fix(deps): upgrade langium to 4.2 to drop vulnerable lodash-es (#2704)

[ymc9]

Problem

Installing @zenstackhq/cli immediately brings in vulnerable lodash-es (#2704), pulled in transitively through chevrotain@11 ← langium@3.5.0:

• GHSA-r5fr-rjxr-66jc — code injection via _.template
• GHSA-f23m-r3pf-42rh — prototype pollution in _.unset/_.omit
• GHSA-xxjr-mmjv-4gpg — prototype pollution

The pre-existing root override only covered the oldest advisory and, being a workspace override, never reached consumers anyway.

Fix

Upgrade langium 3.5.0 → 4.2.4 (langium-cli 4.2.1). chevrotain@12 (used by langium 4) dropped the lodash-es dependency entirely, and chevrotain-allstar@0.4.x uses the patched lodash-es@^4.18.1. This eliminates all three advisories at the source for consumers — no override needed.

Verified the whole tree now resolves only lodash-es@4.18.1 and lodash@4.18.1 (both patched).

Langium 4 porting

• Generated AST type consts are now objects → use .$type (factories, switch cases, match().with(), comparisons, includes)
• ScopeComputation: computeExports → collectExportedSymbols; processNode/PrecomputedScopes → addLocalSymbol/MultiMap
• CstNode .parent/.element → .container/.astNode
• Reference.ref is now required → synthetic refs add ref: undefined
• ServiceRegistry lost its singleton fallback → fixed the in-memory format URI to memory:///schema.zmodel so the .zmodel extension resolves (this was the root cause of a large cascade of CLI test failures)
• Added @types/node + "types": ["node"] to @zenstackhq/language — node globals previously arrived transitively via a chevrotain-11 dependency that chevrotain 12 removed

Override cleanup

• Dropped the now-redundant lodash-es override (resolves to 4.18.1 on its own)
• Kept the lodash override — still bumps a dev-only vulnerable pin (chevrotain@10.5.0 via @better-auth/cli), no effect on published consumers

Validation

• Build: 27/27 packages pass
• Tests: language 83/83, cli 120/120, better-auth 6/6 (2 cli migrate reset tests fail only due to Prisma's "invoked by AI agent" guardrail in this environment — unrelated)

Closes #2704

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Updated Langium dependency from version 3.5.0 to 4.2.4 for improved language server support.
  • Updated lodash dependency override to version 4.18.0 and later for security enhancements.

• Refactor

  • Internal AST node type handling improvements for consistency and maintainability.
  • Updated TypeScript configuration to include Node.js type definitions.

[claude]

Claude finished @ymc9's task —— View job

---

PR Review: Langium 4.2 Upgrade

I've completed my review of this Langium upgrade PR. Here's my comprehensive analysis:

Todo List:

• Analyze dependency changes and security fixes
• Review Langium 4 API migration in language package
• Check code quality of breaking change adaptations
• Assess potential bugs or regressions
• Evaluate test coverage implications
• Provide comprehensive feedback

Overall Assessment ✅

This is a well-executed upgrade that addresses critical security vulnerabilities while maintaining functionality. The migration from Langium 3.5.0 → 4.2.4 is comprehensive and properly handled.

Security Analysis ✅

Excellent security improvement:

• ✅ Eliminates 3 lodash-es vulnerabilities (GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh, GHSA-xxjr-mmjv-4gpg)
• ✅ chevrotain@12 dropped lodash-es dependency entirely
• ✅ Removes the now-redundant workspace override for lodash-es
• ✅ Tree now resolves only to patched lodash-es@4.18.1

Code Quality Assessment ✅

Breaking Changes Handled Correctly:

1. AST Type Constants Migration (packages/language/src/factory/):

   • ✅ Properly migrated from string constants to objects using .$type
   • ✅ All factory files updated consistently (expression.ts:82, declaration.ts:72, etc.)
   • ✅ Pattern matching with ts-pattern correctly updated

2. ScopeComputation API Changes (packages/language/src/zmodel-scope.ts):

   • ✅ computeExports → collectExportedSymbols (line 55)
   • ✅ processNode/PrecomputedScopes → addLocalSymbol/MultiMap (line 79)
   • ✅ Maintains backward compatibility in functionality

3. CstNode Properties (packages/language/src/zmodel-linker.ts):

   • ✅ Would need .parent/.element → .container/.astNode if CST nodes were used
   • ✅ No direct CST usage found, so minimal impact

4. Reference Handling (multiple files):

   • ✅ Langium 4's required Reference.ref properly handled
   • ✅ Synthetic references correctly add ref: undefined where needed

Critical Fix Identified ✅

ServiceRegistry URI Resolution (packages/language/src/document.ts:254):

• ✅ Fixed hardcoded URI to memory:///schema.zmodel to ensure .zmodel extension resolves
• ✅ This was the root cause of CLI test cascade failures - excellent debugging

Infrastructure Updates ✅

TypeScript Configuration (packages/language/tsconfig.json):

• ✅ Added "types": ["node"] for Node.js globals previously provided by chevrotain-11
• ✅ Compensates for chevrotain-12 removing transitive Node.js type dependencies

Performance Considerations ✅

• ✅ No significant performance regressions expected
• ✅ chevrotain@12 performance improvements may benefit parsing
• ✅ MultiMap usage in scope computation should be more efficient

Potential Issues & Recommendations 🔍

Low Risk Items:

1. Generated AST Changes: The generated packages/language/src/generated/ast.ts has significant changes (+1096/-698). While this is expected for a major version upgrade, ensure all type guards and AST node checks still work correctly.

2. Test Coverage: The PR mentions some CLI migrate reset tests fail due to Prisma's "AI agent" guardrail. This should be verified in a non-AI environment.

Recommendations:

1. Consider adding a brief migration guide for any external consumers of the @zenstackhq/language package
2. Monitor for any runtime issues with the new AST structure in production

Validation Results ✅

• ✅ Build: 27/27 packages pass
• ✅ Tests: language 83/83, cli 120/120, better-auth 6/6
• ✅ Dependencies: Clean resolution to patched versions only

Final Verdict: APPROVE ✅

This is a high-quality security-focused upgrade that:

• ✅ Addresses critical vulnerabilities at the source
• ✅ Maintains API compatibility where possible
• ✅ Handles breaking changes systematically
• ✅ Includes proper testing and validation
• ✅ Demonstrates excellent problem-solving (URI resolution fix)

The code quality is consistent with the existing codebase, and the security benefits significantly outweigh the migration complexity.

---

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR upgrades Langium from 3.5.0 to 4.2.4, migrates language service APIs to newer patterns, systematically converts AST factory and code generation to use $type discriminants for node type matching, updates AST node path traversal across the codebase, and fixes a lodash security vulnerability by constraining the override to versions >=4.18.0.

Changes

Langium 4.x upgrade and AST pattern refactoring

Layer / File(s)	Summary
Dependency upgrade and configuration pnpm-workspace.yaml, package.json, packages/language/package.json, packages/language/tsconfig.json, packages/language/src/document.ts	Langium and langium-cli bumped to 4.2.4 and 4.2.1; lodash override updated to require >=4.18.0 to fix security vulnerability; @types/node added to language devDependencies; TypeScript config adds explicit Node.js type definitions; document formatting URI changed from memory:// to memory:/// format.
Language service scope computation API migration packages/language/src/zmodel-scope.ts	Replaces computeExports with collectExportedSymbols and processNode with protected addLocalSymbol to align with Langium 4.x scope computation extension points; updates imports from PrecomputedScopes to MultiMap.
AST factory pattern migration to $type discriminants packages/language/src/factory/attribute.ts, packages/language/src/factory/declaration.ts, packages/language/src/factory/expression.ts, packages/language/src/factory/primitives.ts	All factory constructors across attribute, declaration, expression, and primitive types convert from passing type constructors to passing static $type properties for AST node type discrimination.
Code generation and type resolution updates packages/language/src/zmodel-code-generator.ts, packages/language/src/zmodel-linker.ts	Gen decorator refactored to accept { $type: string } parameter; binary expression parenthesis logic and resolve method type-switch cases updated to compare against $type discriminants; reference linking passes cast defaultRef for scope resolution.
CLI and action handler AST path resolution packages/cli/src/actions/check.ts, packages/cli/src/actions/generate.ts, packages/cli/src/actions/db.ts	AST node path traversal refactored to use container.astNode.$document.uri.fsPath pattern instead of parent.element.$document.uri.fsPath for plugin and root model file path resolution.
Schema and Prisma generation AST consistency packages/auth-adapters/better-auth/src/schema-generator.ts, packages/sdk/src/prisma/prisma-schema-generator.ts	Better-auth schema generator adds explicit ref: undefined to all ReferenceExpr and decl AST nodes; Prisma schema generator updates declaration dispatch and attribute argument matching to use $type discriminants.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Langium hops to version four,
Factories now use $type core,
Scopes are gathered, AST paths refined,
Lodash security left far behind,
Code generation's pattern redesigned!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the primary change: upgrading langium to fix vulnerable lodash-es dependencies.
Linked Issues check	✅ Passed	The PR addresses the core objective of issue #2704 by upgrading langium from 3.5.0 to 4.2.4, eliminating the vulnerable lodash-es dependency chain and replacing it with a patched version.
Out of Scope Changes check	✅ Passed	All code changes directly relate to upgrading langium 4.2 and applying required AST API migrations (.$type refs, ScopeComputation renames, CstNode path updates, Reference.ref handling).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/issue-2704-langium-4

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

package.json (1)

17-17: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Pin packageManager to the mandated pnpm version.

Line 17 sets pnpm@10.33.0, but the repo rule requires pnpm@10.12.1. Please pin it to avoid workspace/CI toolchain drift.

Suggested fix

-    "packageManager": "pnpm@10.33.0",
+    "packageManager": "pnpm@10.12.1",

As per coding guidelines, {package.json,.npmrc}: Use pnpm for package management with workspaces, pinned to version pnpm@10.12.1.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 17, Update the packageManager field in package.json to
the mandated pinned version by replacing the current "packageManager":
"pnpm@10.33.0" entry with "packageManager": "pnpm@10.12.1" so the repo uses the
required pnpm toolchain; ensure the packageManager key remains present and
correctly quoted.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@package.json`:
- Line 17: Update the packageManager field in package.json to the mandated
pinned version by replacing the current "packageManager": "pnpm@10.33.0" entry
with "packageManager": "pnpm@10.12.1" so the repo uses the required pnpm
toolchain; ensure the packageManager key remains present and correctly quoted.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a60dc91d-aa72-480c-b137-15803951681d

📥 Commits

Reviewing files that changed from the base of the PR and between 666f841 and c388c4d.

⛔ Files ignored due to path filters (4)

• packages/language/src/generated/ast.ts is excluded by !**/generated/**
• packages/language/src/generated/grammar.ts is excluded by !**/generated/**
• packages/language/src/generated/module.ts is excluded by !**/generated/**
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (17)

• package.json
• packages/auth-adapters/better-auth/src/schema-generator.ts
• packages/cli/src/actions/check.ts
• packages/cli/src/actions/db.ts
• packages/cli/src/actions/generate.ts
• packages/language/package.json
• packages/language/src/document.ts
• packages/language/src/factory/attribute.ts
• packages/language/src/factory/declaration.ts
• packages/language/src/factory/expression.ts
• packages/language/src/factory/primitives.ts
• packages/language/src/zmodel-code-generator.ts
• packages/language/src/zmodel-linker.ts
• packages/language/src/zmodel-scope.ts
• packages/language/tsconfig.json
• packages/sdk/src/prisma/prisma-schema-generator.ts
• pnpm-workspace.yaml