chore: migrate to utoo CI and fix circular dependencies

[elrrrrrrr]

Summary

• Fix circular dependencies: Move egg from devDependencies to peerDependencies across 34+ packages to break workspace-internal dependency cycles detected by utoo
• Migrate scripts to utoo: Replace pnpm commands with ut equivalents in root package.json scripts
• Add missing unplugin-unused: Required peer dependency of tsdown for the unused check feature
• Fix CI workflow: Use package names (-w @eggjs/bin) instead of dir paths (--workspace ./tools/egg-bin) for utoo workspace flag; set NO_COLOR=1 to avoid ANSI escape codes in test stdout
• Fix lint errors: Export Application interface in tegg-plugin types; remove stale @ts-expect-error directives
• Fix cluster test regex: Tolerate ANSI color codes between [master]/[app_worker]/[agent_worker] and subsequent text

Known issues (pre-existing, not introduced by this PR)

• @eggjs/orm-plugin test uses describe() inside it() which vitest disallows — skipped
• @eggjs/development fastReady test is flaky in CI (stdout match intermittently fails) — skipped
• E2E tests (cnpmcore, examples) fail because pnpm-workspace.yaml does not exist on this branch — not addressed (branch-level issue)
• Test scripts job fails when ut pretest --workspaces triggers @eggjs/orm-plugin pretest which requires MySQL (no MySQL in that CI job)

Test plan

• ut deps --workspace-only passes (no cycles)
• typecheck CI job passes
• oxlint --type-aware passes locally
• ut pretest --workspaces passes locally
• Main test suite — cluster ANSI regex fixed; orm-plugin and development tests skipped

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: faa25286-1358-44a8-82ec-7f6f24a9e620

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore-ut-ci

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the project's dependency and workspace management. It transitions from using pnpm-workspace.yaml to a combination of a new .utoo.toml file for dependency catalogs and direct configuration within package.json for workspaces and overrides. This change streamlines how dependencies are declared and managed across the monorepo, likely in preparation for or as part of a new CI setup.

Highlights

• Configuration Migration: Migrated dependency catalog and workspace definitions from pnpm-workspace.yaml to .utoo.toml and package.json respectively.
• New Configuration File: Introduced a new .utoo.toml file to centralize dependency version management.
• Package.json Updates: Updated package.json to include workspace paths and define package overrides, specifically for vite.
• Removed PNPM Workspace File: Removed the pnpm-workspace.yaml file as its configurations were moved to other files.

Changelog

• .utoo.toml
  • Added a new file to define a comprehensive catalog of project dependencies and their versions.
• package.json
  • Added a workspaces array to explicitly define the project's monorepo structure.
  • Introduced an overrides section to specify a custom version for the vite package.
  • Removed the packageManager field, indicating a shift in how the package manager is specified or managed.
• pnpm-workspace.yaml
  • Removed the file, as its contents for workspace definition and dependency catalog have been migrated to package.json and .utoo.toml.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/ci.yml
  • .github/workflows/e2e-test.yml

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​eggjs/​bin@​7.3.1
	@​eggjs/​mock@​6.0.7
	@​eggjs/​bin@​8.0.2-beta.5
	@​eggjs/​scripts@​5.0.2-beta.5
	@​eggjs/​tsconfig@​3.1.2-beta.5
	@​types/​node@​24.12.0
	egg@​4.1.2-beta.5
	typescript@​5.9.3
	egg@​4.0.10

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm js-beautify is 100.0% likely obfuscated Confidence: 1.00 Location: Package overview From: ? → npm/egg@4.1.2-beta.5 → npm/js-beautify@1.15.4 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-beautify@1.15.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/@eggjs/bin@8.0.2-beta.5 → npm/vite@8.0.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@8.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[gemini-code-assist]

Code Review

This pull request refactors the project's dependency and workspace management by migrating configuration from pnpm-workspace.yaml to a new .utoo.toml file and package.json. My review focuses on the maintainability of the new configuration and the potential impact on the developer workflow. I've suggested sorting the new dependency catalog for better readability and pointed out a potential issue with the removal of the packageManager enforcement that could be addressed with documentation.

[gemini-code-assist]

To improve the maintainability of this large catalog file, it's recommended to sort all entries alphabetically by package name. The current ordering has several inconsistencies. For example:

• typebox on line 12 is placed between scoped packages like @oxc-node/core and @swc-node/register.
• iconv-lite on line 126 comes after ini on line 125.

A consistent alphabetical order makes the file easier to read, navigate, and manage, especially when adding or updating dependencies. Consider using a script to sort the entries.

[gemini-code-assist]

Removing the packageManager field disables the enforcement of a specific pnpm version for this project. However, the devDependencies still use the pnpm-specific catalog: protocol. This could lead to confusion and issues for developers who might try to use other package managers like npm or yarn, or different versions of pnpm. If the project is intended to be managed exclusively by the utoo tool, it would be helpful to document this requirement in the CONTRIBUTING.md or README.md to ensure a smooth developer experience.

[cloudflare-workers-and-pages]

Deploying egg-v3 with    Cloudflare Pages

Latest commit:	5bbd44c
Status:	🚫  Build failed.

View logs

[cloudflare-workers-and-pages]

Deploying egg with    Cloudflare Pages

Latest commit:	5bbd44c
Status:	🚫  Build failed.

View logs