
chore(deps): batch upgrade safe dependabot bumps #1533

Merged: Djauron merged 5 commits into main from chore/deps-upgrade-batch on May 15, 2026
@Djauron Djauron commented May 12, 2026

Bundles the four green dependabot bumps that pass type-check and dev server boot, plus the biome 2.4.13 lint auto-fix it requires:

Biome 2.4.13 strengthened lint/complexity/noExtraBooleanCast so the auto-fix removes two redundant !! casts:

  • TriggerObjectDetail.tsx:79
  • ReviewScreeningMatch.tsx:103

Excluded from this branch:

Summary by CodeRabbit

  • Chores

    • Updated development tool dependencies including lefthook, router plugins, and testing utilities to latest compatible versions.
    • Bumped core framework dependencies to latest patch versions.
  • Refactor

    • Simplified conditional logic in component rendering checks.


Bundles the four green dependabot bumps that pass type-check and
dev server boot, plus the biome 2.4.13 lint auto-fix it requires:

- lefthook 1.13.6 -> 2.1.6 (PR #1514, dev-only)
- decode-formdata 0.8.0 -> 0.9.0 (PR #1527; type-only diff)
- @faker-js/faker 9.9.0 -> 10.4.0 (PR #1525; test/storybook only)
- @biomejs/biome 2.4.12 -> 2.4.13 + @tanstack/react-start &
  router-plugin patches (PR #1524)

Biome 2.4.13 strengthened lint/complexity/noExtraBooleanCast so
the auto-fix removes two redundant `!!` casts:
- TriggerObjectDetail.tsx:79
- ReviewScreeningMatch.tsx:103

Excluded from this branch:
- react-i18next 15 -> 17 (PR #1526): blocked, needs i18next core
  bumped from 23 to >= 26 (peer dep).

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@coderabbitai coderabbitai Bot added the M medium label May 12, 2026

coderabbitai Bot commented May 12, 2026

Warning

Rate limit exceeded

@Djauron has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 37 minutes and 14 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9b909f84-b5aa-49ca-8fde-a73ab298ab33

📥 Commits

Reviewing files that changed from the base of the PR and between 01b3475 and 2197fe3.

📒 Files selected for processing (2)
  • README.md
  • package.json
📝 Walkthrough


This pull request updates dependencies across the monorepo and simplifies redundant boolean coercions in two component render conditions. Lefthook and workspace package dependencies are bumped to newer patch/minor versions, and boolean checks in React component conditionals are streamlined from explicit !! coercion to direct truthiness evaluation.

Changes

Maintenance Updates

| Layer / File(s) | Summary |
| --- | --- |
| Dependency version bumps: package.json, packages/app-builder/package.json, packages/ui-design-system/package.json | Lefthook upgraded from ^1.13.0 to ^2.1.6; TanStack Router Plugin and React Start bumped in app-builder; decode-formdata range updated to ^0.9.0; @faker-js/faker updated to ^10.4.0 in ui-design-system. |
| Code simplifications: packages/app-builder/src/components/Decisions/TriggerObjectDetail.tsx, packages/app-builder/src/components/Screenings/ReviewScreeningMatch.tsx | Removed redundant double-negation boolean coercions; render conditionals now rely directly on value truthiness rather than explicit !! checks. |

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested Labels

M

Suggested Reviewers

  • Pascal-Delange
  • william-schlegel

Poem

🎭 A patch here, a bump there,
Boolean knots we did pare,
The code flows more clear,
As dependencies veer,
To versions more fresh in the air. 📦

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: a batch upgrade of dependencies managed by Dependabot that have passed validation checks. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/ui-design-system/package.json`:
- Line 18: Add a root package.json "engines" entry to enforce a minimum Node.js
version compatible with `@faker-js/faker` v10 (e.g., "node": ">=20.19.0") so CI
and developer machines use a supported runtime; update any CI config to use that
Node version if needed. Confirm the project remains ESM-compatible (no CommonJS
entry points) and that the dependency "@faker-js/faker" in package.json is
intentionally ESM-only. Ensure the engines policy is documented in
CONTRIBUTING/README if present.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5763bd04-c598-4666-b900-b8c9230d3d0a

📥 Commits

Reviewing files that changed from the base of the PR and between 251ded5 and 01b3475.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (5)
  • package.json
  • packages/app-builder/package.json
  • packages/app-builder/src/components/Decisions/TriggerObjectDetail.tsx
  • packages/app-builder/src/components/Screenings/ReviewScreeningMatch.tsx
  • packages/ui-design-system/package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: check / main
  • GitHub Check: e2e
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx,js,jsx,json,css}

📄 CodeRabbit inference engine (CLAUDE.md)

Run bun run format:write to format all files according to Biome standards

Files:

  • package.json
  • packages/app-builder/src/components/Screenings/ReviewScreeningMatch.tsx
  • packages/ui-design-system/package.json
  • packages/app-builder/src/components/Decisions/TriggerObjectDetail.tsx
  • packages/app-builder/package.json
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Import internal app-builder models using the path alias @app-builder/models/*
Import UI components from ui-design-system using direct imports like import { Button, Modal, Select, cn } from 'ui-design-system'
Use TanStack Query hooks for server state management, importing from @app-builder/queries/*
Use TanStack Form for form handling
Use Zod for schema validation

Files:

  • packages/app-builder/src/components/Screenings/ReviewScreeningMatch.tsx
  • packages/app-builder/src/components/Decisions/TriggerObjectDetail.tsx
packages/app-builder/src/components/**/*.tsx

📄 CodeRabbit inference engine (CLAUDE.md)

Organize app-builder source code into feature-specific component folders (Cases/, Decisions/, etc.) within the components directory

Files:

  • packages/app-builder/src/components/Screenings/ReviewScreeningMatch.tsx
  • packages/app-builder/src/components/Decisions/TriggerObjectDetail.tsx
packages/app-builder/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Run bun run type-check in app-builder and ui-design-system packages to verify TypeScript types

Files:

  • packages/app-builder/src/components/Screenings/ReviewScreeningMatch.tsx
  • packages/app-builder/src/components/Decisions/TriggerObjectDetail.tsx
🧠 Learnings (1)
📚 Learning: 2026-05-11T13:00:53.337Z
Learnt from: william-schlegel
Repo: checkmarble/marble-frontend PR: 1503
File: packages/app-builder/src/components/ContinuousScreening/context/ListAndTopicDatasetConfigurationBridge.tsx:13-20
Timestamp: 2026-05-11T13:00:53.337Z
Learning: In checkmarble/marble-frontend, calls to `createSharp` from the `sharpstate` library should be treated as if they were a React hook. In React `.tsx` components, call `createSharp` unconditionally at the top level of the component function body (not inside conditionals or nested functions). Do not place `createSharp` inside `useMemo`, `useCallback`, `useEffect`, or any other hook, and do not suggest wrapping it in `useMemo`—that is incorrect and should be flagged during review.

Applied to files:

  • packages/app-builder/src/components/Screenings/ReviewScreeningMatch.tsx
  • packages/app-builder/src/components/Decisions/TriggerObjectDetail.tsx
🔇 Additional comments (4)
packages/app-builder/src/components/Decisions/TriggerObjectDetail.tsx (1)

79-79: LGTM!

packages/app-builder/src/components/Screenings/ReviewScreeningMatch.tsx (1)

103-103: LGTM!

Fair prince, this change doth please me well indeed,
For what was once made doubly boolean cast
Now stands in simple truth, as nature planned.
The whitelist form shall render just the same—
When status speaks of 'no_hit' and identifier
Doth hold a truthy value in its keep.

package.json (1)

9-9: ⚡ Quick win

Lefthook v2 does have breaking changes—but this project's config should be fine.

The leap from v1.13.0 to v2.1.6 does introduce breaking changes: the exclude option no longer supports regex (only globs), skip_output was dropped in favor of output, CLI arguments were renamed, and the command executor changed to Bourne Shell on Windows. However, your lefthook.yml uses straightforward features (glob for patterns, simple run commands, stage_fixed for staging) that aren't affected by these changes. No action needed unless you customize the config later.

packages/app-builder/package.json (1)

98-98: ⚡ Quick win

Verify the decode-formdata upgrade doesn't alter form data parsing behavior.

The library is used across critical server functions (cases.ts, data.ts) for parsing FormData with array configurations. Though Zod schemas provide validation, no public changelog documents the 0.8.0 → 0.9.0 changes, and no tests specifically verify decode-formdata behavior. Consider adding tests that compare parsing results across versions or confirming the upgrade in a staging environment before deployment. In the words of the Bard: "To trust or not to trust the unseen change—that is the question."

Comment thread packages/ui-design-system/package.json
Djauron and others added 2 commits May 12, 2026 15:58
Adds a root `engines.node` field that mirrors @faker-js/faker v10's
own requirement: ^20.19.0 || ^22.13.0 || ^23.5.0 || >=24.0.0.

The looser ">=20.19.0" sometimes recommended in tooling output is
inaccurate — faker explicitly excludes 21.x and 22.0–22.12 — so the
field stays in lock-step with the upstream constraint.

CI already uses `.tool-versions` (nodejs 22.18.0) which falls inside
this range, so no workflow changes are needed. A short pointer was
added to README to make the policy discoverable.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
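
Added example, not part of the pull request or the project's code: a minimal JavaScript evaluator for the `||`, `^` and `>=` range forms, run against the `engines.node` range from the commit message above and the looser `>=20.19.0` it rejects. The function names and the sample version list are constructed for illustration; this is not the npm `semver` package and it does not handle prerelease tags.

```javascript
// Ranges taken from the commit message above.
const FAKER_RANGE = '^20.19.0 || ^22.13.0 || ^23.5.0 || >=24.0.0';
const LOOSE_RANGE = '>=20.19.0'; // the looser form the commit message calls inaccurate

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
const parse = (v) => {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
};

// Three-way comparison of parsed versions.
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// Exclusive upper bound of a caret range: bump the left-most non-zero part.
const caretCeiling = ([maj, min, pat]) => {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
};

// True when `version` matches at least one `||` alternative of `range`.
function satisfies(version, range) {
  const v = parse(version);
  return range.split('||').some((alt) => {
    const term = alt.trim();
    if (term.startsWith('^')) {
      const lo = parse(term.slice(1));
      return cmp(v, lo) >= 0 && cmp(v, caretCeiling(lo)) < 0;
    }
    if (term.startsWith('>=')) return cmp(v, parse(term.slice(2))) >= 0;
    throw new Error(`unsupported comparator: ${term}`);
  });
}

// Versions the loose range would admit but the upstream range rejects.
function falselyAccepted(versions) {
  return versions.filter((v) => satisfies(v, LOOSE_RANGE) && !satisfies(v, FAKER_RANGE));
}

// Constructed sample versions; 22.18.0 is the .tool-versions value named above.
const SAMPLES = ['20.18.0', '20.19.0', '21.7.3', '22.12.0', '22.13.0', '22.18.0', '23.4.0', '24.0.0'];
console.log(falselyAccepted(SAMPLES)); // -> [ '21.7.3', '22.12.0', '23.4.0' ]
```

The CI runtime 22.18.0 satisfies the strict range, while each version returned by `falselyAccepted` would pass an `engines` check written as `>=20.19.0` and still fall outside the upstream range.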

@william-schlegel william-schlegel left a comment


lgtm

@Djauron Djauron enabled auto-merge (squash) May 15, 2026 07:43
@Djauron Djauron merged commit 3d8fb15 into main May 15, 2026
6 checks passed
@Djauron Djauron deleted the chore/deps-upgrade-batch branch May 15, 2026 13:11