully compatible / high risk. 1) Vite 7.0.0: plugin-react@5.0.0 does not declare support for Vite 7, so it’s not officially compatible. The plugin’s peer dependency range for Vite at/around 5.0.x is ^4.2.0 || ^5.0.0 || ^6.0.0 (no ^7.0.0) [1]. 2) React 19.1.0: plugin-react@5.0.0 is at least likely to work, but there’s no explicit “React 19” compatibility statement tied specifically to 5.0.0 in the sources I found. The plugin release notes for 5.0.0 discuss React Compiler behavior around React 19, including a “target!== '19'” condition and notes about the compiler-runtime [2]. However, I did not find a source explicitly confirming that plugin-react@5.0.0 supports React 19.1.0 specifically. Conclusion: If you need official compatibility with Vite 7.0.0, don’t use @vitejs/plugin-react@5.0.0. For Vite 7, you should upgrade to a plugin-react version that explicitly includes Vite 7 (or use the plugin version that supports your target Vite major).

Citations:

• 1: vitejs/vite-plugin-react@6d203af
• 2: https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md

---

Upgrade @vitejs/plugin-react to support Vite 7.0.0.

@vitejs/plugin-react ^5.0.0 does not declare support for Vite 7.0.0. The plugin's peer dependency range is ^4.2.0 || ^5.0.0 || ^6.0.0, which excludes Vite 7. Update the plugin version to one that explicitly supports Vite 7.0.0 to avoid build failures.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v2/pkg/templates/templates/react/frontend/package.json` around lines 12 - 19,
The devDependency "@vitejs/plugin-react" in package.json currently pinned to
"^5.0.0" does not declare support for Vite 7; update the "@vitejs/plugin-react"
entry in the devDependencies block to a release that explicitly supports Vite 7
(e.g., "^7.0.0" or the latest compatible v7), then regenerate the lockfile
(npm/yarn/pnpm install) and run a test build to ensure compatibility; target the
"@vitejs/plugin-react" key in package.json when making this change.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does Vite 8.0.13 exist and is @sveltejs/vite-plugin-svelte 6.0.0 compatible with Svelte 5 and Vite 8?

💡 Result:

No clear evidence was found that Vite 8.0.13 exists today (2026-05-15). The official Vite 8.x release feed shows v8.0.8 and v8.0.0 as latest tracked 8.0 releases in the surfaced results, but no v8.0.13 tag/version was returned in the research; so I can’t confirm that 8.0.13 exists [1][2][3]. As for compatibility: @sveltejs/vite-plugin-svelte 6.0.0 is NOT confirmed compatible with Vite 8 or Svelte 5 based on authoritative sources found. The sources that explicitly mention Vite 8 and Svelte 5 requirements are for @sveltejs/vite-plugin-svelte 7.0.0 (not 6.0.0): it “require[s] vite 8” and “require[s] svelte 5.46.4 or later” [4]. Therefore: - Vite 8.0.13: unknown/not confirmed from sources found [1][2][3]. - @sveltejs/vite-plugin-svelte 6.0.0 with Svelte 5 + Vite 8: not supported by the cited evidence; the Vite 8 + Svelte 5 requirement is stated for v7.0.0 instead [4].

Citations:

• 1: https://vite.dev/releases
• 2: https://github.com/vitejs/vite/releases/tag/v8.0.8
• 3: https://github.com/vitejs/vite/releases
• 4: https://github.com/sveltejs/vite-plugin-svelte/releases/tag/%40sveltejs%2Fvite-plugin-svelte%407.0.0

---

Update @sveltejs/vite-plugin-svelte to version 7.0.0 for Vite 8 and Svelte 5 compatibility.

Vite 8.0.13 does not appear to exist in the official release registry—only versions up to 8.0.8 are documented. More critically, @sveltejs/vite-plugin-svelte 6.0.0 is incompatible with both Vite 8 and Svelte 5. Version 7.0.0 of the plugin is required to support Vite 8 and Svelte 5.46.4+. Update "@sveltejs/vite-plugin-svelte" to "^7.0.0" and specify a valid Vite 8 version like "^8.0.0" or "^8.0.8" (the highest confirmed 8.x release).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v2/pkg/templates/templates/svelte/frontend/package.json` around lines 12 -
14, Update the package versions in package.json so the Svelte Vite plugin is
compatible with Vite 8 and Svelte 5: change "@sveltejs/vite-plugin-svelte" from
"^6.0.0" to "^7.0.0" and set "vite" to a valid 8.x release (e.g. "^8.0.8" or
"^8.0.0") to replace the non-existent "^8.0.13"; locate these entries by the
keys "@sveltejs/vite-plugin-svelte" and "vite" in the
dependencies/devDependencies and update their version strings accordingly.