chore: security dependency upgrades + config adjustments #547
alex-gilin wants to merge 4 commits into
|
|
||
| - name: Build | ||
| run: npm run ci | ||
|
|
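Review bot: the Build step runs `npm run ci`, a package script that happens to be named `ci`, which is easily misread as the built-in `npm ci` (clean install from the lockfile); since this hunk shows only the step, please either rename the script to something unambiguous such as `build` or say in the step name what the `ci` script does, and if no earlier step installs dependencies with `npm ci`, add one so the job builds against the committed lockfile rather than a fresh resolution.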
won't it be easier to set up a monorepo?
Even npm supports workspace definitions; you do not need pnpm
bd82
left a comment
I started reviewing, but there are too many topics in this PR.
- ESLint upgrade and config changes
- TypeScript build changes
- General deps upgrades
- Logic changes (id++) - dangling timers handling
- GitHub Actions to include pseudo sub-packages builds
- ???
Maybe some small (*.ts) code changes can go together into one PR,
but most of these are completely separate topics and need separate PRs.
Ask your AI agent to split this up for you...
| { | ||
| "name": "@sap-devx/webview-rpc", | ||
| "version": "1.1.0", | ||
| "version": "1.2.0", |
The package version is bumped to 1.2.0 here, but the lockfiles were not regenerated: package-lock.json still has the root package at 1.1.0 and example/package-lock.json still records the local @sap-devx/webview-rpc package as 1.1.0.
Is this how the process works on this repo?
| "description": "", | ||
| "main": "index.js", | ||
| "engines": { | ||
| "node": ">=20" |
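Review bot: `"engines": { "node": ">=20" }` drops support for consumers on Node 18 and earlier, which is a breaking change for a published library, yet the PR bumps the version only from 1.1.0 to 1.2.0; either call the new Node floor out in the release notes and bump the major, or leave the engines range unchanged for this release. Note also that npm only warns on an engines mismatch unless `engine-strict` is enabled, so the CI matrix needs to run on Node 20 for this constraint to actually be exercised.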
| ...tseslint.configs["eslint-recommended"].overrides[0].rules, | ||
| // project-specific rules (preserved from original .eslintrc.json) | ||
| "no-unused-vars": "off", | ||
| "@typescript-eslint/no-unused-vars": ["error", { "argsIgnorePattern": "^_", "varsIgnorePattern": "^_" }], |
AI Generated Comment To Be reviewed by Human
This relaxes the previous root lint rule. The deleted .eslintrc.json configured @typescript-eslint/no-unused-vars as plain "error", but the flat config now allows unused args and vars when they start with _. If that relaxation is intentional, it should be called out; otherwise please keep the old behavior by using @typescript-eslint/no-unused-vars: "error".
| "compile-browser": "rimraf ./out.browser && tsc -p tsconfig.browser.json", | ||
| "compile-ext": "rimraf ./out.ext && tsc -p ./tsconfig.ext.json", | ||
| "compile-test": "rimraf ./out.test && tsc -p tsconfig.test.json", | ||
| "lint": "eslint ./**/*.ts", |
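Review bot: the removed `"lint": "eslint ./**/*.ts"` passes an unquoted glob, so the pattern was expanded by the shell (where `**` is not recursive unless globstar is on) rather than by ESLint, and the set of linted files depended on the developer's shell; whatever scope is kept for the replacement, quote the pattern (`"eslint \"src/**/*.ts\""`, as the example-ws script in this PR does) so ESLint performs the matching consistently on every platform.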
AI Generated Comment To Be reviewed by Human
This narrows the root lint scope from the previous eslint ./**/*.ts to only src/**/*.ts. example-ws now has its own lint step, but example does not, so TypeScript in example/ is no longer linted by the root CI path. If the goal is an equivalent ESLint migration, please keep lint coverage for the example package or add a separate lint step for it.
| /** @type {import("eslint").Linter.Config[]} */ | ||
| module.exports = [ | ||
| { | ||
| ignores: ["node_modules/**", "out/**", "src/static/**"], |
AI Generated Comment To Be reviewed by Human
The old example-ws/.eslintignore ignored only **/*.js; this flat config ignores the entire src/static/** subtree. That is more permissive because any future TypeScript added under src/static would be skipped by ESLint as well. To preserve the old behavior, please ignore only the generated/static JS files rather than the whole directory.
| "compile": "rimraf out && tsc -p . && copyfiles -u 1 ./src/static/** ./out/", | ||
| "test": "echo \"Error: no test specified\" && exit 1", | ||
| "lint": "eslint ./**/*.ts" | ||
| "lint": "eslint \"src/**/*.ts\"" |
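Review bot: the retained `"test": "echo \"Error: no test specified\" && exit 1"` makes `npm test` in example-ws fail unconditionally, so any CI job that runs this package's tests goes red for a reason unrelated to the dependency upgrades, and the quoted `lint` script is the only real signal for the package; either drop the `test` script until there are tests or replace it with an explicit no-op such as `echo \"no tests\"` so a failure here is never mistaken for a regression.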
AI Generated Comment To Be reviewed by Human
This also narrows the example-ws lint target from eslint ./**/*.ts to only src/**/*.ts. Today the TypeScript files are under src, but this is still a less comprehensive lint command than before for future .ts files added elsewhere in the example. If the migration is meant to be equivalent, please keep the previous scope or document the intentional narrowing.
|
|
||
| Compile TypeScript and copy static assets to `out/`: | ||
|
|
||
| ```bash |
is there a single script name that will run all these 4 in a sequence instead of specifying them individually?
| @@ -1,4 +1,37 @@ | |||
| "use strict"; | |||
| var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { | |||
does this project intentionally commit generated output?
| invoke(method: string, ...params: any[]): Promise<any> { | ||
| const parsed = this.parseMethod(method); | ||
| const id = Math.random(); | ||
| const id = ++this.nextId; |
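Review bot: replacing `Math.random()` with `++this.nextId` is the right fix (a float from `Math.random()` is neither unique nor monotonic, so two in-flight invocations could share an id and have their responses cross-matched), but this hunk does not show where `nextId` is declared or initialised; please include the field declaration (e.g. `private nextId = 0`) in the diff and add a test asserting that consecutive `invoke` calls receive distinct ids, since an uninitialised field would make the first id `NaN`.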
what happens if you hit Number.MAX_SAFE_INTEGER?
Even if it's unlikely, it would be very hard to debug and handle; probably worth some handling and/or logging.
suggested split by GPT 5.5.

LLM Suggestion

Plan: Split PR #547 Into Focused PRs

Recommendation

Use 6 PRs, ordered so each PR has one review theme and a clear validation signal. ESLint and TypeScript should be separate because both change tooling semantics in ways that can hide subtle regressions.

PR 1: CI And Node Baseline

Scope: GitHub Actions modernization, Node 20+ baseline, release workflow npm install behavior, Dependabot config, commitlint workflow plumbing.
Include:
Avoid:
Why first: It makes later PRs run against the intended platform and keeps workflow review separate from code behavior.

PR 2: TypeScript Upgrade And Module Resolution

Scope: TypeScript 5.x upgrade, tsconfig module/moduleResolution changes, imports needed to satisfy the new compiler settings, Jest/ts-jest adjustments needed for tests.
Include:
Avoid:
Validation:

PR 3: ESLint 9 Flat Config Migration

Scope: Convert
Include:
Review focus:
Specific issues to avoid from current PR:
Validation:

PR 4: Security And Dependency Upgrades

Scope: Upgrade dependencies for security after TS and ESLint migrations are isolated.
Include:
Avoid:
Validation:

PR 5: RPC Runtime Behavior Fixes

Scope: Actual library behavior changes that deserve functional review.
Include:
Avoid:
Why separate: These changes affect runtime semantics and should not be hidden inside tooling/dependency churn.

PR 6: Docs And Release Metadata

Scope: README updates, example README updates, package version bump, release notes if applicable.
Include:
Avoid:
Recommendation: Keep the version bump last, after the functional and dependency PRs are merged, so the lockfiles reflect the final package metadata.

Alternative If You Want Fewer PRs

Use 5 PRs by merging PR 1 and PR 6 workflow/docs/release metadata, but I would not merge ESLint, TypeScript, dependency upgrades, or runtime behavior with each other.

Suggested Order

Review Strategy

Ask the author to close PR #547 and reopen these slices, or use stacked branches if preserving current work is easier. Each PR description should explicitly list intentional behavior changes versus mechanical migrations.
No description provided.