
fix: bump react-router and vitest to resolve Dependabot advisories#9215

Merged

sriramveeraghanta merged 2 commits into preview from fix/bump-vulnerable-npm-deps on Jun 4, 2026

Conversation

@sriramveeraghanta (Member) commented Jun 4, 2026

Description

Resolves all 6 open Dependabot alerts (all npm, manifest pnpm-lock.yaml) by bumping the affected catalog entries in pnpm-workspace.yaml and regenerating the lockfile.

Severity     Package       Advisory             Before  After
🔴 critical  vitest        GHSA-5xrq-8626-4rwp  4.0.15  4.1.8
🟠 high      react-router  GHSA-8x6r-g9mw-2r78  7.12.0  7.15.0
🟠 high      react-router  GHSA-49rj-9fvp-4h2h  7.12.0  7.15.0
🟠 high      react-router  GHSA-8646-j5j9-6r62  7.12.0  7.15.0
🟡 medium    react-router  GHSA-2j2x-hqr9-3h42  7.12.0  7.15.0
🟡 medium    react-router  GHSA-f22v-gfqf-p8f3  7.12.0  7.15.0

react-router 7.15.0 is the lowest version that clears all five react-router advisories. To avoid peer-dependency mismatches, the lockstep sibling packages were aligned in the same change:

  • @react-router/dev / @react-router/node / @react-router/serve -> 7.15.0
  • @vitest/coverage-v8 -> ^4.1.0 (resolves to 4.1.8 alongside vitest)

All bumps are within-major (minor) version changes — no breaking API changes expected.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Improvement (change that would cause existing functionality to not work as expected)
  • Code refactoring
  • Performance improvements
  • Documentation update

Screenshots and Media (if applicable)

Test Scenarios

  • pnpm install --frozen-lockfile succeeds (lockfile consistent with manifests) ✅ verified
  • Lockfile resolves a single react-router@7.15.0 copy and vitest@4.1.8; no react-router@7.1x (<7.15) or vitest@4.0.x copies remain ✅ verified
  • CI: type-check, lint, and the web/app builds pass on the bumped versions
  • Smoke-test the React Router driven app (routing/navigation) and the Vitest test suite run cleanly

References

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated core dependencies: bumped React Router packages and related dev/serve tools, plus testing/coverage tooling to newer minor versions.

Resolves 6 open Dependabot alerts (all npm, manifest pnpm-lock.yaml):

- react-router 7.12.0 -> 7.15.0 (fixes GHSA-8x6r-g9mw-2r78 [high],
  GHSA-49rj-9fvp-4h2h [high], GHSA-8646-j5j9-6r62 [high],
  GHSA-2j2x-hqr9-3h42 [medium], GHSA-f22v-gfqf-p8f3 [medium])
- vitest 4.0.x -> 4.1.x (fixes GHSA-5xrq-8626-4rwp [critical])

Aligned lockstep siblings to avoid peer-dependency mismatches:
@react-router/dev|node|serve -> 7.15.0, @vitest/coverage-v8 -> ^4.1.0.

Edited catalog entries in pnpm-workspace.yaml and regenerated
pnpm-lock.yaml; verified with pnpm install --frozen-lockfile.
Copilot AI review requested due to automatic review settings June 4, 2026 15:27
@coderabbitai (Contributor, bot) commented Jun 4, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1b8aa844-0acd-4a2a-85f7-6eea4f595263

📥 Commits

Reviewing files that changed from the base of the PR and between d58c85a and bd08a2e.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • pnpm-workspace.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • pnpm-workspace.yaml

📝 Walkthrough

This PR updates four dependency pins in the pnpm workspace catalog: bumps for React Router packages to 7.15.0 and Vitest (+coverage plugin) to ^4.1.8.

Changes

Dependency Version Updates

Layer                                   File(s)              Summary
React Router ecosystem version updates  pnpm-workspace.yaml  @react-router/dev, @react-router/node, and @react-router/serve bumped from 7.13.1 to 7.15.0; react-router bumped from 7.12.0 to 7.15.0.
Vitest ecosystem version updates        pnpm-workspace.yaml  @vitest/coverage-v8 and vitest bumped from ^4.0.8 to ^4.1.8.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested reviewers

  • Palanikannan1437
  • vamsikrishnamathala

Poem

🐰 Hop, hop, pins ascend,
Router and Vitest get new threads,
Catalog sings with tidy ends,
Dependencies snug in their beds,
A rabbit cheers for tiny trends.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name                Status     Explanation
Title check               ✅ Passed  The title accurately summarizes the primary change: bumping vulnerable dependencies (react-router and vitest) to resolve Dependabot security advisories.
Description check         ✅ Passed  The description comprehensively covers all required template sections: detailed description with advisory table, type of change marked, test scenarios verified, and references provided.
Docstring Coverage        ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check       ✅ Passed  Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed  Check skipped because no linked issues were found for this pull request.


Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the workspace dependency catalog and lockfile to remediate Dependabot advisories by bumping React Router and Vitest (and aligned companion packages) to non-vulnerable versions, keeping installs consistent via a regenerated pnpm-lock.yaml.

Changes:

  • Bump react-router to 7.15.0 and align @react-router/* siblings to 7.15.0 in the workspace catalog.
  • Bump vitest to the 4.1.x line and align @vitest/coverage-v8 accordingly in the workspace catalog.
  • Regenerate pnpm-lock.yaml to reflect the updated catalog resolutions and dedupe to the intended versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File                 Description
pnpm-workspace.yaml  Updates catalog entries for react-router, @react-router/*, vitest, and @vitest/coverage-v8.
pnpm-lock.yaml       Regenerated lockfile capturing the new resolved versions and transitive dependency updates.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

Comment thread pnpm-workspace.yaml Outdated
Comment thread pnpm-workspace.yaml Outdated
Copilot AI (Contributor) left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

The critical advisory GHSA-5xrq-8626-4rwp is patched in vitest 4.1.8, but
the catalog specifiers were ^4.1.0, which permits resolving to vulnerable
4.1.0-4.1.7. Align the floor with the documented patched version for vitest
and @vitest/coverage-v8 so a future lockfile refresh cannot reintroduce a
vulnerable Vitest stack. Resolved version is unchanged (4.1.8).
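Added example, not code from this PR or its project: a small Node script that checks the two things this PR verifies by hand, namely that each catalog specifier in pnpm-workspace.yaml floors at or above the advisory's patched version (the point of the follow-up commit above: `^4.1.0` admits 4.1.0 through 4.1.7), and that the regenerated pnpm-lock.yaml resolves no copy older than the patched version (the "no react-router <7.15 or vitest 4.0.x copies remain" scenario in the description). The advisory IDs and patched versions are those stated in the PR table; the two YAML documents are constructed for the demo and assume the pnpm v9 layout (a two-space-indented `catalog:` block, and lockfile `packages:` keys of the form `name@version(peers)`). The function names (`audit`, `rangeFloor`, `parseCatalog`, `lockfileVersions`) are mine.

```javascript
// Added example: audit pnpm catalog floors and lockfile resolutions against
// the advisories listed in the PR. Not project code; YAML inputs are constructed.

// Advisory -> package -> patched version, as stated in the PR description.
const ADVISORIES = [
  { id: "GHSA-5xrq-8626-4rwp", pkg: "vitest", patched: "4.1.8" },
  { id: "GHSA-8x6r-g9mw-2r78", pkg: "react-router", patched: "7.15.0" },
  { id: "GHSA-49rj-9fvp-4h2h", pkg: "react-router", patched: "7.15.0" },
  { id: "GHSA-8646-j5j9-6r62", pkg: "react-router", patched: "7.15.0" },
  { id: "GHSA-2j2x-hqr9-3h42", pkg: "react-router", patched: "7.15.0" },
  { id: "GHSA-f22v-gfqf-p8f3", pkg: "react-router", patched: "7.15.0" },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b (pre-release tags ignored).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Lowest version a catalog specifier admits. ^x.y.z, ~x.y.z, >=x.y.z and an
// exact pin all floor at the stated version; anything else ("*", "4.x") is
// rejected so it cannot silently pass the check.
function rangeFloor(spec) {
  const m = /^(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported catalog specifier: ${spec}`);
  return m[1];
}

// Minimal reader for the `catalog:` block of pnpm-workspace.yaml
// (two-space-indented `name: spec` lines, names optionally quoted).
function parseCatalog(yaml) {
  const out = {};
  let inCatalog = false;
  for (const line of yaml.split("\n")) {
    if (/^catalog:\s*$/.test(line)) { inCatalog = true; continue; }
    if (inCatalog && /^\S/.test(line)) inCatalog = false;
    const m = inCatalog && /^ {2}(['"]?)([^'":\s]+)\1:\s*(['"]?)([^'"\s]+)\3\s*$/.exec(line);
    if (m) out[m[2]] = m[4];
  }
  return out;
}

// Resolved versions per package from the `packages:` section of pnpm-lock.yaml,
// whose keys look like `react-router@7.15.0(react@19.0.0):`.
function lockfileVersions(lock) {
  const out = {};
  let inPackages = false;
  for (const line of lock.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false;
    const m = inPackages && /^ {2}'?(@?[^@'\s]+)@(\d+\.\d+\.\d+)/.exec(line);
    if (m) (out[m[1]] = out[m[1]] || []).push(m[2]);
  }
  return out;
}

// Returns human-readable findings; an empty array means both files are clean.
function audit(catalogYaml, lockYaml, advisories = ADVISORIES) {
  const catalog = parseCatalog(catalogYaml);
  const resolved = lockfileVersions(lockYaml);
  const findings = [];
  for (const adv of advisories) {
    const spec = catalog[adv.pkg];
    if (spec === undefined) { findings.push(`${adv.id}: ${adv.pkg} missing from catalog`); continue; }
    const floor = rangeFloor(spec);
    if (compareVersions(floor, adv.patched) < 0)
      findings.push(`${adv.id}: catalog "${adv.pkg}: ${spec}" floors at ${floor}, below patched ${adv.patched}`);
    for (const v of resolved[adv.pkg] || [])
      if (compareVersions(v, adv.patched) < 0)
        findings.push(`${adv.id}: lockfile still resolves ${adv.pkg}@${v}, below patched ${adv.patched}`);
  }
  return findings;
}

// Constructed inputs. CATALOG_BEFORE mirrors the first commit's floor (^4.1.0);
// CATALOG_AFTER mirrors the follow-up commit that raised it to ^4.1.8.
const CATALOG_BEFORE = `packages:
  - apps/*
catalog:
  react-router: 7.15.0
  "@react-router/dev": 7.15.0
  vitest: ^4.1.0
  "@vitest/coverage-v8": ^4.1.0
`;
const CATALOG_AFTER = CATALOG_BEFORE.replace(/\^4\.1\.0/g, "^4.1.8");
const LOCK_CLEAN = `lockfileVersion: '9.0'
packages:
  react-router@7.15.0(react-dom@19.0.0)(react@19.0.0):
    resolution: {integrity: sha512-constructed}
  vitest@4.1.8(@types/node@22.0.0):
    resolution: {integrity: sha512-constructed}
  '@vitest/coverage-v8@4.1.8(vitest@4.1.8)':
    resolution: {integrity: sha512-constructed}
`;
// A stale lockfile that still carries a second, vulnerable vitest copy.
const LOCK_STALE = LOCK_CLEAN + `  vitest@4.0.15(@types/node@22.0.0):
    resolution: {integrity: sha512-constructed}
`;

console.log(audit(CATALOG_BEFORE, LOCK_CLEAN)); // one finding: vitest floor 4.1.0 < 4.1.8
console.log(audit(CATALOG_AFTER, LOCK_STALE));  // one finding: vitest@4.0.15 still resolved
console.log(audit(CATALOG_AFTER, LOCK_CLEAN));  // []
```

Run it against the real files by reading them with `fs.readFileSync` and passing the strings to `audit`; wiring it into CI next to `pnpm install --frozen-lockfile` is what turns the manual "no vulnerable copies remain" scenario into a gate that fails when a later lockfile refresh drifts below the patched floor. The floor check deliberately rejects specifiers it cannot bound rather than guessing.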
@sriramveeraghanta sriramveeraghanta merged commit 0bbfe95 into preview Jun 4, 2026
12 checks passed
@sriramveeraghanta sriramveeraghanta deleted the fix/bump-vulnerable-npm-deps branch June 4, 2026 19:21

3 participants