chore(deps): bump bcryptjs, vite, @hono/node-server, zod for security#23
Merged
Conversation
- bcryptjs 2 → 3 (constant-time comparison improvements; ships own types) - vite 5 → 8 (CVE-2025-31125 SSRF, CVE-2025-46565 path traversal) - @hono/node-server 1 → 2 (drops Node 18, refreshed adapter API) - zod 3 → 4 (improved type-narrowing, new error API) Cascading bumps required for compatibility: - figue 2 → 3 (zod 4 / standard-schema spec) - unocss 0.64 → 66, vite-plugin-solid 2.11.6 → 2.11.12 (vite 8 peer) - vitest 3 → 4 (vite 8 peer) - @types/node 22.5 → 22.12 (vite 8 peer) - app-client tsconfig moduleResolution: node → bundler (vite 8) Code adjustments: - error.errors → error.issues, required_error → error (zod 4) - updated test expectations for zod 4 default messages - removed obsolete @ts-expect-error on z.enum(readonly array) - vite.config defineConfig now imported from vitest/config to keep test field types
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (10)
Disabled knowledge base sources:
📝 WalkthroughWalkthroughThe changes upgrade workspace and package dependencies, adjust app-client module configuration, and update app-server Zod schemas, validation formatting, and test expectations for newer validation messages. ChangesValidation and toolchain updates
Estimated code review effort: 3 (Moderate) | ~20 minutes ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Deploying enclosed-twn with
|
| Latest commit: |
45a15dc
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://99417282.enclosed-twn.pages.dev |
| Branch Preview URL: | https://claude-update-security-deps.enclosed-twn.pages.dev |
built with Refined Cloudflare Pages Action⚡ Cloudflare Pages Deployment
|
built with Refined Cloudflare Pages Action⚡ Cloudflare Pages Deployment
|
yokoszn
marked this pull request as ready for review
July 18, 2026 04:21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security-relevant dependency upgrades:
bcryptjs^2.4.3^3.0.3@types/bcryptjs)vite^5.0.11^8.0.10@hono/node-server^1.12.1^2.0.0zod^3.23.8^4.3.6Cascading bumps required for compatibility
figue2 → 3 (zod 4 / standard-schema spec)unocss0.64 → 66,@unocss/reset0.64 → 66,vite-plugin-solid2.11.6 → 2.11.12 (vite 8 peer)vitest3 → 4 and@vitest/coverage-v83 → 4 (vite 8 peer)@types/node22.5 → 22.12 (vite 8 peer)app-clienttsconfig.jsonmoduleResolution:node→bundler(vite 8 ships ESM-only types)Code adjustments
validation.ts:error.errors→error.issues(zod 4 rename).required_error: '…'→error: '…'; updated expected default messages (Unrecognized key: "foo",Invalid string: must start with …,Invalid input: expected "<literal>").notes.routes.ts: removed two@ts-expect-errordirectives — zod 4 now acceptsz.enum(readonly array).vite.config.ts:defineConfigimported fromvitest/configso thetestfield still typechecks under vite 8.Verification
All workspace tests pass (62 app-server + 29 app-client + 27 lib + 26 crypto + 7 cli). Typecheck and production builds (
app-client,app-server,docs) all succeed. Smoke-tested the built node server:serve()from@hono/node-serverv2 starts and serves API requests correctly with the same options shape used in v1.Test plan
pnpm installsucceeds without unexpected peer-dep failurespnpm -r testpassespnpm -F @enclosed/app-client run buildproduces a working bundlepnpm -F @enclosed/app-server run build:nodeproduces a working CJS bundleusers-authentication-key-generatorpage still hashes passwords client-sidehttps://claude.ai/code/session_012SsqAq1heXEWfPgS1BukkN
Generated by Claude Code
Summary by CodeRabbit
Bug Fixes
Chores