⬆️(dependencies) upgrade Next.js 15 to 16, upgrade python dependencies #338

Merged
providenz merged 1 commit into main from providenz/deps-update
Mar 24, 2026
@providenz providenz commented Mar 19, 2026

Purpose

Fix dependencies security issues

cf #339

Proposal

Upgrade Next.js from 15 to 16 (thanks to @next/codemod@canary) and update Python dependencies.

Frontend

  • Next.js 15.3.9 → 16.2.0
  • React / React DOM 19.2.1 → 19.2.4
  • @types/react pinned to 19.2.14, @types/react-dom to 19.2.3
  • eslint-config-next 16.2.0 added
  • @playwright/test 1.52.0 → 1.56.0

next.config.js migrated from webpack to turbopack

  • Removed custom webpack config for SVG handling and micromark-extension-math alias
  • Replaced with turbopack.rules (SVG via @svgr/webpack) and turbopack.resolveAlias
  • Removed workbox-webpack-plugin and webpack dev dependencies

tsconfig.json

  • jsx changed from "preserve" to "react-jsx" (expected by turbopack)

Cleanup

  • Removed unused e2e dependencies (convert-stream, pdf-parse, @types/pdf-parse)
  • Deleted src/frontend/apps/e2e/type/convert-stream.d.ts
  • Removed cross-env, node-fetch, sass dev dependencies

cf. #339

Notes about turbopack (according to turbopack)

  • Turbopack is now the default bundler in Next.js 16

  • Faster dev server startup (written in Rust)

  • Faster HMR

  • Lower memory usage

  • Simpler config

  • Removed dev dependencies

  • Production builds still use the same output format

  • Existing loaders still work (Turbopack has a webpack compatibility layer)

  • No impact on runtime behavior or app performance - the gains are purely in build speed and DX

Backend (Python)

  • django-lasuite[all] 0.0.18 → 0.0.25
  • PyJWT 2.10.1 → 2.12.0
  • pypdf 6.8.0 → 6.9.1
  • joserfc>=1.6.3 (transient)

Summary by CodeRabbit

  • Changed

    • Upgraded Next.js to v16 and React/React DOM to v19.2.4; switched TypeScript JSX to the modern React JSX transform.
    • Updated backend Python package pins and enabled a new malware detection integration.
  • Chores

    • Pinned React type versions, added ESLint config, removed obsolete build/dev dependencies, and consolidated resolutions.
  • Tests

    • Updated Playwright test runner and removed obsolete PDF-related test dependencies.
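
A check that a set of backend requirement strings guarantees the Python versions listed in the description above, as an added example that is not code from this PR or repository. Treating the PR's target versions as minimum floors, the `==` operators in the sample pins, and the names `FLOORS`, `check`, `BEFORE` and `AFTER` are assumptions made for illustration.

```python
import re

# Floors = the versions this PR upgrades to (treating them as minimums is an assumption).
FLOORS = {
    "django-lasuite": "0.0.25",
    "pyjwt": "2.12.0",
    "pypdf": "6.9.1",
    "joserfc": "1.6.3",
}

# name, optional [extras], optional operator, optional dotted numeric version
REQ = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(==|>=|~=)?\s*(\d+(?:\.\d+)*)?"
)

def normalize(name):
    """PEP 503 name normalization, so 'PyJWT' and 'pyjwt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def vtuple(version, width=4):
    """Numeric comparison key, zero-padded so '2.12' equals '2.12.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def check(requirements):
    """Return {package: problem} for every floor the requirements do not guarantee."""
    declared = {}
    for line in requirements:
        m = REQ.match(line)
        if m:
            declared[normalize(m.group(1))] = (m.group(2), m.group(3))
    problems = {}
    for name, floor in FLOORS.items():
        if name not in declared:
            problems[name] = "not declared"
            continue
        op, ver = declared[name]
        if op is None or ver is None:
            problems[name] = "no lower bound"
        elif vtuple(ver) < vtuple(floor):  # ==, >= and ~= all start at `ver`
            problems[name] = f"{op}{ver} is below {floor}"
    return problems

# Constructed sample inputs built from the version numbers in the PR description.
BEFORE = ["django-lasuite[all]==0.0.18", "PyJWT==2.10.1", "pypdf==6.8.0"]
AFTER = ["django-lasuite[all]==0.0.25", "PyJWT==2.12.0", "pypdf==6.9.1", "joserfc>=1.6.3"]

if __name__ == "__main__":
    print(check(BEFORE))
    print(check(AFTER))
```
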

coderabbitai bot commented Mar 19, 2026

Walkthrough

Upgrade frontend stack (Next.js 15 → 16, React → 19.2.4), move SVG and micromark aliasing from custom Webpack to Turbopack, adjust TypeScript JSX mode, remove obsolete deps and types, and bump several backend Python dependency pins.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Changelog: CHANGELOG.md | Added an Unreleased "Changed" entry noting Next.js and Python dependency upgrades. |
| Conversations app: build config & types: src/frontend/apps/conversations/next.config.js, src/frontend/apps/conversations/next-env.d.ts, src/frontend/apps/conversations/tsconfig.json | Replaced custom Webpack SVG handling and micromark alias with Turbopack config; imported ./.next/dev/types/routes.d.ts; changed TS JSX from preserve → react-jsx. |
| Conversations app: deps & tooling: src/frontend/apps/conversations/package.json | Bumped next → 16.2.0, react/react-dom → 19.2.4; pinned @types/react/@types/react-dom; added eslint/eslint-config-next; removed legacy dev/runtime deps (e.g., webpack, node-fetch, sass, workbox-webpack-plugin). |
| E2E tests: deps & types: src/frontend/apps/e2e/package.json, src/frontend/apps/e2e/type/convert-stream.d.ts | Upgraded @playwright/test 1.52.0 → 1.56.0; removed convert-stream and pdf-parse from runtime deps and deleted ambient convert-stream type; removed @types/pdf-parse. |
| Frontend root resolutions: src/frontend/package.json | Updated resolutions to align react, react-dom, @types/react, and @types/react-dom with bumped versions. |
| Backend deps: src/backend/pyproject.toml, src/backend/conversations/settings.py | Bumped Python pins: django-lasuite[all] 0.0.18 → 0.0.25, PyJWT 2.10.1 → 2.12.0, pypdf 6.8.0 → 6.9.1; added lasuite.malware_detection to INSTALLED_APPS. |

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

frontend, dependencies

Suggested reviewers

  • qbey

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main changes: upgrading Next.js from 15 to 16 and upgrading Python dependencies, which aligns with the comprehensive dependency updates across the entire changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
src/frontend/apps/conversations/package.json (2)

81-81: Consider pinning TypeScript version explicitly.

Using "typescript": "*" relies entirely on the workspace resolution (5.8.3 from root package.json). While this works due to Yarn workspaces, it's less explicit and could cause confusion if someone installs dependencies in this package directly.

♻️ Suggested change
-    "typescript": "*"
+    "typescript": "5.8.3"
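Review bot: the added line "typescript": "5.8.3" hard-codes a version that, per the comment above, is already set in the root package.json, so the same number now lives in two files and has to be bumped in both. If the explicit pin is wanted, a note on the next TypeScript upgrade or a check that compares the two files would keep them from drifting apart.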
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/frontend/apps/conversations/package.json` at line 81, The dependency
entry '"typescript": "*"' is too loose—replace it with an explicit version or a
workspace-aware spec to avoid ambiguity; update the package.json dependency for
TypeScript (the line with "typescript": "*") to either the concrete version used
in the workspace (e.g., "5.8.3") or a workspace protocol like "workspace:^5.8.3"
so this package resolves deterministically when installed directly.

83-86: Redundant resolutions block.

These resolutions duplicate what's already defined in the root src/frontend/package.json (lines 30-31). Yarn workspaces will use the root resolutions, making this block unnecessary.

♻️ Consider removing duplicate resolutions
-  },
-  "resolutions": {
-    "@types/react": "19.2.14",
-    "@types/react-dom": "19.2.3"
   }
 }
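Review bot: the removed lines are the only place this hunk shows the "@types/react": "19.2.14" and "@types/react-dom": "19.2.3" pins, so the deletion is safe only if the root src/frontend/package.json resolutions carry exactly those two values. Confirm that before applying, and regenerate yarn.lock afterwards to verify the resolved @types versions did not change.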

If kept for explicitness, ensure versions stay synchronized with the root package.json.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/frontend/apps/conversations/package.json` around lines 83 - 86, The
package's redundant "resolutions" block duplicates versions already set in the
monorepo root and should be removed from
src/frontend/apps/conversations/package.json; locate the "resolutions" object
(containing "@types/react" and "@types/react-dom") and delete it, or if you must
keep it for clarity, update its entries to exactly match the root package.json
versions and add a comment explaining why it's duplicated to avoid drift.
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 6dd41e8 and 80df2dc.

⛔ Files ignored due to path filters (1)
  • src/frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (8)
  • CHANGELOG.md
  • src/frontend/apps/conversations/next-env.d.ts
  • src/frontend/apps/conversations/next.config.js
  • src/frontend/apps/conversations/package.json
  • src/frontend/apps/conversations/tsconfig.json
  • src/frontend/apps/e2e/package.json
  • src/frontend/apps/e2e/type/convert-stream.d.ts
  • src/frontend/package.json
💤 Files with no reviewable changes (1)
  • src/frontend/apps/e2e/type/convert-stream.d.ts

Signed-off-by: Laurent Paoletti <lp@providenz.fr>
@providenz providenz force-pushed the providenz/deps-update branch from 8b33512 to 9e37f71 Compare March 23, 2026 17:04
@providenz providenz merged commit 9e37f71 into main Mar 24, 2026
29 checks passed
@providenz providenz deleted the providenz/deps-update branch March 24, 2026 13:54