Enhancements #5
Enhancements #5
Conversation
Merge into canary
…files with 86+ new test cases
CodeRabbit Generated Unit Tests: Expand test suites for four Next.js files with 86+ new test cases
Removed the buildPassed job from the workflow.
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
…nents-cve-vu-9xhypu
|
Important Review skippedToo many files! This PR contains 260 files, which is 160 over the limit of 100. You can disable this status message by setting the
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
JaclynCodes
added
bug
Summary of ChangesHello @JaclynCodes, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly bolsters the repository's robustness and maintainability through a multi-faceted approach. It dramatically enhances test coverage for critical utility functions, ensuring greater code reliability. Concurrently, it strengthens security postures by integrating advanced static analysis into the CI pipeline and refines the build process by removing redundant steps. Finally, it promotes ecosystem stability by aligning core dependency versions across various projects and examples. Highlights
Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces significant test enhancements across several core Next.js unit test files, detailed in a new TEST_ENHANCEMENTS.md document. Specifically, tests for router-add-base-path, build-output-log, get-project-dir, and phaseConstants have been expanded from a total of 57 lines and 4 basic tests to approximately 660 lines and over 90 comprehensive tests. These new tests cover various scenarios including basePath functionality, logging function behaviors, project directory resolution, typo detection, and constant validation, along with detailed edge case handling and proper environment/console mocking. Concurrently, the pull request updates the next dependency version across numerous package.json files throughout the repository, upgrading many instances from 'latest', 'workspace:*', or older specific versions to newer specific versions like '15.5.8', '16.0.10', '15.5.9', '15.0.7', '14.2.35', '15.6.0-canary.60', and '16.1.0-canary.19'.
👀 |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 262 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="examples/reproduction-template-pages/package.json">
<violation number="1" location="examples/reproduction-template-pages/package.json:9">
P2: The reproduction template must stay on `next@canary` to match the documented bug report requirements; pinning a stable version breaks the template’s intended usage.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This pull request expands unit test coverage, introduces a new CodeQL-based security scanning workflow, cleans up an unused CI job, and aligns next versions across the repo to specific pinned releases.
Changes:
- Greatly extends unit tests for
addBasePath, build logging,getProjectDir, and phase constants, and documents the enhancements inTEST_ENHANCEMENTS.md. - Adds a
.github/workflows/codeql.ymlworkflow to run CodeQL analysis for Actions, JS/TS, Python, and Rust, and removes the redundantbuildPassedjob from the main build-and-deploy workflow. - Pins
nextto concrete versions (primarily15.5.8, with some apps on15.5.9or16.0.10) across benches, test fixtures, examples, and tooling, and updates thepnpm-lock.yamlaccordingly.
Reviewed changes
Copilot reviewed 248 out of 261 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| turbopack/packages/turbo-tracing-next-plugin/test/with-mongodb-mongoose/package.json | Pins the test app’s next dependency to 15.5.8 instead of latest to ensure deterministic behavior. |
| turbopack/packages/turbo-tracing-next-plugin/package.json | Changes the plugin’s devDependency on next from a workspace link to 15.5.8, aligning with the new pinned strategy. |
| test/unit/router-add-base-path.test.ts | Expands tests for addBasePath to cover basePath behavior, manual base path mode, and multiple edge cases, though env setup currently doesn’t influence the implementation as intended. |
| test/unit/phaseConstants.test.ts | Adds comprehensive tests for additional phases, compiler constants, adapter output types, and basic immutability/export checks. |
| test/unit/get-project-dir.test.ts | Adds functional tests for getProjectDir and integration tests for detectTypo, increasing coverage of error paths and edge cases. |
| test/unit/build-output-log.test.ts | Significantly broadens tests around warnOnce, errorOnce, and various logging utilities, including caching semantics and argument-type handling. |
| test/integration/styled-jsx-plugin/app/package.json | Pins example app’s next to 15.5.8 for reproducibility. |
| test/e2e/next-test/first-time-setup-ts/package.json | Switches from next canary to 15.5.8 in this e2e test template. |
| test/e2e/next-test/first-time-setup-js/package.json | Same as above for the JS first-time-setup example. |
| test/.stats-app/package.json | Pins next to 15.5.8 for the stats test app. |
| pnpm-lock.yaml | Regenerates lockfile entries to reflect new next versions (15.5.8, 15.5.9, 16.0.10, 16.1.0‑canary.19), related @next/* binaries, and updated eslint-config-next, while also marking [email protected] as deprecated due to a security vulnerability. |
| packages/third-parties/package.json | Bumps the devDependency next canary version from 16.1.0-canary.7 to 16.1.0-canary.19. |
| packages/next-codemod/bin/testfixtures/*/package.json | Adjusts fixture next versions used by codemod tests (e.g., from various canaries to 15.6.0-canary.60 or stable 14.2.35) to reflect updated compatibility scenarios. |
| package.json | Pins root-level next from workspace:* to 15.5.8, and keeps other tooling deps unchanged. |
| crates/next-core/js/package.json | Replaces next workspace dependency with pinned 15.5.8 to align with the standardization. |
| bench/*/package.json | Changes multiple bench projects from next workspace:* to 15.5.8 for consistent benchmarking against a specific release. |
| apps/docs/package.json | Bumps docs app next from 15.5.3 to 15.5.9 to pick up newer fixes (including RSC CVE patches). |
| apps/bundle-analyzer/package.json | Bumps next from 16.0.1 to 16.0.10 to incorporate latest patches. |
| examples/**/package.json | Systematically replaces next versions like latest, canary, or older minors with pinned versions (mostly 15.5.8, and in some cases 14.2.35 or other targeted versions) across the entire examples tree. |
| TEST_ENHANCEMENTS.md | New document summarizing all test enhancements, structure, patterns, and coverage deltas, though the summary table markup needs a minor formatting fix. |
| .github/workflows/codeql.yml | New workflow enabling CodeQL “advanced” analysis for JS/TS, Python, Rust, and Actions on canary branch pushes/PRs and a weekly schedule. |
| .github/workflows/build_and_deploy.yml | Removes the buildPassed job that only existed to reflect failures, simplifying the workflow. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| [email protected]: | ||
| resolution: {integrity: sha512-Tma2R50eiM7Fx6fbDeHiThq7sPgl06mBr76j6Ga0lMFGrmaLitFsy31kykgb8Z++DR2uIEKi2RZ0iyjIwFd15Q==} | ||
| engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0} | ||
| deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details. | ||
| hasBin: true | ||
| peerDependencies: | ||
| '@opentelemetry/api': ^1.1.0 | ||
| '@playwright/test': ^1.51.1 |
There was a problem hiding this comment.
The [email protected] entry is explicitly marked as deprecated due to a security vulnerability, but the PR standardizes many packages (including the root) on this version. To avoid installing a known-vulnerable release, this lockfile entry (and corresponding package.json specs) should be updated to a patched version such as 15.5.9 or another version referenced by the security advisory.
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
| | File | Before | After | Increase | | ||
| |------|--------|-------|----------| | ||
| | router-add-base-path.test.ts | 9 lines, 1 test | ~140 lines, 25+ tests | ~1,400% | | ||
| | build-output-log.test.ts | 27 lines, 1 test | ~250 lines, 30+ tests | ~800% | | ||
| | get-project-dir.test.ts | 5 lines, 1 test | ~120 lines, 15+ tests | ~2,300% | | ||
| | phaseConstants.test.ts | 16 lines, 1 test | ~150 lines, 20+ tests | ~840% | | ||
|
|
There was a problem hiding this comment.
The markdown table in the "Summary Statistics" section uses a leading || on each row, which renders an extra empty column and is inconsistent with standard table syntax. Consider changing these lines to start with a single | so the header and rows render as a 4‑column table as intended.
| describe('with basePath set', () => { | ||
| const originalBasePath = process.env.__NEXT_ROUTER_BASEPATH | ||
| const originalManualBasePath = process.env.__NEXT_MANUAL_CLIENT_BASE_PATH | ||
|
|
||
| beforeEach(() => { | ||
| process.env.__NEXT_ROUTER_BASEPATH = '/docs' | ||
| delete process.env.__NEXT_MANUAL_CLIENT_BASE_PATH | ||
| }) | ||
|
|
There was a problem hiding this comment.
These tests mutate process.env.__NEXT_ROUTER_BASEPATH in beforeEach, but addBasePath reads this value into a module‑level basePath constant at import time (packages/next/src/client/add-base-path.ts), so changing the env var after the initial import will not affect the behavior under test. As written, the "with basePath set" expectations (e.g. '/docs/hello') will never be satisfied unless the env var is set before the module is first imported, meaning these tests won't actually validate basePath handling. Consider moving the import/require of addBasePath inside the tests after setting process.env (or resetting the module cache between cases), or refactoring addBasePath to read the env at call time if that is the desired contract.
| "moment": "^2.24.0", | ||
| "nanoid": "3.1.30", | ||
| "next": "workspace:*", | ||
| "next": "15.5.8", |
There was a problem hiding this comment.
Here next is pinned to 15.5.8, but in pnpm-lock.yaml the [email protected] package entry is marked as deprecated due to a security vulnerability with guidance to upgrade to a patched version (https://nextjs.org/blog/security-update-2025-12-11). Since this repo standardizes on next for many benches/examples, depending on a known-vulnerable version is a security regression; please bump to a patched release (e.g. 15.5.9 or later) and keep the lockfile in sync.
|
@copilot open a new pull request to apply changes based on the comments in this thread |
JaclynCodes
removed
bug
There was a problem hiding this comment.
3 issues found across 261 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="examples/cms-wordpress/package.json">
<violation number="1" location="examples/cms-wordpress/package.json:13">
P3: The example README still claims this is a “Next.js 14” project, but the dependency was bumped to Next.js 15.5.8. Update the README to reflect the new version so users aren’t misled about the required Next.js version.</violation>
</file>
<file name="examples/with-ably/package.json">
<violation number="1" location="examples/with-ably/package.json:11">
P2: Next.js 15.5.8 suggests a minimum of React 18.2.0/ReactDOM 18.2.0; keeping react/react-dom at 18.1.0 will trigger the minimum React version warning and leave features disabled. Update the React versions alongside this Next.js bump.</violation>
</file>
<file name="examples/reproduction-template/package.json">
<violation number="1" location="examples/reproduction-template/package.json:9">
P2: The reproduction template is documented to use `next@canary` for validating bugs. Pinning to 15.5.8 conflicts with that requirement and will lead to reproductions that aren’t verified against canary. Keep the dependency as canary for this template.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| "@ably-labs/react-hooks": "^2.0.4", | ||
| "ably": "^1.2.22", | ||
| "next": "latest", | ||
| "next": "15.5.8", |
There was a problem hiding this comment.
P2: Next.js 15.5.8 suggests a minimum of React 18.2.0/ReactDOM 18.2.0; keeping react/react-dom at 18.1.0 will trigger the minimum React version warning and leave features disabled. Update the React versions alongside this Next.js bump.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At examples/with-ably/package.json, line 11:
<comment>Next.js 15.5.8 suggests a minimum of React 18.2.0/ReactDOM 18.2.0; keeping react/react-dom at 18.1.0 will trigger the minimum React version warning and leave features disabled. Update the React versions alongside this Next.js bump.</comment>
<file context>
@@ -8,7 +8,7 @@
"@ably-labs/react-hooks": "^2.0.4",
"ably": "^1.2.22",
- "next": "latest",
+ "next": "15.5.8",
"react": "18.1.0",
"react-dom": "18.1.0"
</file context>
| }, | ||
| "dependencies": { | ||
| "next": "canary", | ||
| "next": "15.5.8", |
There was a problem hiding this comment.
P2: The reproduction template is documented to use next@canary for validating bugs. Pinning to 15.5.8 conflicts with that requirement and will lead to reproductions that aren’t verified against canary. Keep the dependency as canary for this template.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At examples/reproduction-template/package.json, line 9:
<comment>The reproduction template is documented to use `next@canary` for validating bugs. Pinning to 15.5.8 conflicts with that requirement and will lead to reproductions that aren’t verified against canary. Keep the dependency as canary for this template.</comment>
<file context>
@@ -6,7 +6,7 @@
},
"dependencies": {
- "next": "canary",
+ "next": "15.5.8",
"react": "19.2.0",
"react-dom": "19.2.0"
</file context>
| "next": "15.5.8", | |
| "next": "canary", |
| "graphql": "^16.9.0", | ||
| "graphql-tag": "^2.12.6", | ||
| "next": "latest", | ||
| "next": "15.5.8", |
There was a problem hiding this comment.
P3: The example README still claims this is a “Next.js 14” project, but the dependency was bumped to Next.js 15.5.8. Update the README to reflect the new version so users aren’t misled about the required Next.js version.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At examples/cms-wordpress/package.json, line 13:
<comment>The example README still claims this is a “Next.js 14” project, but the dependency was bumped to Next.js 15.5.8. Update the README to reflect the new version so users aren’t misled about the required Next.js version.</comment>
<file context>
@@ -10,7 +10,7 @@
"graphql": "^16.9.0",
"graphql-tag": "^2.12.6",
- "next": "latest",
+ "next": "15.5.8",
"react": "18.3.1",
"react-dom": "18.3.1"
</file context>
1 participant
This pull request introduces several significant improvements across the repository, focusing on enhanced test coverage, dependency updates, and CI workflow enhancements. The most notable changes are the comprehensive expansion of unit tests to improve code quality and coverage, the addition of an advanced CodeQL analysis workflow for better security scanning, and the alignment of
nextpackage versions across multiple projects and examples for consistency.Test Coverage Enhancements:
TEST_ENHANCEMENTS.mddocumenting major improvements to unit tests for files such asrouter-add-base-path.test.ts,build-output-log.test.ts,get-project-dir.test.ts, andphaseConstants.test.ts. These enhancements include expanded test suites, edge case handling, integration testing, and improved test structure and resource management. Coverage was increased from 4 basic tests to over 90 comprehensive tests, greatly improving reliability and maintainability.CI/CD and Security Improvements:
.github/workflows/codeql.ymlworkflow to enable advanced CodeQL security scanning for multiple languages (JavaScript/TypeScript, Python, Rust, Actions), improving the repository’s vulnerability detection and code quality assurance.buildPassedjob from.github/workflows/build_and_deploy.yml, simplifying the build and deploy workflow.Dependency Version Alignment:
nextpackage version to15.5.8(or higher where appropriate) across multiplebench,examples, andcrates/next-core/jspackage files. This ensures consistency and stability across all projects and examples in the repository. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]nextinapps/bundle-analyzer/package.jsonto16.0.10and inapps/docs/package.jsonto15.5.9for the latest features and fixes. [1] [2]Summary of Most Important Changes:
Test Coverage and Quality
CI/CD and Security
buildPassedjob from the build and deploy workflow.Dependency Management
nextversion to15.5.8(or higher) in all relevant packages, benches, and examples for consistency and stability. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]nextinapps/bundle-analyzerandapps/docsto the latest compatible versions. [1] [2]<!-- Thanks for opening a PR! Your contribution is much appreciated.To make sure your PR is handled as smoothly as possible we request that you follow the checklist sections below.
Choose the right checklist for the change(s) that you're making:
For Contributors
Improving Documentation
pnpm prettier-fixto fix formatting issues before opening the PR.Fixing a bug
fixes #numberAdding a feature
fixes #numberFor Maintainers
What?
Why?
How?
Closes NEXT-
Fixes #
-->
Summary by cubic
Expands unit tests, adds CodeQL security scanning, and standardizes Next.js versions to improve reliability and security. Also removes a redundant CI job and updates apps to patched versions addressing React Server Components CVEs.
New Features
Dependencies
Written for commit 9b85104. Summary will update on new commits.