Collaborator

@kingston kingston commented Dec 19, 2025

Upgrade dependencies:

  • Storybook 9.0.18 → 10.1.10
  • TRPC 11.7.2 → 11.8.0
  • MCP SDK 1.23.0 → 1.25.1
  • eslint-plugin-storybook 9.0.18 → 10.1.10

Summary by CodeRabbit

Release Notes

  • Chores
    • Upgraded Storybook framework and related development tools from version 9.0.18 to 10.1.10 across all packages.
    • Upgraded TRPC client and server libraries from version 11.7.2 to 11.8.0.
    • Upgraded MCP SDK from version 1.23.0 to 1.25.1 for improved reliability.


vercel bot commented Dec 19, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Review | Updated (UTC)
baseplate-project-builder-web | Ready | Preview, Comment | Dec 19, 2025 1:56pm


changeset-bot bot commented Dec 19, 2025

🦋 Changeset detected

Latest commit: 6032f07

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages
Name | Type
@baseplate-dev/project-builder-server | Patch
@baseplate-dev/project-builder-web | Patch
@baseplate-dev/ui-components | Patch
@baseplate-dev/tools | Patch
@baseplate-dev/project-builder-cli | Patch
@baseplate-dev/project-builder-common | Patch
@baseplate-dev/project-builder-test | Patch
@baseplate-dev/project-builder-lib | Patch
@baseplate-dev/plugin-auth | Patch
@baseplate-dev/plugin-queue | Patch
@baseplate-dev/plugin-storage | Patch
@baseplate-dev/code-morph | Patch
@baseplate-dev/core-generators | Patch
@baseplate-dev/create-project | Patch
@baseplate-dev/fastify-generators | Patch
@baseplate-dev/react-generators | Patch
@baseplate-dev/sync | Patch
@baseplate-dev/utils | Patch


coderabbitai bot commented Dec 19, 2025

Walkthrough

This PR upgrades dependencies across multiple packages including Storybook (9.0.18 to 10.1.10), TRPC (11.7.2 to 11.8.0), MCP SDK (1.23.0 to 1.25.1), and eslint-plugin-storybook. It also refactors the Storybook configuration to replace dynamic path resolution with literal strings.

Changes

Cohort / File(s) | Summary
Changelog Entry: .changeset/upgrade-dependencies.md | Documents the version upgrades for all affected packages
TRPC & MCP SDK Updates: packages/project-builder-server/package.json | Updates @trpc/server from ^11.7.2 to ^11.8.0 and @modelcontextprotocol/sdk from ^1.23.0 to ^1.25.1
TRPC Client Update: packages/project-builder-web/package.json | Updates @trpc/client and @trpc/server from ^11.7.2 to ^11.8.0
ESLint Plugin Update: packages/tools/package.json | Updates eslint-plugin-storybook from 9.0.18 to 10.1.10
Storybook Configuration Refactoring: packages/ui-components/.storybook/main.ts | Removes the getAbsolutePath() helper function and replaces dynamic path resolutions with literal strings for addons and framework configuration
Storybook Dependencies: packages/ui-components/package.json | Updates Storybook and related devDependencies from 9.0.18 to 10.1.10

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Storybook major version upgrade (9 → 10) requires verification for breaking changes and compatibility with the refactored configuration
  • TRPC and MCP SDK minor/patch updates are lower risk but should be checked for any behavioral changes
  • Storybook config refactoring from dynamic to literal strings is straightforward but needs testing to ensure all addons load correctly

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'chore: Upgrade dependencies' accurately and concisely summarizes the main change in the pull request, which consists entirely of upgrading multiple dependencies across packages.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 18c7cf1 and 6032f07.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • .changeset/upgrade-dependencies.md (1 hunks)
  • packages/project-builder-server/package.json (1 hunks)
  • packages/project-builder-web/package.json (1 hunks)
  • packages/tools/package.json (1 hunks)
  • packages/ui-components/.storybook/main.ts (1 hunks)
  • packages/ui-components/package.json (2 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
packages/ui-components/**

📄 CodeRabbit inference engine (AGENTS.md)

The @baseplate-dev/ui-components package provides 52+ production-ready components including Basic, Form, Layout, Interactive, and Display components with Storybook documentation

Files:

  • packages/ui-components/package.json
.changeset/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Add a new Changeset in the .changeset/ directory for new features or changes, with format 'package-name': patch and description of the feature or change

Files:

  • .changeset/upgrade-dependencies.md
🧠 Learnings (14)
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Applies to examples/blog-with-auth/**/package.json : Enforce pnpm 10+ as the package manager

Applied to files:

  • packages/ui-components/package.json
  • packages/tools/package.json
📚 Learning: 2025-11-25T22:46:20.505Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T22:46:20.505Z
Learning: Applies to packages/ui-components/** : The baseplate-dev/ui-components package provides 52+ production-ready components including Basic, Form, Layout, Interactive, and Display components with Storybook documentation

Applied to files:

  • packages/ui-components/package.json
  • .changeset/upgrade-dependencies.md
📚 Learning: 2025-11-25T22:46:20.505Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T22:46:20.505Z
Learning: Applies to **/*.{ts,tsx} : Import components from 'baseplate-dev/ui-components' package for UI development (e.g., Button, Input, Card, Dialog, etc.)

Applied to files:

  • packages/ui-components/package.json
📚 Learning: 2025-11-24T19:45:27.654Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/ui-rules.mdc:0-0
Timestamp: 2025-11-24T19:45:27.654Z
Learning: Applies to +(*.tsx|packages/project-builder-web/**/*.tsx|packages/ui-components/**/*.tsx) : Use ShadCN-based components from `baseplate-dev/ui-components` instead of creating custom components

Applied to files:

  • packages/ui-components/package.json
  • .changeset/upgrade-dependencies.md
  • packages/ui-components/.storybook/main.ts
📚 Learning: 2025-11-24T19:44:46.506Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/todo-with-auth0/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:46.506Z
Learning: Use pnpm 10+ as the package manager (enforced)

Applied to files:

  • packages/ui-components/package.json
📚 Learning: 2025-08-17T01:32:58.983Z
Learnt from: kingston
Repo: halfdomelabs/baseplate PR: 633
File: packages/project-builder-web/src/routes/admin-sections.$appKey/-components/columns/column-configs.ts:1-2
Timestamp: 2025-08-17T01:32:58.983Z
Learning: The project-builder-web package doesn't use ESM (ECMAScript modules), so .js extensions are not required in import statements, unlike other packages in the codebase that do use Node 16 ESM resolution.

Applied to files:

  • packages/project-builder-web/package.json
📚 Learning: 2025-04-21T06:32:22.476Z
Learnt from: kingston
Repo: halfdomelabs/baseplate PR: 505
File: packages/create-project/tsconfig.json:6-6
Timestamp: 2025-04-21T06:32:22.476Z
Learning: Since TypeScript 4.1, baseUrl is not required for paths mapping in tsconfig.json. Removing baseUrl and using explicit relative paths with "./" prefix (e.g., changing "src/*": ["src/*"] to "src/*": ["./src/*"]) prevents bare path imports from node_modules while maintaining path alias functionality.

Applied to files:

  • packages/ui-components/.storybook/main.ts
📚 Learning: 2025-04-21T06:32:22.476Z
Learnt from: kingston
Repo: halfdomelabs/baseplate PR: 505
File: packages/create-project/tsconfig.json:6-6
Timestamp: 2025-04-21T06:32:22.476Z
Learning: Since TypeScript 4.1, baseUrl is not required for paths mapping when using explicit relative paths (with "./"). Removing baseUrl from tsconfig.json while updating paths to use relative paths (e.g., changing "src/*": ["src/*"] to "src/*": ["./src/*"]) prevents bare path imports from node_modules while maintaining path alias functionality.

Applied to files:

  • packages/ui-components/.storybook/main.ts
📚 Learning: 2025-11-24T19:45:01.582Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/code-style.mdc:0-0
Timestamp: 2025-11-24T19:45:01.582Z
Learning: Applies to **/*.{ts,tsx} : Include absolute paths in import statements via tsconfig paths (`src/` is the alias for `src/`)

Applied to files:

  • packages/ui-components/.storybook/main.ts
📚 Learning: 2025-07-14T12:02:36.595Z
Learnt from: kingston
Repo: halfdomelabs/baseplate PR: 609
File: packages/ui-components/src/components/badge/badge-with-icon.stories.tsx:3-3
Timestamp: 2025-07-14T12:02:36.595Z
Learning: For TypeScript/TSX files: `#src/` is the new path alias standard for `src/` directory imports, replacing the previous `src/` convention.

Applied to files:

  • packages/ui-components/.storybook/main.ts
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Applies to examples/blog-with-auth/**/*.{ts,tsx,js,jsx} : Follow ESM module resolution with TypeScript's `NodeNext` setting

Applied to files:

  • packages/ui-components/.storybook/main.ts
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Applies to examples/blog-with-auth/**/tsconfig.json : Use `NodeNext` module resolution in TypeScript configuration

Applied to files:

  • packages/ui-components/.storybook/main.ts
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Applies to examples/blog-with-auth/**/*.test.ts : Import test functions explicitly from 'vitest' instead of relying on globals (e.g., `import { describe, expect, it } from 'vitest';`)

Applied to files:

  • packages/ui-components/.storybook/main.ts
📚 Learning: 2025-11-24T19:44:46.506Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/todo-with-auth0/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:46.506Z
Learning: Applies to examples/todo-with-auth0/**/*.{unit,int}.test.ts : Import test functions explicitly from 'vitest' instead of using globals. Example: `import { describe, expect, it } from 'vitest';`

Applied to files:

  • packages/ui-components/.storybook/main.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Verify Sync (blog-with-auth)
  • GitHub Check: Verify Sync (todo-with-auth0)
  • GitHub Check: test
  • GitHub Check: Test E2E
  • GitHub Check: Lint
🔇 Additional comments (6)
.changeset/upgrade-dependencies.md (1)

1-12: LGTM!

The changeset format is correct and comprehensively lists all affected packages and dependency upgrades. The patch-level classification is appropriate for dependency updates.

packages/project-builder-server/package.json (1)

62-63: MCP SDK 1.25.1 and TRPC 11.8.0 upgrades are safe.

MCP SDK 1.25.1 is the latest version, representing minor updates from 1.23.0. TRPC is very strict with semantic versioning and will never introduce breaking changes in a minor version bump, so the upgrade from 11.7.2 to 11.8.0 is a safe patch release. Both upgrades are reasonable and ready to approve.

packages/project-builder-web/package.json (1)

68-69: TRPC 11.8.0 is a recent stable release with no breaking changes.

Both @trpc/client and @trpc/server are at version 11.8.0, recently published. tRPC strictly adheres to semantic versioning and never introduces breaking changes in minor version bumps, so the upgrade from 11.7.2 to 11.8.0 is safe. The matching versions between client and server ensure consistency.

packages/tools/package.json (1)

70-70: The eslint-plugin-storybook upgrade to 10.1.10 is compatible with Storybook 10.

eslint-plugin-storybook 10.1.10 is the latest version, and the package is now part of the Storybook monorepo since version 9. Version ^0.10.0 of the plugin is compatible with ESLint ^9.0.0 and ESLint ^8.57.0, which aligns with Storybook 10's requirements. No breaking changes have been identified between version 9.0.18 and 10.1.10 that would impact Storybook compatibility.

packages/ui-components/package.json (1)

91-94: Storybook 10.1.10 upgrade is properly implemented with ESM configuration.

The main breaking change in Storybook 10 is the ESM-only requirement. Configuration files must be valid ESM, using import instead of require, with __dirname and __filename unavailable. All configuration files in packages/ui-components (.storybook/main.ts, .storybook/preview.tsx, .storybook/manager.ts) properly use ESM syntax with import/export statements. All Storybook packages are consistently upgraded to 10.1.10, and there are no breaking changes in 10.1.x beyond the main 10.0 breaking changes.

packages/ui-components/.storybook/main.ts (1)

6-8: Direct addon and framework paths are the current best practice for Storybook 10.x.

The configuration in the file correctly uses simple string literals for both addons and the framework. This aligns with Storybook's official "Configure Storybook" documentation, which shows simple string literals like '@storybook/addon-docs' and '@storybook/your-framework' as the standard pattern. While the FAQ documentation recommends getAbsolutePath for resolving packages in specific scenarios like Yarn PnP or monorepos, the simpler approach used here is appropriate for standard setups and avoids known compatibility issues. The change is correct and represents a clean, modern configuration approach.



@kingston kingston merged commit a173074 into main Dec 19, 2025
14 checks passed
@kingston kingston deleted the kingston/eng-934-upgrade-internal-vulnerable-dependencies branch December 19, 2025 13:59
@github-actions github-actions bot mentioned this pull request Dec 19, 2025