fix: update react-instantsearch to resolve CVE-2026-8769

[dannyneira]

Summary

• Updates the package-lock.json resolution for react-instantsearch from 7.23.0 to 7.33.1.
• This updates instantsearch.js to 4.99.0 and instantsearch-ui-components to 0.28.0, removing the transitive ai / @ai-sdk/provider-utils dependency path from the lockfile.

Vulnerability

• Resolves Dependabot alert: https://github.com/warpdotdev/commands.dev/security/dependabot/100
• Advisory: GHSA-866g-f22w-33x8
• CVE: CVE-2026-8769
• Package: @ai-sdk/provider-utils
• Relationship: transitive runtime dependency via react-instantsearch / instantsearch.js
• Vulnerable range: <= 3.0.97
• Previous locked version: 3.0.20

Verification

• npm audit --json no longer reports @ai-sdk/provider-utils.
• npm run lint passed.
• npx tsc lib/*.ts passed.
• NEXT_PUBLIC_ALGOLIA_APP_ID=dummy NEXT_PUBLIC_ALGOLIA_SEARCH_API_KEY=dummy npx next build passed.

Note: full npm audit still reports unrelated moderate vulnerabilities for brace-expansion and yaml.

Conversation: https://staging.warp.dev/conversation/4b9bed92-d17c-4cee-abf0-813935fdb796
Run: https://oz.staging.warp.dev/runs/019e7ec3-87ec-7eb7-948f-d1435b1105ea
This PR was generated with Oz.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
commands-dev	Ready	Preview, Comment	May 31, 2026 4:05pm