chore: security fixes#2164
Conversation
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis PR updates dependency versions and workspace references across multiple packages, migrates pnpm override configuration into pnpm-workspace.yaml, updates pnpm versions in workflows, and changes a test import plus a filesystem cleanup call. ChangesDependency management and version updates
Estimated code review effort: 2 (Simple) | ~12 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/compiler/src/lib/lcp/index.ts`:
- Around line 33-36: The LCP cleanup path in index.ts now uses fs.rmSync, but
the spec in index.spec.ts still mocks fs.rmdirSync, so the real .next directory
can be removed during tests. Update the test stub to mock fs.rmSync instead of
rmdirSync, keeping the LCP.ensureFile() flow isolated and aligned with the
actual deletion call.
In `@packages/react/package.json`:
- Line 57: The React package’s Next.js peer support range is out of sync with
the bumped dev dependency version: `devDependencies.next` now uses `16.2.10`,
but the `peerDependencies.next` range still excludes all v16 releases. Update
the `peerDependencies.next` range in the package manifest so it includes the
validated `next` 16 version while preserving any intended lower-bound support,
keeping the declaration aligned with the `next` dependency used by the package.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: ad6135b2-928c-44db-98df-dbd2ac2aa814
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (13)
.changeset/every-banks-wink.md.npmrcdemo/new-compiler-vite-react-spa/package.jsonintegrations/directus/package.jsonlegacy/cli/package.jsonlegacy/sdk/package.jsonpackage.jsonpackages/compiler/package.jsonpackages/compiler/src/lib/lcp/index.tspackages/react/package.jsonpackages/sdk/src/abort-controller.spec.tspnpm-workspace.yamlscripts/docs/package.json
💤 Files with no reviewable changes (1)
- .npmrc
| fs.rmSync(path.resolve(process.cwd(), ".next"), { | ||
| recursive: true, | ||
| force: true, | ||
| }); |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n## File map\n'
git ls-files 'packages/compiler/src/lib/lcp/*'
printf '\n## Outline: index.ts\n'
ast-grep outline packages/compiler/src/lib/lcp/index.ts --view expanded
printf '\n## Outline: index.spec.ts\n'
ast-grep outline packages/compiler/src/lib/lcp/index.spec.ts --view expanded
printf '\n## Relevant fs mocks/usages in spec\n'
rg -n --context 3 'rmdirSync|rmSync|ensureFile|fs\.' packages/compiler/src/lib/lcp/index.spec.ts packages/compiler/src/lib/lcp/index.ts
printf '\n## Relevant source excerpt: index.ts\n'
sed -n '1,120p' packages/compiler/src/lib/lcp/index.ts
printf '\n## Relevant source excerpt: index.spec.ts\n'
sed -n '1,220p' packages/compiler/src/lib/lcp/index.spec.tsRepository: lingodotdev/lingo.dev
Length of output: 20753
Mock fs.rmSync in packages/compiler/src/lib/lcp/index.spec.ts. The spec still stubs fs.rmdirSync, so LCP.ensureFile() hits the real fs.rmSync() and can delete a real .next directory during the test; swap the mock to rmSync to keep the suite isolated.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/compiler/src/lib/lcp/index.ts` around lines 33 - 36, The LCP cleanup
path in index.ts now uses fs.rmSync, but the spec in index.spec.ts still mocks
fs.rmdirSync, so the real .next directory can be removed during tests. Update
the test stub to mock fs.rmSync instead of rmdirSync, keeping the
LCP.ensureFile() flow isolated and aligned with the actual deletion call.
| "@vitejs/plugin-react": "4.4.1", | ||
| "chokidar-cli": "3.0.0", | ||
| "next": "15.5.19", | ||
| "next": "16.2.10", |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
next peerDependency range excludes the bumped devDependency version.
devDependencies.next is now 16.2.10, but peerDependencies.next (Line 66, unchanged) remains ">=15.5.19 <16", which excludes v16 entirely. The package will now build/test against a next version outside its own declared peer support range, and consumers on next@16 still won't satisfy the peer requirement despite the library apparently being validated against it.
🔧 Proposed fix to widen the peer range
- "next": ">=15.5.19 <16"
+ "next": ">=15.5.19 <17"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| "next": "16.2.10", | |
| "next": ">=15.5.19 <17" |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/react/package.json` at line 57, The React package’s Next.js peer
support range is out of sync with the bumped dev dependency version:
`devDependencies.next` now uses `16.2.10`, but the `peerDependencies.next` range
still excludes all v16 releases. Update the `peerDependencies.next` range in the
package manifest so it includes the validated `next` 16 version while preserving
any intended lower-bound support, keeping the declaration aligned with the
`next` dependency used by the package.
Summary by CodeRabbit