chore: bump cookie to ^0.7.0 (security)#1
Conversation
There was a problem hiding this comment.
Pull request overview
This PR aims to bump the cookie package to ^0.7.0 to address a security advisory, but includes substantial additional changes beyond the security update.
Key changes:
- Updated cookie package from ^0.6.0 to ^0.7.0 in packages/js, packages/react, packages/stack, and packages/template
- Refactored ConfigCrud types to inline type definitions
- Large-scale test refactoring replacing Auth.Otp.signIn with Auth.fastSignUp
- Added new dev-stats feature for monitoring API performance
- Updated build configuration and scripts
- Added database migrations for performance indices
Reviewed changes
Copilot reviewed 58 out of 58 changed files in this pull request and generated 12 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/js/package.json | Updated cookie to ^0.7.0 |
| packages/react/package.json | Updated cookie to ^0.7.0 |
| packages/stack/package.json | Updated cookie to ^0.7.0 |
| packages/template/package.json | Updated cookie to ^0.7.0 |
| packages/stack-shared/src/interface/crud/config.ts | Removed ConfigCrud type definitions |
| packages/stack-shared/src/interface/admin-interface.ts | Replaced ConfigCrud types with inline types, changed updateConfig to return void |
| packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts | Updated to use inline type definition |
| package.json | Updated build scripts, removed generate-openapi-fumadocs command |
| turbo.json | Removed generate-openapi-fumadocs task |
| apps/e2e/tests/** | Extensive test refactoring: Auth.Otp.signIn → Auth.fastSignUp |
| apps/backend/src/route-handlers/smart-route-handler.tsx | Added request stats recording |
| apps/backend/src/lib/dev-request-stats.tsx | New file: request statistics tracking |
| apps/backend/src/app/dev-stats/** | New feature: dev stats page and API |
| apps/backend/src/app/api/latest/internal/config/** | Refactored config handlers from CRUD to direct implementations |
| apps/backend/prisma/migrations/** | Added migration for email outbox and team member indices |
| apps/backend/prisma/schema.prisma | Added database indices |
| apps/backend/package.json | Updated script commands with environment configurations |
| apps/backend/scripts/run-email-queue.ts | Added startup delay |
| .github/workflows/check-prisma-migrations.yaml | Updated to use prisma:dev command |
| docs/scripts/generate-functional-api-docs.mjs | Updated error message to reference new codegen command |
| docker/server/Dockerfile | Removed debug line |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "clean": "pnpm pre-no-codegen && turbo run clean && rimraf --glob **/.next && rimraf --glob **/.turbo && rimraf .turbo && rimraf --glob **/node_modules", | ||
| "codegen": "pnpm pre && turbo run codegen && pnpm run generate-sdks && pnpm run generate-openapi-fumadocs", | ||
| "codegen": "pnpm pre && turbo run codegen && pnpm run generate-sdks", | ||
| "codegen:backend": "pnpm pre && turbo run codegen --filter=@stackframe/stack-backend...", |
There was a problem hiding this comment.
The naming inconsistency "codegen:backend" differs from the pattern "build:backend", "build:packages", etc. Consider renaming to "codegen:backend" or adding similar specific codegen commands for other components to maintain consistency.
| "typecheck": "tsc --noEmit", | ||
| "with-env": "dotenv -c development --", | ||
| "with-env:prod": "dotenv -c --", | ||
| "with-env": "dotenv -c --", |
There was a problem hiding this comment.
The script commands have been updated from "with-env" to "with-env:dev" or "with-env:prod", but the base "with-env" command now uses "dotenv -c --" without specifying development or production. This changes the default behavior. Ensure this is intentional and that all scripts that relied on the previous "with-env" behavior are updated appropriately.
| "with-env": "dotenv -c --", | |
| "with-env": "dotenv -c development --", |
| "build:backend": "pnpm pre && turbo run build --filter=@stackframe/stack-backend...", | ||
| "build:dashboard": "pnpm pre && turbo run build --filter=@stackframe/stack-dashboard...", | ||
| "build:demo": "pnpm pre && turbo run build --filter=demo-app...", | ||
| "build:docs": "pnpm run build:packages && pnpm run build:backend && turbo run generate-openapi-fumadocs && pnpm run --filter=@stackframe/stack-docs generate-openapi-docs && turbo run build --filter=@stackframe/stack-docs", | ||
| "build:docs": "pnpm run build:packages && pnpm run codegen && pnpm run build:backend && pnpm run --filter=@stackframe/stack-docs generate-openapi-docs && turbo run build --filter=@stackframe/stack-docs", | ||
| "build:packages": "pnpm pre && turbo run build --filter=./packages/*", | ||
| "restart-dev-in-background": "pnpm pre && pnpm run kill-dev:named && (pnpm run dev:named > dev-server.log.untracked.txt 2>&1 &) && echo 'Starting dev server in background... (Logs are in dev-server.log.untracked.txt)' && pnpx wait-on http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}02 -t 120000 && echo 'Dev server running.'", | ||
| "restart-dev-environment": "pnpm pre && pnpm run build:packages && pnpm run codegen && pnpm run restart-deps && pnpm run restart-dev-in-background", | ||
| "stop-dev-environment": "pnpm pre && pnpm run kill-dev:named && pnpm run stop-deps", | ||
| "clean": "pnpm pre-no-codegen && turbo run clean && rimraf --glob **/.next && rimraf --glob **/.turbo && rimraf .turbo && rimraf --glob **/node_modules", | ||
| "codegen": "pnpm pre && turbo run codegen && pnpm run generate-sdks && pnpm run generate-openapi-fumadocs", | ||
| "codegen": "pnpm pre && turbo run codegen && pnpm run generate-sdks", |
There was a problem hiding this comment.
The PR title and description mention this is a security update to bump the cookie package to ^0.7.0, but this PR includes many unrelated changes such as:
- Removal of ConfigCrud types and related code
- Changes to turbo.json removing generate-openapi-fumadocs task
- Large test refactoring changing Auth.Otp.signIn to Auth.fastSignUp
- Addition of new dev-stats feature
- Database migration changes
- Build script updates
These changes appear to be outside the scope of a security patch for the cookie package. Consider splitting this PR into separate PRs for each logical change to make review easier and maintain a clearer git history.
| } | ||
|
|
||
| _adminConfigFromCrud(data: ConfigCrud['Admin']['Read']): CompleteConfig { | ||
| _adminConfigFromCrud(data: { config_string: string }): CompleteConfig { |
There was a problem hiding this comment.
The inline type definition { config_string: string } should be extracted to a shared type definition for maintainability. This type is used in multiple places (admin-interface.ts and admin-app-impl.ts) and should be defined once to avoid duplication and ensure consistency.
|
|
||
| // Record request stats for dev-stats page | ||
| recordRequestStats(req.method, req.nextUrl.pathname, time); |
There was a problem hiding this comment.
The function name "recordRequestStats" is called before request handling completes, but the name suggests it records stats for a completed request. Consider renaming to something like "recordRequestCompletion" or update the JSDoc comment to clarify it's called after the request handler completes.
| // Wait a few seconds to make sure the server is fully started | ||
| await wait(5_000); |
There was a problem hiding this comment.
The wait time of 5 seconds is hardcoded. This magic number should be extracted to a named constant with a descriptive name like "SERVER_STARTUP_DELAY_MS" to improve code readability and make it easier to adjust if needed.
| "codegen-prisma": "STACK_DATABASE_CONNECTION_STRING=\"${STACK_DATABASE_CONNECTION_STRING:-placeholder-database-connection-string}\" pnpm run prisma generate", | ||
| "codegen-prisma:watch": "STACK_DATABASE_CONNECTION_STRING=\"${STACK_DATABASE_CONNECTION_STRING:-placeholder-database-connection-string}\" pnpm run prisma generate --watch", |
There was a problem hiding this comment.
The placeholder value "placeholder-database-connection-string" might cause confusion or issues if Prisma attempts to use it. Consider using a more explicit placeholder like "postgresql://placeholder" or documenting why this approach is used, especially since this value could appear in error messages.
| "codegen-prisma": "STACK_DATABASE_CONNECTION_STRING=\"${STACK_DATABASE_CONNECTION_STRING:-placeholder-database-connection-string}\" pnpm run prisma generate", | |
| "codegen-prisma:watch": "STACK_DATABASE_CONNECTION_STRING=\"${STACK_DATABASE_CONNECTION_STRING:-placeholder-database-connection-string}\" pnpm run prisma generate --watch", | |
| "codegen-prisma": "STACK_DATABASE_CONNECTION_STRING=\"${STACK_DATABASE_CONNECTION_STRING:-postgresql://placeholder}\" pnpm run prisma generate", | |
| "codegen-prisma:watch": "STACK_DATABASE_CONNECTION_STRING=\"${STACK_DATABASE_CONNECTION_STRING:-postgresql://placeholder}\" pnpm run prisma generate --watch", |
| // Create second user | ||
| const user2Mailbox = await bumpEmailAddress(); | ||
| const { userId: user2Id } = await Auth.Otp.signIn(); | ||
| const { userId: user2Id } = await Auth.fastSignUp(); |
There was a problem hiding this comment.
Unused variable user2Id.
| const { userId: user2Id } = await Auth.fastSignUp(); | |
| await Auth.fastSignUp(); |
|
|
||
| backendContext.set({ mailbox: createMailbox() }); | ||
| const user2 = await Auth.Otp.signIn(); | ||
| const user2 = await Auth.fastSignUp(); |
There was a problem hiding this comment.
Unused variable user2.
|
|
||
| it("lets users be on multiple teams", async ({ expect }) => { | ||
| const { userId: creatorUserId } = await Auth.Otp.signIn(); | ||
| const { userId: creatorUserId } = await Auth.fastSignUp(); |
There was a problem hiding this comment.
Unused variable creatorUserId.
Bumps cookie to ^0.7.0 in packages/js, packages/react, packages/stack, and packages/template to address a security advisory (cookie <0.7.0). I validated builds locally. This should remove the vulnerable transitive dependency for consumers. Closes: hexclave#1077