chore: Reduce npm vulnerability and attack surface across workspace #57

Merged: mattinannt merged 7 commits into main from codex/reduce-npm-attack-surface on Mar 29, 2026

Conversation

@mattinannt (Member)

Summary

This PR reduces the npm vulnerability and attack surface of the workspace by simplifying the tooling stack, removing avoidable dependencies and overrides, tightening the SDK runtime surface, and aligning the repo with current well-maintained package versions.

What changed

  • upgrade the workspace to current package versions, including Expo 55, React Native 0.84.1, Vite 8, Vitest 4.1, Turbo 2.8.21, and TypeScript 6
  • replace the repo ESLint/Prettier stack with a single Biome setup
  • replace the SDK declaration build path with plain tsc + tsc-alias
  • remove explicit Terser usage from the SDK build and rely on Vite 8 defaults
  • add real check-types tasks for both the SDK package and the playground app
  • align the repo Node engine with the actual Vite 8 minimum
  • switch GitHub Actions workflows to Node 24.x, the current LTS line
  • remove the entire pnpm.overrides block after verifying a fresh install still audits clean
  • tighten the embedded WebView permissions and navigation behavior in the React Native SDK
  • remove unused iOS privacy permission strings from the playground app config
  • split CI responsibilities more clearly by adding dedicated lint and type-check workflow coverage

Attack surface reduction

  • removed the old ESLint, Prettier, Vercel style-guide, and plugin chain in favor of one maintained formatter/linter dependency
  • removed vite-plugin-dts and its declaration-bundling dependency chain from the SDK build
  • removed explicit Terser from the SDK build path
  • removed all security overrides that had accumulated as dependency patches after confirming they are no longer required on current package versions
  • tightened the SDK WebView configuration by removing broad file and mixed-content access paths
  • reduced the number of packages in the resolved dependency graph while also moving the workspace onto current maintained releases

Estimated magnitude

  • local pnpm audit --json is now clean with 0 vulnerabilities
  • local total dependency count dropped from 1054 to 695, a reduction of 359 packages in the resolved graph
  • direct manifest entries across the workspace dropped from 31 to 28
  • the repo no longer needs a pnpm.overrides block to stay audit-clean on a fresh lockfile
  • in security terms, this is a large reduction in attack surface because the biggest gains come from deleting entire tooling chains rather than only pinning around advisories

Enterprise readiness impact

This makes the repository materially more enterprise ready by reducing the amount of transitive code that needs to be trusted, removing fragile audit-only override maintenance, tightening runtime permissions in the SDK, and standardizing the repo on current maintained toolchain versions and CI baselines.

Validation

  • pnpm install
  • pnpm audit --json
  • pnpm lint
  • pnpm check-types
  • pnpm build
  • pnpm test
  • cd packages/react-native && npm pack --dry-run

@mattinannt mattinannt marked this pull request as ready for review March 28, 2026 13:53

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 11fe6fa1d9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@mattinannt (Member, Author)

@coderabbitai please review

coderabbitai bot commented Mar 28, 2026

@mattinannt Sure, I'll review the changes in this PR right away!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot commented Mar 28, 2026

Warning

Rate limit exceeded

@mattinannt has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 3 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 6 minutes and 3 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b06962b6-3595-4801-a5ff-bb751179e521

📥 Commits

Reviewing files that changed from the base of the PR and between 11fe6fa and 281b3dc.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • AGENTS.md
  • packages/react-native/package.json
  • packages/react-native/tsconfig.json
  • turbo.json

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai bot commented Mar 28, 2026

Walkthrough

This pull request upgrades Node.js from 22.x to 24.x across build workflows, replaces Prettier and ESLint with Biome for linting and formatting, and bumps TypeScript to 6.0.2. It adds GitHub Actions workflow improvements including a new lint-and-type-check workflow and quality gates (linting and type-checking) to the release pipeline. The React Native package receives substantial updates: new TypeScript build configuration, enhanced WebView security controls, improved type safety (replacing any with unknown), refactored command-queue generics, and removal of obsolete ESLint/Prettier configurations. Pnpm is updated to 10.33.0 and the Node.js engine constraint is modified to support ^20.19.0 || >=22.12.0. Various imports are converted to type-only syntax and code formatting is standardized with trailing commas and multi-line parameter lists throughout.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage ⚠️ Warning: docstring coverage is 42.86%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Title check ✅ Passed: the title accurately summarizes the main objective: reducing npm vulnerability and attack surface across the workspace through tooling simplification and dependency management.
  • Description check ✅ Passed: the description is comprehensive and directly related to the changeset, detailing what changed, why it matters, impact metrics, and validation steps performed.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/react-native/tsconfig.json (1)

17-19: ⚠️ Potential issue | 🔴 Critical

Fix pipeline failure: baseUrl is deprecated in TypeScript 6+.

The pipeline is failing with TS5101 because baseUrl is deprecated and will stop functioning in TypeScript 7.0. Since the project uses TypeScript 6.0.2, you need to either suppress the warning or migrate the configuration.

🔧 Option 1 (quick fix): Suppress the deprecation warning
   "compilerOptions": {
+    "ignoreDeprecations": "6.0",
     "composite": false,
🔧 Option 2 (recommended): Use paths without baseUrl

In TypeScript 5.x+, paths no longer requires baseUrl. Since you're already using "moduleResolution": "bundler", you can specify paths relative to the tsconfig location:

-    "baseUrl": ".",
     "paths": {
-      "@/*": ["./src/*"]
+      "@/*": ["./src/*"]
     },
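Review bot: the `-`/`+` pair for `"@/*": ["./src/*"]` is byte-identical, so that part of the hunk is a no-op; only the `-    "baseUrl": ".",` line changes anything. Trim the suggestion to that single removal (with the unchanged `"paths"` block as context) so a reader does not hunt for a difference in the mapping that is not there.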

Simply removing baseUrl should work since paths are resolved relative to the tsconfig file when baseUrl is absent.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/react-native/tsconfig.json` around lines 17 - 19, remove the
deprecated "baseUrl" compilerOption instead of using it: delete the "baseUrl"
entry from the tsconfig compilerOptions and keep your "paths" mapping (e.g.,
"@/*": ["./src/*"]) since paths are resolved relative to the tsconfig when
baseUrl is absent; ensure "moduleResolution": "bundler" remains set.
Alternatively, if you need a temporary quick fix, suppress the deprecation
warning by adding a compiler flag that silences deprecation diagnostics (instead
of using "baseUrl") until you fully migrate.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/react-native/src/components/survey-web-view.tsx`:
- Around line 324-327: getSurveyScriptUrl currently falls back to localhost,
throws on sync protocol validation, and strips pathname which causes renderHtml
to crash; change getSurveyScriptUrl to treat options.appUrl as required: if
appUrl is missing or invalid return null (do not default to localhost or throw),
validate with a safe URL parse (catching errors) and construct the script URL by
resolving against the full origin + pathname (preserve appUrl.pathname instead
of using a root-relative path), and update renderHtml to check surveyScriptUrl
=== null and skip injecting/loading the script gracefully. Ensure you reference
getSurveyScriptUrl, renderHtml, and options.appUrl when making the fixes.

In `@packages/react-native/src/lib/common/command-queue.ts`:
- Around line 8-10: The command type allows Promise<void> but the queue
implementation (when invoking command and assigning to result, and later reading
result.data.ok) assumes a Result shape; update the invocation logic that awaits
the command output (the variable currently named result) to perform a runtime
shape check: if the awaited value is undefined or does not have the expected
Result structure (no .data or no .data.ok), wrap it into a successful
Result<void, unknown> before continuing so the subsequent dereference of
result.data.ok is safe; locate the command invocation and result handling in the
queue processing function (where the code currently casts the command output to
Result<void, unknown> and reads result.data.ok) and add this guard and wrapping
logic there.

In `@packages/react-native/src/types/response.ts`:
- Around line 3-6: TResponseData currently allows nested Record<string, string>,
which diverges from ZResponseData and can cause runtime validation failures;
update TResponseData to mirror ZResponseData by replacing the nested
Record<string, string> with the same recursive union shape used by ZResponseData
(i.e., nested records must allow the same union of string | number | string[] |
nested record), so modify the type declaration for TResponseData to use
Record<string, string | number | string[] | Record<string, string | number |
string[]>> (or the equivalent recursive union) to keep the compile-time type
contract aligned with ZResponseData.

---

Outside diff comments:
In `@packages/react-native/tsconfig.json`:
- Around line 17-19: Remove the deprecated "baseUrl" compilerOption instead of
using it: delete the "baseUrl" entry from the tsconfig compilerOptions and keep
your "paths" mapping (e.g., "@/*": ["./src/*"]) since paths are resolved
relative to the tsconfig when baseUrl is absent; ensure "moduleResolution":
"bundler" remains set. Alternatively, if you need a temporary quick fix,
suppress the deprecation warning by adding a compiler flag that silences
deprecation diagnostics (instead of using "baseUrl") until you fully migrate.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5b603334-723d-483a-897b-c9e57361beee

📥 Commits

Reviewing files that changed from the base of the PR and between 2e3fee9 and 11fe6fa.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (51)
  • .github/workflows/build.yml
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • apps/playground/.eslintrc.js
  • apps/playground/app.json
  • apps/playground/package.json
  • apps/playground/src/app.tsx
  • biome.json
  • package.json
  • packages/react-native/.eslintrc.cjs
  • packages/react-native/package.json
  • packages/react-native/src/components/formbricks.tsx
  • packages/react-native/src/components/survey-web-view.tsx
  • packages/react-native/src/index.ts
  • packages/react-native/src/lib/common/api.ts
  • packages/react-native/src/lib/common/command-queue.ts
  • packages/react-native/src/lib/common/config.ts
  • packages/react-native/src/lib/common/event-listeners.ts
  • packages/react-native/src/lib/common/setup.ts
  • packages/react-native/src/lib/common/tests/api.test.ts
  • packages/react-native/src/lib/common/tests/command-queue.test.ts
  • packages/react-native/src/lib/common/tests/config.test.ts
  • packages/react-native/src/lib/common/tests/logger.test.ts
  • packages/react-native/src/lib/common/tests/setup.test.ts
  • packages/react-native/src/lib/common/tests/utils.test.ts
  • packages/react-native/src/lib/common/utils.ts
  • packages/react-native/src/lib/environment/state.ts
  • packages/react-native/src/lib/environment/tests/state.test.ts
  • packages/react-native/src/lib/survey/action.ts
  • packages/react-native/src/lib/survey/tests/action.test.ts
  • packages/react-native/src/lib/survey/tests/store.test.ts
  • packages/react-native/src/lib/user/attribute.ts
  • packages/react-native/src/lib/user/state.ts
  • packages/react-native/src/lib/user/tests/attribute.test.ts
  • packages/react-native/src/lib/user/tests/state.test.ts
  • packages/react-native/src/lib/user/tests/update-queue.test.ts
  • packages/react-native/src/lib/user/tests/update.test.ts
  • packages/react-native/src/lib/user/tests/user.test.ts
  • packages/react-native/src/lib/user/update.ts
  • packages/react-native/src/lib/user/user.ts
  • packages/react-native/src/types/api.ts
  • packages/react-native/src/types/config.ts
  • packages/react-native/src/types/error.ts
  • packages/react-native/src/types/response.ts
  • packages/react-native/src/types/survey.ts
  • packages/react-native/tsconfig.build.json
  • packages/react-native/tsconfig.json
  • packages/react-native/vite.config.ts
  • scripts/check-exact-deps.mjs
  • turbo.json
💤 Files with no reviewable changes (3)
  • apps/playground/.eslintrc.js
  • apps/playground/app.json
  • packages/react-native/.eslintrc.cjs


@mattinannt mattinannt enabled auto-merge March 28, 2026 18:37
@mattinannt mattinannt added this pull request to the merge queue Mar 29, 2026
Merged via the queue into main with commit 0b61d03 Mar 29, 2026
10 checks passed
@mattinannt mattinannt deleted the codex/reduce-npm-attack-surface branch March 29, 2026 16:23