chore(deps): update glob dependency

[ymc9]

Bumps next from 16.0.1 to 16.0.7.

• Release notes
• Changelog
• Commits

---

updated-dependencies:

• dependency-name: next
  dependency-version: 16.0.7
  dependency-type: direct:production
  ...

Signed-off-by: dependabot[bot] [email protected]

Summary by CodeRabbit

• Chores
  • Updated internal dependency versions.

This release contains maintenance updates with no user-facing changes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[claude]

Claude finished @ymc9's task —— View job

---

PR Review: Next.js 16.0.1 → 16.0.7 Update

I've completed my review of this dependency update PR. Here's my comprehensive analysis:

Todo List:

• Read changed files to understand scope of updates
• Check Next.js usage across the codebase
• Research Next.js API usage patterns in the codebase
• Assess potential breaking changes and security improvements
• Provide comprehensive review feedback

---

📋 Review Summary

Overall Assessment: ✅ APPROVE with minor recommendation

This is a straightforward patch-level dependency update that appears safe to merge.

🔍 Changes Analysis

Scope of Changes

• Catalog Update: pnpm-workspace.yaml - Next.js version updated from 16.0.1 → 16.0.7
• Direct Dependencies:
  • samples/next.js/package.json - Next.js 16.0.7
  • packages/server/package.json - Next.js in devDependencies (catalog reference)
• Lock File: pnpm-lock.yaml with corresponding hash updates

ZenStack Next.js Integration

• Server Package: Provides Next.js adapters for both Pages Router and App Router
• API Usage: Uses standard Next.js types (NextApiRequest, NextRequest, NextResponse)
• Integration Points:
  • NextRequestHandler for API routes
  • Support for both legacy Pages API and modern App Router
  • Uses next/server for request handling

🎯 Code Quality Assessment

✅ Positive Aspects

1. Conservative Update: Patch-level version bump (16.0.1 → 16.0.7) minimizes breaking change risk
2. Proper Integration: ZenStack's Next.js adapter uses stable Next.js APIs that are unlikely to change in patch releases
3. Type Safety: Code properly uses TypeScript types from Next.js (NextRequest, NextApiRequest, etc.)
4. Test Coverage: Tests exist for the Next.js adapter functionality

⚠️ Issues Identified

Version Mismatch Issue

• File: samples/next.js/package.json:33
• Problem: eslint-config-next: "16.0.1" doesn't match the updated Next.js version 16.0.7
• Impact: Potential ESLint rule inconsistencies
• Recommendation: Update eslint-config-next to 16.0.7

🔒 Security Assessment

✅ No security concerns identified

• Patch-level updates typically contain bug fixes and minor improvements
• No changes to critical authentication or data handling code
• Standard dependency update from official Vercel/Next.js releases

🚀 Performance Considerations

✅ Likely positive impact

• Patch releases often include performance improvements and bug fixes
• No API changes that would impact ZenStack's usage patterns
• Bundle size impact should be minimal for patch updates

🧪 Test Coverage

✅ Adequate coverage exists

• Next.js adapter has dedicated test suite in packages/server/test/adapter/next.test.ts
• Tests cover both RPC and REST API handlers
• Sample app in samples/next.js/ provides integration testing

📝 Recommendations

Immediate Action Required

// samples/next.js/package.json
- "eslint-config-next": "16.0.1",
+ "eslint-config-next": "16.0.7",

Pre-merge Verification

1. ✅ Run the test suite: pnpm test
2. ✅ Verify the Next.js sample builds: cd samples/next.js && pnpm build
3. ✅ Check for any linting issues with updated eslint-config-next

🏁 Conclusion

This is a safe dependency update that should be merged after addressing the eslint-config-next version mismatch. The changes are minimal and follow semver patch-level guidelines, making breaking changes highly unlikely.

---

[coderabbitai]

Walkthrough

The pull request updates the "glob" dependency from ^11.0.2 to ^11.1.0 across three package.json files: the root package.json, packages/language/package.json, and packages/testtools/package.json. No other changes are present.

Changes

Cohort / File(s)	Summary
Dependency version bump package.json, packages/language/package.json, packages/testtools/package.json	Updated "glob" from ^11.0.2 to ^11.1.0 (devDependency in root and packages/language; dependency in packages/testtools)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Verify the updated version is semantically compatible and consistent across all three files
• Confirm no other dependency or lock file changes are required

Possibly related PRs

• merge dev to main (v3.0.0-beta.6) #267: Removed glob usage and plugin model discovery in packages/testtools/src/schema.ts; related as it affects the same package where the glob dependency is being updated.

Poem

🐰 A version hop across the land,
Three files updated, hand in hand,
Glob from 11.0.2 takes flight,
To 11.1.0, snug and tight,
Minor bumps make deps just right! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title references updating 'glob dependency', but the PR objectives indicate the main change is bumping 'next' from 16.0.1 to 16.0.7, creating a mismatch between the stated title and primary objective.	Update the PR title to accurately reflect the main change: 'chore(deps): bump next from 16.0.1 to 16.0.7' to match the PR's primary objective.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/update-deps

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between af39798 and e0c0c75.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• package.json (1 hunks)
• packages/language/package.json (1 hunks)
• packages/testtools/package.json (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-11-26T01:55:04.540Z

Learnt from: CR
Repo: zenstackhq/zenstack-v3 PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-26T01:55:04.540Z
Learning: Use `pnpm` with workspaces for package management, pinned to version `pnpm10.12.1`

Applied to files:

• packages/language/package.json
• packages/testtools/package.json

📚 Learning: 2025-11-26T01:55:04.540Z

Learnt from: CR
Repo: zenstackhq/zenstack-v3 PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-26T01:55:04.540Z
Learning: Applies to packages/zenstackhq/orm/**/*.{ts,tsx} : Implement plugin hooks at ORM, Kysely, and entity mutation levels for query interception and customization

Applied to files:

• packages/testtools/package.json

📚 Learning: 2025-11-26T01:55:04.540Z

Learnt from: CR
Repo: zenstackhq/zenstack-v3 PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-26T01:55:04.540Z
Learning: Applies to packages/zenstackhq/orm/**/*.{ts,tsx} : Use Kysely as the query builder interface for low-level database queries, avoiding raw SQL when possible

Applied to files:

• packages/testtools/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Agent
• GitHub Check: build-test (20.x, sqlite)
• GitHub Check: build-test (20.x, postgresql)
• GitHub Check: claude-review

🔇 Additional comments (4)

packages/language/package.json (1)

70-70: Consistent glob update across monorepo.

The glob dependency is updated to ^11.1.0, aligned with parallel updates in the root package.json and packages/testtools/package.json. This coordinated update maintains consistency.

packages/testtools/package.json (1)

40-40: glob placement in dependencies is correct and intentional.

The testtools package uses glob at runtime in packages/testtools/src/client.ts (imports glob and calls glob.sync() to match file patterns during test execution). Since this functionality is distributed as part of the package, glob must remain in the runtime dependencies section, not devDependencies. No change needed.

package.json (2)

1-43: PR is correctly updating glob dependency, not "next".

The git commit message confirms this is "chore: update glob dependency", and verification shows glob is updated to ^11.1.0 in three package.json files. The "next" package exists in the codebase but shows no version changes. The claim about a critical discrepancy between PR objectives and code cannot be verified—the actual changes match the stated purpose.

Likely an incorrect or invalid review comment.

---

27-27: glob ^11.1.0 is a safe security patch with no breaking changes.

The glob 11.1.0 update is a security fix addressing a CLI command-injection vulnerability (CVE-2025-64756 / GHSA-5j98-mcp5-4vw2) in the -c/--cmd option. No breaking changes are documented, and the library API (glob(), globSync(), iterators) remains unaffected. This update is safe to proceed with.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates Next.js from version 16.0.1 to 16.0.7 as part of a Dependabot-initiated dependency update. While the PR title mentions Next.js, the visible changes in the diffs are primarily related to transitive dependency updates, particularly the glob package and its dependencies, which are updated as a consequence of the Next.js version bump.

Key changes:

• Next.js version updated to 16.0.7 (via pnpm workspace catalog, file not shown in diffs)
• glob package updated from ^11.0.2 to ^11.1.0 across multiple packages
• Transitive dependencies updated including minimatch, jackspeak, lru-cache, and new @isaacs/balanced-match and @isaacs/brace-expansion packages

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File	Description
pnpm-lock.yaml	Updates lockfile with Next.js 16.0.7 resolution, glob 11.1.0, and various transitive dependency version changes including minimatch, jackspeak, and lru-cache
packages/testtools/package.json	Updates glob specifier from ^11.0.2 to ^11.1.0
packages/language/package.json	Updates glob specifier from ^11.0.2 to ^11.1.0
package.json	Updates glob specifier from ^11.0.2 to ^11.1.0 in root package

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.