chore(deps): upgrade Next apps and TypeScript 6#5111
Conversation
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Confidence Score: 4/5Safe to merge with the redirect-cookie lifetime fix applied first — the rest of the upgrade is well-structured and verified. The auth proxy sets redirect cookies with apps/auth/src/proxy.ts — the REDIRECT_COOKIE_TTL_MS constant and every maxAge usage site need to be reconciled (rename to seconds or divide at call sites).
|
| Filename | Overview |
|---|---|
| apps/auth/src/proxy.ts | New Next 16 proxy (replaces middleware.ts); contains an unaddressed P1 — REDIRECT_COOKIE_TTL_MS=10000 is used directly as HTTP Max-Age (seconds), making cookies live ~2.77 hours instead of 10 s, plus production console.log that exposes full URLs and referer headers. |
| apps/frontend-manage/src/pages/login.tsx | Converted from client-side useEffect redirect to getServerSideProps with server-side redirect; origin validation correctly prevents open redirect. |
| apps/frontend-manage/src/lib/apollo.ts | Replaced Router.push with window.location.assign and a module-level de-dup flag; safe because assign triggers a full page reload that resets the flag. |
| apps/frontend-manage/src/components/Layout.tsx | Moved render-time router.push to useEffect with a derived boolean; correct fix for Next 16's stricter render-phase side-effect checks. |
| packages/next-config/index.js | Centralised image config with dangerouslyAllowLocalIP gated to dev/test, remotePatterns replaces deprecated domains, getHostname helper correctly extracts hostname from full URL or falls back to raw value. |
| pnpm-workspace.yaml | ~20 new high-advisory overrides; notable major-version jump for jsonwebtoken (8.x → 9.x) and lodash (4.17.x → 4.18.1) where no patched minor existed — acknowledged in PR description but could silently break transitive consumers using the callback API. |
| apps/chat/src/proxy.ts | New Next 16 proxy for chat app; JWT verification via jose, frame-ancestors CSP applied on all responses, correct pass-through for static/API paths. |
| packages/graphql/vitest.config.ts | Migrated poolOptions.forks.singleFork to maxWorkers:1 for Vitest 4; added explicit src alias so package-local base-url imports resolve correctly in CI. |
| cypress/cypress/support/commands.ts | Added typeRichText and dismissToasts Cypress commands; typeRichText correctly disables parseSpecialCharSequences to preserve literal braces in Slate editor input. |
| cypress/cypress/e2e/MB-instance-updates-workflow.cy.ts | Replaced bare click + cy.wait(1000) with saveActivityEditAndOpenOverview helper that waits for the overview button to be visible before clicking, eliminating a timing race. |
Sequence Diagram
sequenceDiagram
participant B as Browser
participant M as Manage (Next 16)
participant L as /login (GSP)
participant A as Auth proxy.ts
participant N as NextAuth
B->>M: GET /some-page
M->>M: Apollo query (cache-and-network)
alt Session expired — Apollo error
M->>M: "onError: message==Unauthorized"
M->>M: redirectToLogin() [module-level dedup]
M->>B: "window.location.assign(/login?expired=true&redirect_to=/some-page)"
else "Layout: !dataUser && !loadingUser"
M->>M: "useEffect: redirectToLogin = true"
M->>B: "window.location.assign(/login?expired=true&redirect_to=/some-page)"
end
B->>L: "GET /login?redirect_to=/some-page"
Note over L: getServerSideProps validates origin
L-->>B: "307 to auth.host?redirectTo=https://manage.host/some-page"
B->>A: "GET / ?redirectTo=https://manage.host/some-page"
A->>A: isValidLecturerRedirectUrl(redirectTo) check passes
A->>A: "Set LECTURER_REDIRECT_COOKIE (maxAge=REDIRECT_COOKIE_TTL_MS)"
A->>B: NextResponse.next() show auth UI
B->>N: "POST /api/auth/signin?callbackUrl=..."
A->>A: /api/auth/signin: set cookie with callbackUrl
B->>N: GET /api/auth/callback/...
A->>A: /api/auth/callback: read cookie inject callbackUrl param
A->>A: clearAllRedirectCookies()
N-->>B: 302 to manage.host/some-page
Reviews (9): Last reviewed commit: "docs(project): record next 16 audit comp..." | Re-trigger Greptile
|
Too many files changed for review. ( |
What This Adds
This PR upgrades the KlickerUZH frontend/runtime dependency baseline and then migrates the repo compiler baseline to TypeScript 6.
next-intl@4.12.0.@ducanh2912/next-pwa@10.2.9; Turbopack is deliberately deferred.middleware.ts->proxy.ts, direct ESLint scripts instead ofnext lint, explicit imagequalities, andremotePatterns.pnpm audit --audit-level high.~5.6.3to~6.0.3and@types/nodeto the Node 24 line^24.12.4.How It Works
devandbuildscripts use--webpackso the existing custom webpack condition handling and Workbox/PWA integration remain in place.packages/next-configcentralizes Next 16 image settings and only allows local-IP image optimization in development/test, not staging.poolOptions.forks.singleForkshape withmaxWorkers: 1while preserving test-file isolation.--forceExitbecause Rollup 4.59 plus the TypeScript plugin keeps TypeScript filesystem watchers alive after successful one-shot builds.distto avoid pulling both GraphQLsrcanddistPrismaJson globals into backend typechecking.baseUrlwhere the existingpathsmap can be made explicit, raises old ES5 frontend targets to ES2015, and usesignoreDeprecations: "6.0"only for the Docusaurus inherited-config gap.tsconfig.check.jsonto disable declaration/composite emit duringtsc --noEmit.packages/prisma/scripts/patchPrismaNamespace.mjsruns afterprisma generateand adds publicruntime.ObjectEnumValueannotations to generated Prisma null sentinel exports so Prisma 6 declarations emit under TS6.packages/prisma/src/client.tsnow explicitly exports the generated PothosPrismaTypestype, andpackages/graphql/src/builder.tsimports that type instead of relying on ambient visibility.project/2026-06-07-capacitor-mobile-app-plan.mdrecords the separate mobile-app follow-up strategy without changing runtime code in this PR.Important Details
next-intl@4.13.0was skipped because it was published less than 14 days before 2026-06-01.4.12.0is the selected policy-compliant Next 16 bridge.tmp@0.2.6has an exactminimumReleaseAgeExcludebecause it was published on 2026-05-26 and is needed for the audit remediation.jsonwebtoken@8.5.2andlodash@4.17.24are not published, so the overrides usejsonwebtoken@9.0.3andlodash@4.18.1.pnpm-workspace.yamlalso overrides high-advisory ranges for Apollo Server,defu,effect,fast-xml-parser,flatted,immutable,jws,minimatch,node-forge,path-to-regexp,picomatch,sequelize,serialize-javascript,socket.io-parser,svgo,tar,tmp,underscore,undici,validator,vite, and the stale TS peer forprisma-json-types-generator@3.6.0.apps/response-apion port7078; pending/AddResponserequests indicate response-api needs to be verified/restarted before debugging PWA rendering.Branch Coverage
v384778e48bbf5d081b0through84778e48b.Commits:
bf5d081b0 docs(project): add next 16 upgrade plan74e1415f9 chore(deps): upgrade next apps to next 161dbf6ef4b fix(next): resolve next 16 compatibility issuesf21e78da9 fix(next): restrict local image optimization to dev616940d8a docs(project): report next 16 upgrade findingsca1aab4b1 docs(project): add next 16 browser evidencedde327957 docs(project): update next 16 validation blockersc24ccc1f3 fix(test): restore graphql vitest source alias6667f0cf7 test(next): stabilize next 16 e2e validation1d723a687 docs(project): update next 16 validation statusf5bd782ba docs(project): record playwright browser diagnosisfc4a33583 fix(deps): remediate high audit findings86c54a2e1 fix(frontend): stabilize next 16 redirects and e2e7320867dd docs(project): record next 16 audit completion3ebddb7a8 docs(project): add TypeScript 6 migration plan39e6f164e chore(deps): migrate to TypeScript 6d0d14a998 fix(frontend): resolve rank asset imports376de8eb2 docs(project): record TypeScript 6 migration completion84778e48b docs(project): add Capacitor mobile app planScreenshots
Built-app smoke screenshots are committed under
project/2026-06-01-next-16-screenshots/:Real local production-style test-stack screenshots were captured with
npx agent-browser:Browser verification was not rerun for the TS6 import-path-only rank SVG cleanup because no local PWA/manage/Traefik routes were running on ports 3001/3002 or
*.klicker.com. The affected PWA/manage production builds were rerun and passed.Review Notes
Pay particular attention to:
packages/next-config/index.js, especially image optimizer settings andremotePatterns.--forceExitplacement: it is intentionally limited to non-watch build scripts.apps/chat,apps/olat-api,packages/grading,packages/graphql, andpackages/util.typeRichTextusage in the element/activity specs; it is test-only and preserves literal braces viaparseSpecialCharSequences: false.pnpm-workspace.yaml, especially the major-version overrides for transitive vulnerable packages where no patched version exists in the old major line./loginserver-side redirect handling and the Apollo/Layout unauthorized redirect paths.packages/prisma/scripts/patchPrismaNamespace.mjs; it is intentionally narrow and fails closed if Prisma changes the generated null sentinel output.packages/graphql/tsconfig.check.jsonandpackages/prisma/tsconfig.check.json; they keep puretsc --noEmitchecks separate from declaration-producing Rollup builds.Security Review
patchPrismaNamespace.mjsonly mutates generated local Prisma TypeScript source afterprisma generate; it does not execute generated runtime data or read external input.pnpm audit --audit-level highran after explicit user approval on 2026-06-03 before remediation and failed with 115 total advisories: 13 low, 56 moderate, 46 high, 0 critical.pnpm install --no-frozen-lockfilefound no installed versions matching the checked high-advisory ranges.pnpm audit --audit-level highreruns exited 0 with 48 remaining advisories below the requested threshold: 9 low and 39 moderate.Verification
Passed locally before the audit-remediation commit:
CI=true pnpm install --frozen-lockfilepnpm run check:syncpackpnpm --filter @klicker-uzh/prisma generatepnpm --filter @klicker-uzh/prisma buildpnpm --filter @klicker-uzh/prisma build:testpnpm --filter @klicker-uzh/backend-docker checkpnpm run checkpnpm run lintpnpm run buildpnpm run build:testpnpm --filter @klicker-uzh/cypress exec tsc --noEmitpnpm --filter @klicker-uzh/util test-> 46 tests passedpnpm --filter @klicker-uzh/grading test-> 10 tests passedpnpm --filter @klicker-uzh/chat test:run-> 40 tests passedpnpm --filter @klicker-uzh/office-addin build:officegit diff --checkPassed locally after audit remediation:
pnpm install --no-frozen-lockfileCI=true pnpm install --frozen-lockfilepnpm run check:syncpackpnpm run checkpnpm run lintpnpm run buildpnpm --filter @klicker-uzh/util test-> 46 tests passedpnpm --filter @klicker-uzh/grading test-> 10 tests passedpnpm --filter @klicker-uzh/chat test:run-> 40 tests passedpnpm --filter @klicker-uzh/cypress exec tsc --noEmitpnpm exec prettier --check pnpm-workspace.yaml pnpm-lock.yaml project/2026-06-01-next-16-upgrade-plan.md project/2026-06-01-next-16-upgrade-report.mdgit diff --checkfc4a33583:check, lint, staged Prettier, syncpackfc4a33583Passed locally after the redirect/Cypress stabilization commit
86c54a2e1:pnpm --filter @klicker-uzh/frontend-manage checkpnpm --filter @klicker-uzh/frontend-pwa checkpnpm --filter @klicker-uzh/frontend-manage lint-> pass with pre-existing hook warnings onlypnpm --filter @klicker-uzh/frontend-pwa lint-> pass with pre-existing hook warnings onlypnpm --store-dir /Users/roland/Library/pnpm/store/v11 install --frozen-lockfilepnpm run check:syncpackpnpm run checkpnpm run lintpnpm exec prettier --check AGENTS.md apps/frontend-manage/package.json apps/frontend-manage/src/components/Layout.tsx apps/frontend-manage/src/lib/apollo.ts apps/frontend-manage/src/pages/_app.tsx apps/frontend-manage/src/pages/_document.tsx apps/frontend-manage/src/pages/login.tsx apps/frontend-pwa/package.json apps/frontend-pwa/src/pages/_app.tsx apps/frontend-pwa/src/pages/_document.tsx cypress/cypress/e2e/MB-instance-updates-workflow.cy.ts pnpm-lock.yamlgit diff --check86c54a2e1:check, lint, staged Prettier, syncpack86c54a2e1:pnpm run build-> passPassed locally after the final Next 16 audit completion commit
7320867dd:pnpm audit --audit-level high-> pass at the high threshold; 48 advisories remain below threshold (9 low, 39 moderate)pnpm exec prettier --check project/2026-06-01-next-16-upgrade-plan.md project/2026-06-01-next-16-upgrade-report.mdgit diff --check7320867dd:check, lint, staged Prettier, syncpack7320867dd:pnpm run build-> passPassed locally for the TypeScript 6 slice:
pnpm installpnpm install --frozen-lockfilepnpm run check:syncpackpnpm peers check-> failed only on pre-existing non-TS peer mismatches; TS-specific peer failures removedpnpm --filter @klicker-uzh/frontend-pwa checkpnpm --filter @klicker-uzh/frontend-manage checkpnpm --filter @klicker-uzh/frontend-control checkpnpm --filter @klicker-uzh/office-addin checkpnpm --filter @klicker-uzh/graphql checkpnpm --filter @klicker-uzh/prisma checkpnpm --filter @klicker-uzh/backend-docker checkpnpm --filter @klicker-uzh/prisma buildpnpm run checkpnpm run lintpnpm --filter @klicker-uzh/frontend-pwa buildpnpm --filter @klicker-uzh/frontend-manage buildpnpm -w build-> 19/19 tasks successfulpnpm audit --audit-level high-> pass at the high threshold; 48 advisories remain below threshold (9 low, 39 moderate)pnpm exec prettier --check apps/frontend-manage/src/components/evaluation/ActivityEvaluation.tsx apps/frontend-pwa/src/components/course/SuspendedGroupView.tsx apps/frontend-pwa/src/pages/course/[courseId]/index.tsx project/2026-06-03-pr-5111-typescript-6-migration-plan.mdgit diff --check 7320867dd..HEAD39e6f164e:check, staged-file Prettier,lint,syncpackd0d14a998:check, staged-file Prettier,lint,syncpack376de8eb2:check, staged-file Prettier,lint,syncpack376de8eb2:pnpm run build-> 19/19 tasks successfulPassed locally for the docs-only Capacitor plan commit:
pnpm exec prettier --check project/2026-06-07-capacitor-mobile-app-plan.mdgit diff --cached --check84778e48b:check, staged-file Prettier,lint,syncpack84778e48b:pnpm run build-> 19/19 tasks successful from cacheBuild verification for changed apps:
APP_ORIGIN_* ... pnpm --filter @klicker-uzh/frontend-manage build:test-> passAPP_ORIGIN_* ... pnpm --filter @klicker-uzh/frontend-pwa build:test-> passnext-intlApp Router migration warning, large page data warnings, and existing missing-message warnings.E2E/browser verification:
CYPRESS_FAIL_FAST=false ... pnpm --filter @klicker-uzh/cypress exec cypress run --spec cypress/e2e/A-login-workflow.cy.ts-> 7/7 passing after the login redirect and local KaTeX CSS fixes.0-baselinethroughL-elements-case-study; it later failed when backend port3000was down.MA-elements-operations-workflow.cy.tsrerun after backend restart -> 71/71 passing.MBthroughXpassed all non-live-quiz/non-MB specs:N,P,Q,R,S,T,U,W,X.O-live-quiz-workflow.cy.ts+V-template-workflow.cy.tsrerun after response-api restart -> 111/111 passing.MB-instance-updates-workflow.cy.tsrerun after the save-completion wait patch -> 6/6 passing.PLAYWRIGHT_BASE_URL=http://127.0.0.1:3001 ... playwright test --project=chromium-> 1 passed. Firefox/WebKit coverage was not required for this PR after Chromium was accepted as sufficient.npx agent-browserverified PWA login/home, auth delegated-login, manage library, and control course selection against the real local test stack.GitHub for prior Next 16 head
7320867dd:GitHub for TS6 head
376de8eb2:GitHub for current docs-only head
84778e48b:Remaining Follow-Up
pnpm auditadvisories in a dedicated security dependency slice if they are in production-relevant paths.project/2026-06-07-capacitor-mobile-app-plan.mdas the starting point for a separate Capacitor/native app-store branch.next-intlwarnings, stale Browserslist/caniuse-lite warnings, and GraphQL Rollup TS warning noise after the main framework/compiler upgrade is merged.ClickUp Links