
chore: bump dependency resolutions#28889

Merged
hbjORbj merged 6 commits into main from chore/bump-resolutions, Apr 14, 2026

Conversation

@pedroccastro
Contributor

What does this PR do?

Refreshes yarn resolutions and direct dependency pins to keep the transitive dependency tree current. Updates existing resolutions to newer patch/minor versions and adds resolutions for packages that have drifted across multiple version ranges in the tree.

Changes

Direct dependency bumps:

| File | Package | From | To |
| --- | --- | --- | --- |
| apps/web/package.json | next | 16.1.5 | 16.2.3 |
| apps/web/package.json | dompurify | 3.3.1 | 3.3.2 |
| apps/api/v1/package.json | next | 16.1.5 | 16.2.3 |
| packages/platform/examples/base/package.json | next | 16.1.5 | 16.2.3 |
| example-apps/credential-sync/package.json | next | 14.2.35 | 15.5.15 |
| packages/platform/atoms/package.json | dompurify / vite | 3.3.1 / 6.4.1 | 3.3.2 / 6.4.2 |
| packages/platform/libraries/package.json | vite | 6.4.1 | 6.4.2 |
| packages/embeds/{embed-core,embed-react,embed-snippet}/package.json | vite | 6.4.1 | 6.4.2 |
| packages/kysely/package.json | kysely | 0.28.2 | 0.28.14 |

Root package.json resolutions — updates to existing entries: rollup, qs, node-forge, serialize-javascript, tar, lodash, lodash-es, fast-xml-parser, @lingo.dev/_compiler/fast-xml-parser.

Root package.json resolutions — new entries: webpack, systeminformation, path-to-regexp (two ranges), picomatch (seven ranges), hono, express-rate-limit, svgo, bn.js, minimatch (range-specific entries for 3.x/5.x/8.x/9.x/10.x), multer, flatted, socket.io-parser, vite, defu, immutable, @hono/node-server, @xmldom/xmldom (split by 0.8.x and 0.9.x), yaml (multiple 2.x ranges), ajv (6.x and 8.x ranges), brace-expansion.

Context

Yarn 4 resolutions match specific declared descriptors, so packages with the same major line pinned via different ranges (exact / tilde / caret) each need their own resolution entry. This is why minimatch, yaml, ajv, picomatch, and @xmldom/xmldom appear multiple times — each entry covers a distinct descriptor actually declared in the tree.

How should this be tested?

  1. yarn install completes without errors
  2. CI/CD pipeline validates build

Mandatory Tasks

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • N/A I have updated the developer docs in /docs if this PR makes changes that would require a documentation change.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

@pedroccastro pedroccastro requested review from a team as code owners April 14, 2026 15:51
@pedroccastro pedroccastro marked this pull request as draft April 14, 2026 16:00
@coderabbitai
Contributor

coderabbitai bot commented Apr 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0d186580-9db1-4598-bb54-936d4cf67012

📥 Commits

Reviewing files that changed from the base of the PR and between c8374d6 and bd97c97.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

📝 Walkthrough

This pull request updates dependency versions across the monorepo: Next.js is bumped in several packages (multiple from 16.1.5 → 16.2.3; one example from 14.2.35 → 15.5.15). Vite is updated from 6.4.1 → 6.4.2 in several packages. DOMPurify, Kysely, and other package dependencies are version-bumped. The root package.json gains extensive Yarn resolution pins and updates to many transitive dependency versions (including rollup, serialize-javascript, node-forge, lodash, and others). No source exports or public API declarations were changed.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'chore: bump dependency resolutions' accurately summarizes the main change—updating yarn resolutions and dependency pins across the codebase. |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, providing context about the dependency updates, listing specific changes with a detailed table, and explaining the rationale for Yarn 4 descriptor-specific resolutions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@example-apps/credential-sync/package.json`:
- Line 13: The page is using App Router hooks (useRouter, useSearchParams, usePathname from next/navigation) inside a Pages Router component which can yield null values; replace these with the Pages Router API from next/router, read query params from router.query and guard your redirect logic with router.isReady inside useEffect so you only compute and act on appSlug and userId after the router is initialized; update any top-level reads of searchParams?.get(...) to instead derive const { appSlug, userId } = router.query (or parse them inside the isReady useEffect) and perform push/replace redirects there.

In `@package.json`:
- Around line 162-168: The package.json root-level overrides for "svgo" and "serialize-javascript" are unscoped and thus apply broadly; change them to descriptor-scoped resolutions that match the exact yarn.lock descriptors (e.g., "svgo@<exact-version-or-descriptor>" and "serialize-javascript@<exact-version-or-descriptor>") following the same scoping pattern used for "picomatch", "minimatch", "yaml", and "ajv" in this block so only the intended transitive packages are pinned and you preserve correct dependency resolution/auditing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 252d5ac7-fb91-46fa-9e4f-ed48c74bcbc1

📥 Commits

Reviewing files that changed from the base of the PR and between c0d105e and c8374d6.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (11)
  • apps/api/v1/package.json
  • apps/web/package.json
  • example-apps/credential-sync/package.json
  • package.json
  • packages/embeds/embed-core/package.json
  • packages/embeds/embed-react/package.json
  • packages/embeds/embed-snippet/package.json
  • packages/kysely/package.json
  • packages/platform/atoms/package.json
  • packages/platform/examples/base/package.json
  • packages/platform/libraries/package.json
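The Context section of the PR description and CodeRabbit's comment about the unscoped svgo and serialize-javascript entries turn on the same point: a Yarn 4 resolution key pins only the descriptors it literally names, so a tree that declares ^3.0.4 and ^3.1.1 of the same package needs two keys. The script below is an added example, not code from this PR or from the project. It models that matching rule over a constructed yarn.lock excerpt and a constructed resolutions block (every package name, range and version in it is a sample value), and reports which declared ranges each key covers, which keys match nothing in the tree, which keys are unscoped, and which declared ranges of a pinned package are left uncovered. It is a simplified model of Yarn's resolver, not a reimplementation: the parent-scoped key form (the page's @lingo.dev/_compiler/fast-xml-parser entry) is deliberately not handled.

```javascript
// Added example (not the project's code): model how Yarn 4 "resolutions" keys
// map onto the descriptors declared in a Berry-format yarn.lock, so a reviewer
// can see which transitive ranges a pin really covers.
//
// Simplified model (assumption, not Yarn's actual resolver):
//   "name"        -> covers every descriptor of that package (broad, unscoped)
//   "name@range"  -> covers only descriptors whose declared range is exactly
//                    that string; "^3.0.4" does not cover "^3.1.1"
//   "parent/dep"  -> not modelled here

// Constructed yarn.lock excerpt in Yarn Berry format; not the real lockfile.
const SAMPLE_YARN_LOCK = `
"minimatch@npm:^3.0.4, minimatch@npm:^3.1.1":
  version: 3.1.2
  resolution: "minimatch@npm:3.1.2"

"minimatch@npm:^5.0.1":
  version: 5.1.0
  resolution: "minimatch@npm:5.1.0"

"minimatch@npm:~9.0.3":
  version: 9.0.3
  resolution: "minimatch@npm:9.0.3"

"@xmldom/xmldom@npm:^0.8.0":
  version: 0.8.10
  resolution: "@xmldom/xmldom@npm:0.8.10"

"svgo@npm:^3.0.0":
  version: 3.0.2
  resolution: "svgo@npm:3.0.2"
`;

// Constructed resolutions block; target versions are placeholders.
const SAMPLE_RESOLUTIONS = {
  "minimatch@^3.0.4": "3.1.2",
  "minimatch@^3.1.1": "3.1.2",
  "minimatch@^9.0.0": "9.0.5", // nothing in the sample tree declares ^9.0.0
  "svgo": "3.3.2",             // unscoped: applies to every svgo descriptor
};

// "@scope/name@npm:^1.0.0" -> { name: "@scope/name", range: "^1.0.0" }
// "svgo"                    -> { name: "svgo", range: null }
function splitDescriptor(desc) {
  const at = desc.lastIndexOf("@");
  if (at <= 0) return { name: desc, range: null }; // no range, or only a scope "@"
  return { name: desc.slice(0, at), range: desc.slice(at + 1).replace(/^npm:/, "") };
}

// Line-based parse of the lockfile: a top-level key lists one or more
// descriptors; the indented "version:" beneath it is their resolved version.
function parseLockDescriptors(lockText) {
  const descriptors = [];
  let pending = [];
  for (const line of lockText.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.trim().endsWith(":")) {
      const key = line.trim().slice(0, -1).replace(/^"|"$/g, "");
      // skip the "__metadata" block a real lockfile starts with
      pending = key.startsWith("__") ? [] : key.split(",").map((s) => s.trim());
      continue;
    }
    const m = line.match(/^\s+version:\s*"?([^"\s]+)"?/);
    if (m) {
      for (const d of pending) descriptors.push({ ...splitDescriptor(d), version: m[1] });
      pending = [];
    }
  }
  return descriptors;
}

// For each resolution key, list the descriptors it covers; flag keys that match
// nothing (stale), keys with no range (unscoped), and declared ranges of a
// pinned package that no key covers (drift the pin silently misses).
function auditResolutions(resolutions, descriptors) {
  const report = { covered: {}, stale: [], unscoped: [], uncovered: [] };
  const coveredIds = new Set();
  for (const key of Object.keys(resolutions)) {
    const { name, range } = splitDescriptor(key);
    const hits = descriptors.filter((d) => d.name === name && (range === null || d.range === range));
    if (range === null) report.unscoped.push(key);
    if (hits.length === 0) report.stale.push(key);
    report.covered[key] = hits.map((h) => `${h.name}@${h.range}`);
    for (const h of hits) coveredIds.add(`${h.name}@${h.range}`);
  }
  const pinnedNames = new Set(Object.keys(resolutions).map((k) => splitDescriptor(k).name));
  for (const d of descriptors) {
    const id = `${d.name}@${d.range}`;
    if (pinnedNames.has(d.name) && !coveredIds.has(id)) report.uncovered.push(id);
  }
  return report;
}

function auditSample() {
  return auditResolutions(SAMPLE_RESOLUTIONS, parseLockDescriptors(SAMPLE_YARN_LOCK));
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Run against the constructed sample, the report shows the two minimatch ^3 keys each covering exactly one declared range, the ^9.0.0 key covering nothing because the tree declares ~9.0.3, the unscoped svgo key covering every svgo descriptor, and minimatch@^5.0.1 and minimatch@~9.0.3 as declared ranges the pins leave untouched. Pointing parseLockDescriptors at a real yarn.lock and auditResolutions at the root package.json "resolutions" object gives the same three lists for the monorepo's actual tree, which is the check a reviewer wants before trusting that a pin closes a vulnerable range.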

@pedroccastro pedroccastro marked this pull request as ready for review April 14, 2026 16:38
@hbjORbj hbjORbj enabled auto-merge (squash) April 14, 2026 17:05
@github-actions
Contributor

github-actions bot commented Apr 14, 2026

E2E results are ready!

@hbjORbj hbjORbj merged commit fa77692 into main Apr 14, 2026
70 of 72 checks passed
@hbjORbj hbjORbj deleted the chore/bump-resolutions branch April 14, 2026 19:43