
chore: fix and upgrade vulnerable deps#3685

Open
rezk2ll wants to merge 1 commit into master from fix/deps

Conversation


@rezk2ll rezk2ll commented Jan 20, 2026

Issue

When running yarn audit, we get 342 vulnerabilities (44 Low, 95 Moderate, 144 High, 59 Critical).

Upgrades completed

@cozy Packages Upgraded (12 packages):

  • cozy-bar: 29.0.0 → 29.1.0
  • cozy-devtools: 1.2.1 → 1.4.3
  • cozy-doctypes: 1.85.4 → 1.98.2
  • cozy-flags: 4.6.1 → 4.8.1
  • cozy-harvest-lib: 36.0.4 → 36.0.20
  • cozy-interapp: 0.15.1 → 0.16.1
  • cozy-keys-lib: 7.0.0 → 7.1.0
  • cozy-minilog: 3.9.1 → 3.10.0
  • cozy-realtime: 5.8.0 → 5.8.1
  • cozy-search: 0.14.1 → 0.14.4
  • cozy-sharing: 28.1.1 → 28.2.1
  • cozy-ui: 135.0.0 → 135.3.0
  • cozy-ui-plus: 4.0.0 → 4.4.0
  • cozy-viewer: 26.3.0 → 26.5.1

@cozy DevDependencies Upgraded (5 packages):

  • babel-preset-cozy-app: 2.1.0 → 2.8.2
  • cozy-app-publish: 0.40.1 → 0.42.1
  • cozy-jobs-cli: 2.4.3 → 2.6.0
  • eslint-config-cozy-app: 6.1.0 → 6.7.1
  • rsbuild-config-cozy-app: 0.6.0 → 0.7.0

Other DevDependencies Upgraded (5 packages):

  • @babel/eslint-parser: 7.23.3 → 7.28.6
  • @rsbuild/core: 1.5.16 → 1.7.2
  • @swc/core: 1.10.7 → 1.15.10
  • @swc/jest: 0.2.37 → 0.2.39
  • npm-run-all2: 5.0.0 → 8.0.4

Runtime Dependencies Upgraded (5 packages):

  • classnames: 2.3.1 → 2.5.1
  • filesize: 10.1.6 → 11.0.13
  • node-polyglot: 2.4.2 → 2.6.0
  • redux-mock-store: 1.5.4 → 1.5.5
  • whatwg-fetch: 3.0.0 → 3.6.20

Security Improvements

Vulnerabilities Reduced: 342 → 74 (78% reduction)

  • Critical: 59 → 4 (93% reduction)
  • High: 144 → 19 (87% reduction)
  • Moderate: 95 → 43
  • Low: 44 → 8

Summary by CodeRabbit

  • Chores
    • Updated numerous dependencies and build tooling across the project, switching fixed pins to ranged versions and refreshing package versions.
    • No user-facing features or behavioral changes; public/exported interfaces remain unchanged.
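The counts in this description come from `yarn audit`. As an added example (not code from this PR or the cozy project), the script below parses Yarn classic's `yarn audit --json` NDJSON output, counts vulnerable dependency paths per severity, reproduces the whole-percent reductions quoted above, and reports which severities exceed a CI ceiling; the sample input is constructed to mimic Yarn 1's `auditAdvisory` and `auditSummary` records.

```python
"""Parse Yarn classic `yarn audit --json` (NDJSON) and gate on severity.
Added example for this PR thread, not cozy project code; SAMPLE_NDJSON is a
constructed imitation of Yarn 1 `auditAdvisory` / `auditSummary` records."""
import json

SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed sample: three vulnerable paths from two advisories, one junk line.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"path": "app>some-lib>lodash"},
        "advisory": {"module_name": "lodash", "severity": "high", "id": 1}}}),
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"path": "app>other-lib>lodash"},
        "advisory": {"module_name": "lodash", "severity": "high", "id": 1}}}),
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"path": "app>minimist"},
        "advisory": {"module_name": "minimist", "severity": "critical", "id": 2}}}),
    "not json at all",
    json.dumps({"type": "auditSummary", "data": {"vulnerabilities": {
        "info": 0, "low": 0, "moderate": 0, "high": 2, "critical": 1}}}),
])

def count_by_severity(ndjson):
    """Count auditAdvisory records per severity, skipping malformed lines."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for line in ndjson.splitlines():
        try:
            record = json.loads(line)
        except ValueError:
            continue
        if record.get("type") != "auditAdvisory":
            continue
        severity = record.get("data", {}).get("advisory", {}).get("severity")
        if severity in counts:
            counts[severity] += 1
    return counts

def reduction_percent(before, after):
    """Whole-percent reduction as quoted in the PR: 342 -> 74 gives 78."""
    return 0 if before == 0 else round((before - after) * 100 / before)

def exceeds_policy(counts, max_allowed):
    """Severities above their ceiling; a severity absent from max_allowed is unlimited."""
    return [s for s in SEVERITIES if counts.get(s, 0) > max_allowed.get(s, float("inf"))]

if __name__ == "__main__":
    found = count_by_severity(SAMPLE_NDJSON)
    print(found, "fails policy:", exceeds_policy(found, {"critical": 0, "high": 5}))
```

Pipe real output in with `yarn audit --json | python3 audit_gate.py` and exit non-zero when `exceeds_policy` returns anything, so a regression in critical or high findings fails CI rather than only being reported.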


coderabbitai bot commented Jan 20, 2026

Walkthrough

package.json dependency entries were updated: multiple packages had their versions changed from fixed pins to caret ranges and several package names/keys were adjusted (examples: @babel/eslint-parser, @swc/core, babel-preset-cozy-app, cozy-app-publish, cozy-jobs-cli, cozy-viewer). No file structure, top-level fields, exported declarations, or public interfaces were modified. Changes are limited to dependency version/range adjustments.

Suggested reviewers

  • JF-Cozy
  • lethemanh
  • zatteo
  • doubleface

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'chore: fix and upgrade vulnerable deps' directly and clearly describes the main change: addressing and upgrading vulnerable dependencies.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

In `@package.json`:

  • Line 110: Update the dependency to filesize v11 and verify runtime compatibility by running the full test suite and manually checking the four usages of filesize() (search for the symbol filesize() in the codebase) to ensure they pass and still pass the explicit option { base: 10 } and expect string output; also confirm ESM import style remains correct for v11 and no code changes are required, but if any test fails, adjust the specific call sites of filesize() to explicitly pass { base: 10 } or coerce to string as needed.


bundlemon bot commented Jan 20, 2026

BundleMon

Files updated (9), no size limits configured:

  • services/qualificationMigration.js: 284.1KB (+1.9KB, +0.67%)
  • services/dacc.js: 263.83KB (+1.77KB, +0.68%)
  • public/static/js/public.(hash).js: 136.19KB (+484B, +0.35%)
  • static/js/main.(hash).js: 163.07KB (+375B, +0.23%)
  • index.html: 702B (+16B, +2.33%)
  • public/static/js/(chunkId).(hash).js: 1010.61KB (-3.27KB, -0.32%)
  • static/js/(chunkId).(hash).js: 1.05MB (-3.81KB, -0.35%)
  • public/static/js/cozy.(hash).js: 649.77KB (-10.54KB, -1.6%)
  • static/js/cozy.(hash).js: 761.77KB (-33.31KB, -4.19%)

Unchanged files (12):

  • (hash).js: 336.11KB
  • public/(hash).js: 336.11KB
  • public/static/js/lib-react.(hash).js: 39.24KB
  • static/js/lib-react.(hash).js: 39.24KB
  • public/static/css/cozy.(hash).css: 33.84KB
  • static/css/cozy.(hash).css: 33.84KB
  • public/static/js/lib-router.(hash).js: 21.85KB
  • static/js/lib-router.(hash).js: 21.85KB
  • static/css/main.(hash).css: 16.94KB
  • public/static/css/public.(hash).css: 6.66KB
  • manifest.webapp: 3.04KB
  • assets/manifest.json: 185B

Total files change: -46.43KB (-0.88%)

Groups updated (2), no size limits configured:

  • **/*.{png,svg,ico}: 2.28MB (+84.66KB, +3.77%)
  • **/*.js: 6.95MB (+9.07KB, +0.13%)

Unchanged groups (1):

  • **/*.css: 128.39KB

Final result: ✅

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

In `@package.json`:

  • Line 74: The dependency "npm-run-all2"@^8.0.4 requires Node.js >=20; update project config to reflect that and ensure all environments use Node 20+. Specifically, add or update the package.json "engines" field to ">=20", update CI workflow files (e.g., GitHub Actions node-version settings) to use node:20 or later, and update any Dockerfiles or development container images to a Node 20 base image; also run CI locally or in a staging branch to validate scripts that use npm-run-all2 (e.g., scripts invoking --parallel / run-p) still work.

Duplicate comments (1): package.json, line 110: filesize v11 migration already reviewed.

The previous review comment adequately covers the breaking changes for this major version bump. Ensure the test suite validates file size formatting as recommended.


zatteo commented Jan 20, 2026

rsbuild >= 1.5 has not been tested on our side so we need to watch if something changes with the build (for example, when updating to 1.3 we lost auto reload when node_modules cozy packages were updated with rlink).


rezk2ll commented Jan 20, 2026

> rsbuild >= 1.5 has not been tested on our side so we need to watch if something changes with the build (for example, when updating to 1.3 we lost auto reload when node_modules cozy packages were updated with rlink).

I checked; we have auto reload, with extra warnings:

● main ━━━━━━━━━━━━━━━━━━━━━━━━━ (100%) emitting after emit
● public ━━━━━━━━━━━━━━━━━━━━━━━━━ (100%) emitting after emit
● intents ━━━━━━━━━━━━━━━━━━━━━━━━━ (100%) emitting after emit
● services ━━━━━━━━━━━━━━━━━━━━━━━━━ (100%) emitting after emit
warn    Build warnings: 
File: ./node_modules/flexsearch/dist/flexsearch.bundle.module.min.js:1:1
  ⚠ Module parse warning:
  ╰─▶   ⚠ "__dirname" is used and has been mocked. Remove it from your code, or set `node.__dirname` to disable this warning.

File: ./node_modules/flexsearch/dist/flexsearch.bundle.module.min.js:1:1
  ⚠ Module parse warning:
  ╰─▶   ⚠ "__dirname" is used and has been mocked. Remove it from your code, or set `node.__dirname` to disable this warning.

File: ./node_modules/flexsearch/dist/flexsearch.bundle.module.min.js:1:1
  ⚠ Module parse warning:
  ╰─▶   ⚠ "__dirname" is used and has been mocked. Remove it from your code, or set `node.__dirname` to disable this warning.

ready   built in 0.24 s (main)
