Skip to content

chore: security fixes#2164

Merged
ohmoses merged 6 commits into
mainfrom
chore/security-fixes
Jul 7, 2026
Merged

chore: security fixes#2164
ohmoses merged 6 commits into
mainfrom
chore/security-fixes

Conversation

@ohmoses

@ohmoses ohmoses commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Bug Fixes
    • Improved build output cleanup reliability by making local folder removal more fault-tolerant when directories are missing.
  • Chores
    • Updated workspace tool versions and aligned packages to resolve dependencies from the shared workspace.
    • Refreshed formatting/tooling dependencies (including adding Prettier) and removed strict npm engine enforcement.
    • Increased Next.js versions used by project packages and updated CI/release workflow pnpm setup.
    • Added stronger dependency version overrides to improve dependency safety.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 27e79493-182a-452d-9960-b476e08aa2f4

📥 Commits

Reviewing files that changed from the base of the PR and between b3a1678 and 8297965.

📒 Files selected for processing (2)
  • .github/workflows/pr-check.yml
  • .github/workflows/release.yml

📝 Walkthrough

Walkthrough

This PR updates dependency versions and workspace references across multiple packages, migrates pnpm override configuration into pnpm-workspace.yaml, updates pnpm versions in workflows, and changes a test import plus a filesystem cleanup call.

Changes

Dependency management and version updates

Layer / File(s) Summary
pnpm overrides migration and changeset
.changeset/every-banks-wink.md, package.json, pnpm-workspace.yaml
Adds a changeset for patch releases and dependency override pins, removes root pnpm overrides while bumping turbo, @changesets/cli, and packageManager, and adds override, engineStrict, allowBuilds, and minimumReleaseAgeExclude settings in pnpm-workspace.yaml.
Workspace reference switches and dependency bumps
legacy/cli/package.json, legacy/sdk/package.json, integrations/directus/package.json, packages/compiler/package.json, packages/react/package.json, scripts/docs/package.json, demo/new-compiler-vite-react-spa/package.json, .github/workflows/pr-check.yml, .github/workflows/release.yml
Updates lingo.dev and @replexica/sdk to workspace references, adds @unhead/vue, bumps next and prettier versions, updates @tanstack/devtools-vite, and raises pnpm to 11.10.0 in the PR and release workflows.
Test import fix and filesystem cleanup change
packages/sdk/src/abort-controller.spec.ts, packages/compiler/src/lib/lcp/index.ts
Updates the test to mock observability utilities and import LingoDotDevEngine locally, and switches .next cleanup from fs.rmdirSync to fs.rmSync with force: true.

Estimated code review effort: 2 (Simple) | ~12 minutes

Possibly related PRs

Suggested reviewers: cherkanovart, AndreyHirsa, maxprilutskiy

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning No PR description was provided, so the required Summary, Changes, Testing, Checklist, and issue reference are missing. Add the template sections: Summary, Changes, Testing, Visuals if needed, Checklist, and a closing issue reference.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the PR’s main goal: applying security-related dependency fixes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/security-fixes

Comment @coderabbitai help to get the list of available commands.

@ohmoses ohmoses enabled auto-merge (squash) July 7, 2026 09:27
@ohmoses ohmoses merged commit 79b1c8f into main Jul 7, 2026
4 of 6 checks passed
@ohmoses ohmoses deleted the chore/security-fixes branch July 7, 2026 09:30

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/compiler/src/lib/lcp/index.ts`:
- Around line 33-36: The LCP cleanup path in index.ts now uses fs.rmSync, but
the spec in index.spec.ts still mocks fs.rmdirSync, so the real .next directory
can be removed during tests. Update the test stub to mock fs.rmSync instead of
rmdirSync, keeping the LCP.ensureFile() flow isolated and aligned with the
actual deletion call.

In `@packages/react/package.json`:
- Line 57: The React package’s Next.js peer support range is out of sync with
the bumped dev dependency version: `devDependencies.next` now uses `16.2.10`,
but the `peerDependencies.next` range still excludes all v16 releases. Update
the `peerDependencies.next` range in the package manifest so it includes the
validated `next` 16 version while preserving any intended lower-bound support,
keeping the declaration aligned with the `next` dependency used by the package.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ad6135b2-928c-44db-98df-dbd2ac2aa814

📥 Commits

Reviewing files that changed from the base of the PR and between fe5b2b0 and b3a1678.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (13)
  • .changeset/every-banks-wink.md
  • .npmrc
  • demo/new-compiler-vite-react-spa/package.json
  • integrations/directus/package.json
  • legacy/cli/package.json
  • legacy/sdk/package.json
  • package.json
  • packages/compiler/package.json
  • packages/compiler/src/lib/lcp/index.ts
  • packages/react/package.json
  • packages/sdk/src/abort-controller.spec.ts
  • pnpm-workspace.yaml
  • scripts/docs/package.json
💤 Files with no reviewable changes (1)
  • .npmrc

Comment on lines +33 to 36
fs.rmSync(path.resolve(process.cwd(), ".next"), {
recursive: true,
force: true,
});

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## File map\n'
git ls-files 'packages/compiler/src/lib/lcp/*'

printf '\n## Outline: index.ts\n'
ast-grep outline packages/compiler/src/lib/lcp/index.ts --view expanded

printf '\n## Outline: index.spec.ts\n'
ast-grep outline packages/compiler/src/lib/lcp/index.spec.ts --view expanded

printf '\n## Relevant fs mocks/usages in spec\n'
rg -n --context 3 'rmdirSync|rmSync|ensureFile|fs\.' packages/compiler/src/lib/lcp/index.spec.ts packages/compiler/src/lib/lcp/index.ts

printf '\n## Relevant source excerpt: index.ts\n'
sed -n '1,120p' packages/compiler/src/lib/lcp/index.ts

printf '\n## Relevant source excerpt: index.spec.ts\n'
sed -n '1,220p' packages/compiler/src/lib/lcp/index.spec.ts

Repository: lingodotdev/lingo.dev

Length of output: 20753


Mock fs.rmSync in packages/compiler/src/lib/lcp/index.spec.ts. The spec still stubs fs.rmdirSync, so LCP.ensureFile() hits the real fs.rmSync() and can delete a real .next directory during the test; swap the mock to rmSync to keep the suite isolated.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/compiler/src/lib/lcp/index.ts` around lines 33 - 36, The LCP cleanup
path in index.ts now uses fs.rmSync, but the spec in index.spec.ts still mocks
fs.rmdirSync, so the real .next directory can be removed during tests. Update
the test stub to mock fs.rmSync instead of rmdirSync, keeping the
LCP.ensureFile() flow isolated and aligned with the actual deletion call.

"@vitejs/plugin-react": "4.4.1",
"chokidar-cli": "3.0.0",
"next": "15.5.19",
"next": "16.2.10",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

next peerDependency range excludes the bumped devDependency version.

devDependencies.next is now 16.2.10, but peerDependencies.next (Line 66, unchanged) remains ">=15.5.19 <16", which excludes v16 entirely. The package will now build/test against a next version outside its own declared peer support range, and consumers on next@16 still won't satisfy the peer requirement despite the library apparently being validated against it.

🔧 Proposed fix to widen the peer range
-    "next": ">=15.5.19 <16"
+    "next": ">=15.5.19 <17"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"next": "16.2.10",
"next": ">=15.5.19 <17"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/react/package.json` at line 57, The React package’s Next.js peer
support range is out of sync with the bumped dev dependency version:
`devDependencies.next` now uses `16.2.10`, but the `peerDependencies.next` range
still excludes all v16 releases. Update the `peerDependencies.next` range in the
package manifest so it includes the validated `next` 16 version while preserving
any intended lower-bound support, keeping the declaration aligned with the
`next` dependency used by the package.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants