fix: update storybook to 10.2.17 across all workspaces, patch @esbuild-kit/core-utils

- Update storybook packages to 10.2.17 in root, storybook/, frontends/postgres, frontends/workflowui
- Move @storybook/react-vite from postgres dependencies→devDependencies
- Add storybook version pinned overrides to resolve peer dep conflicts
- Remove storybook from root devDependencies (managed by workspaces)
- Add @esbuild-kit/core-utils@3.3.3-metabuilder.0 patched tarball to deployment/npm-patches/
- Update publish-npm-patches.sh to handle pre-patched local tarballs
- Add @esbuild-kit scoped registry in .npmrc pointing to Nexus
- Publish @esbuild-kit/core-utils@3.3.3-metabuilder.0 to Nexus (esbuild dep widened to >=0.18.20)
- 2 residual moderate vulns remain: esbuild dev-server in drizzle-kit (dev-only, no prod impact)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.npmrc

@@ -42,3 +42,9 @@ workspaces-update=true
 # These are documented in package.json engines field
 # Current: Node 22.22.1, npm 11.11.0
 
+
+# SCOPED NEXUS REGISTRY - @esbuild-kit patched packages
+# Start Nexus: cd deployment && docker compose -f docker-compose.nexus.yml up -d
+# Publish patches: cd deployment && ./publish-npm-patches.sh
+@esbuild-kit:registry=http://localhost:8091/repository/npm-group/
+//localhost:8091/repository/npm-group/:_auth=YWRtaW46bmV4dXM=

deployment/publish-npm-patches.sh

@@ -29,6 +29,12 @@ PATCHES=(
   "tar@7.5.11"
 )
 
+# Pre-patched local packages (tarball already in deployment/npm-patches/)
+# Format: "name@version:filename"
+LOCAL_PATCHES=(
+  "@esbuild-kit/core-utils@3.3.3-metabuilder.0:esbuild-kit-core-utils-3.3.3-metabuilder.0.tgz"
+)
+
 WORK_DIR=$(mktemp -d)
 trap 'rm -rf "$WORK_DIR"' EXIT
 
@@ -54,6 +60,61 @@ EOF
 published=0
 skipped=0
 
+PATCHES_DIR="$SCRIPT_DIR/npm-patches"
+
+# Publish pre-patched local tarballs first
+for entry in "${LOCAL_PATCHES[@]}"; do
+  pkg_spec="${entry%%:*}"
+  tarball_name="${entry##*:}"
+  pkg_name="${pkg_spec%%@*}"
+  # handle scoped packages like @scope/name
+  if [[ "$pkg_spec" == @* ]]; then
+    pkg_name="$(echo "$pkg_spec" | cut -d@ -f1-2 | tr -d '@')"
+    pkg_name="@${pkg_name}"
+    pkg_version="$(echo "$pkg_spec" | cut -d@ -f3)"
+  else
+    pkg_version="${pkg_spec##*@}"
+  fi
+
+  log "Processing local patch $pkg_name@$pkg_version..."
+
+  TARBALL="$PATCHES_DIR/$tarball_name"
+  if [ ! -f "$TARBALL" ]; then
+    fail "  Patched tarball not found: $TARBALL"
+  fi
+
+  # Check if already published
+  ENCODED_NAME=$(echo "$pkg_name" | sed 's|/|%2F|g')
+  CHECK_URL="${NEXUS_URL}/repository/npm-hosted/${ENCODED_NAME}/${pkg_version}"
+  HTTP=$(curl -s -o /dev/null -w "%{http_code}" "$CHECK_URL")
+  if [ "$HTTP" = "200" ]; then
+    warn "  $pkg_name@$pkg_version already in Nexus, skipping"
+    ((skipped++)) || true
+    continue
+  fi
+
+  log "  Publishing $tarball_name to Nexus..."
+  HTTP=$(curl -s -o /dev/null -w "%{http_code}" -X PUT \
+    -u "$NEXUS_USER:$NEXUS_PASS" \
+    -H "Content-Type: application/octet-stream" \
+    --data-binary "@$TARBALL" \
+    "${NEXUS_NPM_HOSTED}${pkg_name}/-/${tarball_name}")
+
+  case "$HTTP" in
+    200|201)
+      log "  ${GREEN}Published${NC} $pkg_name@$pkg_version"
+      ((published++)) || true
+      ;;
+    400)
+      warn "  $pkg_name@$pkg_version already exists (HTTP 400)"
+      ((skipped++)) || true
+      ;;
+    *)
+      fail "  Failed to publish $pkg_name@$pkg_version (HTTP $HTTP)"
+      ;;
+  esac
+done
+
 for pkg_spec in "${PATCHES[@]}"; do
   pkg_name="${pkg_spec%%@*}"
   pkg_version="${pkg_spec##*@}"
@@ -108,4 +169,4 @@ log "To use patched packages, add to .npmrc:"
 log "  registry=${NEXUS_URL}/repository/npm-group/"
 echo ""
 log "Or use scoped overrides in package.json:"
-log '  "overrides": { "minimatch": "10.2.4", "tar": "7.5.11" }'
+log '  "overrides": { "minimatch": "10.2.4", "tar": "7.5.11", "@esbuild-kit/core-utils": "3.3.3-metabuilder.0" }'

frontends/postgres/package.json

@@ -48,7 +48,6 @@
     "@metabuilder/hooks": "file:../../hooks",
     "@mui/icons-material": "^7.3.8",
     "@mui/material": "^7.3.8",
-    "@storybook/react-vite": "10.2.13",
     "@t3-oss/env-nextjs": "^0.13.10",
     "bcryptjs": "^3.0.3",
     "drizzle-orm": "^0.45.1",
@@ -87,10 +86,11 @@
     "@playwright/test": "^1.58.2",
     "@sentry/nextjs": "^10.39.0",
     "@spotlightjs/spotlight": "^4.10.0",
-    "@storybook/addon-a11y": "^10.2.10",
-    "@storybook/addon-docs": "^10.2.10",
-    "@storybook/addon-vitest": "^10.2.10",
-    "@storybook/nextjs-vite": "^10.2.10",
+    "@storybook/addon-a11y": "^10.2.17",
+    "@storybook/addon-docs": "^10.2.17",
+    "@storybook/addon-vitest": "^10.2.17",
+    "@storybook/nextjs-vite": "^10.2.17",
+    "@storybook/react-vite": "^10.2.17",
     "@tailwindcss/postcss": "^4.2.0",
     "@types/node": "^25.3.0",
     "@types/pg": "^8.16.0",
@@ -113,7 +113,7 @@
     "eslint-plugin-react": "^7.37.5",
     "eslint-plugin-react-hooks": "^7.0.1",
     "eslint-plugin-react-refresh": "^0.5.0",
-    "eslint-plugin-storybook": "^10.2.10",
+    "eslint-plugin-storybook": "^10.2.17",
     "eslint-plugin-tailwindcss": "^4.0.0-beta.0",
     "get-db": "^0.13.0",
     "jest": "^30.2.0",
@@ -124,7 +124,7 @@
     "postcss-load-config": "^6.0.1",
     "rimraf": "^6.1.3",
     "semantic-release": "^25.0.3",
-    "storybook": "^10.2.10",
+    "storybook": "^10.2.17",
     "tailwindcss": "^4.2.0",
     "tsx": "^4.21.0",
     "typescript": "5.9.3",

frontends/workflowui/package.json

@@ -55,7 +55,7 @@
     "react-dom": "^19.2.4"
   },
   "devDependencies": {
-    "@storybook/react": "^10.2.10",
+    "@storybook/react": "^10.2.17",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
     "@testing-library/user-event": "^14.6.1",

package.json

@@ -26,8 +26,6 @@
     "@playwright/test": "^1.58.2",
     "@sentry/nextjs": "^10.39.0",
     "@spotlightjs/spotlight": "^4.10.0",
-    "@storybook/react": "^10.2.10",
-    "@storybook/react-vite": "^10.2.13",
     "@tailwindcss/vite": "^4.2.0",
     "checkly": "^7.1.0",
     "eslint": "^10.0.1",
@@ -37,8 +35,7 @@
     "eslint-plugin-react-refresh": "^0.5.0",
     "jest": "^30.2.0",
     "jsdom": "^28.1.0",
-    "npm-run-all2": "8.0.4",
-    "storybook": "^10.2.10"
+    "npm-run-all2": "8.0.4"
   },
   "dependencies": {
     "@hookform/resolvers": "^5.2.2",
@@ -68,15 +65,19 @@
       "eslint": "$eslint"
     },
     "hono": "^4.12.0",
-    "@storybook/react-vite": {
-      "vite": "^7.3.1"
-    },
+    "@storybook/react-vite": "10.2.17",
     "@storybook/builder-vite": {
       "vite": "^7.3.1"
     },
     "@joshwooding/vite-plugin-react-docgen-typescript": {
       "vite": "^7.3.1"
     },
+    "storybook": "10.2.17",
+    "@storybook/react": "10.2.17",
+    "@storybook/nextjs-vite": "10.2.17",
+    "@storybook/addon-docs": "10.2.17",
+    "@storybook/addon-a11y": "10.2.17",
+    "@storybook/addon-vitest": "10.2.17",
     "minimatch": "10.2.4",
     "tar": "7.5.11",
     "monaco-editor": "0.53.0",
@@ -93,6 +94,9 @@
     },
     "eslint-plugin-format": {
       "eslint": "$eslint"
+    },
+    "@esbuild-kit/core-utils": {
+      "esbuild": ">=0.25.0"
     }
   }
 }

storybook/package.json

@@ -15,16 +15,16 @@
     "react-dom": "^19.2.4"
   },
   "devDependencies": {
-    "@storybook/addon-docs": "^10.2.10",
-    "@storybook/addon-a11y": "^10.2.10",
-    "@storybook/react": "^10.2.10",
-    "@storybook/react-vite": "^10.2.13",
-    "@storybook/addon-vitest": "^10.2.10",
+    "@storybook/addon-docs": "^10.2.17",
+    "@storybook/addon-a11y": "^10.2.17",
+    "@storybook/react": "^10.2.17",
+    "@storybook/react-vite": "^10.2.17",
+    "@storybook/addon-vitest": "^10.2.17",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^5.1.4",
     "sass": "^1.97.3",
-    "storybook": "^10.2.10",
+    "storybook": "^10.2.17",
     "typescript": "^5.9.3",
     "vite": "^7.3.1"
   }