chore: update outdated dependencies to latest versions

[staging-devin-ai-integration]

Summary

Updates all outdated dependencies in package.json and Cargo.toml files to their latest versions. All existing tests (Jest 6/6 + Cargo 1/1) continue to pass.

Root package.json

Package	Old	New
@types/glob	^8.1.0	^9.0.0
@types/jest	^29.5.0	^29.5.14
@types/node	^20.17.0	^22.0.0
tailwindcss	^3.4.14	^3.4.19
ts-jest	^29.2.0	^29.4.0
typescript	^5.6.0	^5.8.0
esbuild	^0.24.0	^0.25.0
glob	^11.0.0	^11.0.1

packages/typewind/package.json

Package	Old	New
@babel/core	^7.25.0	^7.29.0
@babel/generator	^7.25.0	^7.29.1
@babel/plugin-syntax-jsx	^7.24.0	^7.28.6
@babel/preset-typescript	^7.24.0	^7.28.5
lightningcss	^1.27.0	^1.32.0
tailwind-merge	^2.5.0	^2.6.1
tsup	^8.3.0	^8.5.1
@types/babel__core	^7.20.0	^7.20.5
release-it	^17.8.0	^17.11.0
tailwindcss	^3.4.14	^3.4.19

packages/typewind/Cargo.toml

Crate	Old	New
serde	1	1.0.228
serde_json	1.0	1.0.149
swc_core	27.0.1	59.0.1
swc_ecma_codegen	14.0.0	26.0.0

Code changes (swc/lib.rs)

Adapted to SWC API changes where Str.value changed from Atom to Wtf8Atom. Used to_atom_lossy() to convert Wtf8Atom back to string representations.

Note: tailwindcss was kept at v3.x (updated to ^3.4.19) since v4 is a complete rewrite with a fundamentally different API that would break the project.

Review & Testing Checklist for Human

• Verify the SWC plugin still works correctly with a real Next.js/Vite build by running one of the examples in examples/*
• Check that the Wtf8Atom → string conversions via to_atom_lossy() handle edge cases (e.g., non-UTF-8 content) — this uses lossy conversion which replaces invalid sequences
• Confirm the package-lock.json resolves cleanly on a fresh npm install (note: --legacy-peer-deps was needed due to pre-existing peer dep conflicts in the examples)

Notes

• All 6 Jest snapshot tests pass unchanged
• The single Cargo test (boo) passes
• The Cargo.lock is updated to reflect the new dependency tree
• The examples have pre-existing peer dependency conflicts (next@14 + react@18) unrelated to this PR

Link to Devin session: https://staging.itsdev.in/sessions/a26fc04a869b496d9ff23a1f292da6b6
Requested by: @Mokshit06

[staging-devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
typewind	Error		Apr 8, 2026 3:41am

[staging-devin-ai-integration]

Code Review: PR #74 — Update Outdated Dependencies

Overall Assessment

This is a large dependency update spanning both JS and Rust sides. The JS updates are straightforward semver-compatible bumps. The Rust/SWC update (swc_core 27 → 59) is a major version jump that required code changes in lib.rs. Several concerns below.

---

🔴 Bugs / High-Risk Issues

1. to_atom_lossy() silently corrupts non-UTF-8 input

The three changes in swc/lib.rs all use to_atom_lossy() to adapt to the Wtf8Atom API change:

Lit::Str(str) => str.value.to_atom_lossy().to_string(),

to_atom_lossy() replaces invalid UTF-8 sequences with the Unicode replacement character (U+FFFD). While JavaScript strings are typically valid UTF-16/WTF-16 (hence WTF-8 in SWC), if a string literal contains lone surrogates, this will silently produce different output than the original. For a tool that transforms class names, this could generate wrong Tailwind classes without any error.

Recommendation: Consider using a non-lossy conversion path or at minimum adding an assertion/warning when data loss occurs. For example:

let atom = str.value.to_atom_lossy();
debug_assert!(atom.as_bytes() == str.value.as_bytes(), "WTF-8 to UTF-8 lossy conversion changed the string");

2. swc_ecma_codegen version mismatch — two versions in Cargo.lock

The Cargo.lock now contains both swc_ecma_codegen v24.0.0 and swc_ecma_codegen v26.0.0. The Cargo.toml specifies swc_ecma_codegen = "26.0.0", but swc_core 59.0.1 pulls in swc_ecma_codegen 24.0.0 transitively. Having two versions of a codegen crate in the same binary increases WASM size and could lead to type incompatibilities if the wrong version's types are used.

Recommendation: Verify that the direct dependency on swc_ecma_codegen = "26.0.0" is actually needed. If it's only used for types that swc_core re-exports, remove the direct dependency and use swc_core's re-export instead.

---

🟡 Edge Cases / Concerns

3. @types/node jumped from v20 → v22 (skipping v21)

This changes Node.js API types significantly. If any code depends on Node 20 APIs that were removed or changed in Node 22 types, this would cause type errors. The PR description doesn't mention checking TypeScript compilation.

4. @types/glob major version bump (v8 → v9)

Major version bumps in type packages often indicate breaking API changes in the underlying package or the types themselves. Verify there are no type incompatibilities.

5. Pinning serde to exact versions (1.0.228) instead of semver range

The Cargo.toml previously had serde = "1" (accepting any 1.x). Now it's pinned to serde = "1.0.228". This is unnecessarily restrictive and will prevent consumers from deduplicating serde versions. The same applies to serde_json = "1.0.149". Use "1" and "1.0" respectively, or at minimum ">=1.0.228, <2".

6. Cargo.lock version bumped from 3 → 4

This requires a newer version of Cargo. Ensure the CI and all developers have Cargo ≥1.78 (which introduced lockfile v4). If the project supports older Rust toolchains, this could break builds.

---

🟢 Minor / Nits

7. tsup is listed as a runtime dependency, not devDependency

tsup is a build tool and should be in devDependencies. This is a pre-existing issue, not introduced by this PR, but worth noting since dependency versions are being reviewed.

8. Missing WASM binary rebuild

The PR updates the Rust dependencies, but doesn't include a rebuilt dist/typewind_swc.wasm. Users consuming the published package would get the old WASM binary unless a rebuild is part of the release process. The PR should document whether the WASM needs to be rebuilt before publishing.

---

Summary

The JS dependency updates look safe. The SWC major version jump is the highest-risk part — the to_atom_lossy() usage works for the common case but has a silent data-loss edge case. The duplicate swc_ecma_codegen versions in the lockfile should be investigated. The serde pinning should be relaxed.