stack

CodeCow/stack

Fork 0

mirror of https://github.com/stack-auth/stack.git synced 2026-06-04 21:04:37 +08:00

History

Aman Ganapathy 091d3f2a26 Some checks failed all-good: Did all the other checks pass? / all-good (push) Has been cancelled Details Ensure Prisma migrations are in sync with the schema / check_prisma_migrations (22.x) (push) Has been cancelled Details DB migrations are backwards-compatible with main branch / Check if migrations changed (push) Has been cancelled Details Docker Server Build and Push / Docker Build and Push Server (push) Has been cancelled Details Docker Server Build and Run / docker (push) Has been cancelled Details Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (mock, 22.x) (push) Has been cancelled Details Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (prod, 22.x) (push) Has been cancelled Details Runs E2E API Tests with custom port prefix / build (22.x) (push) Has been cancelled Details Runs E2E API Tests with external source of truth / build (22.x) (push) Has been cancelled Details Lint & build / lint_and_build (latest) (push) Has been cancelled Details Dev Environment Test With Custom Base Port / restart-dev-and-test-with-custom-base-port (push) Has been cancelled Details Dev Environment Test / restart-dev-and-test (push) Has been cancelled Details Run setup tests with custom base port / setup-tests-with-custom-base-port (push) Has been cancelled Details Run setup tests / setup-tests (push) Has been cancelled Details TOC Generator / TOC Generator (push) Has been cancelled Details DB migrations are backwards-compatible with main branch / Test migrations with main branch code (push) Has been cancelled Details DB migrations are backwards-compatible with main branch / No migration changes (skipped) (push) Has been cancelled Details Update SDK dependencies to latest version and handle the breaking changes (#1100 ) We update the sdk dependencies (the ones present in `package-template.json`) to the latest versions. Since several packages have major version bumps, this results in a variety of breaking changes that have been handled here. Incidentally, when possible, we update similar dependencies across the codebase. We decide to defer the tailwind update to another PR owing to its scale. The rest of the updates and changes have been catalogued below: 1. [Bumping](https://github.com/panva/oauth4webapi/blob/v3.x/CHANGELOG.md) `oauth4webapi` to 3.8.3: this was a major version changed. While there were no compatibility issues in the sdk, there were several breaking changes in `stack-shared`. Namely: a. The removal of `isOauth2Error`. We used this to check if the results of our `oauth4webapi` api invocations had issues. The functions were changed to explicitly throw either `ResponseBodyErrors` or `AuthorizationResponseErrors`, so the code was reworked to account for that with no loss in error handling. b. Dropping of support for http broadly: `oauth4webapi` now only accepts https. This is desired, but I add a carve out for our test environments only. c. `refreshTokenGrantRequest` and `authorizationCodeGrantRequest` now require `clientAuthentication` to be passed explicitly to them. d. Changes in how we handle our `MultiFactorAuthenticationRequired` error: This is an error that we created and is passed to the `oauth4webapi` API if there are MFA issues. Since the `processAuthorizationCodeResponse` now explicitly throws a `ResponseBodyError`, we access the error cause from the body of the error instead. 2. [Bumping](https://github.com/Qix-/color/releases) `color` to 5.0.4: this was a major version bump. Simple type checking change, I checked the API for the correct interface. 3. [Bumping](https://github.com/MasterKale/SimpleWebAuthn/blob/master/CHANGELOG.md) `simplewebauthn` to 13.2.2: two major version bumps, but no incompatibilities surprisingly 4. [Bumping](https://github.com/jshttp/cookie/releases) `cookie` to 1.1.1: this was a major version bump. a. Changing `parse` to `parseCookie`. In the most recent version, `parse` is still maintained as an alias for `parseCookie` for backwards compatibility, but I thought it would be best to change it over now. No change in functionality. b. Typing is now strongly enforced. A cookie can be `string \| undefined`, and the `Cookies` are now `Record<string, string \| undefined>`. We already have code to handle if a cookie is returned as undefined/ null, so the changes here were more to ensure type compatibility rather than big changes in functionality. 5. [Bumping ](https://github.com/isaacs/rimraf#readme)`rimraf` to 6.1.2: No breaking changes, mostly just bug fixes. 6. [Bumping](https://github.com/panva/jose/releases?page=1) `jose` to 6.1.3: This is another major version bump. We update it across the codebase to ensure compatibility. We use this for importing and processing jwk tokens. There are a few big changes in the version bump, but the only one that applies to us is that `importJwk` now yields a `CryptoKey` instead of a `KeyObject` in Node.js. However, this doesn't appear to break our code. We use `importJwk` in `stack-auth/packages/stack-shared/src/utils/jwt.tsx`. 7. [Bumping](https://github.com/react-hook-form/resolvers/releases) `hookform/resolvers` to 5.2.2 (two major version jumps), and consequently bumping `react-hook-form` to 7.70.0: We already use the patterns that `hookform/resolvers`' latest versions seem to be enforcing. The only other breaking change is that it requires version 7.55.0+ of `react-hook-form`. Though we should pay attention to any interactions with zod and `hookform/resolvers`, some people have reported compatibility issues if they aren't using the latest compatible versions of both. 8. [Bumping](https://github.com/jquense/yup/blob/master/CHANGELOG.md) `yup` to 1.7.1: this was a minor version change, but we had incompatibility issues with this change. Versions 1.4.1 and 1.7.1 cannot exist in the same codebase due to incompatibility, so we bumped it up across the codebase, including in peer dependencies. 9. Some minor version changes for some packages, but these were mostly bug fixes. 10. Edited to add: Bumping freestyle to 0.1.6, and reworking the freestyle mock server. In 0.1.6, freestyle changed their API in two ways: a. We're now supposed to hit their `execute/v2/...` endpoint and b. They've flattened the `config` argument to `serverless.runs.create`. These changes are minor, but are important. As part of a general suite of dependency bumps, this was judged to fit here. We have linked the changelogs for the packages on each line.	2026-01-16 16:02:07 -08:00
..
package.json	Update SDK dependencies to latest version and handle the breaking changes (#1100 )	2026-01-16 16:02:07 -08:00

Aman Ganapathy 091d3f2a26

all-good: Did all the other checks pass? / all-good (push) Has been cancelled

Details

Ensure Prisma migrations are in sync with the schema / check_prisma_migrations (22.x) (push) Has been cancelled

Details

DB migrations are backwards-compatible with main branch / Check if migrations changed (push) Has been cancelled

Details

Docker Server Build and Push / Docker Build and Push Server (push) Has been cancelled

Details

Docker Server Build and Run / docker (push) Has been cancelled

Details

Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (mock, 22.x) (push) Has been cancelled

Details

Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (prod, 22.x) (push) Has been cancelled

Details

Runs E2E API Tests with custom port prefix / build (22.x) (push) Has been cancelled

Details

Runs E2E API Tests with external source of truth / build (22.x) (push) Has been cancelled

Details

Lint & build / lint_and_build (latest) (push) Has been cancelled

Details

Dev Environment Test With Custom Base Port / restart-dev-and-test-with-custom-base-port (push) Has been cancelled

Details

Dev Environment Test / restart-dev-and-test (push) Has been cancelled

Details

Run setup tests with custom base port / setup-tests-with-custom-base-port (push) Has been cancelled

Details

Run setup tests / setup-tests (push) Has been cancelled

Details

TOC Generator / TOC Generator (push) Has been cancelled

Details

DB migrations are backwards-compatible with main branch / Test migrations with main branch code (push) Has been cancelled

Details

DB migrations are backwards-compatible with main branch / No migration changes (skipped) (push) Has been cancelled

Details

Update SDK dependencies to latest version and handle the breaking changes (#1100 )

We update the sdk dependencies (the ones present in
`package-template.json`) to the latest versions. Since several packages
have major version bumps, this results in a variety of breaking changes
that have been handled here. Incidentally, when possible, we update
similar dependencies across the codebase.
We decide to defer the tailwind update to another PR owing to its scale.
The rest of the updates and changes have been catalogued below:

1.
[Bumping](https://github.com/panva/oauth4webapi/blob/v3.x/CHANGELOG.md)
`oauth4webapi` to 3.8.3: this was a major version changed. While there
were no compatibility issues in the sdk, there were several breaking
changes in `stack-shared`. Namely:
a. The removal of `isOauth2Error`. We used this to check if the results
of our `oauth4webapi` api invocations had issues. The functions were
changed to explicitly throw either `ResponseBodyErrors` or
`AuthorizationResponseErrors`, so the code was reworked to account for
that with no loss in error handling.
b. Dropping of support for http broadly: `oauth4webapi` now only accepts
https. This is desired, but I add a carve out for our test environments
only.
c. `refreshTokenGrantRequest` and `authorizationCodeGrantRequest` now
require `clientAuthentication` to be passed explicitly to them.
d. Changes in how we handle our `MultiFactorAuthenticationRequired`
error: This is an error that we created and is passed to the
`oauth4webapi` API if there are MFA issues. Since the
`processAuthorizationCodeResponse` now explicitly throws a
`ResponseBodyError`, we access the error cause from the body of the
error instead.
2. [Bumping](https://github.com/Qix-/color/releases) `color` to 5.0.4:
this was a major version bump. Simple type checking change, I checked
the API for the correct interface.
3.
[Bumping](https://github.com/MasterKale/SimpleWebAuthn/blob/master/CHANGELOG.md)
`simplewebauthn` to 13.2.2: two major version bumps, but no
incompatibilities surprisingly
4. [Bumping](https://github.com/jshttp/cookie/releases) `cookie` to
1.1.1: this was a major version bump.
a. Changing `parse` to `parseCookie`. In the most recent version,
`parse` is still maintained as an alias for `parseCookie` for backwards
compatibility, but I thought it would be best to change it over now. No
change in functionality.
b. Typing is now strongly enforced. A cookie can be `string |
undefined`, and the `Cookies` are now `Record<string, string |
undefined>`. We already have code to handle if a cookie is returned as
undefined/ null, so the changes here were more to ensure type
compatibility rather than big changes in functionality.
5. [Bumping ](https://github.com/isaacs/rimraf#readme)`rimraf` to 6.1.2:
No breaking changes, mostly just bug fixes.
6. [Bumping](https://github.com/panva/jose/releases?page=1) `jose` to
6.1.3: This is another major version bump. We update it across the
codebase to ensure compatibility. We use this for importing and
processing jwk tokens. There are a few big changes in the version bump,
but the only one that applies to us is that `importJwk` now yields a
`CryptoKey` instead of a `KeyObject` in Node.js. However, this doesn't
appear to break our code. We use `importJwk` in
`stack-auth/packages/stack-shared/src/utils/jwt.tsx`.
7. [Bumping](https://github.com/react-hook-form/resolvers/releases)
`hookform/resolvers` to 5.2.2 (two major version jumps), and
consequently bumping `react-hook-form` to 7.70.0: We already use the
patterns that `hookform/resolvers`' latest versions seem to be
enforcing. The only other breaking change is that it requires version
7.55.0+ of `react-hook-form`. Though we should pay attention to any
interactions with zod and `hookform/resolvers`, some people have
reported compatibility issues if they aren't using the latest compatible
versions of both.
8. [Bumping](https://github.com/jquense/yup/blob/master/CHANGELOG.md)
`yup` to 1.7.1: this was a minor version change, but we had
incompatibility issues with this change. Versions 1.4.1 and 1.7.1 cannot
exist in the same codebase due to incompatibility, so we bumped it up
across the codebase, including in peer dependencies.
9. Some minor version changes for some packages, but these were mostly
bug fixes.
10. **Edited to add**: Bumping freestyle to 0.1.6, and reworking the
freestyle mock server. In 0.1.6, freestyle changed their API in two
ways:
    a. We're now supposed to hit their `execute/v2/...` endpoint and 
b. They've flattened the `config` argument to `serverless.runs.create`.
These changes are minor, but are important. As part of a general suite
of dependency bumps, this was judged to fit here.

We have linked the changelogs for the packages on each line.

2026-01-16 16:02:07 -08:00

package.json

Update SDK dependencies to latest version and handle the breaking changes (#1100 )

2026-01-16 16:02:07 -08:00