
chore: update dependencies#1969

Open
mfts wants to merge 1 commit into main from chore/dependencies

Conversation

@mfts (Owner) commented Dec 21, 2025

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated multiple project dependencies to their latest versions for improved stability and compatibility.


vercel bot commented Dec 21, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: papermark | Deployment: Ready | Review: Preview, Comment | Updated (UTC): Dec 21, 2025 2:52pm

coderabbitai bot (Contributor) commented Dec 21, 2025

Walkthrough

Dependency versions updated across multiple packages in package.json. Updated packages include ai-sdk, AWS SDK v3 components, @next/third-parties, ai, autoprefixer, notion-client, openai, posthog-js, react-email, react-notion-x, and swr. No new dependencies or public API changes introduced.

Changes

Cohort / File(s): Dependency Version Updates (package.json)
Change Summary: Incremented versions for 13 dependencies: ai-sdk (openai ^2.0.86→^2.0.88, react ^2.0.115→^2.0.118), AWS SDK v3 packages to ^3.956.0, @next/third-parties ^16.0.10→^16.1.0, ai ^5.0.113→^5.0.116, autoprefixer ^10.4.22→^10.4.23, notion-client/utils ^7.7.1→^7.7.3, openai ^6.10.0→^6.15.0, posthog-js ^1.306.1→^1.309.1, react-email ^5.0.8→^5.1.0, react-notion-x ^7.7.1→^7.7.3, swr ^2.3.7→^2.3.8

Pre-merge checks

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: a routine dependency version update across multiple packages with no new dependencies or public API changes.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d23ee84 and a4552cc.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json (5 hunks)
🔇 Additional comments (3)
package.json (3)

25-29: Good practice: AWS SDK packages updated consistently.

All AWS SDK packages are updated to the same version (3.956.0), which helps avoid compatibility issues between different AWS SDK components.


39-39: No breaking changes or migration steps required. The @next/third-parties team tries its very best not to introduce any breaking changes whatsoever. @next/third-parties is still experimental and under active development, and this is a standard minor version bump that maintains backward compatibility.


121-121: OpenAI SDK update from 6.10.0 to 6.15.0 is safe to proceed. No breaking changes or required migrations are documented between these versions—changes consist of API updates and new feature additions.

Comment on lines +23 to +24
"@ai-sdk/openai": "^2.0.88",
"@ai-sdk/react": "^2.0.118",
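Review bot: The caret ranges on `"@ai-sdk/openai": "^2.0.88"` and `"@ai-sdk/react": "^2.0.118"` let npm resolve any later 2.x release, and package-lock.json is excluded from this review by the `!**/package-lock.json` path filter, so the versions that will actually be installed are not visible in the hunk; consider surfacing the resolved versions (or the lockfile diff) in the PR so reviewers can check them against the supply-chain concerns raised for this dependency block.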
coderabbitai bot (Contributor) commented:

⚠️ Potential issue | 🔴 Critical

Critical: Address React Server Components (CVE-2025-55182) and Shai-Hulud 2.0 supply chain attack impacts before merging.

CVE-2025-55182 is a critical pre-authentication remote code execution vulnerability affecting React Server Components, Next.js, and related frameworks, with CVSS 10.0 rating. Default configurations are vulnerable – a standard Next.js app created with create-next-app and built for production can be exploited with no code changes. Exploitation has been observed in the wild. The @next/third-parties@16.1.0 update is affected by this vulnerability.

Additionally, posthog-js was compromised on November 24, 2025 in the Shai-Hulud 2.0 supply chain attack, with malicious self-replicating worm releases published to npm. The malware can steal npm or GitHub tokens, cloud credentials (AWS, Azure, GCP), CI/CD secrets, environment variables, and other sensitive data from developer machines or build systems. Verify that posthog-js@1.309.1 is not a compromised version and that no credentials were exposed if installed pre-November 25, 2025.

AWS SDK packages were part of the Shai-Hulud 2.0 attack, which targeted AWS, Azure, and Google Cloud Platform by bundling official SDKs. Confirm the AWS SDK versions (3.956.0) are clean and audit for any unauthorized activity in your AWS environments.

🤖 Prompt for AI Agents
package.json lines 23-24: the dependency block includes packages that may be
impacted by recent critical supply-chain and RCE vulnerabilities (React Server
Components CVE-2025-55182 and Shai-Hulud 2.0 compromise); update or pin affected
packages to patched versions (upgrade React/Next-related packages and
@next/third-parties to a non-vulnerable release), remove or replace posthog-js
or confirm it is not v1.309.1 (if it was installed before 2025-11-25 assume
compromise and remove), verify AWS SDK packages are updated to known-good
releases, regenerate package-lock (or yarn.lock) and run npm/yarn audit and SCA
(e.g., Snyk, OSS Index, GitHub Dependabot) to confirm no other vulnerable
transitive deps, and if any compromised packages were present in build or dev
environments rotate all tokens/credentials and audit cloud account activity.
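The verification the comment above asks for (confirm which versions of posthog-js, @next/third-parties and the @aws-sdk/* packages the lockfile actually resolves, and that each comes from the npm registry with an integrity hash), as an added example that is not part of this PR or the papermark project: a Node script that audits an npm package-lock.json in its `packages` layout against a team-maintained denylist. The lockfile fragment, the denylisted version `0.0.0-placeholder` and the mirror URL are constructed placeholders, not real releases or hosts.

```javascript
// Added example, not code from this PR or the papermark project: audit the
// resolved versions in an npm package-lock.json ("packages" layout) for the
// packages this PR bumps. All data is CONSTRUCTED; "0.0.0-placeholder" stands
// in for a real compromised release and is not an actual version of anything.
const TRUSTED_HOST = "https://registry.npmjs.org/";
const WATCHED = ["posthog-js", "@next/third-parties", "@aws-sdk/"]; // trailing "/" = whole scope
const DENYLIST = { "posthog-js": ["0.0.0-placeholder"] }; // placeholder entry only

const SAMPLE_LOCK = { // constructed lockfile fragment
  packages: {
    "node_modules/posthog-js": {
      version: "1.309.1",
      resolved: "https://registry.npmjs.org/posthog-js/-/posthog-js-1.309.1.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/@aws-sdk/client-s3": { // integrity deliberately absent
      version: "3.956.0",
      resolved: "https://registry.npmjs.org/@aws-sdk/client-s3/-/client-s3-3.956.0.tgz",
    },
    "node_modules/@next/third-parties": { // tarball not from the registry
      version: "16.1.0",
      resolved: "https://mirror.invalid/third-parties-16.1.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b" (nested installs included).
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? null : lockPath.slice(i + "node_modules/".length);
}
function isWatched(name) {
  return WATCHED.some((w) => (w.endsWith("/") ? name.startsWith(w) : name === w));
}

// One finding per problem: denylisted version, missing integrity hash, or a tarball resolved from outside the registry.
function auditLock(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (!name || !isWatched(name)) continue;
    const flag = (issue) => findings.push({ name, version: entry.version, issue });
    if ((DENYLIST[name] || []).includes(entry.version)) flag("denylisted version");
    if (!entry.integrity) flag("missing integrity hash");
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_HOST)) flag("non-registry source");
  }
  return findings;
}
const SAMPLE_FINDINGS = auditLock(SAMPLE_LOCK); // two findings for the fragment above
```

Point `auditLock` at `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to run it against a real lockfile; a clean result is one input to the decision, not a substitute for `npm audit` and an SCA scan.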

