
chore: Reduce npm vulnerability and attack surface across workspace #43

Merged

mattinannt merged 6 commits into main from codex/reduce-npm-attack-surface on Mar 29, 2026

Conversation

@mattinannt
Member

Summary

This PR reduces the npm vulnerability and attack surface of the workspace by simplifying the frontend/tooling stack and removing avoidable dependencies from both the app and the SDK package.

What changed

  • migrate apps/playground from Next.js to Vite + React
  • replace the repo ESLint/Prettier stack with a single Biome setup
  • replace vite-plugin-dts with plain tsc declaration emit in @formbricks/js
  • remove explicit Terser usage from @formbricks/js and use Vite's default minifier
  • align the repo's Node engine with the actual Vite 8 minimum
  • split CI into separate build, lint, and test workflows, and enforce lint/typecheck in CI and release

Attack surface reduction

  • removed the Next.js runtime and its Next-specific lint/config chain from apps/playground
  • removed the ESLint, Prettier, and plugin stack in favor of one maintained formatter/linter dependency
  • removed vite-plugin-dts and its API Extractor / Vue language-core dependency chain from the SDK build
  • removed direct Terser usage from the SDK build configuration
  • removed obsolete security overrides and upgraded the workspace to current package versions

Estimated magnitude

  • net reduction of 12 direct packages across the workspace manifests
  • local pnpm audit --json is now clean with 0 vulnerabilities
  • the biggest reductions come from deleting the Next.js app-router stack and the old ESLint/Prettier plus declaration-bundling toolchain

Validation

  • pnpm lint
  • pnpm check-types
  • pnpm build
  • pnpm test
  • pnpm audit --json
  • cd packages/js && npm pack --dry-run
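The two numbers the description reports, the net change in direct packages and what `npm pack --dry-run` would publish, can be checked mechanically in CI. The script below is an added example for this page, not code from the PR or from the Formbricks repository. It assumes constructed toy manifests (`BEFORE`/`AFTER`, not the real workspace package.json files), a constructed pack report in the array-of-tarballs shape that `npm pack --dry-run --json` prints (each entry with a `files` list of `{ path, size, mode }`), and a hypothetical allow/deny policy for an SDK that ships only `dist/` plus package metadata.

```javascript
// Added example, not code from the PR or the Formbricks repository.
// Two checks behind a dependency-reduction PR: the net change in direct
// dependencies across workspace manifests, and a policy check on the file
// list `npm pack --dry-run --json` reports for the SDK tarball.
// BEFORE/AFTER and PACK_REPORT below are constructed toy data; the allow/deny
// policy is a hypothetical one for a package that publishes only `dist/`.

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Names of the direct dependencies one package.json declares.
function directDeps(manifest) {
  const names = new Set();
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(manifest[field] || {})) names.add(name);
  }
  return names;
}

// Union of direct dependencies over every manifest in the workspace.
function workspaceDeps(manifests) {
  const all = new Set();
  for (const manifest of manifests) {
    for (const name of directDeps(manifest)) all.add(name);
  }
  return all;
}

// Which direct packages a change adds and removes, plus the net delta
// (negative means the workspace now declares fewer direct packages).
function diffDirectDeps(beforeManifests, afterManifests) {
  const before = workspaceDeps(beforeManifests);
  const after = workspaceDeps(afterManifests);
  return {
    removed: [...before].filter((n) => !after.has(n)).sort(),
    added: [...after].filter((n) => !before.has(n)).sort(),
    net: after.size - before.size,
  };
}

// Tarball policy (assumed): build output and package metadata may ship;
// env files, registry config, private keys and test files never may.
const ALLOW_PREFIXES = ["dist/"];
const ALLOW_FILES = new Set(["package.json", "README.md", "LICENSE"]);
const DENY_PATTERNS = [/(^|\/)\.env/, /(^|\/)\.npmrc$/, /\.(pem|key)$/, /\.test\.[cm]?[jt]sx?$/];

// Paths in a parsed `npm pack --dry-run --json` report that violate the
// policy; an empty result means the tarball is clean to publish.
function unexpectedPackFiles(packReport) {
  const bad = [];
  for (const tarball of packReport) {
    for (const { path } of tarball.files) {
      const denied = DENY_PATTERNS.some((re) => re.test(path));
      const allowed = ALLOW_FILES.has(path) || ALLOW_PREFIXES.some((p) => path.startsWith(p));
      if (denied || !allowed) bad.push(path);
    }
  }
  return bad.sort();
}

// Constructed manifests: a Next.js app plus an SDK with a declaration-bundling
// and Terser toolchain, then the same two packages after simplification.
const BEFORE = [
  {
    name: "playground",
    dependencies: { next: "example", react: "example", "react-dom": "example" },
    devDependencies: { eslint: "example", "eslint-config-next": "example", prettier: "example", typescript: "example" },
  },
  {
    name: "@formbricks/js",
    devDependencies: { vite: "example", "vite-plugin-dts": "example", terser: "example", eslint: "example", typescript: "example" },
  },
];
const AFTER = [
  {
    name: "playground",
    dependencies: { react: "example", "react-dom": "example" },
    devDependencies: { vite: "example", "@vitejs/plugin-react": "example", typescript: "example" },
  },
  { name: "@formbricks/js", devDependencies: { vite: "example", typescript: "example" } },
];

// Constructed pack report containing two files that must not ship.
const PACK_REPORT = [
  {
    name: "@formbricks/js",
    version: "0.0.0-example",
    files: [
      { path: "dist/index.js", size: 1, mode: 420 },
      { path: "dist/index.d.ts", size: 1, mode: 420 },
      { path: "package.json", size: 1, mode: 420 },
      { path: "README.md", size: 1, mode: 420 },
      { path: ".env", size: 1, mode: 420 },
      { path: "src/index.test.ts", size: 1, mode: 420 },
    ],
  },
];

console.log(diffDirectDeps(BEFORE, AFTER));
console.log(unexpectedPackFiles(PACK_REPORT));
```

In a real pipeline the manifests come from reading each workspace package.json and the pack report from `JSON.parse` of the `npm pack --dry-run --json` output, so a publish job can fail before `pnpm publish` if a stray `.env` or test file lands in the tarball. One caveat on the audit figure in the description: a clean `pnpm audit` means no known advisories for the locked versions, not that the remaining packages are safe; the direct-dependency count and the tarball contents are the measures that track attack surface rather than already-reported vulnerabilities.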

@mattinannt mattinannt marked this pull request as ready for review March 28, 2026 13:11
@coderabbitai

coderabbitai Bot commented Mar 28, 2026

Walkthrough

This pull request refactors the project's tooling infrastructure and the playground application. The playground is migrated from Next.js to Vite with React, including updated build configuration, environment variable prefixes (Next.js to Vite), and removal of Next.js-specific files. The linting and formatting tools are replaced from ESLint and Prettier to Biome across the project. GitHub Actions workflows are updated to include linting and type-checking steps prior to build and test execution. Configuration files for the JavaScript package are updated to remove ESLint and Terser dependencies while adding a dedicated build TypeScript configuration. Build outputs are adjusted to reflect the new tooling (from .next to dist).

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage ⚠️ Warning. Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Description check ✅ Passed. Explanation: The description provides comprehensive detail about the changes, validation steps, and rationale for the refactoring.
  • Title check ✅ Passed. Explanation: The title clearly and concisely describes the main objective: reducing npm vulnerability and attack surface across the workspace, which aligns with the extensive changes including tooling consolidation, dependency removal, and migration from Next.js to Vite.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/playground/package.json`:
- Line 14: The playground's check-types task fails because it depends only on
upstream check-types and not upstream builds, so `@formbricks/js` .d.ts files are
not produced; update turbo.json so the check-types task (the "check-types" entry
for playground) adds a dependency on upstream builds (e.g., add "^build" to
dependsOn or replace "^check-types" with ["^build","^check-types"]) so that
`@formbricks/js` is built (tsc --project tsconfig.build.json) before running type
checks and the dist/index.d.ts exists.

In `@apps/playground/README.md`:
- Line 13: The ordered list item currently starts with "2. Create a `.env` file
with your Formbricks credentials:" which triggers markdownlint MD029; change the
numbering to start at "1." (or make the whole list use incremental 1., 2., ...
starting from 1) so the list uses correct 1/1/1 style; update the line
containing "2. Create a `.env` file with your Formbricks credentials:"
accordingly (search for that exact string in the README and replace the leading
"2." with "1.").

In `@apps/playground/src/app.tsx`:
- Around line 26-34: The formbricks.setup() conditional silently skips
initialization when import.meta.env.VITE_FORMBRICKS_ENVIRONMENT_ID or
import.meta.env.VITE_FORMBRICKS_API_HOST are missing; update the conditional
around formbricks.setup to log a clear console.warn including the missing
variable names (referencing import.meta.env.VITE_FORMBRICKS_ENVIRONMENT_ID and
import.meta.env.VITE_FORMBRICKS_API_HOST) so developers see a warning when
formbricks.setup is not called and know which env var(s) are unset.

In `@apps/playground/src/index.css`:
- Line 3: Update the inline Sonar suppression comment for the Tailwind custom
variant declaration by adding whitespace inside the comment markers: locate the
`@custom-variant` rule (the token "@custom-variant dark (&:is(.dark *));" in the
file) and change the trailing comment from /*NOSONAR*/ to the spaced form /*
NOSONAR */ so Stylelint stops flagging the missing whitespace.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f0df178a-f2de-4bca-9446-346a79097e3b

📥 Commits

Reviewing files that changed from the base of the PR and between 331563e and c80b5f2.

⛔ Files ignored due to path filters (2)
  • apps/playground/src/assets/fb-setup.png is excluded by !**/*.png
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (37)
  • .github/workflows/build.yml
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/sonarqube.yml
  • .github/workflows/test.yml
  • apps/playground/.env.example
  • apps/playground/.gitignore
  • apps/playground/README.md
  • apps/playground/app/dashboard/page.tsx
  • apps/playground/app/layout.tsx
  • apps/playground/components/layout-app.tsx
  • apps/playground/components/sidebar.tsx
  • apps/playground/eslint.config.mjs
  • apps/playground/globals.css
  • apps/playground/index.html
  • apps/playground/lib/utils.ts
  • apps/playground/next.config.ts
  • apps/playground/package.json
  • apps/playground/postcss.config.mjs
  • apps/playground/src/app.tsx
  • apps/playground/src/index.css
  • apps/playground/src/main.tsx
  • apps/playground/tsconfig.json
  • apps/playground/vite.config.ts
  • biome.json
  • package.json
  • packages/js/eslint.config.mjs
  • packages/js/package.json
  • packages/js/src/index.test.ts
  • packages/js/src/index.ts
  • packages/js/src/lib/load-formbricks.test.ts
  • packages/js/src/lib/load-formbricks.ts
  • packages/js/src/types/formbricks.ts
  • packages/js/tsconfig.build.json
  • packages/js/tsconfig.json
  • packages/js/vite.config.ts
  • turbo.json
💤 Files with no reviewable changes (10)
  • apps/playground/lib/utils.ts
  • apps/playground/eslint.config.mjs
  • apps/playground/postcss.config.mjs
  • apps/playground/components/layout-app.tsx
  • apps/playground/next.config.ts
  • apps/playground/app/layout.tsx
  • apps/playground/components/sidebar.tsx
  • apps/playground/globals.css
  • apps/playground/app/dashboard/page.tsx
  • packages/js/eslint.config.mjs

Comment thread apps/playground/package.json
Comment thread apps/playground/README.md Outdated
Comment thread apps/playground/src/app.tsx Outdated
Comment thread apps/playground/src/index.css Outdated
@mattinannt mattinannt changed the title [codex] Reduce npm vulnerability and attack surface across workspace chore: Reduce npm vulnerability and attack surface across workspace Mar 28, 2026
@coderabbitai

coderabbitai Bot commented Mar 28, 2026

Walkthrough

The pull request migrates the playground application from Next.js to Vite + React, updates GitHub Actions workflows to include linting and type-checking steps, and transitions the entire project from ESLint/Prettier to Biome for code quality tooling. Configuration files are updated across the workspace, including TypeScript, Vite, and Biome setup. Environment variable naming conventions change from NEXT_PUBLIC_ prefixes to VITE_ prefixes in the playground. Multiple Next.js-specific files are removed, and the CI/CD pipelines are refined to validate code quality earlier in the build process. Node.js version constraints are updated to require >=20.19.0 <21 || >=22.12.0.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage ⚠️ Warning. Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Title check ✅ Passed. Explanation: The PR title clearly and concisely describes the main objective: reducing npm vulnerability and attack surface. It directly relates to the primary changes throughout the changeset (dependency reduction, tooling simplification, and security improvements).
  • Description check ✅ Passed. Explanation: The PR description is comprehensive and directly related to the changeset. It outlines the main changes (Next.js to Vite migration, ESLint/Prettier to Biome, vite-plugin-dts removal, etc.) and explains the attack surface reduction rationale and validation steps performed.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@.github/workflows/lint.yml`:
- Around line 34-38: Add a pnpm cache restore/save step so CI doesn't reinstall
deps every run: before the "Install dependencies" step (and after "Install
pnpm") add a cache action that restores the pnpm store and node_modules (or use
actions/setup-node with cache: 'pnpm'), keyed by OS and pnpm-lock.yaml integrity
hash, and update the "Install dependencies" step to run only after cache
restore; reference the existing step names "Install pnpm" and "Install
dependencies" so the new cache restore/save steps integrate in that location.

In `@AGENTS.md`:
- Line 3: Add a single blank line after every Markdown section heading in
AGENTS.md (e.g., after "Project Structure & Module Organization" and the other
top-level section headings) so each heading is followed by one empty line;
update each heading occurrence to ensure exactly one blank line separates the
heading from the following paragraph or list and remove any extra or missing
newlines to conform to standard Markdown rendering.
- Line 4: The AGENTS.md contains several very dense paragraphs (e.g., the one
starting "This repository is a `pnpm` workspace..." and the long paragraphs
later) that should be split into concise bullet lists or shorter paragraphs for
scannability; update AGENTS.md by replacing each long paragraph with 3–6 bullet
points that surface key facts (workspace layout, where SDK source and helpers
live, demo app purpose, and which generated outputs should not be edited), do
the same for the other dense paragraphs called out in the review, and ensure
each bullet is one concise sentence and uses consistent punctuation and parallel
phrasing for easier scanning.

In `@apps/playground/README.md`:
- Line 13: Update the ordered-list numbering to use the "1." prefix style
required by markdownlint (MD029); specifically change the list item text that
currently starts with "2. Create a `.env` file with your Formbricks
credentials:" to start with "1. Create a `.env` file with your Formbricks
credentials:" so the entire ordered list uses the repeated "1." style expected
by the linter.

In `@apps/playground/src/app.tsx`:
- Around line 74-77: The displayed environment ID
(import.meta.env.VITE_FORMBRICKS_ENVIRONMENT_ID) can be empty/undefined; update
the UI where the <strong> renders that value to use a clear fallback (e.g., "Not
configured" or "—") or hide the element when the value is falsy so users aren't
shown an empty/undefined string; change the rendering logic around the element
that currently uses import.meta.env.VITE_FORMBRICKS_ENVIRONMENT_ID to
conditionally render the fallback text or omit the node when the env value is
falsy.

In `@apps/playground/tsconfig.json`:
- Around line 14-16: TypeScript path alias "@formbricks/js" in tsconfig.json is
only used at compile-time and won't resolve in Vite; update the Vite config to
mirror that mapping by adding a resolve.alias entry for "@formbricks/js"
pointing to the same target (the package's src index) or install and enable the
vite-tsconfig-paths plugin in vite.config.ts so Vite's module resolver uses the
tsconfig paths; modify the file that exports defineConfig (vite.config.ts) to
include either a resolve.alias with "@formbricks/js" -> the
"../../packages/js/src/index.ts" absolute path (using node:path.resolve) or add
the vite-tsconfig-paths plugin to plugins.

In `@packages/js/tsconfig.build.json`:
- Around line 24-25: The tsconfig currently sets both "strict": true and
"strictNullChecks": true which is redundant; remove the explicit
"strictNullChecks" property so only "strict": true remains (keep the "strict"
key in the same object) to avoid duplicate/unused config entries and rely on
"strict" to enable null-checking and other strict flags.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b9d9b00f-4695-4522-aabb-e836012dbbba

📥 Commits

Reviewing files that changed from the base of the PR and between 331563e and 549c7b4.

⛔ Files ignored due to path filters (2)
  • apps/playground/src/assets/fb-setup.png is excluded by !**/*.png
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (38)
  • .github/workflows/build.yml
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/sonarqube.yml
  • .github/workflows/test.yml
  • AGENTS.md
  • apps/playground/.env.example
  • apps/playground/.gitignore
  • apps/playground/README.md
  • apps/playground/app/dashboard/page.tsx
  • apps/playground/app/layout.tsx
  • apps/playground/components/layout-app.tsx
  • apps/playground/components/sidebar.tsx
  • apps/playground/eslint.config.mjs
  • apps/playground/globals.css
  • apps/playground/index.html
  • apps/playground/lib/utils.ts
  • apps/playground/next.config.ts
  • apps/playground/package.json
  • apps/playground/postcss.config.mjs
  • apps/playground/src/app.tsx
  • apps/playground/src/index.css
  • apps/playground/src/main.tsx
  • apps/playground/tsconfig.json
  • apps/playground/vite.config.ts
  • biome.json
  • package.json
  • packages/js/eslint.config.mjs
  • packages/js/package.json
  • packages/js/src/index.test.ts
  • packages/js/src/index.ts
  • packages/js/src/lib/load-formbricks.test.ts
  • packages/js/src/lib/load-formbricks.ts
  • packages/js/src/types/formbricks.ts
  • packages/js/tsconfig.build.json
  • packages/js/tsconfig.json
  • packages/js/vite.config.ts
  • turbo.json
💤 Files with no reviewable changes (10)
  • apps/playground/lib/utils.ts
  • apps/playground/globals.css
  • apps/playground/next.config.ts
  • apps/playground/postcss.config.mjs
  • apps/playground/components/layout-app.tsx
  • apps/playground/eslint.config.mjs
  • apps/playground/app/layout.tsx
  • packages/js/eslint.config.mjs
  • apps/playground/app/dashboard/page.tsx
  • apps/playground/components/sidebar.tsx

Comment thread .github/workflows/lint.yml Outdated
Comment thread AGENTS.md
Comment thread AGENTS.md Outdated
Comment thread apps/playground/README.md Outdated
Comment thread apps/playground/src/app.tsx
Comment thread apps/playground/tsconfig.json
Comment thread packages/js/tsconfig.build.json Outdated

@mattinannt mattinannt enabled auto-merge March 28, 2026 18:36
@mattinannt mattinannt added this pull request to the merge queue Mar 29, 2026
Merged via the queue into main with commit 529fea9 Mar 29, 2026
10 checks passed