chore(deps): bump youtube-po-token-generator to 0.6.0#51
Conversation
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 24 minutes and 41 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…vice
0.5.0 -> 0.6.0 contains no runtime code changes: the diff is solely a
version bump plus swapping package-lock.json for npm-shrinkwrap.json in
the package itself. The exported API (generate() returning
{poToken, visitorData}) is unchanged, so no call-site changes are
needed in services/yt-token/index.js.
The root package.json was already on ^0.6.0 (from unrelated prior
work); only the yt-token microservice lockfile needed syncing. Running
npm install in services/yt-token/ also clears stale "extraneous: true"
flags on transitive deps inside the nested shrinkwrap - those flags
were incorrect (the packages are actually required by the global-agent
and jsdom subtrees) and did not affect runtime behavior either way.
jzstern
force-pushed
the
chore/bump-po-token-generator
branch
from
a449667 to
fe337fb
Compare
🚂 Railway Preview Deployment
The preview environment has been deleted. Managed by Railway |
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
1 participant
Summary
youtube-po-token-generatorfrom^0.5.0to^0.6.0inservices/yt-token/package.jsonand regeneratesservices/yt-token/package-lock.json.package.json/bun.lockwere already on^0.6.0onmain(from unrelated prior work), so no change was needed there.0.5.0 -> 0.6.0 changelog
No runtime code change. The upstream diff between the two tags is solely:
package.json:"version": "0.5.0"->"0.6.0"package-lock.jsonfornpm-shrinkwrap.json(version bumped to match)See the compare view here (the
0.6.0tag commit). Thegenerate()export still takes zero args and returns{ poToken, visitorData }. No peer-dep changes (jsdom@^26.0.0,global-agent@^3.0.0unchanged). Both call-sites (src/lib/yt-token.tsandservices/yt-token/index.js) remain compatible without modification.Lockfile diff note
Running
npm installinservices/yt-token/legitimately removed a batch of stale"extraneous": trueflags from transitive deps inside the nested shrinkwrap. Those flags were incorrect in the previously-committed lockfile - the marked packages are actually required by theglobal-agent/jsdomsubtrees. No installed versions changed.Local verification
bun run check-> 0 errors, 0 warningsbun run test:run-> 16 files, 221 tests passingbun run lint-> 6 pre-existing warnings (baseline unchanged), 0 errorsPR-preview verification
https://dub-rip-pr-51.up.railway.app) is live and healthy (/api/health-> 200)./api/download-stream?url=<Rick Astley>on the preview succeeds in ~9s, produces a 7.1 MB MP3 with full ID3 metadata. This exercises the in-processyoutube-po-token-generator@0.6.0path viasrc/lib/yt-token.ts.dSA1oUhCdy8) still fails with "This video requires authentication" on the PR preview - that's the known pre-existing Cobalt/yt-dlp auth issue from PR docs(cobalt): version-pinning rationale + 0-byte tunnel runbook #50, not a regression from this bump. Confirmed by the fact that Rick Astley downloads cleanly on the same preview.Caveat: yt-token microservice is NOT exercised by the PR preview
.github/workflows/railway-pr.ymlonly runsrailway up --service dub-rip. The yt-token service is inherited from production viarailway environment new --copy production, which means the PR env's yt-token is still runningyoutube-po-token-generator@0.5.0. The bump to 0.6.0 for the microservice only takes effect oncemaintriggersdeploy-yt-token.yml(which rebuilds the Docker image fromservices/yt-token/).Because 0.6.0 is byte-identical to 0.5.0 at the runtime-code level (only the version string and lockfile format changed), post-merge behavior for the microservice is expected to be identical. But the full end-to-end validation of yt-token-service @ 0.6.0 will only happen after the image rebuild fires on main.
Merge handshake
Draft per the production-change protocol. Ready for merge review. If a reviewer wants stronger confidence on the microservice path before merging, one option is to rebuild the yt-token image from this branch manually (e.g.
gh workflow run deploy-yt-token.yml --ref chore/bump-po-token-generator) and point the PR env at that image - but given 0.5.0 == 0.6.0 at the code level, I don't think that's warranted.Coordination note: No open PR touches
services/yt-token/or proposes swapping tobgutil-ytdlp-pot-provider. Open PRs are #44 (MusicBrainz metadata) and #50 (Cobalt docs) - neither conflicts with this one.Note
Low Risk
Low risk dependency bump confined to
services/yt-token; no application logic changes, but behavior could still shift if the upstream package has unanticipated runtime differences.Overview
Updates the
yt-token-servicedependency onyoutube-po-token-generatorfrom^0.5.0to^0.6.0.Regenerates
services/yt-token/package-lock.jsonto reflect the new resolved version and updated lockfile metadata for the dependency’s transitive tree (including cleanup of previously recordedextraneousflags).Reviewed by Cursor Bugbot for commit fe337fb. Bugbot is set up for automated code reviews on this repo. Configure here.