chore(deps): combine compatible Dependabot bumps

[barakb]

Summary

Combines 12 compatible Dependabot PRs into a single, CI-green change. Manifests were edited and lockfiles regenerated once (uv lock, npm install) to avoid the lockfile conflicts that arise from merging the Dependabot branches individually.

Python (uv) — pyproject.toml + uv.lock

• falkordb ~=1.6.1 (chore(deps): bump falkordb from 1.6.0 to 1.6.1 #568)
• pymysql ~=1.2.0 (chore(deps): bump pymysql from 1.1.2 to 1.2.0 #586)
• graphiti-core >=0.29.1 (chore(deps): bump graphiti-core from 0.28.2 to 0.29.1 #589)
• python-multipart ~=0.0.29 (chore(deps): bump python-multipart from 0.0.27 to 0.0.29 #588)
• pytest-playwright ~=0.8.0 (chore(deps-dev): bump pytest-playwright from 0.7.2 to 0.8.0 #585)
• urllib3 2.7.0 — transitive (chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in the uv group across 1 directory #573)

GitHub Actions (SHA pins)

• docker/login-action v4 (chore(deps): bump docker/login-action from 4.1.0 to 4.2.0 #579)
• docker/metadata-action v6 (chore(deps): bump docker/metadata-action from 6.0.0 to 6.1.0 #577)
• docker/build-push-action v7 (chore(deps): bump docker/build-push-action from 7.1.0 to 7.2.0 #578)
• astral-sh/setup-uv v8.1.0 (chore(deps): bump astral-sh/setup-uv from 5.4.2 to 8.1.0 #565)
• actions/dependency-review-action v4 (chore(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 #564)

npm (app/)

• @vitejs/plugin-react-swc ^4.3.1 + postcss ^8.5.15 (npm minor/patch group, chore(deps-dev): bump the npm-minor-patch group across 1 directory with 2 updates #587)

Excluded (major bumps — handle separately)

These cannot pass CI without substantial out-of-scope migration and are intentionally left as standalone PRs:

• chore(deps): bump react-dom and @types/react-dom in /app #489 react-dom 19 — forces react 19, cascading into breaking bumps of next-themes and react-day-picker (v8→v9 breaking calendar API).
• chore(deps-dev): bump vite from 7.3.2 to 8.0.10 in /app #555 vite 8 — coupled to the React 19 peer chain; pulls @vitejs/devtools.
• chore(deps-dev): bump tailwindcss from 3.4.18 to 4.2.4 in /app #556 tailwindcss 4 — full CSS-engine/config-format migration (currently conflicting).

Validation (local)

• cd app && npm ci && npm run build passed
• uv sync --locked --all-extras passed
• unit tests: 142 passed, 10 skipped
• make lint (pylint 10.00/10 + eslint) passed

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflows for dependency review, Docker publishing, and test tooling to use newer pinned action versions.
  • Bumped JavaScript dev dependencies for the frontend build tooling.
  • Upgraded Python backend dependencies, database drivers, core libraries, and test tooling for compatibility and stability.

[railway-app]

This PR was not deployed automatically as @barakb does not have access to the Railway project.

In order to get automatic PR deploys, please add @barakb to your workspace on Railway.

[overcut-ai]

Completed Working on "Code Review"

✅ Code review complete. No issues found - all changes look good! ✅

✅ Workflow completed successfully.

---

👉 View complete log

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 5 package(s) with unknown licenses.

See the Details below.

License Issues

uv.lock

Package	Version	License	Issue Type
falkordb	1.6.1	Null	Unknown License
graphiti-core	0.29.1	Null	Unknown License
pymysql	1.2.0	Null	Unknown License
pytest-playwright	0.8.0	Null	Unknown License
python-multipart	0.0.29	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
npm/@rolldown/pluginutils	1.0.1	Unknown	Unknown
npm/@vitejs/plugin-react-swc	4.3.1	🟢 7.4	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 3 Found 7/22 approved changesets -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 7 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected SAST 🟢 7 SAST tool is not run on all commits -- score normalized to 7
npm/nanoid	3.3.12	🟢 5.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 4/29 approved changesets -- score normalized to 1 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 7 SAST tool is not run on all commits -- score normalized to 7
npm/postcss	8.5.15	🟢 6.2	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 0 Found 2/27 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/falkordb	1.6.1	Unknown	Unknown
pip/graphiti-core	0.29.1	Unknown	Unknown
pip/pymysql	1.2.0	Unknown	Unknown
pip/pytest-playwright	0.8.0	Unknown	Unknown
pip/python-multipart	0.0.29	Unknown	Unknown
pip/urllib3	2.7.0	Unknown	Unknown

Scanned Files

• .github/workflows/tests.yml
• app/package-lock.json
• uv.lock

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 90ba4034-6ae7-405e-998e-8ee6bfaf066e

📥 Commits

Reviewing files that changed from the base of the PR and between efd850d and bc3d5c8.

📒 Files selected for processing (1)

• .github/workflows/dependency-review.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/dependency-review.yml

---

📝 Walkthrough

Walkthrough

GitHub Actions and tooling pins are updated: dependency-review, Docker publish, and test setup actions; Node devDeps (@vitejs/plugin-react-swc, postcss) bumped; Python dependencies (falkordb, pymysql, graphiti-core, python-multipart, pytest-playwright) advanced across pyproject sections.

Changes

Dependency Version Updates

Layer / File(s)	Summary
GitHub Actions workflow pinning .github/workflows/dependency-review.yml, .github/workflows/publish-docker.yml, .github/workflows/tests.yml	Dependency Review, Docker publish, and test setup GitHub Actions are pinned to newer commit SHAs for CI/CD automation.
Node.js development dependencies app/package.json	Vite React SWC plugin and PostCSS development dependencies are bumped to patch versions.
Python project and development dependencies pyproject.toml	Core database packages (falkordb, pymysql), optional graphiti-core, server python-multipart, and dev pytest-playwright are updated across configuration sections.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• FalkorDB/QueryWeaver#504: Updates the astral-sh/setup-uv action pinning in .github/workflows/tests.yml to a different version (v7.6.0), directly modifying the same workflow step.

Poem

🐰 I hopped through pins and bumped each line,
Actions, plugins, packages—now aligned,
A tiny patch, a careful prance,
Dependencies updated—time to dance!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: consolidating compatible Dependabot dependency updates across Python, GitHub Actions, and npm packages into a single pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/combined-dependabot

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}