Update ui deps sync (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
openai	5.23.2 -> 6.6.0
openai	5.23.2 -> 6.6.0
svelte-check	^3.8.6 -> ^4.3.3
svelte-preprocess	^5.1.4 -> ^6.0.3
tailwindcss (source)	^3.4.18 -> ^4.1.16

---

Release Notes

openai/openai-node (openai)

v6.6.0

Compare Source

Full Changelog: v6.5.0...v6.6.0

Features

• api: Add responses.input_tokens.count (520c8a9)

Bug Fixes

• api: internal openapi updates (d4aaef9)

v6.5.0

Compare Source

Full Changelog: v6.5.0...v6.6.0

Features

• api: Add responses.input_tokens.count (520c8a9)

Bug Fixes

• api: internal openapi updates (d4aaef9)

v6.4.0

Compare Source

Full Changelog: v6.4.0...v6.5.0

Features

• api: api update (4d21af3)

v6.3.0

Compare Source

Full Changelog: v6.3.0...v6.4.0

Features

• api: Add support for gpt-4o-transcribe-diarize on audio/transcriptions endpoint (2d27392)

v6.2.0

Compare Source

Full Changelog: v6.2.0...v6.3.0

Features

• api: comparison filter in/not in (1a733c6)

Chores

• internal: use npm pack for build uploads (a532410)

v6.1.0

Compare Source

Full Changelog: v6.1.0...v6.2.0

Features

• api: dev day 2025 launches (f2816db)

Chores

• internal: codegen related update (b6f64b7)
• jsdoc: fix @​link annotations to refer only to parts of the package‘s public interface (73e465d)

v6.0.1

Compare Source

Full Changelog: v6.0.1...v6.1.0

Features

• api: add support for realtime calls (5de9585)

v6.0.0

Compare Source

Full Changelog: v6.0.0...v6.0.1

Bug Fixes

• api: add status, approval_request_id to MCP tool call (498c6a5)

sveltejs/language-tools (svelte-check)

v4.3.3

Compare Source

Patch Changes

• fix: prevent file watcher issue (#​2859)

• fix: allow undefined and null values for #each in Svelte 5 (#​2863)

• perf: check if file content changed in tsconfig file watch (#​2859)

v4.3.2

Compare Source

Patch Changes

• perf: tweak some snapshot hot paths (#​2852)

• perf: more precise module cache invalidation (#​2853)

• fix: properly handle runes={false} in <svelte:options> (#​2847)

See https://github.com/sveltejs/language-tools/releases

v4.3.1

Compare Source

fix: handle object literal in MustacheTag (#​2805)

v4.3.0

Compare Source

• feat: zero types for params (#​2795)
• feat: add await support (#​2799)
• fix: strip doctype using AST instead of regex (#​2798)
• chore: make human output more concise and readable (#​2748)

v4.2.2

Compare Source

• fix: invalidate project file cache and handle watcher race condition (#​2779)
• fix: prevent error with bind:this={get, set} (#​2781)
• fix: don't treat derived imported from svelte/store as a potential store (#​2780)
• fix: key block can have its own block scope (#​2768)

v4.2.1

Compare Source

• feat: support generics on snippets (#​2761)

v4.2.0

Compare Source

• feat: support attachments (#​2760)
• fix: deduplicate definition for rune-mode components (#​2759)

v4.1.7

Compare Source

• fix: robustify hoisting logic around prop types (#​2740)
• fix: ensure typed exports are marked as used (#​2746)
• chore: bump vscode-html/css-language-service (#​2752)
• fix: ensure eligible snippets can be referenced in module script (#​2753)
• fix: prevent error with unclosed tag followed by LF or end of file (#​2750)

v4.1.6

Compare Source

• fix: prevent unused variable error for bindable
• fix: ensure exports in runes mode are marked as used
• fix: add color CLI options

v4.1.5

Compare Source

• fix: take other snippets into account when checking for hoistability (#​2668)
• fix: disambiguate render in module script (#​2667)
• fix: properly transform $props.id when $props is assigned to props (#​2694)
• fix: handle booleanish popover (#​2702)
• chore: bump vscode-html/css-language-service (#​2677)
• fix: use referenced project's compiler option to get resolution mode (#​2676)

v4.1.4

Compare Source

• fix: don't hoist types/snippets referencing stores or destructured variables (#​2661)

v4.1.3

Compare Source

• fix: move snippets to correct place when only module script present

v4.1.2

Compare Source

• feat: support generics attribute for JSDoc (#​2624)
• fix: better snippet/interface hoistability analysis (#​2655)
• chore: TypeScript 5.7 support (#​2585)

v4.1.1

Compare Source

• fix: support each without as (#​2615)

v4.1.0

Compare Source

• fix: don't move appended content from previous node while hoisting interface (#​2596)
• fix: ensure hoisted interfaces are moved after hoisted imports (#​2597)
• fix: preserve bind:... mapping on elements for better source maps
• feat: prepare for some upcoming features of Svelte 5

v4.0.9

Compare Source

• fix: detect shadowed variables/types during type hoisting (#​2590)

v4.0.8

Compare Source

• fix: fall back to any instead of unknown for untyped $props (#​2582)
• fix: robustify and fix file writing (#​2584)
• fix: hoist types related to $props rune if possible (#​2571)

v4.0.7

Compare Source

• fix: $props: infer types for $bindable, infer function type from arrow function

v4.0.6

Compare Source

• chore: autotype const load = ... declarations (#​2540)
• chore: provide component instance type in Svelte 5 (#​2553)
• chore: support typescript 5.6 (#​2545)
• fix: infer object and array shapes from fallback types (#​2562)

v4.0.5

Compare Source

• fix: include named exports in svelte 5 type (#​2528)

v4.0.4

Compare Source

• fix: relax component constructor type (#​2524)

v4.0.3

Compare Source

• breaking(svelte5): only generate function component shape in runes mode (#​2517). This means you can no longer just do Component in type positions. Instead you need to prepend it with typeof. Here's how you do it:
  • ...when typing a component instance: Before: let x: Component. After: let x: ReturnType<typeof Component>
  • ...when typing a component constructor/function: Before let x: typeof Component. After let x: typeof Component (no change)
• fix: revert additional two-way-binding checks as they were causing bugs (#​2508)
• fix: include files indirectly belonging to a project into correct project (#​2488)
• fix: check project files update more aggressively before assigning service (#​2518)
• chore: upgrade to chokidar 4 (#​2502)

v4.0.2

Compare Source

• fix: ensure components typed through Svelte 5's Component interface get proper intellisense

v4.0.1

Compare Source

• fix: remove ancient process augmentation from internal d.ts file

v4.0.0

Compare Source

• chore: bump magic-string (#​2476)
• chore: switch from fast-glob to fdir (#​2433)
• fix: detect <script module> tag (#​2482)
• feat: better type checking for bindings in Svelte 5 (#​2477)
• feat: replace svelte-preprocess with barebones TS preprocessor (#​2452)
• feat: project reference support (#​2463)

Breaking changes

• require Svelte 4 or later (#​2453)
• make TypeScript a peer dependency, require TS 5 or later (#​2453)
• require node 18 or later (#​2453)
• process augmentation (declaring a process.browser field) was removed
• slight changes to how files are assigned to which tsconfig.json (#​1234, #​2463)
• slight changes to how Svelte module resolution works; .svelte files now take precedence over .svelte.js/ts files (if both exist) (#​2481)
• language-server now forces fewer TypeScript options. Most notably skipLibCheck is no longer forced to true, which may result in d.ts files now being checked in your project, which they were not before, revealing type errors. Either fix those or add "skipLibCheck": true to your tsconfig.json (#​1976, #​2463)

sveltejs/svelte-preprocess (svelte-preprocess)

v6.0.3

Compare Source

Bug Fixes

• add pug mixins to support svelte-5 syntax (#​654) (9d49f3d)
• ignore sass deprecation warning (#​657) (9b54325), closes #​656

v6.0.2

Compare Source

Bug Fixes

• remove customConditions tsconfig option (#​648) (afb80ae), closes #​646

v6.0.1

Compare Source

Bug Fixes

• deprecate default export in favor of named export (#​641) (a43de10), closes #​591

v6.0.0

Compare Source

BREAKING CHANGES

• remove TS mixed imports support, require TS 5.0 or higher
• remove preserve option as it's unnecessary
• require Svelte 4+, Node 18+
• add exports map

Bug Fixes

• adjust globalifySelector to not split selectors with parentheses. (#​632) (c435ebd), closes #​501
• fix: allow TS filename to be undefined, fixes #​488
• fix: adjust Svelte compiler type import
• fix: remove pug types and magic-string from dependencies
• chore: bump peer deps, fixes #​553

5.1.4 (2024-04-16)

Bug Fixes

• remove pnpm version restriction (#​629) (2713b82)

5.1.3 (2023-12-18)

Bug Fixes

• sass dependency list referencing source file in win32 (#​621) (209312f)

5.1.2 (2023-12-12)

• chore: mark postcss-load-config 5 as supported (3b5b1f0)

5.1.1 (2023-11-21)

Bug Fixes

• force module(resolution) (66d3cf9)

tailwindlabs/tailwindcss (tailwindcss)

v4.1.16

Compare Source

Fixed

• Discard candidates with an empty data type (#​19172)
• Fix canonicalization of arbitrary variants with attribute selectors (#​19176)
• Fix invalid colors due to nested & (#​19184)
• Improve canonicalization for & > :pseudo and & :pseudo arbitrary variants (#​19178)

v4.1.15

Compare Source

Fixed

• Fix Safari devtools rendering issue due to color-mix fallback (#​19069)
• Suppress Lightning CSS warnings about :deep, :slotted, and :global (#​19094)
• Fix resolving theme keys when starting with the name of another theme key in JS configs and plugins (#​19097)
• Allow named groups in combination with not-*, has-*, and in-* (#​19100)
• Prevent important utilities from affecting other utilities (#​19110)
• Don’t index into strings with the theme(…) function (#​19111)
• Fix parsing issue when \t is used in at-rules (#​19130)
• Upgrade: Canonicalize utilities containing 0 values (#​19095)
• Upgrade: Migrate deprecated break-words to wrap-break-word (#​19157)

Changed

• Remove the postinstall script from oxide ([#​19149])(#​19149)

v4.1.14

Compare Source

Fixed

• Handle ' syntax in ClojureScript when extracting classes (#​18888)
• Handle @variant inside @custom-variant (#​18885)
• Merge suggestions when using @utility (#​18900)
• Ensure that file system watchers created when using the CLI are always cleaned up (#​18905)
• Do not generate grid-column utilities when configuring grid-column-start or grid-column-end (#​18907)
• Do not generate grid-row utilities when configuring grid-row-start or grid-row-end (#​18907)
• Prevent duplicate CSS when overwriting a static utility with a theme key (#​18056)
• Show Lightning CSS warnings (if any) when optimizing/minifying (#​18918)
• Use default export condition for @tailwindcss/vite (#​18948)
• Re-throw errors from PostCSS nodes (#​18373)
• Detect classes in markdown inline directives (#​18967)
• Ensure files with only @theme produce no output when built (#​18979)
• Support Maud templates when extracting classes (#​18988)
• Upgrade: Do not migrate variant = 'outline' during upgrades (#​18922)
• Upgrade: Show version mismatch (if any) when running upgrade tool (#​19028)
• Upgrade: Ensure first class inside className is migrated (#​19031)
• Upgrade: Migrate classes inside *ClassName and *Class attributes (#​19031)

v4.1.13

Compare Source

Changed

• Drop warning from browser build (#​18731)
• Drop exact duplicate declarations when emitting CSS (#​18809)

Fixed

• Don't transition visibility when using transition (#​18795)
• Discard matched variants with unknown named values (#​18799)
• Discard matched variants with non-string values (#​18799)
• Show suggestions for known matchVariant values (#​18798)
• Replace deprecated clip with clip-path in sr-only (#​18769)
• Hide internal fields from completions in matchUtilities (#​18820)
• Ignore .vercel folders by default (can be overridden by @source … rules) (#​18855)
• Consider variants starting with @- to be invalid (e.g. @-2xl:flex) (#​18869)
• Do not allow custom variants to start or end with a - or _ (#​18867, #​18872)
• Upgrade: Migrate aria theme keys to @custom-variant (#​18815)
• Upgrade: Migrate data theme keys to @custom-variant (#​18816)
• Upgrade: Migrate supports theme keys to @custom-variant (#​18817)

v4.1.12

Compare Source

Fixed

• Don't consider the global important state in @apply (#​18404)
• Add missing suggestions for flex-<number> utilities (#​18642)
• Fix trailing ) from interfering with extraction in Clojure keywords (#​18345)
• Detect classes inside Elixir charlist, word list, and string sigils (#​18432)
• Track source locations through @plugin and @config (#​18345)
• Allow boolean values of process.env.DEBUG in @tailwindcss/node (#​18485)
• Ignore consecutive semicolons in the CSS parser (#​18532)
• Center the dropdown icon added to an input with a paired datalist by default (#​18511)
• Extract candidates in Slang templates (#​18565)
• Improve error messages when encountering invalid functional utility names (#​18568)
• Discard CSS AST objects with false or undefined properties (#​18571)
• Allow users to disable URL rebasing in @tailwindcss/postcss via transformAssetUrls: false (#​18321)
• Fix false-positive migrations in addEventListener and JavaScript variable names (#​18718)
• Fix Standalone CLI showing default Bun help when run via symlink on Windows (#​18723)
• Read from --border-color-* theme keys in divide-* utilities for backwards compatibility (#​18704)
• Don't scan .hdr and .exr files for classes by default (#​18734)

v4.1.11

Compare Source

Fixed

• Add heuristic to skip candidate migrations inside emit(…) (#​18330)
• Extract candidates with variants in Clojure/ClojureScript keywords (#​18338)
• Document --watch=always in the CLI's usage (#​18337)
• Add support for Vite 7 to @tailwindcss/vite (#​18384)

v4.1.10

Compare Source

Fixed

• Fix incorrectly generated CSS when using percentages in arbitrary values with calc (e.g. w-[calc(100%-var(--offset))]) (#​18289)

v4.1.9

Compare Source

Fixed

• Correctly parse custom properties with strings containing semicolons (#​18251)
• Upgrade: Migrate arbitrary modifiers without percentage signs to bare values (e.g. /[0.16] → /16) (#​18184)
• Upgrade: Migrate CSS variable shorthands where fallback value contains function call (#​18184)
• Upgrade: Migrate negative arbitrary values to negative bare values (e.g. mb-[-32rem] → -mb-128) (#​18212)
• Upgrade: Do not migrate blur in wire:model.blur (#​18216)
• Don't add spaces around CSS dashed idents when formatting math expressions (#​18220)

v4.1.8

Compare Source

Added

• Improve error messages when @apply fails (#​18059)

Fixed

• Upgrade: Do not migrate declarations that look like candidates in <style> blocks (#​18057, 18068)
• Upgrade: Don't error when looking for tailwindcss in pnpm monorepos (#​18065)
• Upgrade: Don't error when updating dependencies in pnpm monorepos (#​18065)
• Upgrade: Migrate deprecated order-none to order-0 (#​18126)
• Support Leptos class: attributes when extracting classes (#​18093)
• Fix "Cannot read properties of undefined" crash on malformed arbitrary value (#​18133)
• Upgrade: Migrate -mt-[0px] to mt-[0px] instead of the other way around (#​18154)
• Fix Haml pre-processing crash when there is no \n at the end of the file (#​18155)
• Ignore .pnpm-store folders by default (can be overridden by @source … rules) (#​18163)
• Fix PostCSS crash when calling toJSON() (#​18083)

v4.1.7

Compare Source

Added

• Upgrade: Migrate bare values to named values (#​18000)
• Upgrade: Added cache to improve template migration performance (#​18025)

Fixed

• Allow _ before numbers during candidate extraction (#​17961)
• Prevent duplicate suggestions when using @theme and @utility together (#​17675)
• Ensure that media queries within ::before and ::after pseudo selectors create valid CSS rules in production builds (#​17979)
• Ensure that the standalone CLI does not leave temporary files behind (#​17981)
• Ensure -rotate-* utilities properly negate arbitrary values (#​18014)
• Ignore custom variants using :merge(…) selectors in legacy JS plugins (#​18020)
• Ensure classes containing . are properly extracted from Clojure files (#​18038)
• Upgrade: Fix error when using @import … source(…) (#​17963)
• Upgrade: Change casing of utilities with named values to kebab-case to match updated theme variables (#​18017)
• Upgrade: Don't migrate strings that match utility names in Vue attribute bindings other than class (#​18025)

v4.1.6

Compare Source

Added

• Upgrade: Automatically convert arbitrary values to named values when possible (e.g. h-[1lh] to h-lh) (#​17831, #​17854)
• Upgrade: Update dependencies in parallel for improved performance (#​17898)
• Add detailed logging about @source directives, discovered files and scanned files when using DEBUG=* (#​17906, #​17952)
• Add support for generating source maps in development (#​17775)

Fixed

• Ensure negative arbitrary scale values generate negative values (#​17831)
• Fix HAML extraction with embedded Ruby (#​17846)
• Don't scan files for utilities when using @reference (#​17836)
• Fix incorrectly replacing _ with in arbitrary modifier shorthand bg-red-500/(--my_opacity) (#​17889)
• Don't scan .log files for classes by default (#​17906)
• Ensure that custom utilities applying other custom utilities don't swallow nested @apply rules (#​17925)
• Download platform specific package if optionalDependencies are skipped (#​17929)

v4.1.5

Compare Source

Added

• Support using @tailwindcss/upgrade to upgrade between versions of v4.* (#​17717)
• Add h-lh / min-h-lh / max-h-lh utilities (#​17790)
• Transition display, visibility, content-visibility, overlay, and pointer-events when using transition to simplify @starting-style usage (#​17812)

Fixed

• Don't scan .geojson or .db files for classes by default (#​17700, #​17711)
• Hide default shadow suggestions when missing default shadow theme keys (#​17743)
• Replace _ with . in theme suggestions for @utility if surrounded by digits (#​17733)
• Skip color-mix(…) when opacity is 100% (#​17815)
• PostCSS: Ensure that errors in imported stylesheets are recoverable (#​17754)
• Upgrade: Bump all Tailwind CSS related dependencies during upgrade (#​17763)
• Upgrade: Don't add - to variants starting with @ (#​17814)
• Upgrade: Don't format stylesheets that didn't change when upgrading (#​17824)

Changed

• Ignore .hg, .svn, .venv, venv, .yarn, .next, .turbo, .parcel-cache, __pycache__, and .svelte-kit folders by default (can be overridden by @source … rules) (#​17892)
• @source rules that point inside .hg, .svn, .venv, venv, .yarn, .next, .turbo, .parcel-cache, __pycache__, and .svelte-kit folders no longer consider your .gitignore rules (#​17892)

v4.1.4

Compare Source

Added

• Add experimental @tailwindcss/oxide-wasm32-wasi target for running Tailwind in browser environments like StackBlitz (#​17558)

Fixed

• Ensure color-mix(…) polyfills do not cause used CSS variables to be removed (#​17555)
• Ensure color-mix(…) polyfills create fallbacks for theme variables that reference other theme variables (#​17562)
• Fix brace expansion in declining ranges like {10..0..5} and {0..10..-5} (#​17591)
• Work around a Chrome rendering bug when using the skew-* utilities (#​17627)
• Ensure container query variant names can contain hyphens (#​17628)
• Ensure shadow-inherit, inset-shadow-inherit, drop-shadow-inherit, and text-shadow-inherit inherit the shadow color (#​17647)
• Ensure compatibility with array tuples used in fontSize JS theme keys (#​17630)
• Ensure folders with binary file extensions in their names are scanned for utilities (#​17595)
• Upgrade: Convert fontSize array tuple syntax to CSS theme variables (#​17630)

v4.1.3

Compare Source

Fixed

• Show warning when using unsupported bare value data type in --value(…) (#​17464)
• PostCSS: Ensure changes to the input CSS file don't generate stale output when using Turbopack (#​17554)
• Ensure classes are detected in Ruby's %w syntax in Slim templates (#​17557)

v4.1.2

Compare Source

Fixed

• Don't rely on the presence of @layer base to polyfill @property (#​17506)
• Support setting multiple inset shadows as arbitrary values (#​17523)
• Fix drop-shadow-* utilities that are defined with multiple shadows (#​17515)
• PostCSS: Fix race condition when two changes are queued concurrently (#​17514)
• PostCSS: Ensure files containing @tailwind utilities are processed (#​17514)
• Ensure the color-mix(…) polyfill creates fallbacks even when using colors that cannot be statically analyzed (#​17513)
• Fix slow incremental builds with @tailwindcss/vite and @tailwindcss/postscss (especially on Windows) (#​17511)
• Vite: Fix missing CSS file in Qwik setups (#​17533)

v4.1.1

Compare Source

Fixed

• Handle ' syntax in ClojureScript when extracting classes (#​18888)
• Handle @variant inside @custom-variant (#​18885)
• Merge suggestions when using @utility (#​18900)
• Ensure that file system watchers created when using the CLI are always cleaned up (#​18905)
• Do not generate grid-column utilities when configuring grid-column-start or grid-column-end (#​18907)
• Do not generate grid-row utilities when configuring grid-row-start or grid-row-end (#​18907)
• Prevent duplicate CSS when overwriting a static utility with a theme key (#​18056)
• Show Lightning CSS warnings (if any) when optimizing/minifying (#​18918)
• Use default export condition for @tailwindcss/vite (#​18948)
• Re-throw errors from PostCSS nodes (#​18373)
• Detect classes in markdown inline directives (#​18967)
• Ensure files with only @theme produce no output when built (#​18979)
• Support Maud templates when extracting classes (#​18988)
• Upgrade: Do not migrate variant = 'outline' during upgrades (#​18922)
• Upgrade: Show version mismatch (if any) when running upgrade tool (#​19028)
• Upgrade: Ensure first class inside className is migrated (#​19031)
• Upgrade: Migrate classes inside *ClassName and *Class attributes ([#​19031](https://redirect.github.com/tailwindlabs/tailwindc

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Walkthrough

This PR upgrades dependencies in the UI package. The OpenAI dependency is bumped from 5.23.2 to 6.5.0 in both the import map and package.json. Additional devDependencies are also updated: svelte-check, svelte-preprocess, and tailwindcss to newer minor and patch versions.

Changes

Cohort / File(s)	Summary
UI package dependency updates packages/ui/import_map.json, packages/ui/package.json	Upgraded openai from 5.23.2 to 6.5.0; upgraded svelte-check from ^3.8.6 to ^4.3.3; upgraded svelte-preprocess from ^5.1.4 to ^6.0.3; upgraded tailwindcss from ^3.4.18 to ^4.1.14

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Renovate update import and package #674: Adds Renovate rules to ensure coordinated updates between import_map.json and packages/ui/package.json for dependency consistency.

Suggested reviewers

• ericglau
• collins-w

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title "Update ui deps sync (major)" is directly related to the changeset, which consists of major version updates to four UI package dependencies (openai, svelte-check, svelte-preprocess, and tailwindcss). The title clearly conveys the primary change—updating UI dependencies to major versions—and would allow a teammate scanning the commit history to quickly understand the PR's purpose. While the term "sync" is somewhat informal compared to "update," the "(major)" notation effectively emphasizes the significant nature of these version bumps.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	The PR description is clearly related to the changeset. It provides a detailed table of package updates with specific version changes for openai, svelte-check, svelte-preprocess, and tailwindcss, along with comprehensive release notes from each upstream project. While there is a minor discrepancy between the version numbers shown in the description table (6.6.0 for openai) and the actual implementation (6.5.0 based on the raw summary), the description accurately describes the nature of the changes as dependency updates and provides meaningful information about what was modified.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/major-ui-deps-sync

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		axios@1.11.0 has a High CVE. CVE: GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check (HIGH) Affected versions: >= 1.0.0 < 1.12.0; < 0.30.2 Patched version: 1.12.0 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.11.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		amdefine@1.0.1 is a AI-detected potential code anomaly. Notes: The code implements a global module loader hook that prepends a require('amdefine')(module) shim to nearly all .js modules before they are compiled. This is not directly overtly malicious, but it is a high-impact supply-chain/style modification: it alters every module load, can obscure behavior from static analysis, and increases attack surface if an attacker can modify this package or the amdefine module. Use of this module should be considered a risk in environments that require strict control of execution semantics or provenance; review and pin amdefine and this loader carefully. No clear evidence of direct data exfiltration or backdoor in this fragment. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/amdefine@1.0.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/amdefine@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		asynckit@0.4.0 is a AI-detected potential code anomaly. Notes: The analyzed code is a standard wrapper/adapter for long-signature iterators in a streaming context. It includes proper handling to avoid duplicate callbacks, emits errors correctly, and finalizes the stream appropriately. There is no indication of malicious behavior, data exfiltration, or backdoor-like mechanisms. The risk is minimal and primarily relates to correct usage by downstream code (e.g., ensuring stream object has the expected properties). Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/asynckit@0.4.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/asynckit@0.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		axios@1.11.0 is a AI-detected potential code anomaly. Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.11.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		axios@1.11.0 is a AI-detected potential code anomaly. Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.11.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		chalk@2.4.2 is a AI-detected potential code anomaly. Notes: This is a conventional Chalk-like color-styling module. It exhibits expected behavior for terminal styling, uses environment checks for compatibility, and does not demonstrate malicious activity, data leakage, or external communications. Security risk is low in isolation; the primary considerations are safe usage in environments where ANSI sequences could affect log readability or concealment, and ensuring trusted template renderingCode integrity. Overall, the component appears benign within its described scope. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/chalk@2.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chalk@2.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		fs-extra@9.1.0 is a AI-detected potential code anomaly. Notes: The copy.js module appears to be a legitimate and secure filesystem copy utility with appropriate safeguards and options. No malicious activity detected, and typical supply-chain risk is limited to the general risk of filesystem operations. The code is suitable for inclusion in a package like fs-extra with normal risk expectations. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/fs-extra@9.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs-extra@9.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		glob@7.2.3 is a AI-detected potential code anomaly. Notes: The code is a conventional, non-malicious implementation of a globbing helper with ignore pattern support. It reads inputs from configuration and filesystem state, and writes results to an internal cache/result set. There are no indicators of malware or exfiltration within this fragment. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/glob@7.2.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@7.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		sc-istanbul@0.4.6 is a AI-detected potential code anomaly. Notes: No direct malicious actions (network exfiltration, reverse shells, or hard-coded credentials) are present in this fragment. However, the module intentionally monkeypatches Node's module loader and VM APIs to transform and execute code at load time. Those capabilities are high-risk: if a malicious transformer/matcher is supplied (or if the package itself is replaced with a malicious version), it can inject arbitrary code into any loaded module, enabling supply-chain attacks, data theft, or backdoors. Reviewers should treat usage of this module as a high-privilege operation, ensure transformers are trusted, and limit hook usage to controlled environments. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/sc-istanbul@0.4.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sc-istanbul@0.4.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		undici@6.21.3 is a AI-detected potential code anomaly. Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/undici@6.21.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.21.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		viem@2.33.3 is a AI-detected potential code anomaly. Notes: The code implements a cross-chain deposit flow with proper validations, artifact reads, and on-chain interactions. There is no evidence of hidden backdoors, data exfiltration, or malware. The main security considerations relate to token approval logic and correct configuration of flags to avoid granting excessive allowances. Overall, the module appears legitimate for a bridge deposit flow, with moderate risk primarily around configuration of approvals and correct handling of gas/fees. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/viem@2.33.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/viem@2.33.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		ws@8.17.1 is a AI-detected potential code anomaly. Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/ws@8.17.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.17.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		ws@8.18.2 is a AI-detected potential code anomaly. Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/ws@8.18.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.18.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		buffer@4.9.2 has Obfuscated code. Confidence: 0.96 Location: Package overview From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/buffer@4.9.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nomicfoundation/​hardhat-toolbox@​6.1.0
	@​openzeppelin/​hardhat-upgrades@​3.9.1

View full report

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/ui/package.json (1)

15-45: Critical: Tailwind v4 migration incomplete—build will fail due to missing configuration updates.

The upgrade to Tailwind v4 requires configuration and CSS syntax changes that are not present in this PR:

1. Missing required dependency: @tailwindcss/postcss not in package.json. Tailwind v4 moved the PostCSS plugin to a separate package; your postcss.config.js requires 'tailwindcss' which no longer exists as a plugin.

2. Outdated CSS directives:

   • packages/ui/src/common/styles/global.css: Change @tailwind utilities; to @import "tailwindcss";
   • packages/ui/src/common/styles/standalone.css: Likely needs same update

3. Incompatible preprocessor config: packages/ui/svelte.config.js has postcss: true which will fail when PostCSS can't load the tailwindcss plugin.

Required changes before merge:

• Add "@tailwindcss/postcss": "next" to devDependencies (or use CSS-first approach by removing postcss config entirely)
• Update all CSS files from @tailwind directives to @import "tailwindcss"
• Run npm run build and npm run validate to verify the build succeeds
• Confirm svelte-check passes with Svelte v3.55.0 + svelte-check v4.3.3

The OpenAI SDK upgrade (v5.23.2→6.5.0) appears compatible with your usage patterns.

🧹 Nitpick comments (1)

packages/ui/package.json (1)

29-29: Consider using a caret range for OpenAI to allow patch/minor updates.

The version is pinned to an exact semver (6.5.0) rather than using a caret range (^6.5.0). While pinning prevents accidental upgrades, it also blocks security patches and minor updates. Most projects use caret ranges for npm dependencies to balance safety and flexibility. If exact pinning is intentional, please document the rationale.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8073313 and 9c27729.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• packages/ui/import_map.json (1 hunks)
• packages/ui/package.json (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

• GitHub Check: boostsecurity - boostsecurityio/semgrep-pro
• GitHub Check: check
• GitHub Check: build (cairo, default)
• GitHub Check: build (solidity, default)
• GitHub Check: build (stellar, default)
• GitHub Check: build (stellar, compile)
• GitHub Check: build (stylus, default)
• GitHub Check: format-lint
• GitHub Check: mcp
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (2)

packages/ui/import_map.json (1)

4-4: Verify OpenAI SDK v6 compatibility—significant API migration required.

The OpenAI SDK v6 migrated from node-fetch to builtin fetch, which represents a breaking change. Before merging, you must verify that:

1. All application code consuming the OpenAI SDK has been updated to work with v6's API (e.g., method signatures, response shapes)
2. The application builds successfully with the new version
3. Existing tests pass with v6

Since the PR context shows no code changes related to OpenAI usage, there's a risk that dependent code is incompatible with v6.

packages/ui/package.json (1)

39-40: Verify Svelte ecosystem upgrade—ensure build tools meet minimum requirements.

Svelte 4 is mainly a maintenance release that increases the minimum version requirements, with Node.js 16 now the minimum version and TypeScript 5+ recommended. The package.json shows TypeScript ^5.9.3 (line 44), which satisfies requirements.

However, verify that:

1. The application builds successfully with svelte-check ^4.3.3
2. If using SvelteKit, it's version 1.20.4 or newer (check if applicable)
3. The validate script at line 12 (svelte-check) runs without errors

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

⚠️ Tailwind CSS v4 requires significant configuration and CSS file updates—verify migration is complete.

Tailwind CSS v4.0 is a major version with necessary updates required from v3 to v4. This update introduces breaking changes that are NOT evident in this PR:

1. CSS imports: In v4 you import Tailwind using a regular CSS @import statement, not using the @tailwind directives
2. Preprocessor incompatibility: Tailwind CSS v4.0 is not designed to be used with CSS preprocessors like Sass, Less, or Stylus, and it is not possible to use Sass for <style> blocks in Svelte
3. Browser support: Tailwind CSS v4.0 is designed for Safari 16.4+, Chrome 111+, and Firefox 128+. If you need to support older browsers, stick with v3.4
4. Configuration: CSS-first config replaces JavaScript-based tailwind.config.js

The PR shows no corresponding updates to CSS files, Tailwind config, or SCSS/Sass removal. The upgrade tool will handle most of these changes automatically, but there's no evidence it was used. Without these changes, the build will likely fail or styles will break.

Verify the following before merging:

• All CSS files have been updated to use @import "tailwindcss" instead of @tailwind directives
• tailwind.config.js has been updated to CSS-first format (or removed if no custom config needed)
• Any SCSS/Sass files have been converted to plain CSS or removed
• The build completes successfully and styles render correctly

Run the following verification script:

---

🏁 Script executed:

#!/bin/bash
# Find and list Tailwind-related config and CSS files

echo "=== Tailwind Config Files ==="
find . -name "tailwind.config.*" -o -name "tailwind.css" -o -name "global.css" | grep -v node_modules

echo ""
echo "=== SCSS/Sass Files (may be incompatible with Tailwind v4) ==="
find . -name "*.scss" -o -name "*.sass" | grep -v node_modules | head -20

echo ""
echo "=== CSS Files Mentioning @tailwind ==="
rg -t css "@tailwind" --no-heading

echo ""
echo "=== SVG/Vue/Svelte Files with Style Blocks Using @tailwind ==="
rg -t svelte -A2 "<style" | grep -A2 "@tailwind"

Length of output: 418

---

CSS files must be updated to use Tailwind v4 syntax—@tailwind directives are no longer supported.

In v4 you import Tailwind using a regular CSS @import statement, not using the @tailwind directives you used in v3. The PR updates tailwindcss to v4.1.14 but contains two CSS files that still use the deprecated v3 syntax:

• packages/ui/src/standalone.css:@tailwind utilities;
• packages/ui/src/common/styles/global.css:@tailwind utilities;

These files must be updated before this PR can be merged. Change @tailwind utilities; to @import "tailwindcss"; in both files.

Additional items to verify:

• If tailwind.config.js contains custom configuration, it must be explicitly loaded with @config "../../tailwind.config.js"; at the top of your CSS file (or migrated to CSS-first format using @theme)
• Ensure tailwind.config.js is no longer auto-detected in v4 and add the @config directive if needed
• If any .svelte, .vue, or other component files use <style> blocks with Tailwind, verify they reference the updated CSS or use the new v4 syntax