
Updated all npm + Python deps (except React Router) [March 2026] #339

Merged
jwngr merged 1 commit into main from jw-update-deps-mar-2026
Mar 13, 2026

jwngr (Owner) commented Mar 13, 2026

Greptile Summary

This PR performs a routine dependency update sweep across Python (requirements.txt) and the frontend (website/package.json / package-lock.json), intentionally holding react-router-dom back from a major upgrade. Most changes are safe patch or minor bumps, but there are four major version jumps worth calling out before merging:

  • gunicorn 23.0.0 → 25.1.0 — skips the entire 24.x line; both 24.x and 25.x introduced breaking changes to config option names and worker defaults.
  • protobuf 6.33.2 → 7.34.0 — the Python protobuf 7.x release changed generated-message APIs and C-extension behavior, which can affect Google Cloud client libraries that indirectly depend on it.
  • vite 7.3.0 → 8.0.0 — a major release with breaking changes to the config and plugin APIs; a full npm run build after this bump should be verified.
  • @vitejs/plugin-react 5.1.2 → 6.0.0 — coordinated with Vite 8, but also changes some Babel option defaults that should be cross-checked against vite.config.ts.

Confidence Score: 3/5

  • The PR is safe in intent but contains four major-version jumps that should be verified with a full build and smoke test before merging to production.
  • Most changes are minor patches, but the gunicorn (23→25), protobuf (6→7), vite (7→8), and @vitejs/plugin-react (5→6) major bumps all carry real breaking-change risk. Without confirmation that the build, dev server, and backend server-start have been tested against the new versions, a moderate confidence score is appropriate.
  • Pay close attention to requirements.txt (gunicorn and protobuf major bumps) and website/package.json (vite and plugin-react major bumps).

Important Files Changed

| Filename | Overview |
| --- | --- |
| requirements.txt | Updates flask (patch), litecli (patch), and two major-version jumps: gunicorn 23.0.0 → 25.1.0 (skips a full major version) and protobuf 6.33.2 → 7.34.0 — both carry non-trivial breaking-change risk. |
| website/package.json | Mostly patch/minor bumps; two major bumps stand out: vite 7.x → 8.0.0 and @vitejs/plugin-react 5.x → 6.0.0, which are coordinated but carry potential config/plugin-API breaking changes. |
| website/package-lock.json | Auto-generated lock file regenerated to reflect the new resolved versions in package.json; no manual edits, consistent with the declared changes. |

Last reviewed commit: 83f5eed

Greptile also left 4 inline comments on this PR.
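
As an added example (not code from this PR or from Greptile), the bump classification summarized above can be reproduced as a small pre-merge check. It parses only the two pin shapes quoted on this page, the before/after input is constructed from the versions in the PR's diff snippets, and the function names are hypothetical.

```python
import re

# Two pin shapes seen on this page:  gunicorn == 25.1.0   and   "vite": "^8.0.0"
PIN = re.compile(r'"?(?P<name>[@\w./-]+)"?\s*(?:==|:)\s*"?[\^~]?(?P<ver>\d+(?:\.\d+){0,2})')

def parse_pins(text):
    """Return {package: (major, minor, patch)} for each pin line in text."""
    pins = {}
    for line in text.splitlines():
        m = PIN.match(line.strip())
        if m:
            parts = [int(p) for p in m.group("ver").split(".")]
            pins[m.group("name")] = tuple(parts + [0] * (3 - len(parts)))
    return pins

def classify(old, new):
    """Label a version change; 'major+N' means N whole major lines were skipped."""
    if new < old:
        return "downgrade"
    if new[0] != old[0]:
        skipped = new[0] - old[0] - 1
        return f"major+{skipped}" if skipped else "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"

def review(old_text, new_text):
    """Return {package: label} for every package whose pin changed."""
    old, new = parse_pins(old_text), parse_pins(new_text)
    return {n: classify(old[n], new[n])
            for n in sorted(old.keys() & new.keys()) if old[n] != new[n]}

def needs_changelog_review(report):
    """Packages a human should check against release notes before merge."""
    return [n for n, label in report.items() if label not in ("patch", "minor")]

# Constructed input: only pins quoted in this PR's diff snippets.
BEFORE = '''google-compute-engine == 2.8.13
gunicorn == 23.0.0
protobuf == 6.33.2
"@vitejs/plugin-react": "^5.1.2",
"typescript-eslint": "^8.51.0",
"vite": "^7.3.0"'''
AFTER = '''google-compute-engine == 2.8.13
gunicorn == 25.1.0
protobuf == 7.34.0
"@vitejs/plugin-react": "^6.0.0",
"typescript-eslint": "^8.57.0",
"vite": "^8.0.0"'''

if __name__ == "__main__":
    for name, label in review(BEFORE, AFTER).items():
        print(f"{name:24} {label}")
```
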

jwngr (Owner, Author) commented Mar 13, 2026

@greptile - greptile-ignore

greptile-apps bot commented Mar 13, 2026

👍 Understood, I'll ignore this thread.

@github-actions

Visit the preview URL for this PR (updated for commit 83f5eed):

https://sdow-prod--pr339-jw-update-deps-mar-2-xqbaseh9.web.app

(expires Fri, 20 Mar 2026 06:43:38 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: d829a88f1c5f8068a7f433387f26312c0e637dc1

google-compute-engine == 2.8.13
gunicorn == 23.0.0
protobuf == 6.33.2
gunicorn == 25.1.0

Two-major-version jump in gunicorn

gunicorn goes from 23.0.0 all the way to 25.1.0, skipping the entire 24.x line. Gunicorn 24.0.0 introduced several breaking changes (e.g., dropped Python 3.7 support, changed the default worker timeout and some config-key names), and 25.x added further deprecations around config handling. If the production server config (gunicorn.conf.py or CLI flags) uses any options that were renamed or removed in 24.x or 25.x, the server may fail to start. It's worth verifying the gunicorn changelog for 24.x and 25.x breaking changes against the deployment config before merging.

gunicorn == 23.0.0
protobuf == 6.33.2
gunicorn == 25.1.0
protobuf == 7.34.0
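
Review bot: the new `gunicorn == 25.1.0` and `protobuf == 7.34.0` lines pin exact versions but carry no `--hash` entries, so the pin fixes the version number and not the artifact that gets installed. Since this change already rewrites both lines, consider generating hashes for the whole file (for example with pip-compile --generate-hashes) and installing with `pip install --require-hashes -r requirements.txt`, so a build fails if a downloaded package does not match what was reviewed here.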

Major version bump in protobuf

protobuf jumps from 6.33.2 to 7.34.0. The Python protobuf library's 7.x release is a major version with notable API changes, particularly around how generated message classes are used and the C-extension / pure-Python fallback behavior. If any application code or Google Cloud library (e.g., google-cloud-logging) relies on protobuf internals that changed between 6.x and 7.x, this could cause runtime errors. Verifying that all indirect consumers of protobuf (especially the Google Cloud client libraries pinned in this file) are compatible with protobuf >= 7 is recommended before deployment.

"typescript-eslint": "^8.51.0",
"vite": "^7.3.0"
"typescript-eslint": "^8.57.0",
"vite": "^8.0.0"
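
Review bot: `"vite": "^8.0.0"` and `"typescript-eslint": "^8.57.0"` are caret ranges, so the versions actually built are whatever package-lock.json resolves, not what these two lines say. Worth confirming that CI and the deploy build install with `npm ci` rather than `npm install`, so the install fails when package.json and the lock file disagree instead of re-resolving.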

Major version bump: vite 7 → 8

vite moves from ^7.3.0 to ^8.0.0. Vite 8 is a major release that introduces breaking changes to some config options, the plugin API, and the Node.js version requirements. Concretely, if vite.config.ts uses any options or plugin hooks that were renamed or removed in Vite 8, the build or dev server may break. It's worth consulting the Vite 8 migration guide and running a full npm run build to confirm everything still compiles and bundles correctly.

"@types/react-modal": "^3.16.3",
"@vitejs/plugin-react": "^5.1.2",
"eslint": "^9.39.2",
"@vitejs/plugin-react": "^6.0.0",

Major version bump: @vitejs/plugin-react 5 → 6

@vitejs/plugin-react jumps from ^5.1.2 to ^6.0.0. This major bump was released alongside Vite 8 and is required for Vite 8 compatibility — so the coordinated bump makes sense. That said, plugin-react 6 also dropped support for older Babel config patterns and changed some option defaults. If there is a babel option block in the Vite config for this plugin, it should be checked against the plugin-react 6 changelog to ensure continued compatibility.

@jwngr jwngr merged commit bcf755e into main Mar 13, 2026
8 checks passed
@jwngr jwngr deleted the jw-update-deps-mar-2026 branch March 13, 2026 06:45