chore(deps)!: bump dep floors, widen plus-plugin majors, migrate file_picker 11

[xsahil03x]

Summary

Three commits cleaning up the dep tree against the v10 floor (Flutter 3.38.1 / Dart 3.10):

• Runtime dep floors + plus-plugin major widening + file_picker 11 migration (180f03e86) — closes Unable to use latest Flutter packages alongside stream_chat_flutter #2599 and addresses CVE-2026-34240 in jose.
• Dev dependency floors (f5383197d) — raises floors of build/test tooling (build_runner, drift_dev, json_serializable, test, mocktail, etc.) to their current resolved versions.
• Codegen regeneration (f10051914) — .g.dart / .freezed.dart files regenerated with the new tool versions.

Breaking change

file_picker is bumped from ^10.1.2 to ^11.0.0. Consumers depending on file_picker directly must also upgrade past 11.0.0, which replaces the instance-based FilePicker.platform.* API with static FilePicker.* methods. Internal callers in stream_chat_flutter have been migrated.

Security

jose floor raised from ^0.3.4 to ^0.3.5+1 to address CVE-2026-34240 (untrusted JWK header accepted during signature verification). The SDK only uses JsonWebToken.unverified so it isn't directly exploitable, but the floor bump ensures consumers resolve to a patched version and SCA scanners stop flagging.

Plus-plugin widenings (issue #2599 family)

Dep	Before	After
device_info_plus	>=11.0.0 <13.0.0	>=12.4.0 <14.0.0
package_info_plus	>=8.3.0 <10.0.0	>=9.0.1 <11.0.0
share_plus	>=11.0.0 <13.0.0	>=12.0.2 <14.0.0

The "breaking" 13.x / 10.x / 13.x releases of these plus_plugins packages were environment-only (win32 6.x + min Flutter/Dart bumps). The 13.1 / 10.1 / 13.1 patches lowered the SDK requirements back down to Flutter 3.38.1 / Dart 3.10 — fully compatible with our floor.

Floor bumps to current resolved versions

Set the minimum constraint of every direct dep in our published packages to the version currently being resolved on our min Flutter (3.38.1). This prevents consumers from being pinned to ancient transitive versions and tightens our guarantees.

freezed_annotation floor intentionally kept at >=2.4.1 <4.0.0 to avoid forcing consumers off freezed 2.x.

Codegen regeneration

The bumped codegen tools (freezed 3.x, json_serializable 6.13.x, drift_dev 2.33) produce different output:

• json_serializable switched to Dart's null-aware map entry syntax ('key': ?nullableExpr) — same JSON wire format, verified empirically.
• freezed — cosmetic formatting differences only.
• drift_dev 2.33 — heavy line-wrapping reformat of the database file (no schema/column/constraint changes), plus an additive per-DAO Manager API (e.g. channelDao.managers.channels.filter(...).get()). The existing builder API call sites are unchanged.

No source .dart files were modified — only generated outputs.

Test plan

• CI green
• Verify flutter pub get resolves cleanly in a consumer app that depends on:
  • device_info_plus ^13.0.0
  • package_info_plus ^10.0.0
  • share_plus ^13.0.0
  • file_picker ^11.0.0
• Smoke test file attachment picking on iOS, Android, and Web (file_picker API migrated)
• Smoke test gallery share button on iOS/Android (share_plus floor raised)

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9f2a40bf-d995-445a-9026-97ddcbc5bca6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/v10-dep-bumps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 66.88%. Comparing base (4a22a44) to head (f100519).

Files with missing lines	Patch %	Lines
...tachment/handler/stream_attachment_handler_io.dart	0.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##           v10.0.0    #2644   +/-   ##
========================================
  Coverage    66.88%   66.88%           
========================================
  Files          410      410           
  Lines        24887    24887           
========================================
  Hits         16646    16646           
  Misses        8241     8241           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[renefloor]

I would change this to a regular caret notation

Suggested change

	connectivity_plus: ">=7.1.1 <8.0.0"
	connectivity_plus: "^7.1.1"

[renefloor]

I would change this to a regular caret notation

Suggested change

	desktop_drop: '>=0.7.1 <0.8.0'
	desktop_drop: '^0.7.1'

[renefloor]

Suggested change

	just_audio: ">=0.10.5 <0.11.0"
	just_audio: "^0.10.5"

[renefloor]

Maybe we can also increase the minimum of freezed to 3.0 now?