Skip to content

fix(npm): unblock portal-v0.1.0 publish + bump endpoint-manager devDeps#99

Merged
voyvodka merged 3 commits into
mainfrom
chore/package-bumps-and-portal-publish-fix
May 11, 2026
Merged

fix(npm): unblock portal-v0.1.0 publish + bump endpoint-manager devDeps#99
voyvodka merged 3 commits into
mainfrom
chore/package-bumps-and-portal-publish-fix

Conversation

@voyvodka
Copy link
Copy Markdown
Owner

@voyvodka voyvodka commented May 11, 2026

Summary

Two coupled fixes that unblock the @webhookengine/endpoint-manager v0.1.0 npm publish (the first publish workflow on the portal-v0.1.0 tag failed; the npm registry has no published version yet).

Fix 1 — workspace protocol unblocks npm publish

samples/portal-host/package.json: "@webhookengine/endpoint-manager": "workspace:*""*".

The portal-v0.1.0 publish workflow failed with:

npm error EUNSUPPORTEDPROTOCOL — Unsupported URL Type "workspace:": workspace:*

npm 10's publish path scans the workspace graph and rejects the workspace: protocol literal. The sample's * range still resolves to the local workspace member during Bun monorepo dev (Bun's workspace resolver picks the workspace package over the registry for any catch-all range), and stops npm from choking when it crawls the graph during publish. The sample's README already explains that consumers should npm install @webhookengine/endpoint-manager — that contract is unchanged.

Fix 2 — devDeps freshen

Brought current to close the security window from the happy-dom CVE chain (PR #98) and unify on the Vite 8 / Vitest 4 line:

Package Before After Type
react (peer) ^19.0.0 ^19.2.6 minor
react-dom (peer) ^19.0.0 ^19.2.6 minor
@testing-library/jest-dom ^6.6.3 ^6.9.1 minor
@testing-library/react ^16.3.0 ^16.3.2 patch
@vitejs/plugin-react ^4.5.2 ^6.0.1 major
tsup ^8.5.0 ^8.5.1 patch
vite ^6.3.5 ^8.0.11 major × 2
vitest ^3.2.1 ^4.1.5 major

Verification (all clean from workspace root after bun install)

Workspace member Result
packages/endpoint-manager typecheck clean
packages/endpoint-manager lint clean
packages/endpoint-manager test 42/42 pass in 847ms
packages/endpoint-manager build ESM 75ms, DTS 489ms
src/dashboard typecheck clean (no regression)
src/dashboard lint clean
src/dashboard build clean (chunk-size warning pre-existing)
samples/portal-host build clean, 245.73 kB / 72 kB gz

Vitest 4 prints a one-line warning ("Both esbuild and oxc options were set. oxc options will be used"). Caused by the existing esbuild: { jsx: "automatic" } in vitest.config.ts; vitest 4 routes JSX through the oxc transformer instead. Tests still run correctly. The config cleanup is a follow-up — non-blocking for the publish.

After merge

The portal-v0.1.0 tag needs to be force-moved (delete + repush) so publish-portal.yml retriggers against the fixed main. The npm registry has nothing under @webhookengine/endpoint-manager yet (the prior workflow run failed before the publish step), so the tag move has no published-version side effect.

Test plan

  • All workspace members lint/typecheck/build clean
  • packages/endpoint-manager 42/42 vitest pass
  • CI green
  • After merge: tag move + publish-portal.yml retrigger → npm publish succeeds

voyvodka added 2 commits May 11, 2026 09:49
@voyvodka
fix(security): bump happy-dom 17.6.3 → 20.9.0 (CRITICAL CVE-2025-61927
d233944 
…+ 2 HIGH)

Closes 3 Dependabot alerts on the test-only happy-dom package:

- #1 CRITICAL CVE-2025-61927 / GHSA-37j7-fg3j-429f — VM Context Escape can lead to Remote Code Execution
- #2 HIGH CVE-2026-33943 / GHSA-6q6h-j7hj-3r64 — ECMAScriptModuleCompiler unsanitized export-name interpolation
- #3 HIGH CVE-2026-34226 / GHSA-w4gp-fjgq-3q4g — fetch credentials use page-origin cookies instead of target

happy-dom is the vitest test environment for @webhookengine/endpoint-manager. It is a devDependency only — never ships in the published package — so the production blast radius for portal-v0.1.0 consumers is zero. The CVE windows still affect any contributor running 'bun run test' locally, so bumping is the right call.

The 17 → 20 major hop is non-breaking for our usage: the 42-test vitest suite passes unchanged (5 test files, 1.01 s), bun run typecheck / lint / build all clean. happy-dom 20's API drift is around DOM corner-cases we do not exercise (we only use it for fetch + DOM rendering of React components in tests).
@voyvodka
fix(npm): unblock portal-v0.1.0 publish + bump endpoint-manager devDeps
1e58eb8 
Two coupled fixes that unblock the @webhookengine/endpoint-manager v0.1.0 npm publish:

1. samples/portal-host/package.json — '@webhookengine/endpoint-manager': 'workspace:*' → '*'.

The portal-v0.1.0 publish workflow failed with 'npm error EUNSUPPORTEDPROTOCOL — Unsupported URL Type "workspace:"' because npm 10's publish path scans the workspace graph and rejects the workspace: protocol literal. The sample's '*' range still resolves to the local workspace member during Bun monorepo dev (Bun's workspace resolver picks the workspace package over the registry for any catch-all range), and stops npm from choking when it crawls the graph during publish. The sample's README already explains that consumers should npm install @webhookengine/endpoint-manager — that contract is unchanged.

2. packages/endpoint-manager — devDeps brought current to close the security window from the happy-dom CVE chain (PR #98) and unify on the Vite 8 / Vitest 4 line:

  peerDependencies:
    react ^19.0.0       → ^19.2.6
    react-dom ^19.0.0   → ^19.2.6
  devDependencies:
    @testing-library/jest-dom ^6.6.3 → ^6.9.1
    @testing-library/react ^16.3.0   → ^16.3.2
    @vitejs/plugin-react ^4.5.2      → ^6.0.1   (major)
    tsup ^8.5.0                      → ^8.5.1
    vite ^6.3.5                      → ^8.0.11  (two majors — matches the dashboard's Vite 8 line)
    vitest ^3.2.1                    → ^4.1.5   (major)

Verification (all clean from the workspace root after bun install):

  packages/endpoint-manager/  bun run typecheck → clean
                              bun run lint      → clean
                              bun run test      → 42/42 pass in 847ms
                              bun run build     → ESM 75ms, DTS 489ms
  src/dashboard/              bun run typecheck → clean (no regression)
                              bun run lint      → clean
                              bun run build     → clean (chunk-size warning is the existing CodeMirror/Recharts one)
  samples/portal-host/        bun run build     → clean, 245.73 kB / 72 kB gz

Vitest 4 prints a one-line warning ('Both esbuild and oxc options were set. oxc options will be used'). Caused by the existing 'esbuild: { jsx: "automatic" }' in vitest.config.ts; vitest 4 routes JSX through the oxc transformer instead. Tests still run correctly. The config can be cleaned up in a follow-up — non-blocking for the publish.

After this PR merges, the portal-v0.1.0 tag needs to be force-moved (delete + repush) so publish-portal.yml retriggers against the fixed main. The npm registry has nothing under @webhookengine/endpoint-manager yet (the prior workflow run failed before the publish step), so the tag move has no published-version side effect.
@voyvodka voyvodka added dependencies Pull requests that update a dependency file security Security-related issues npm npm / Bun dependencies dashboard React dashboard issues labels May 11, 2026
@voyvodka
Merge remote-tracking branch 'origin/main' into chore/package-bumps-a…
ceccce0 
…nd-portal-publish-fix

# Conflicts:
#	bun.lock
@voyvodka voyvodka merged commit ca417d4 into main May 11, 2026
5 checks passed
@voyvodka voyvodka deleted the chore/package-bumps-and-portal-publish-fix branch May 11, 2026 06:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dashboard React dashboard issues dependencies Pull requests that update a dependency file npm npm / Bun dependencies security Security-related issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@voyvodka