chore: update deps and agent docs

[pi0]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nitro.build	Ready	Preview, Comment	Jun 21, 2026 9:33am

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Removes the hardcoded "31 presets" count from .agents/architecture.md, .agents/presets.md, and AGENTS.md, expands the preset list with new cloud providers and internal entries, updates developer workflow commands and directory references in AGENTS.md, and bumps five dependency versions in package.json.

Changes

Agent Documentation Updates

Layer / File(s)	Summary
Preset count removal and provider list expansion .agents/architecture.md, .agents/presets.md	Removes the explicit "31 presets" count from the architecture overview and presets header, adds _static/ to the Core section alongside _nitro/, and expands/reorders the Cloud Providers list to include DigitalOcean, EdgeOne, Genezio, Koyeb, Render.com, Stormkit, WinterJS, Zeabur, Zephyr, and Zerops.
AGENTS.md workflow and structure updates AGENTS.md	Expands Key Scripts with explicit stub/build/lint/test/typecheck command descriptions, adds src/dev and removes src/runner from Code Structure, rewrites Making Changes steps to use pnpm stub and pnpm test, changes the virtual module registration path to src/build/virtual/_all.ts, and removes the "All 31 presets" count from Detailed References.

Dependency Version Bumps

Layer / File(s)	Summary
package.json dependency bumps package.json	Bumps @cloudflare/workers-utils to ^0.24.0, @types/node to ^26.0.0, obuild to ^0.4.37, oxfmt to ^0.55.0, and zephyr-agent from ^0.2.0 to ^1.1.2.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Possibly related PRs

• nitrojs/nitro#3896: Initially adds AGENTS.md as the AI agent guide, directly overlapping with this PR's updates to the same file's scripts, structure, and gotchas sections.
• nitrojs/nitro#4038: Adds the zephyr-agent dependency and Zephyr preset, which this PR updates to ^1.1.2 in package.json.
• nitrojs/nitro#3943: Bumps overlapping package.json dependencies including @types/node and related tooling packages, the same category of change made here.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided, making it impossible to assess whether any description relates to the changeset.	Add a pull request description that explains the purpose of the changes, such as motivation for dependency upgrades and documentation updates.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: update deps and agent docs' follows conventional commits format and accurately describes the main changes: dependency updates and documentation updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​tanstack/​react-router@​1.170.16
	@​cloudflare/​workers-types@​4.20260620.1
	@​cloudflare/​workers-utils@​0.24.0
	vitest@​4.1.9
	@​vitest/​coverage-v8@​4.1.9
	obuild@​0.4.37
	elysia@​1.4.29
	zephyr-agent@​0.2.0 ⏵ 1.1.2	+2		+1
	@​types/​node@​26.0.0
	@​tanstack/​react-start@​1.168.26
	tailwindcss@​4.3.1
	@​trpc/​client@​11.18.0
	oxfmt@​0.55.0
	@​tailwindcss/​vite@​4.3.1
	@​scalar/​api-reference@​1.60.0
	vue@​3.5.38
	wrangler@​4.103.0
	oxlint@​1.70.0
	srvx@​0.11.17
	semver@​7.8.5
	hono@​4.12.26
	miniflare@​4.20260617.1
	rollup@​4.62.2
	@​trpc/​server@​11.18.0
	@​azure/​functions@​3.5.2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @scalar/code-highlight is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/@scalar/api-reference@1.60.0 → npm/@scalar/code-highlight@0.3.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@scalar/code-highlight@0.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm yargs is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/@azure/static-web-apps-cli@2.0.9 → npm/yargs@17.7.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report