chore(deps): combine all dependabot dependency updates #504

Merged: gkorland merged 1 commit into staging from chore/combined-dependabot-updates on Mar 27, 2026

gkorland commented Mar 27, 2026

Summary

Combines 10 dependabot PRs into a single update to reduce merge noise.

Changes

Python Dependencies

GitHub Actions

NPM Dependencies (app/)

Skipped (major version bumps requiring migration)

Testing

CI pipeline validates all changes.

Memory / Performance Impact

N/A — minor/patch dependency bumps only.

Related Issues

Replaces: #483, #484, #486, #487, #491, #493, #498, #499, #500, #501

Summary by CodeRabbit

  • Chores
    • Updated multiple GitHub Actions workflows to use newer versions of development and testing tools.
    • Updated development dependencies (TypeScript ESLint) and runtime dependencies (uvicorn, pytest-asyncio) to newer versions.

Python dependencies:
- uvicorn: 0.41.0 → 0.42.0
- litellm: 1.82.0 → 1.82.6
- authlib: 1.6.8 → 1.6.9
- fastmcp: 3.0.1 → 3.1.1
- pytest-asyncio: 1.2.0 → 1.3.0

GitHub Actions:
- astral-sh/setup-uv: v5.4.2 → v7.6.0
- rojopolis/spellcheck-github-actions: 0.59.0 → 0.60.0

NPM dependencies (app/):
- typescript-eslint: 8.53.0 → 8.57.0
- flatted: 3.3.3 → 3.4.2
- picomatch: 2.3.1 → 2.3.2 / 4.0.3 → 4.0.4

Replaces: #483, #484, #486, #487, #491, #493, #498, #499, #500, #501

Skipped major version bumps (require migration work):
- #488 vite 7→8, #489 react-dom 18→19
- #490 tailwind-merge 2→3, #492 tailwindcss 3→4

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
overcut-ai bot commented Mar 27, 2026

Completed Working on "Code Review"

✅ Review submitted: COMMENT. Total comments: 1 across 1 files.

✅ Workflow completed successfully.

coderabbitai bot commented Mar 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2e8332ec-c6a2-4abb-8a5b-f6c0967988c3

📥 Commits

Reviewing files that changed from the base of the PR and between b6bd6b6 and ab04dd1.

⛔ Files ignored due to path filters (3)
  • app/package-lock.json is excluded by !**/package-lock.json
  • package-lock.json is excluded by !**/package-lock.json
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .github/workflows/playwright.yml
  • .github/workflows/pylint.yml
  • .github/workflows/spellcheck.yml
  • .github/workflows/tests.yml
  • app/package.json
  • pyproject.toml

📝 Walkthrough

This PR updates multiple dependencies and GitHub Action versions across the project. It bumps the astral-sh/setup-uv action to v7.6.0 in three workflows, updates the spellcheck action to v0.60.0, upgrades TypeScript ESLint to ^8.57.0, and bumps Uvicorn and pytest-asyncio in the Python environment.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions: uv installer (.github/workflows/playwright.yml, .github/workflows/pylint.yml, .github/workflows/tests.yml) | Updated astral-sh/setup-uv action from v5.4.2 to v7.6.0 across three workflows. |
| GitHub Actions: spellcheck (.github/workflows/spellcheck.yml) | Updated rojopolis/spellcheck-github-actions action from v0.59.0 to v0.60.0. |
| Node.js dependencies (app/package.json) | Bumped typescript-eslint from ^8.38.0 to ^8.57.0. |
| Python dependencies (pyproject.toml) | Bumped uvicorn from ~=0.41.0 to ~=0.42.0 and pytest-asyncio from ~=1.2.0 to ~=1.3.0. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop, hop, hooray! The versions ascend,
Each action and package renewed, my friend!
From v5 to v7, the tooling soars high,
Dependencies dance 'neath the CI/CD sky!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore(deps): combine all dependabot dependency updates' accurately and clearly summarizes the primary change—consolidating multiple Dependabot PRs into a single update to reduce merge noise. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

railway-app bot commented Mar 27, 2026

🚅 Deployed to the QueryWeaver-pr-504 environment in queryweaver

| Service | Status | Web | Updated (UTC) |
|---|---|---|---|
| QueryWeaver | ⏭️ Skipped | Web | Mar 27, 2026 at 3:14 pm |

@github-actions
Dependency Review

The following issues were found:

  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 4 package(s) with unknown licenses.

railway-app bot temporarily deployed to queryweaver / QueryWeaver-pr-504 on March 27, 2026 15:09 (Destroyed)

overcut-ai bot left a comment

Review Summary

  • Total findings: 1
  • By severity: 1 MAJOR (0 BLOCKER, 0 CRITICAL, 0 MINOR, 0 SUGGESTION, 0 PRAISE)
  • Affected files: app/package-lock.json

Key Theme

  • Dependency/tooling upgrade introduces a potentially incompatible Node engine requirement in the lint toolchain.

Next Steps

  1. Ensure CI and local development Node versions satisfy the new transitive engine constraints, or
  2. Pin typescript-eslint (and related transitive deps) to a compatible range before merging.
  3. Re-run install/lint in CI after adjustment to confirm deterministic success.

Copilot AI left a comment

Pull request overview

Rolls up multiple Dependabot updates into a single dependency-refresh PR across backend (uv/Python), frontend (npm/app), and CI workflows to reduce merge noise while keeping the repo on current patch/minor releases.

Changes:

  • Updated Python dependency lockfile (uv.lock) and adjusted pyproject.toml constraints for uvicorn and pytest-asyncio.
  • Updated frontend tooling dependency typescript-eslint in app/ and refreshed npm lockfiles.
  • Bumped GitHub Actions used in CI (notably astral-sh/setup-uv and the spellcheck action).

Reviewed changes

Copilot reviewed 6 out of 9 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| uv.lock | Refreshes locked Python dependency versions (including transitive additions). |
| pyproject.toml | Updates Python dependency constraints (uvicorn, pytest-asyncio). |
| package-lock.json | Refreshes root lockfile used by workflows that run npm ci at repo root. |
| app/package.json | Bumps typescript-eslint version range. |
| app/package-lock.json | Updates app lockfile for the typescript-eslint bump and related tree changes. |
| .github/workflows/tests.yml | Updates astral-sh/setup-uv action pin. |
| .github/workflows/pylint.yml | Updates astral-sh/setup-uv action pin. |
| .github/workflows/playwright.yml | Updates astral-sh/setup-uv action pin (workflow also uses root npm ci). |
| .github/workflows/spellcheck.yml | Updates spellcheck action pin. |

Files not reviewed (1)
  • app/package-lock.json: Language not supported

gkorland merged commit 9d986cd into staging on Mar 27, 2026 (17 of 18 checks passed)
gkorland deleted the chore/combined-dependabot-updates branch on March 27, 2026 15:45