chore: move build tools to devDependencies, remove unused ts-node #109

Merged
ulises-jeremias merged 1 commit into main from chore/dependency-cleanup
Apr 20, 2026

@ulises-jeremias

Member

Summary

  • Move tsup from dependencies to devDependencies in root package.json — it's a build tool, not a runtime dependency
  • Move tsup from dependencies to devDependencies in packages/create-node-app-core/package.json
  • Remove unused ts-node from packages/create-node-app-core/package.json devDependencies (tests use tsx instead)
  • Regenerate package-lock.json

Why

tsup was incorrectly listed as a production dependency, which causes it to be installed by consumers of the published package. Since it's only used during build, it belongs in devDependencies.

ts-node was a leftover — the project migrated to tsx for running TypeScript but never removed ts-node.
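
The distinction drawn in the PR description above, as an added example that is not part of the original PR or the project's code: a small Node.js check that flags build-only tools listed under `dependencies` and listed tools under `devDependencies` that no npm script invokes. The `BUILD_ONLY` list, the function name `auditManifest` and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example (not from the PR). BUILD_ONLY is an assumed list of CLI tools
// whose binary name equals the package name; extend it for your own toolchain.
const BUILD_ONLY = new Set(["tsup", "ts-node", "tsx"]);

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Audit one parsed package.json. Returns [{ name, issue }] findings.
function auditManifest(manifest) {
  const findings = [];
  // One script per line so ^ and $ (with the "m" flag) match script boundaries.
  const scripts = Object.values(manifest.scripts || {}).join("\n");

  // 1. A build tool under "dependencies" is installed by every consumer
  //    of the published package, although it only runs at build time.
  for (const name of Object.keys(manifest.dependencies || {})) {
    if (BUILD_ONLY.has(name)) {
      findings.push({ name, issue: "build-tool-in-dependencies" });
    }
  }

  // 2. A listed tool under "devDependencies" that no npm script invokes
  //    is a likely leftover that still adds packages to the lockfile.
  for (const name of Object.keys(manifest.devDependencies || {})) {
    if (!BUILD_ONLY.has(name)) continue;
    const pattern = new RegExp(`(^|[\\s&|;])${escapeRe(name)}(\\s|$)`, "m");
    if (!pattern.test(scripts)) {
      findings.push({ name, issue: "unused-dev-tool" });
    }
  }
  return findings;
}

// Constructed sample manifest modelled on the state the PR describes;
// versions other than readdirp's are placeholders.
const sampleManifest = {
  name: "example-core",
  scripts: { build: "tsup src/index.ts", test: "tsx --test test/*.test.ts" },
  dependencies: { readdirp: "^4.1.2", tsup: "0.0.0" },
  devDependencies: { "ts-node": "0.0.0", tsx: "0.0.0" },
};

console.log(auditManifest(sampleManifest));
```

The script match is a heuristic on npm script text only; a tool invoked from a config file or a CI workflow would need those sources added before it is treated as unused.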

@coderabbitai

coderabbitai Bot commented Apr 20, 2026

Warning

Rate limit exceeded

@ulises-jeremias has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 55 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 50 minutes and 55 seconds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0239f032-d921-4880-97c6-07d56a0fa9ab

📥 Commits

Reviewing files that changed from the base of the PR and between 30c8446 and 0dc8432.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • packages/create-node-app-core/package.json

@github-actions

github-actions Bot commented Apr 20, 2026

Contributor

MegaLinter analysis: Error

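|    | Descriptor   | Linter                | Files | Fixed | Errors | Warnings | Elapsed time |
|----|--------------|-----------------------|-------|-------|--------|----------|--------------|
| ✅ | EDITORCONFIG | editorconfig-checker  | 3     |       | 0      | 0        | 0.01s        |
| ✅ | JSON         | jsonlint              | 3     |       | 0      | 0        | 0.35s        |
| ✅ | JSON         | npm-package-json-lint | yes   |       | no     | no       | 0.31s        |
| ✅ | JSON         | prettier              | 3     | 0     | 0      | 0        | 0.36s        |
| ✅ | JSON         | v8r                   | 3     |       | 0      | 0        | 8.26s        |
| ✅ | REPOSITORY   | gitleaks              | yes   |       | no     | no       | 3.77s        |
| ✅ | REPOSITORY   | git_diff              | yes   |       | no     | no       | 0.01s        |
| ❌ | REPOSITORY   | osv-scanner           | yes   |       | 22     | no       | 5.12s        |
| ✅ | REPOSITORY   | secretlint            | yes   |       | no     | no       | 1.13s        |
| ✅ | REPOSITORY   | syft                  | yes   |       | no     | no       | 2.93s        |
| ✅ | REPOSITORY   | trufflehog            | yes   |       | no     | no       | 3.71s        |
| ❌ | SPELL        | cspell                | 4     |       | 1      | 0        | 3.04s        |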

Detailed Issues

❌ SPELL / cspell - 1 error
packages/create-node-app-core/package.json:59:6      - Unknown word (readdirp)   -- "readdirp": "^4.1.2",
	 Suggestions: [readdir, readDir, redip, reader, readers]
CSpell: Files checked: 3, Issues found: 1 in 1 file.


You can skip this misspellings by defining the following .cspell.json file at the root of your repository
Of course, please correct real typos before :)

{
    "version": "0.2",
    "language": "en",
    "ignorePaths": [
        "**/node_modules/**",
        "**/vscode-extension/**",
        "**/.git/**",
        "**/.pnpm-lock.json",
        ".vscode",
        "package-lock.json",
        "megalinter-reports"
    ],
    "words": [
        "readdirp"
    ]
}


You can also copy-paste megalinter-reports/.cspell.json at the root of your repository
❌ REPOSITORY / osv-scanner - 22 errors
Scanning dir .
Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
Starting filesystem walk for root: /
Scanned tools/danger/package-lock.json file and found 161 packages
Scanned package-lock.json file and found 587 packages
End status: 46 dirs visited, 215 inodes visited, 2 Extract calls, 50.587342ms elapsed, 50.587522ms wall time
Filtered 7 local/unscannable package/s from the scan.

Total 17 packages affected by 22 known vulnerabilities (1 Critical, 6 High, 13 Medium, 2 Low, 0 Unknown) from 1 ecosystem.
21 vulnerabilities can be fixed.

+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+--------------------------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                             | VERSION | FIXED VERSION | SOURCE                         |
+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+--------------------------------+
| https://osv.dev/GHSA-3p68-rc4w-qgx5 | 6.3  | npm       | axios                               | 1.13.6  | 1.15.0        | package-lock.json              |
| https://osv.dev/GHSA-fvcv-3m26-pcqx | 4.8  | npm       | axios                               | 1.13.6  | 1.15.0        | package-lock.json              |
| https://osv.dev/GHSA-f886-m6hf-6m8v | 6.5  | npm       | brace-expansion                     | 2.0.2   | 2.0.3         | package-lock.json              |
| https://osv.dev/GHSA-r4q5-vmmm-2653 | 6.9  | npm       | follow-redirects                    | 1.15.11 | 1.16.0        | package-lock.json              |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch                           | 2.3.1   | 2.3.2         | package-lock.json              |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch                           | 2.3.1   | 2.3.2         | package-lock.json              |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch (dev)                     | 4.0.3   | 4.0.4         | package-lock.json              |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch (dev)                     | 4.0.3   | 4.0.4         | package-lock.json              |
| https://osv.dev/GHSA-48c2-rrv3-qjmp | 4.3  | npm       | yaml (dev)                          | 2.8.1   | 2.8.3         | package-lock.json              |
| https://osv.dev/GHSA-h5c3-5r3r-rr8q | 5.3  | npm       | @octokit/plugin-paginate-rest (dev) | 2.21.3  | 9.2.2         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-rmvr-2pp2-xj38 | 5.3  | npm       | @octokit/request (dev)              | 5.6.3   | 8.4.1         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-xx4v-prfh-6cgc | 5.3  | npm       | @octokit/request-error (dev)        | 2.1.0   | 5.1.1         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-vpq2-c234-7xj6 | 3.3  | npm       | @tootallnate/once (dev)             | 2.0.0   | 3.0.1         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-grv7-fg5c-xmjg | 7.5  | npm       | braces (dev)                        | 3.0.2   | 3.0.3         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-fjxv-7rqg-78g4 | 9.4  | npm       | form-data (dev)                     | 4.0.0   | 4.0.4         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-869p-cjfg-cm3x | 7.5  | npm       | jws (dev)                           | 3.2.2   | 3.2.3         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-952p-6rrq-rcjv | 5.3  | npm       | micromatch (dev)                    | 4.0.5   | 4.0.8         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-8g77-54rh-46hx | 8.9  | npm       | parse-git-config (dev)              | 2.0.3   | --            | tools/danger/package-lock.json |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch (dev)                     | 2.3.1   | 2.3.2         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch (dev)                     | 2.3.1   | 2.3.2         | tools/danger/package-lock.json |
| https://osv.dev/GHSA-6rw7-vpxm-498p | 6.3  | npm       | qs (dev)                            | 6.12.0  | 6.14.1        | tools/danger/package-lock.json |
| https://osv.dev/GHSA-w7fw-mjwx-w883 | 3.7  | npm       | qs (dev)                            | 6.12.0  | 6.14.2        | tools/danger/package-lock.json |
+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+--------------------------------+

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

- Root package.json: move tsup from dependencies to devDependencies
  (build tool, not a runtime dependency)
- packages/create-node-app-core: move tsup from dependencies to
  devDependencies and remove unused ts-node (tests use tsx instead)
- Regenerate package-lock.json
- Side effect: reduces vulnerability count from 8 to 6
@ulises-jeremias ulises-jeremias force-pushed the chore/dependency-cleanup branch from fc1e0de to 0dc8432 Compare April 20, 2026 04:36
@ulises-jeremias ulises-jeremias merged commit 975c1f6 into main Apr 20, 2026
8 of 12 checks passed