Skip to content

chore(deps): bump bcryptjs, vite, @hono/node-server, zod for security#23

Merged
yokoszn merged 1 commit into
mainfrom
claude/update-security-deps-e7WL0
Jul 18, 2026
Merged

chore(deps): bump bcryptjs, vite, @hono/node-server, zod for security#23
yokoszn merged 1 commit into
mainfrom
claude/update-security-deps-e7WL0

Conversation

@yokoszn

@yokoszn yokoszn commented Apr 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

Security-relevant dependency upgrades:

Package From To Notes
bcryptjs ^2.4.3 ^3.0.3 constant-time comparison improvements; ships own types (drops @types/bcryptjs)
vite ^5.0.11 ^8.0.10 CVE-2025-31125 (SSRF), CVE-2025-46565 (path traversal)
@hono/node-server ^1.12.1 ^2.0.0 drops Node 18 (repo already requires Node ≥22)
zod ^3.23.8 ^4.3.6 improved type-narrowing, new error API

Cascading bumps required for compatibility

  • figue 2 → 3 (zod 4 / standard-schema spec)
  • unocss 0.64 → 66, @unocss/reset 0.64 → 66, vite-plugin-solid 2.11.6 → 2.11.12 (vite 8 peer)
  • vitest 3 → 4 and @vitest/coverage-v8 3 → 4 (vite 8 peer)
  • catalog @types/node 22.5 → 22.12 (vite 8 peer)
  • app-client tsconfig.json moduleResolution: nodebundler (vite 8 ships ESM-only types)

Code adjustments

  • validation.ts: error.errorserror.issues (zod 4 rename).
  • Tests: schema option required_error: '…'error: '…'; updated expected default messages (Unrecognized key: "foo", Invalid string: must start with …, Invalid input: expected "<literal>").
  • notes.routes.ts: removed two @ts-expect-error directives — zod 4 now accepts z.enum(readonly array).
  • vite.config.ts: defineConfig imported from vitest/config so the test field still typechecks under vite 8.

Verification

All workspace tests pass (62 app-server + 29 app-client + 27 lib + 26 crypto + 7 cli). Typecheck and production builds (app-client, app-server, docs) all succeed. Smoke-tested the built node server: serve() from @hono/node-server v2 starts and serves API requests correctly with the same options shape used in v1.

Test plan

  • pnpm install succeeds without unexpected peer-dep failures
  • pnpm -r test passes
  • pnpm -F @enclosed/app-client run build produces a working bundle
  • pnpm -F @enclosed/app-server run build:node produces a working CJS bundle
  • Manual: log in with an existing bcrypt password hash to confirm bcryptjs v3 compare still verifies v2-generated hashes
  • Manual: docs users-authentication-key-generator page still hashes passwords client-side

https://claude.ai/code/session_012SsqAq1heXEWfPgS1BukkN


Generated by Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Improved validation error reporting for invalid request bodies, query parameters, and URL parameters.
    • Updated note creation validation to provide clearer messages for unsupported formats and encryption algorithms.
  • Chores

    • Updated application build, testing, validation, and server runtime tooling to newer versions.
    • Refreshed shared type and coverage tooling across the workspace.

- bcryptjs 2 → 3 (constant-time comparison improvements; ships own types)
- vite 5 → 8 (CVE-2025-31125 SSRF, CVE-2025-46565 path traversal)
- @hono/node-server 1 → 2 (drops Node 18, refreshed adapter API)
- zod 3 → 4 (improved type-narrowing, new error API)

Cascading bumps required for compatibility:
- figue 2 → 3 (zod 4 / standard-schema spec)
- unocss 0.64 → 66, vite-plugin-solid 2.11.6 → 2.11.12 (vite 8 peer)
- vitest 3 → 4 (vite 8 peer)
- @types/node 22.5 → 22.12 (vite 8 peer)
- app-client tsconfig moduleResolution: node → bundler (vite 8)

Code adjustments:
- error.errors → error.issues, required_error → error (zod 4)
- updated test expectations for zod 4 default messages
- removed obsolete @ts-expect-error on z.enum(readonly array)
- vite.config defineConfig now imported from vitest/config to keep test field types
@coderabbitai

coderabbitai Bot commented Apr 26, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0bbf9790-6be4-4751-83cc-b18a7c689d44

📥 Commits

Reviewing files that changed from the base of the PR and between 461c3d4 and 45a15dc.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (10)
  • packages/app-client/package.json
  • packages/app-client/tsconfig.json
  • packages/app-client/vite.config.ts
  • packages/app-server/package.json
  • packages/app-server/src/modules/notes/e2e/create-and-view-note-unauthenticated.e2e.test.ts
  • packages/app-server/src/modules/notes/notes.routes.ts
  • packages/app-server/src/modules/shared/validation/validation.test.ts
  • packages/app-server/src/modules/shared/validation/validation.ts
  • packages/docs/package.json
  • pnpm-workspace.yaml

Disabled knowledge base sources:

  • Jira integration is disabled
  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.


📝 Walkthrough

Walkthrough

The changes upgrade workspace and package dependencies, adjust app-client module configuration, and update app-server Zod schemas, validation formatting, and test expectations for newer validation messages.

Changes

Validation and toolchain updates

Layer / File(s) Summary
Dependency and build configuration upgrades
packages/app-client/package.json, packages/app-client/tsconfig.json, packages/app-client/vite.config.ts, packages/app-server/package.json, packages/docs/package.json, pnpm-workspace.yaml
Package versions are upgraded across the workspace, app-client uses bundler module resolution, and Vite configuration imports are updated.
Zod validation compatibility updates
packages/app-server/src/modules/notes/notes.routes.ts, packages/app-server/src/modules/shared/validation/validation.ts, packages/app-server/src/modules/shared/validation/validation.test.ts, packages/app-server/src/modules/notes/e2e/create-and-view-note-unauthenticated.e2e.test.ts
Validation formatting uses error.issues, the notes schema removes TypeScript suppression comments, and unit/e2e expectations are updated for newer Zod messages.

Estimated code review effort: 3 (Moderate) | ~20 minutes

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/update-security-deps-e7WL0

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying enclosed-twn with  Cloudflare Pages  Cloudflare Pages

Latest commit: 45a15dc
Status: ✅  Deploy successful!
Preview URL: https://99417282.enclosed-twn.pages.dev
Branch Preview URL: https://claude-update-security-deps.enclosed-twn.pages.dev

View logs

@github-actions

Copy link
Copy Markdown
built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name Status Preview Last Commit
enclosed-docs ❌ Failed (View Log) 45a15dc

@github-actions

Copy link
Copy Markdown
built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name Status Preview Last Commit
enclosed ❌ Failed (View Log) 45a15dc

@yokoszn
yokoszn marked this pull request as ready for review July 18, 2026 04:21
@yokoszn
yokoszn merged commit 5b92c26 into main Jul 18, 2026
12 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants