
fix: update and reorganize the dependencies #5131

Open

mdeliatf wants to merge 27 commits into traefik:master from mdeliatf:fix/update-deps-2782

Conversation

@mdeliatf (Contributor) commented Apr 10, 2026

Description

  • Move build/release tooling to devDependencies. Tools only used at build or release time were incorrectly listed as runtime dependencies.
  • Update Node.js to v24.14.1.
  • Update Yarn to the latest stable version.
  • Update runtime dependencies: Radix UI, floating-ui, vanilla-extract, datepicker, and tinycolor2.
  • Update dev tooling: Babel, Jest, ESLint, Vite, TypeScript, Husky, and other dev dependencies. Some notable decisions:
    • TypeScript stays on 5.8.3 — TS6 forces moduleResolution: bundler and deprecates target: es5, both of which break Stitches compatibility.
    • ESLint stays on 9.x — ESLint 10 was not evaluated for this PR. @eslint/js is capped at 9.39.4 accordingly.
    • eslint-plugin-react-hooks updated to v7 but React Compiler rules disabled — v7's recommended preset enables 15 compiler rules that cause false positives on valid floating-ui patterns.
    • Vite updated to v8 (now uses Rolldown instead of Rollup internally). Build output and filenames are unaffected thanks to the explicit fileName function.
    • Removed @eslint/compat, babel-loader, webpack, @babel/plugin-transform-react-pure-annotations, and @mdx-js/react — all either unused or already provided transitively.
  • Replace lodash.merge with a native deep merge utility, removing the dependency entirely in favor of a lightweight custom implementation with full test coverage.
  • Fix AriaTable types.
  • Reduce and clean up resolutions. Removed entries where the pinned version equals the npm latest, since Yarn would resolve identically without them. Kept only resolutions that actively block too-new transitive dependencies.
  • Update the Aikido Safe Chain minimum package age from 15 days to 3 days across all CI workflows, and document the 3-day pinning policy in CLAUDE.md. Pin Safe Chain itself to version 1.4.7 with SHA512 verification instead of always pulling latest.

Fix https://github.com/traefik/hub-issues/issues/2782

Preview

No visual changes.

Dependency changes


Dependencies

| Dependency | Version | State |
|---|---|---|
| @floating-ui/react | ^0.26.25 -> 0.27.19 | Updated |
| @radix-ui/colors | ^2.1.0 -> 2.1.0 | Pinned |
| @radix-ui/react-accessible-icon | ^1.1.2 -> 1.1.8 | Updated |
| @radix-ui/react-accordion | ^1.2.0 -> 1.2.12 | Updated |
| @radix-ui/react-alert-dialog | ^1.0.2 -> 1.1.15 | Updated |
| @radix-ui/react-aspect-ratio | ^1.0.1 -> 1.1.8 | Updated |
| @radix-ui/react-avatar | ^1.0.1 -> 1.1.11 | Updated |
| @radix-ui/react-checkbox | ^1.0.1 -> 1.3.3 | Updated |
| @radix-ui/react-context-menu | ^2.0.1 -> 2.2.16 | Updated |
| @radix-ui/react-dialog | ^1.0.2 -> 1.1.15 | Updated |
| @radix-ui/react-dropdown-menu | ^2.0.1 -> 2.1.16 | Updated |
| @radix-ui/react-icons | ^1.3.2 -> 1.3.2 | Pinned |
| @radix-ui/react-id | ^1.0.0 -> 1.1.1 | Updated |
| @radix-ui/react-label | ^2.0.0 -> 2.1.8 | Updated |
| @radix-ui/react-navigation-menu | ^1.2.0 -> 1.2.14 | Updated |
| @radix-ui/react-popover | ^1.1.2 -> 1.1.15 | Updated |
| @radix-ui/react-portal | ^1.0.1 -> 1.1.10 | Updated |
| @radix-ui/react-progress | ^1.0.1 -> 1.1.8 | Updated |
| @radix-ui/react-radio-group | ^1.1.0 -> 1.3.8 | Updated |
| @radix-ui/react-separator | ^1.0.1 -> 1.1.8 | Updated |
| @radix-ui/react-slider | ^1.1.0 -> 1.3.6 | Updated |
| @radix-ui/react-slot | ^1.0.1 -> 1.2.4 | Updated |
| @radix-ui/react-switch | ^1.0.1 -> 1.2.6 | Updated |
| @radix-ui/react-tabs | ^1.0.1 -> 1.1.13 | Updated |
| @radix-ui/react-toggle | ^1.0.1 -> 1.1.10 | Updated |
| @radix-ui/react-toggle-group | ^1.0.1 -> 1.1.11 | Updated |
| @radix-ui/react-tooltip | ^1.1.6 -> 1.2.8 | Updated |
| @radix-ui/react-use-layout-effect | ^1.0.0 -> 1.1.1 | Updated |
| @radix-ui/react-visually-hidden | ^1.0.1 -> 1.2.4 | Updated |
| @rehookify/datepicker | ^6.6.7 -> 6.6.8 | Updated |
| lodash.merge | ^4.6.2 | Removed |
| @semantic-release/commit-analyzer | ^13.0.1 | Moved to devDependencies |
| @semantic-release/github | ^12.0.6 | Moved to devDependencies |
| @semantic-release/npm | ^13.1.5 | Moved to devDependencies |
| @semantic-release/release-notes-generator | ^14.1.0 | Moved to devDependencies |
| semantic-release | ^25.0.3 | Moved to devDependencies |

devDependencies

| Dependency | Version | State |
|---|---|---|
| @babel/core | ^7.15.4 -> 7.29.0 | Updated |
| @babel/plugin-transform-react-pure-annotations | ^7.16.7 | Removed |
| @babel/preset-env | ^7.16.11 -> 7.29.2 | Updated |
| @babel/preset-react | ^7.16.7 -> 7.28.5 | Updated |
| @babel/preset-typescript | ^7.16.7 -> 7.28.5 | Updated |
| @semantic-release/commit-analyzer | 13.0.1 | Moved from dependencies |
| @semantic-release/github | 12.0.6 | Moved from dependencies |
| @semantic-release/npm | 13.1.5 | Moved from dependencies |
| @semantic-release/release-notes-generator | 14.1.0 | Moved from dependencies |
| @types/jest | ^27.4.1 -> 30.0.0 | Updated |
| @types/lodash.merge | ^4.6.6 | Removed |
| babel-jest | ^27.5.1 -> 30.3.0 | Updated |
| babel-loader | ^8.2.2 | Removed |
| conventional-changelog-conventionalcommits | ^9.2.0 -> 9.3.1 | Updated |
| jest | ^27.5.1 -> 30.3.0 | Updated |
| jest-environment-jsdom | 30.3.0 | Added |
| semantic-release | 25.0.3 | Moved from dependencies |

Breaking changes

N/A

How to test?

  • yarn install completes without safe-chain suppression warnings for installed packages
  • yarn build succeeds
  • yarn test:ci passes
  • yarn storybook starts without errors

Good PR checkboxes

  • Change has been tested
  • Added/Updated tests
  • Added/Updated stories
  • PR follows conventions
  • Labels are set
  • Project is linked

Good Review checkboxes

ℹ️ Copy the snippet and paste in the review field to fill it
- [ ] I've tested the changes
- [ ] I've agreed on the unit tests (soon to come)
- [ ] I've checked the stories
- [ ] I've read the code and understood it
- [ ] I don't have any more questions
- [ ] I've described any optional improvements
- [ ] I checked PR follows [conventions](https://github.com/traefik/faency#how-to-contribute)
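The PR replaces lodash.merge with a native deep merge. The following is an added example, not the PR's own implementation, of what such a replacement needs to get right: lodash-style merge semantics plus a guard against prototype-polluting keys, which is the defect class that a hand-rolled merge of untrusted input most often reintroduces. The `deepMerge`/`demo` names and the theme-shaped sample objects are constructed for this example and are not Faency's real schema.

```javascript
// Keys that would rewrite an object's prototype chain when assigned through
// a merge; a generic merge must never copy these from untrusted input.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (literal or null-prototype) are merged recursively;
// class instances, Dates, Maps etc. are treated as leaf values.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Merges `sources` into `target` (mutating and returning it), following the
// lodash.merge rules that matter for config objects: plain objects merge key
// by key, arrays merge index by index, other values are overwritten, and an
// `undefined` source value leaves the target untouched.
function deepMerge(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source) && !Array.isArray(source)) continue;
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue; // prototype-pollution guard
      const srcVal = source[key];
      const tgtVal = target[key];
      if (isPlainObject(srcVal)) {
        target[key] = deepMerge(isPlainObject(tgtVal) ? tgtVal : {}, srcVal);
      } else if (Array.isArray(srcVal)) {
        target[key] = deepMerge(Array.isArray(tgtVal) ? tgtVal : [], srcVal);
      } else if (srcVal !== undefined) {
        target[key] = srcVal;
      }
    }
  }
  return target;
}

// Constructed sample (hypothetical theme config): a base theme, a user
// override, and a payload shaped like JSON.parse output from an untrusted
// source that carries an own "__proto__" key.
function demo() {
  const base = { colors: { primary: 'blue', text: 'black' }, sizes: [1, 2, 3] };
  const override = { colors: { primary: 'red' }, sizes: [10] };
  const hostile = JSON.parse('{"__proto__": {"polluted": true}, "colors": {"text": "white"}}');
  const merged = deepMerge(base, override, hostile);
  // Object.prototype must be untouched after merging the hostile payload.
  return { merged, polluted: ({}).polluted === true };
}

console.log(JSON.stringify(demo()));
```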

mdeliatf self-assigned this Apr 10, 2026
mdeliatf closed this Apr 10, 2026
mdeliatf reopened this Apr 10, 2026
mdeliatf force-pushed the fix/update-deps-2782 branch 2 times, most recently from 4d38101 to 1e7189f on April 10, 2026 12:45
mdeliatf changed the title from "fix: update Yarn and reorganize dependencies" to "feat: update Yarn and reorganize dependencies" Apr 10, 2026
mdeliatf force-pushed the fix/update-deps-2782 branch 4 times, most recently from 5a635d2 to 2962e61 on April 13, 2026 08:45
mdeliatf requested a review from gndz07 April 13, 2026 09:36
mdeliatf changed the title from "feat: update Yarn and reorganize dependencies" to "fix: update and reorganize the dependencies" Apr 13, 2026
@darkweaver87 (Contributor) left a comment

Could you separate CI changes from faency ones? Also I'm unsure why `--production` has been removed?

@mdeliatf (Contributor, Author) commented Apr 13, 2026

> Could you separate CI changes from faency ones? Also I'm unsure why `--production` has been removed?

Sure, I will open another PR!

`--production` was removed because it's coupled to the dependency move in d30a75a: build and release tools (vite, semantic-release, etc.) were moved from `dependencies` to `devDependencies`. With `--production`, Yarn skips `devDependencies`, so the build/release steps would fail since those tools would no longer be installed.

The reason they were moved to `devDependencies` in the first place is exactly to avoid bundling them with Faency when it's installed in a consumer project. Having build/release tools in `dependencies` meant they were being shipped to consumers, which caused unnecessary security warnings in those projects whenever one of those tools was outdated; tools that had no business being there in the first place.

So consumers still only get `dependencies`, not `devDependencies`; `--production` just isn't needed in CI anymore, in my opinion, to enforce that.

EDIT: It's worth mentioning that this is a specific scenario caused by Faency being a library rather than a standard frontend project. When publishing to npm, the `package.json` is included in the published package, and package managers in the host project will automatically install everything listed under `dependencies`, but not `devDependencies`. So whatever ends up in `dependencies` gets pulled into every project that installs Faency, which is why keeping build and release tools out of it matters.

mdeliatf force-pushed the fix/update-deps-2782 branch from 0b11c33 to 3b0e0e2 on April 13, 2026 15:08
@gndz07 (Member) left a comment

LGTM

mdeliatf force-pushed the fix/update-deps-2782 branch from 3b0e0e2 to 5e61936 on April 14, 2026 09:09