Skip to content

fix: Upgrade packages #40935

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 16, 2025
Merged

fix: Upgrade packages #40935

merged 4 commits into from
Jun 16, 2025

Conversation

riodeuno
Copy link
Contributor

@riodeuno riodeuno commented Jun 13, 2025
edited
Loading

Description

  • Upgrades packages reported by Dependabot:
  • nanoid
  • brace-expansion
  • webpack-dev-server
  • path-to-regexp
  • vite
  • http-proxy-middleware

Fixes the following issues

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/15630439422
Commit: 2b6f4a4
Cypress dashboard.
Tags: @tag.All
Spec:

Fri, 13 Jun 2025 10:49:32 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • New Features

    • Improved development server configuration for enhanced compatibility and middleware management.

  • Bug Fixes

    • Updated unique key generation to ensure consistency and reliability across the application.

  • Chores

    • Upgraded and adjusted dependencies for better stability and security.
    • Refined package resolution to address version conflicts.

  • Style

    • Standardized string formatting and code styling in development scripts.

@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Jun 13, 2025
edited
Loading

Walkthrough

The updates modernize the development environment and codebase by upgrading dependencies, especially webpack-dev-server and nanoid, and refactoring related code to match new APIs. Multiple files replace deprecated nanoid usage with customAlphabet. Middleware setup in the webpack dev server config is consolidated, and stylistic improvements are made in scripts.

Changes

File(s) Change Summary
app/client/config/webpackDevServer.config.js Upgraded config for webpack-dev-server v5: replaced https with dynamic server option; merged middleware setup hooks into setupMiddlewares.
app/client/package.json, app/client/packages/storybook/package.json Upgraded dependencies: nanoid, webpack-dev-server, vite; removed @types/nanoid; added/updated resolutions.
app/client/packages/dsl/src/migrate/utils.ts
app/client/src/utils/generators.tsx
app/client/src/widgets/WidgetUtils.ts		 Replaced nanoid's deprecated generate import with customAlphabet for key generation.
app/client/src/instrumentation/utils.ts
app/client/src/usagePulse/utils.ts		 Changed nanoid import from default to named import.
app/client/scripts/start.js Converted single to double quotes; improved async server shutdown logging and formatting.
app/client/jest.config.js Added nanoid to Jest transformIgnorePatterns to enable transformation during tests.

Sequence Diagram(s)

sequenceDiagram
    participant DevServer as WebpackDevServer
    participant Middleware as MiddlewareStack
    participant UserProxy as UserProxySetup
    participant Utils as MiddlewareUtils

    DevServer->>Utils: getHttpsConfig()
    Utils-->>DevServer: HTTPS config object or boolean
    DevServer->>Middleware: setupMiddlewares(middlewares, devServer)
    Middleware->>Middleware: prepend evalSourceMapMiddleware
    Middleware->>UserProxy: require user proxy setup if present
    Middleware->>Middleware: append redirectServedPath, noopServiceWorkerMiddleware
    Middleware-->>DevServer: return updated middlewares
Loading

Poem

🌟
New nanoids now, with custom flair,
Dev server’s config gets modern care.
Middleware merged, dependencies rise,
Double quotes twinkle before our eyes.
Keys are unique, the flow is neat—
Updates complete, the code’s elite!
🚀

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eda145b and 2b6f4a4.

📒 Files selected for processing (1)
  • app/client/jest.config.js (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • app/client/jest.config.js
⏰ Context from checks skipped due to timeout of 90000ms (11)
  • GitHub Check: perform-test / rts-build / build
  • GitHub Check: perform-test / server-build / server-unit-tests
  • GitHub Check: perform-test / client-build / client-build
  • GitHub Check: client-unit-tests / client-unit-tests
  • GitHub Check: client-lint / client-lint
  • GitHub Check: client-check-cyclic-deps / check-cyclic-dependencies
  • GitHub Check: client-build / client-build
  • GitHub Check: client-prettier / prettier-check
  • GitHub Check: chromatic-deployment
  • GitHub Check: storybook-tests
  • GitHub Check: chromatic-deployment
✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@riodeuno riodeuno self-assigned this Jun 13, 2025
@riodeuno riodeuno added Dependencies Pull requests that update a dependency file Security Issues related to information security within the product ok-to-test Required label for CI labels Jun 13, 2025
@riodeuno riodeuno changed the title [WIP] Upgrade packages fix: Upgrade packages Jun 13, 2025
@riodeuno riodeuno marked this pull request as ready for review June 13, 2025 08:15
@riodeuno riodeuno requested review from a team as code owners June 13, 2025 08:15
@riodeuno riodeuno requested review from vivek-appsmith and removed request for a team June 13, 2025 08:15
@github-actions github-actions bot added the Bug Something isn't working label Jun 13, 2025
coderabbitai[bot]
coderabbitai bot reviewed Jun 13, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

♻️ Duplicate comments (2)
app/client/packages/storybook/package.json (1)

35-36: Validate Vite 6 pin

See comment in root package.json; same potential resolution failure applies here.

app/client/scripts/start.js (1)

141-146: Duplicate shutdown handler – same caveat

Replicate the error-aware pattern for stdin end handling to keep behaviour consistent.

🧹 Nitpick comments (10)
app/client/src/usagePulse/utils.ts (1)

75-76: Minor nit – avoid regenerating fallback id every reload

nanoid() is called only if no localStorage key exists, but we still allocate the generator each evaluation. Tiny, yet you can micro-optimise with a constant:

-        fallback = nanoid();
+        fallback = nanoid(); // consider hoisting to a util if this grows
app/client/config/webpackDevServer.config.js (1)

116-133: Middleware migration accurate – double-verify order

Order preservation via unshift/push mirrors v4 behaviour. Make sure any custom middleware added in paths.proxySetup doesn’t rely on the now-removed devServer.app.use chain.

app/client/scripts/start.js (2)

1-1: "use strict" is redundant in ES modules

Node treats files executed via import/require as ES-modules/strict mode by default; keeping the directive adds noise only.

-"use strict";
+// File is already executed in strict-mode – directive removed
🧰 Tools
🪛 Biome (1.9.4)

[error] 1-1: Redundant use strict directive.

The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.

(lint/suspicious/noRedundantUseStrict)

134-138: devServer.stop() result is ignored & process exits unconditionally

stop() returns a Promise that can reject. Exiting immediately masks shutdown errors and may leave orphaned child-processes.

-devServer.stop().then(() => process.exit());
+devServer
+  .stop()
+  .then(() => process.exit(0))
+  .catch((e) => {
+    console.error(chalk.red("Dev-server shutdown failed:"), e);
+    process.exit(1);
+  });
app/client/src/widgets/WidgetUtils.ts (2)

24-25: Generator recreated on every call

customAlphabet(ALPHANUMERIC, 10) is executed each time generateReactKey runs, doing extra crypto-setup work. Cache the generator once.

-import { customAlphabet } from "nanoid";
+import { customAlphabet } from "nanoid";
+
+const nanoId10 = customAlphabet(ALPHANUMERIC, 10);

115-121: Reuse cached generator for better perf & readability

Same optimisation applied in import diff; implementation becomes:

-export const generateReactKey = ({
-  prefix = "",
-}: { prefix?: string } = {}): string => {
-  return prefix + customAlphabet(ALPHANUMERIC, 10)();
-};
+export const generateReactKey = ({ prefix = "" } = {}): string =>
+  prefix + nanoId10();
app/client/src/utils/generators.tsx (2)

2-3: Mirror the cached-generator optimisation

Apply the same cached generator pattern here to avoid duplicating heavy crypto setup.

-import { customAlphabet } from "nanoid";
+import { customAlphabet } from "nanoid";
+
+const nanoId10 = customAlphabet(ALPHANUMERIC, 10);

8-12: Use cached generator

-return prefix + customAlphabet(ALPHANUMERIC, 10)();
+return prefix + nanoId10();
app/client/packages/dsl/src/migrate/utils.ts (2)

2-3: Same nanoid initialisation duplicated

Consider moving the cached generator to a shared util to avoid three identical constants across the codebase.

11-15: Apply cached generator

-return prefix + customAlphabet(ALPHANUMERIC, 10)();
+const nanoId10 = customAlphabet(ALPHANUMERIC, 10);
+return prefix + nanoId10();
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dea1c03 and eda145b.

⛔ Files ignored due to path filters (1)
  • app/client/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (9)
  • app/client/config/webpackDevServer.config.js (2 hunks)
  • app/client/package.json (3 hunks)
  • app/client/packages/dsl/src/migrate/utils.ts (2 hunks)
  • app/client/packages/storybook/package.json (1 hunks)
  • app/client/scripts/start.js (4 hunks)
  • app/client/src/instrumentation/utils.ts (1 hunks)
  • app/client/src/usagePulse/utils.ts (2 hunks)
  • app/client/src/utils/generators.tsx (2 hunks)
  • app/client/src/widgets/WidgetUtils.ts (2 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
app/client/config/webpackDevServer.config.js (1)
app/client/scripts/start.js (5)
  • devServer (115-115)
  • fs (17-17)
  • paths (31-31)
  • require (23-28)
  • require (69-69)
🪛 Biome (1.9.4)
app/client/scripts/start.js

[error] 1-1: Redundant use strict directive.

The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.

(lint/suspicious/noRedundantUseStrict)

🔇 Additional comments (6)
app/client/package.json (3)

160-160: nanoid upgrade looks good

Switching to nanoid@3.3.11 is the correct move given the import updates elsewhere, and there are no API-level breaking changes between 3.3.x patch releases.

394-395:

✅ Verification successful

Confirm webpack-dev-server v5 side-effects

webpack-dev-server@5.2.2 introduces breaking changes around the dev-middleware API (now adopted in webpackDevServer.config.js). Verify that the scripts/start.js logic that spawns the server doesn’t rely on any removed v4 fields (e.g. devServer.options).

Run to grep for now-removed API usages:

🏁 Script executed:

#!/usr/bin/env bash
rg -n '"devServer\.' -g 'app/client/**/*.js' | head

Length of output: 53

🏁 Script executed:

#!/usr/bin/env bash
set -e

echo "1) Searching for any use of devServer.options across the repo"
rg -n 'devServer\.options' .

echo
echo "2) Searching for any devServer property access in JS/TS files"
rg -n 'devServer\.' -g '*.{js,ts}'

echo
echo "3) Locating webpackDevServer.config.js in the repo"
fd webpackDevServer.config.js || echo ">> No webpackDevServer.config.js found"

Length of output: 172

🏁 Script executed:

#!/usr/bin/env bash
set -e

echo "Locating all start.js files:"
files=$(fd -HI start.js)

if [ -z "$files" ]; then
  echo ">> No start.js files found"
  exit 0
fi

for f in $files; do
  echo
  echo "## Inspecting $f"
  echo "- Checking for devServer API usage"
  rg -n 'devServer\.' "$f" || echo "  → No devServer references"
  echo "- Checking for spawn calls (webpack-dev-server startup)"
  rg -n 'spawn' "$f" || echo "  → No spawn references"
done

Length of output: 793

No legacy devServer API usage found in scripts/start.js

All checks confirm that we don’t rely on any removed v4 fields:

  • devServer.options is not referenced anywhere in the repo.
  • In app/client/scripts/start.js, only devServer.startCallback(...) and devServer.stop() are used—both supported in v5.
  • There are no spawn-based invocations of the old CLI.

No further changes required.

427-428:

✅ Verification successful

Possible non-existent versions – double-check esbuild & vite pins

esbuild is pinned to ^0.25.1 and Storybook bumps vite to ^6.2.7. Those versions do not exist on the public npm registry at the time of writing (latest esbuild ≈ 0.21.x, vite ≈ 5.x). Yarn will fail to resolve them, blocking CI.

🏁 Script executed:

#!/usr/bin/env bash
# Sanity-check that the requested versions are published.
for pkg in esbuild@0.25.1 vite@6.2.7; do
  if npm view "$pkg" version >/dev/null 2>&1; then
    echo "$pkg exists"
  else
    echo "$pkg NOT FOUND"
  fi
done

Length of output: 247

All pinned versions are valid

Quick sanity check confirms that both esbuild@0.25.1 and vite@6.2.7 are published on npm, so CI resolution won’t be blocked.

app/client/src/instrumentation/utils.ts (1)

8-14: Tiny import tweak LGTM

Switching to named import { nanoid } matches the v3 ESM build – no functional impact.

app/client/src/usagePulse/utils.ts (1)

4-5: Consistent nanoid import – all good

Import style now aligns with package upgrade; nothing else to flag.

app/client/config/webpackDevServer.config.js (1)

92-106: server option mapping is correct

Elegant IIFE gets the job done; matches WDS v5 contract for "http" | "https" | {type,options}". Good catch on forwarding custom cert options.

@riodeuno riodeuno added skip-changelog Adding this label to a PR prevents it from being listed in the changelog ok-to-test Required label for CI and removed ok-to-test Required label for CI Dependencies Pull requests that update a dependency file labels Jun 13, 2025
@github-actions github-actions bot removed the skip-changelog Adding this label to a PR prevents it from being listed in the changelog label Jun 13, 2025
@riodeuno
Copy link
Contributor Author

/build-deploy-preview skip-tests=true

@github-actions GitHub Actions
Copy link

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/15632907059.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 40935.
recreate: .

@github-actions GitHub Actions
Copy link

Deploy-Preview-URL: https://ce-40935.dp.appsmith.com

@riodeuno riodeuno merged commit 7eadf89 into release Jun 16, 2025
163 of 165 checks passed
@riodeuno riodeuno deleted the fix/dependabot-issues-jun-2025 branch June 16, 2025 06:42
@coderabbitai coderabbitai bot mentioned this pull request Jun 16, 2025
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@wyattwalter wyattwalter wyattwalter approved these changes

@vivek-appsmith vivek-appsmith Awaiting requested review from vivek-appsmith vivek-appsmith is a code owner automatically assigned from appsmithorg/widgets-blocks

Assignees

@riodeuno riodeuno

Labels
Bug Something isn't working ok-to-test Required label for CI Security Issues related to information security within the product
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@riodeuno @wyattwalter