
📦 Dependencies/fix critical and high#1796

Merged
adriangohjw merged 12 commits into feat/use-bun from dependencies/fix-critical-and-high on Mar 10, 2026

Conversation

@adriangohjw
Contributor

@adriangohjw adriangohjw commented Jan 15, 2026

Problem

Fix most high and all critical dependencies

Before

33 vulnerabilities (1 critical, 17 high, 10 moderate, 5 low)

After (WIP)

9 vulnerabilities (3 high, 4 moderate, 2 low)
  • Yes - this PR contains breaking changes
    • Details ...
  • No - this PR is backwards compatible

Note

Medium Risk
Large set of dependency upgrades (including next, @trpc/*, TipTap, and observability libs) may introduce subtle runtime/build behavior changes despite no application code changes.

Overview
Updates apps/studio/package.json to pull in newer dependency versions to address reported critical/high vulnerabilities.

This is primarily a broad dependency refresh across core runtime libraries (e.g. next, @trpc/*, TipTap, dd-trace, isomorphic-dompurify) and tooling/test stack (e.g. eslint, prettier, playwright, msw, vitest).

Written by Cursor Bugbot for commit 7419048. This will update automatically on new commits.

@adriangohjw adriangohjw changed the title (WIP) Dependencies/fix critical and high 📦 Dependencies/fix critical and high Feb 9, 2026
@adriangohjw adriangohjw marked this pull request as ready for review February 9, 2026 06:22
@adriangohjw adriangohjw merged commit 5828f3c into feat/use-bun Mar 10, 2026
8 of 16 checks passed
@adriangohjw adriangohjw deleted the dependencies/fix-critical-and-high branch March 10, 2026 10:31
@cursor cursor bot requested review from dcshzj and gautammmanek March 10, 2026 10:33

@cursor cursor bot left a comment


Automated risk assessment for this update:

  • Risk level: Medium-High
  • Why: The diff is dependency-manifest/lockfile only, but it updates a large set of runtime and build dependencies across apps/studio, packages/components, root workspace config, and multiple tooling packages. This creates broad behavioral surface area and non-trivial regression risk despite no direct source-code edits.
  • Code review required: Yes
  • Approval action: Not approved by automation (per policy: Medium-High risk requires human review; also avoid self-approval when CODEOWNERS review applies).
  • Reviewer action: Requested @dcshzj and @gautammmanek based on recent/historical edits on the touched package-manifest paths.

Existing approval state was detected on the PR; no new automation approval was added.



@cursor cursor bot left a comment


Security Review Result

PASS - No high-confidence vulnerabilities found in this PR diff.

I reviewed the changes with focus on injection, auth/authz boundaries, secret handling, SSRF/XSS/CSRF, unsafe deserialization, and supply-chain risk. The diff is limited to dependency manifests and bun.lock; no application/runtime logic changes were introduced.

Confirmed Findings

  • None.

Lower-Confidence Supply-Chain Concern (Validation Needed)

  1. Some dependencies changed from exact pins to caret ranges (for example @aws-sdk/client-s3, @aws-sdk/s3-request-presigner, @tiptap/extension-link in apps/studio/package.json). If any environment performs non-frozen installs, future upstream releases could be pulled unexpectedly.

Recommended validation/remediation:

  • Ensure CI/CD and production builds use frozen lockfile installs (for Bun, enforce bun install --frozen-lockfile).
  • Consider exact pinning for security-sensitive runtime dependencies if strict reproducibility is required.

Overall, this PR appears to reduce known dependency exposure and does not introduce a concrete exploitable issue based on the current diff.
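One way to turn the pinning concern above into a check a reviewer can run, as an added example (not the project's own code; the manifest entries and versions are constructed): it lists every specifier in a package.json object that is not an exact pin, treating workspace links, exact npm: aliases and commit-pinned git URLs as already reproducible.

```javascript
// Added example, not code from the PR: flag package.json specifiers that are
// not exact pins, so a reviewer can spot drift from "1.2.3" to "^1.2.3" that a
// non-frozen install could later resolve to a newer release.

// An exact pin is a bare semver version (MAJOR.MINOR.PATCH, optional
// prerelease/build metadata). Anything else (^, ~, ranges, tags, URLs) floats.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Specifiers that are reproducible by other means and should not be reported.
function isPinnedByOtherMeans(spec) {
  // workspace:* links a local monorepo package; no registry drift is possible.
  if (spec.startsWith("workspace:")) return true;
  // npm: aliases (npm:pkg@1.2.3) are exact when the trailing version is.
  const alias = spec.match(/^npm:.+@(.+)$/);
  if (alias) return EXACT_SEMVER.test(alias[1]);
  // git URLs pinned to a full 40-char commit hash are reproducible.
  return /^(git\+|git:|https?:).*#[0-9a-f]{40}$/.test(spec);
}

// Returns [{ section, name, spec }] for every dependency whose specifier
// could resolve to a different version on a non-frozen install.
function findUnpinnedDeps(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] ?? {})) {
      if (EXACT_SEMVER.test(spec) || isPinnedByOtherMeans(spec)) continue;
      unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// Constructed sample manifest mirroring the kind of change the review flagged:
// AWS SDK and TipTap entries moved from exact pins to caret ranges.
const sampleManifest = {
  dependencies: {
    "@aws-sdk/client-s3": "^3.700.0",
    "@aws-sdk/s3-request-presigner": "^3.700.0",
    "@tiptap/extension-link": "^2.10.0",
    "isomorphic-dompurify": "2.20.0",
    "@example/components": "workspace:*",
    "dompurify-alias": "npm:dompurify@3.2.3",
  },
  devDependencies: { vitest: "~2.1.0", prettier: "3.4.2", playwright: "latest" },
};

for (const d of findUnpinnedDeps(sampleManifest)) {
  console.log(`${d.section}: ${d.name} -> ${d.spec}`);
}
```

Pair it with `bun install --frozen-lockfile` in CI: the check reports what could drift, the frozen install guarantees nothing does until the lockfile is deliberately updated.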

