
chore(deps): bump bcryptjs, vite, @hono/node-server, zod for security #23

Draft: yokoszn wants to merge 1 commit into main from claude/update-security-deps-e7WL0


yokoszn (Collaborator) commented Apr 26, 2026

Summary

Security-relevant dependency upgrades:

| Package | From | To | Notes |
|---|---|---|---|
| bcryptjs | ^2.4.3 | ^3.0.3 | constant-time comparison improvements; ships own types (drops @types/bcryptjs) |
| vite | ^5.0.11 | ^8.0.10 | CVE-2025-31125 (SSRF), CVE-2025-46565 (path traversal) |
| @hono/node-server | ^1.12.1 | ^2.0.0 | drops Node 18 (repo already requires Node ≥22) |
| zod | ^3.23.8 | ^4.3.6 | improved type-narrowing, new error API |

Cascading bumps required for compatibility

  • figue 2 → 3 (zod 4 / standard-schema spec)
  • unocss 0.64 → 66, @unocss/reset 0.64 → 66, vite-plugin-solid 2.11.6 → 2.11.12 (vite 8 peer)
  • vitest 3 → 4 and @vitest/coverage-v8 3 → 4 (vite 8 peer)
  • catalog @types/node 22.5 → 22.12 (vite 8 peer)
  • app-client tsconfig.json moduleResolution: node → bundler (vite 8 ships ESM-only types)

Code adjustments

  • validation.ts: error.errors → error.issues (zod 4 rename).
  • Tests: schema option required_error: '…' → error: '…'; updated expected default messages (Unrecognized key: "foo", Invalid string: must start with …, Invalid input: expected "<literal>").
  • notes.routes.ts: removed two @ts-expect-error directives — zod 4 now accepts z.enum(readonly array).
  • vite.config.ts: defineConfig imported from vitest/config so the test field still typechecks under vite 8.

Verification

All workspace tests pass (62 app-server + 29 app-client + 27 lib + 26 crypto + 7 cli). Typecheck and production builds (app-client, app-server, docs) all succeed. Smoke-tested the built node server: serve() from @hono/node-server v2 starts and serves API requests correctly with the same options shape used in v1.

Test plan

  • pnpm install succeeds without unexpected peer-dep failures
  • pnpm -r test passes
  • pnpm -F @enclosed/app-client run build produces a working bundle
  • pnpm -F @enclosed/app-server run build:node produces a working CJS bundle
  • Manual: log in with an existing bcrypt password hash to confirm bcryptjs v3 compare still verifies v2-generated hashes
  • Manual: docs users-authentication-key-generator page still hashes passwords client-side

https://claude.ai/code/session_012SsqAq1heXEWfPgS1BukkN


Generated by Claude Code
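
The manual check in the test plan (an existing hash must still verify under bcryptjs v3) can be scoped by first listing which hash variants and cost factors are actually stored. This is an added example, not code from this PR or the repository; `parseBcryptHash`, `inventoryHashes`, the record shape and the `minCost` default of 10 are assumptions, and the sample hashes are constructed.

```javascript
// Modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Returns { variant, cost } for a well-formed bcrypt string, otherwise null.
function parseBcryptHash(hash) {
  if (typeof hash !== 'string') return null;
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt cost is limited to 4..31
  return { variant: m[1], cost };
}

// Hypothetical helper: summarise stored hashes so the login check after the
// upgrade covers every variant/cost pair that exists in the data.
function inventoryHashes(records, minCost = 10) { // minCost is an assumed policy
  const report = { total: records.length, malformed: [], belowMinCost: [], representatives: {} };
  for (const { id, hash } of records) {
    const parsed = parseBcryptHash(hash);
    if (!parsed) { report.malformed.push(id); continue; }
    if (parsed.cost < minCost) report.belowMinCost.push(id);
    const key = `${parsed.variant}/${parsed.cost}`;
    // Keep the first account seen per variant/cost pair as the login test case.
    if (!(key in report.representatives)) report.representatives[key] = id;
  }
  return report;
}

// Constructed records: well-formed strings, not digests of real passwords.
const body = 'A'.repeat(22) + 'B'.repeat(31);
const SAMPLE = [
  { id: 'u1', hash: '$2a$10$' + body },
  { id: 'u2', hash: '$2a$10$' + body },
  { id: 'u3', hash: '$2b$12$' + body },
  { id: 'u4', hash: '$2y$08$' + body },
  { id: 'u5', hash: '$2a$10$' + body.slice(1) }, // truncated column value
  { id: 'u6', hash: 'plaintext-or-other-scheme' },
];

console.log(inventoryHashes(SAMPLE));
```

Accounts listed under `representatives` are the ones to log in with after the upgrade; anything under `malformed` needs investigation regardless of library version.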

- bcryptjs 2 → 3 (constant-time comparison improvements; ships own types)
- vite 5 → 8 (CVE-2025-31125 SSRF, CVE-2025-46565 path traversal)
- @hono/node-server 1 → 2 (drops Node 18, refreshed adapter API)
- zod 3 → 4 (improved type-narrowing, new error API)

Cascading bumps required for compatibility:
- figue 2 → 3 (zod 4 / standard-schema spec)
- unocss 0.64 → 66, vite-plugin-solid 2.11.6 → 2.11.12 (vite 8 peer)
- vitest 3 → 4 (vite 8 peer)
- @types/node 22.5 → 22.12 (vite 8 peer)
- app-client tsconfig moduleResolution: node → bundler (vite 8)

Code adjustments:
- error.errors → error.issues, required_error → error (zod 4)
- updated test expectations for zod 4 default messages
- removed obsolete @ts-expect-error on z.enum(readonly array)
- vite.config defineConfig now imported from vitest/config to keep test field types

coderabbitai Bot commented Apr 26, 2026
Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@cloudflare-workers-and-pages

Deploying enclosed-twn with Cloudflare Pages

Latest commit: 45a15dc
Status: ✅ Deploy successful!
Preview URL: https://99417282.enclosed-twn.pages.dev
Branch Preview URL: https://claude-update-security-deps.enclosed-twn.pages.dev

@github-actions

⚡ Cloudflare Pages Deployment

| Name | Status | Preview | Last Commit |
|---|---|---|---|
| enclosed-docs | ❌ Failed (View Log) | | 45a15dc |

built with Refined Cloudflare Pages Action

@github-actions

⚡ Cloudflare Pages Deployment

| Name | Status | Preview | Last Commit |
|---|---|---|---|
| enclosed | ❌ Failed (View Log) | | 45a15dc |

built with Refined Cloudflare Pages Action
