Skip to content

chore(deps): upgrade Next.js 16 and React 19#5166

Draft
rschlaefli wants to merge 12 commits into
v3from
feature/upgrade-next-react
Draft

chore(deps): upgrade Next.js 16 and React 19#5166
rschlaefli wants to merge 12 commits into
v3from
feature/upgrade-next-react

Conversation

@rschlaefli

Copy link
Copy Markdown
Member

Summary

This draft replaces #5091 with a rebuilt and independently verified Next.js 16 and React 19 upgrade.

  • Upgrades the five Next apps to Next.js 16.2.9, React and React DOM to 19.2.7, and @ducanh2912/next-pwa to 10.2.9.
  • Uses Webpack consistently for development and production. This preserves PWA worker generation and the chat standalone server contract.
  • Migrates Next app linting to ESLint flat configs and scopes new React Compiler warnings to known existing debt.
  • Makes Next route type generation deterministic across auth, chat, control, manage, and PWA.
  • Preserves and tests auth return-target behavior for manage, PWA, and chat without allowing arbitrary external redirects.
  • Keeps the legacy Cypress suite intact, with only reproduced Next 16 compatibility waits.

How it works

  • Shared Next config owns Webpack resolution, image policy, source maps, and development-only allowedDevOrigins for namespaced **.klicker.localhost worktrees.
  • Chat removes Pages Router i18n config and still emits apps/chat/.next/standalone/apps/chat/server.js.
  • Control, manage, and PWA emit sw.js, a Workbox chunk, and their custom worker during production builds. Development disables service-worker registration.
  • App checks call next typegen before TypeScript. Pages Router check configs exclude conflicting development route declarations.
  • Login redirects normalize same-PWA absolute URLs, permit the configured chat origin, preserve path/query/hash, and reject malformed or untrusted targets.

Branch coverage

  • Base: v3
  • Head: bdc670190
  • Reviewed: 12 commits, 68 files, 4,554 insertions, 2,892 deletions
  • Covered: dependency normalization, Next/ESLint config, deterministic type generation, auth redirects, Playwright and Cypress compatibility, wiki updates, devrouter origin handling, fresh-environment verification, security review, and maintainability review

Review focus

  • Check the Webpack-only strategy against PWA output and chat standalone deployment requirements.
  • Review the redirect allowlists and server-to-client return-target contract in auth, manage, and PWA.
  • Check scoped React Compiler lint exceptions and generated-file ignores. They intentionally avoid broad rule suppression.
  • Treat the remaining CI and browser gaps below as merge blockers, not follow-up polish.

Verification

Current head and immediately preceding code SHA:

  • CI=true pnpm install --frozen-lockfile in a fresh DevPod with Node 24.16.0 and pnpm 11.5.0: passed.
  • NODE_ENV=production pnpm exec turbo run build --concurrency=4 --force: 21/21 tasks passed, zero cached.
  • TURBO_CONCURRENCY=4 pnpm run build:test: 19/19 tasks passed.
  • pnpm run check:all: passed. Typecheck completed 23/23 tasks.
  • Chat Vitest: 9 files and 40 tests passed.
  • Focused Playwright login and redirect coverage: passed.
  • Cypress A-login.cy.ts: 7/7 passed twice in the seeded Next 16 environment.
  • Browser checks: delegated manage login, participant PWA login, authenticated control, auth surface, logged-out chat, and mobile PWA all rendered against the fresh stack.
  • Push pre-hook production build: 21/21 tasks passed.
  • Security review: no high-confidence branch-introduced findings. Scoped Opengrep scan of changed runtime and config files returned zero findings.
  • Strict maintainability and independent branch reviews: no remaining code findings.

Warnings and limits:

  • Repository-wide Opengrep reports 607 baseline findings. This PR's scoped changed-file scan reports zero.
  • Existing framework, page-size, lint, cache, and missing local provider warnings remain outside this upgrade.
  • Authenticated chat content could not render without seeded chatbot and provider configuration.

Full report: project/2026-07-11-next-react-verification/verification.md

Screenshots

Manage PWA desktop PWA mobile
Authenticated manage library Authenticated PWA home PWA mobile home

Additional captures: auth, control, logged-out chat.

Security / privacy

  • Redirect destinations use explicit origin checks and fail closed.
  • Production image policy does not enable local-IP access.
  • PWA cache behavior stays within the existing worker contract.
  • No secrets, private payloads, or credentials are included in the branch or verification artifacts.

Blocking before merge

  • Replacement PR CI passes, including AMD and ARM image jobs.
  • Full legacy live-quiz Cypress path clears the documented response-state boundary.
  • Production-mode PWA registration, update, and offline behavior is checked in a browser.
  • Authenticated chat content renders with a configured chatbot and provider environment.

Follow-up after merge

  • Remove scoped React Compiler lint exceptions as each app reaches zero violations for the corresponding rule.
  • Revisit Turbopack after it can satisfy both PWA plugin output and chat standalone deployment requirements.

Old PR #5091 remains open until a maintainer approves closing it.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1f550562-e50e-422d-8b51-5c973ab39b4b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@greptile-apps

greptile-apps Bot commented Jul 11, 2026

Copy link
Copy Markdown

Confidence Score: 4/5

This looks safe to merge after the documented CI and browser checks pass.

  • No blocking issue was found in the changed code.
  • The most important changed paths keep explicit origin checks for login returns.
  • The framework upgrade still depends on the noted production build, image, and browser checks.

packages/next-config/index.js and the app login pages are the main runtime surfaces to keep covered in CI.

Important Files Changed

Filename Overview
packages/next-config/index.js Centralizes Next 16 shared config for Webpack, i18n, image policy, source maps, and development origins.
apps/frontend-manage/src/components/Layout.tsx Moves unauthenticated manage redirects into an effect and preserves the current path as a login return target.
apps/frontend-manage/src/pages/login.tsx Replaces client-side login forwarding with an SSR redirect that only accepts the configured manage origin.
apps/frontend-pwa/src/pages/login.tsx Adds server-side return-target normalization for PWA, assessment, and configured chat redirects.
apps/chat/next.config.ts Uses the shared Next config with chat-specific i18n disabled for the app-router build.
apps/auth/src/pages/index.tsx Updates the Edu-ID login button wrapper and accessible disabled-state hint while preserving callback URL behavior.
apps/*/eslint.config.mjs Migrates Next app linting to flat ESLint configs with scoped generated-file ignores and React Compiler rule exceptions.
apps/*/package.json Updates framework dependencies and switches Next app scripts to explicit Webpack builds and route type generation.

Reviews (1): Last reviewed commit: "docs(project): record Next React verific..." | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant