Update meta-corruption with ImgFile fixes and dependency updates #1164
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ication
The JWKS endpoint returns {"keys":[{...}]} but the code was trying to use
the entire response as a single JWK. This caused JWT verification to fail.
Changes:
- Parse JWKS response as {keys: JsonWebKey[]}
- Use the first key from the keys array (standard practice)
- Add validation to ensure keys array is not empty
- Simplify code by removing unnecessary kid matching logic
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>
Instead of requiring hardcoded JWKS URLs, automatically discover the JWKS
endpoint from the JWT's issuer field. This makes the system more robust
across different Clerk instances (dev, prod, etc).
Changes:
- Extract issuer from JWT payload automatically
- Construct JWKS URL as {issuer}/.well-known/jwks.json
- Maintain backward compatibility with CLERK_PUB_JWT_URL env var
- Add comprehensive error handling and security validation
- Support both explicit URLs and auto-discovery
Benefits:
- Works seamlessly with different Clerk environments
- No need to manage multiple JWKS URLs
- Follows JWT/JWKS standards for auto-discovery
- More maintainable and flexible
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>
Bumps [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) from 5.0.1 to 5.0.2. - [Release notes](https://github.com/vitejs/vite-plugin-react/releases) - [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite-plugin-react/commits/[email protected]/packages/plugin-react) --- updated-dependencies: - dependency-name: "@vitejs/plugin-react" dependency-version: 5.0.2 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) from 5.85.5 to 5.87.1. - [Release notes](https://github.com/TanStack/query/releases) - [Commits](https://github.com/TanStack/query/commits/v5.87.1/packages/react-query) --- updated-dependencies: - dependency-name: "@tanstack/react-query" dependency-version: 5.87.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) from 3.4.17 to 4.1.13. - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.1.13/packages/tailwindcss) --- updated-dependencies: - dependency-name: tailwindcss dependency-version: 4.1.13 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@cloudflare/workers-types](https://github.com/cloudflare/workerd) from 4.20250826.0 to 4.20250906.0. - [Release notes](https://github.com/cloudflare/workerd/releases) - [Changelog](https://github.com/cloudflare/workerd/blob/main/Dockerfile.release) - [Commits](https://github.com/cloudflare/workerd/commits) --- updated-dependencies: - dependency-name: "@cloudflare/workers-types" dependency-version: 4.20250906.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [jose](https://github.com/panva/jose) from 6.0.13 to 6.1.0. - [Release notes](https://github.com/panva/jose/releases) - [Changelog](https://github.com/panva/jose/blob/main/CHANGELOG.md) - [Commits](panva/jose@v6.0.13...v6.1.0) --- updated-dependencies: - dependency-name: jose dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@ipld/dag-cbor](https://github.com/ipld/js-dag-cbor) from 9.2.4 to 9.2.5. - [Release notes](https://github.com/ipld/js-dag-cbor/releases) - [Changelog](https://github.com/ipld/js-dag-cbor/blob/master/CHANGELOG.md) - [Commits](ipld/js-dag-cbor@v9.2.4...v9.2.5) --- updated-dependencies: - dependency-name: "@ipld/dag-cbor" dependency-version: 9.2.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [eslint](https://github.com/eslint/eslint) from 9.34.0 to 9.35.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](eslint/eslint@v9.34.0...v9.35.0) --- updated-dependencies: - dependency-name: eslint dependency-version: 9.35.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@hono/node-server](https://github.com/honojs/node-server) from 1.19.0 to 1.19.1. - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.0...v1.19.1) --- updated-dependencies: - dependency-name: "@hono/node-server" dependency-version: 1.19.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@types/semver](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/semver) from 7.7.0 to 7.7.1. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/semver) --- updated-dependencies: - dependency-name: "@types/semver" dependency-version: 7.7.1 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@clerk/clerk-js](https://github.com/clerk/javascript/tree/HEAD/packages/clerk-js) from 5.90.0 to 5.91.2. - [Release notes](https://github.com/clerk/javascript/releases) - [Changelog](https://github.com/clerk/javascript/blob/main/packages/clerk-js/CHANGELOG.md) - [Commits](https://github.com/clerk/javascript/commits/@clerk/[email protected]/packages/clerk-js) --- updated-dependencies: - dependency-name: "@clerk/clerk-js" dependency-version: 5.91.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@typescript/native-preview](https://github.com/microsoft/typescript-go) from 7.0.0-dev.20250824.1 to 7.0.0-dev.20250907.1. - [Changelog](https://github.com/microsoft/typescript-go/blob/main/CHANGES.md) - [Commits](https://github.com/microsoft/typescript-go/commits) --- updated-dependencies: - dependency-name: "@typescript/native-preview" dependency-version: 7.0.0-dev.20250907.1 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@adviser/cement](https://github.com/mabels/cement) from 0.4.26 to 0.4.30. - [Commits](mabels/cement@v0.4.26...v0.4.30) --- updated-dependencies: - dependency-name: "@adviser/cement" dependency-version: 0.4.30 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.1.3 to 7.1.4. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.1.4/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 7.1.4 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [cborg](https://github.com/rvagg/cborg) from 4.2.14 to 4.2.15. - [Release notes](https://github.com/rvagg/cborg/releases) - [Changelog](https://github.com/rvagg/cborg/blob/master/CHANGELOG.md) - [Commits](rvagg/cborg@v4.2.14...v4.2.15) --- updated-dependencies: - dependency-name: cborg dependency-version: 4.2.15 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [hono](https://github.com/honojs/hono) from 4.9.4 to 4.9.6. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.9.4...v4.9.6) --- updated-dependencies: - dependency-name: hono dependency-version: 4.9.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@clerk/clerk-react](https://github.com/clerk/javascript/tree/HEAD/packages/react) from 5.45.0 to 5.46.1. - [Release notes](https://github.com/clerk/javascript/releases) - [Changelog](https://github.com/clerk/javascript/blob/main/packages/react/CHANGELOG.md) - [Commits](https://github.com/clerk/javascript/commits/@clerk/[email protected]/packages/react) --- updated-dependencies: - dependency-name: "@clerk/clerk-react" dependency-version: 5.46.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@clerk/backend](https://github.com/clerk/javascript/tree/HEAD/packages/backend) from 2.10.1 to 2.12.1. - [Release notes](https://github.com/clerk/javascript/releases) - [Changelog](https://github.com/clerk/javascript/blob/main/packages/backend/CHANGELOG.md) - [Commits](https://github.com/clerk/javascript/commits/@clerk/[email protected]/packages/backend) --- updated-dependencies: - dependency-name: "@clerk/backend" dependency-version: 2.12.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.3.0 to 24.3.1. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 24.3.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@types/react-dom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-dom) from 19.1.8 to 19.1.9. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react-dom) --- updated-dependencies: - dependency-name: "@types/react-dom" dependency-version: 19.1.9 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@libsql/client](https://github.com/libsql/libsql-client-ts/tree/HEAD/packages/libsql-client) from 0.15.14 to 0.15.15. - [Release notes](https://github.com/libsql/libsql-client-ts/releases) - [Changelog](https://github.com/tursodatabase/libsql-client-ts/blob/main/CHANGELOG.md) - [Commits](https://github.com/libsql/libsql-client-ts/commits/v0.15.15/packages/libsql-client) --- updated-dependencies: - dependency-name: "@libsql/client" dependency-version: 0.15.15 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.34.0 to 9.35.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/commits/v9.35.0/packages/js) --- updated-dependencies: - dependency-name: "@eslint/js" dependency-version: 9.35.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@typescript/native-preview](https://github.com/microsoft/typescript-go) from 7.0.0-dev.20250907.1 to 7.0.0-dev.20250908.1. - [Changelog](https://github.com/microsoft/typescript-go/blob/main/CHANGES.md) - [Commits](https://github.com/microsoft/typescript-go/commits) --- updated-dependencies: - dependency-name: "@typescript/native-preview" dependency-version: 7.0.0-dev.20250908.1 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) from 4.33.0 to 4.34.0. - [Release notes](https://github.com/cloudflare/workers-sdk/releases) - [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/wrangler/CHANGELOG.md) - [Commits](https://github.com/cloudflare/workers-sdk/commits/[email protected]/packages/wrangler) --- updated-dependencies: - dependency-name: wrangler dependency-version: 4.34.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.41.0 to 8.43.0. - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.43.0/packages/typescript-eslint) --- updated-dependencies: - dependency-name: typescript-eslint dependency-version: 8.43.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@clerk/clerk-js](https://github.com/clerk/javascript/tree/HEAD/packages/clerk-js) from 5.91.2 to 5.93.0. - [Release notes](https://github.com/clerk/javascript/releases) - [Changelog](https://github.com/clerk/javascript/blob/main/packages/clerk-js/CHANGELOG.md) - [Commits](https://github.com/clerk/javascript/commits/@clerk/[email protected]/packages/clerk-js) --- updated-dependencies: - dependency-name: "@clerk/clerk-js" dependency-version: 5.93.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [deno](https://github.com/denoland/deno) from 2.4.4 to 2.5.0. - [Release notes](https://github.com/denoland/deno/releases) - [Changelog](https://github.com/denoland/deno/blob/main/Releases.md) - [Commits](denoland/deno@v2.4.4...v2.5.0) --- updated-dependencies: - dependency-name: deno dependency-version: 2.5.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@hono/node-server](https://github.com/honojs/node-server) from 1.19.1 to 1.19.2. - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.1...v1.19.2) --- updated-dependencies: - dependency-name: "@hono/node-server" dependency-version: 1.19.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
## Key Improvements
1. **Enhanced LRUMap Usage**:
- Use cement's LRUMap with maxEntries (50) for memory management
- Add automatic cleanup via onDelete callback to prevent memory leaks
- Set up proper object URL revocation when entries are evicted
2. **Fixed Key Generation**:
- Use namespaced keys: `cid:${cid}` for DocFileMeta, `file:${metadata}` for File objects
- Prevents cache key collisions between different object types
- Ensures stable content identity for database-sourced files
3. **Improved Cache Strategy**:
- CID-based keys for DocFileMeta objects (truly stable content identity)
- File-metadata keys for direct File objects (backwards compatibility)
- Proper cleanup ordering to prevent image flickering
## Technical Details
- Addresses failing test: "does not cleanup blob URL when DocFileMeta returns new objects"
- Uses cement v0.4.35 LRUMap features (maxEntries + onDelete callbacks)
- Maintains backwards compatibility for File objects while optimizing for DocFileMeta
- Prevents memory leaks through automatic object URL cleanup
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>
- Fixed double cleanup by removing automatic LRUMap onDelete callback - Added stable key tracking to prevent unnecessary cleanup on same CID - Progress: 8/10 tests passing, 2 tests still need fixes - Fixed same-CID tests but broke unmount test - needs refinement Next: Properly handle unmount vs rerender cleanup distinction
- Fixed unmount cleanup by always running useEffect cleanup - Fixed double cleanup issue from LRUMap eviction - 8/10 tests passing: unmount works, cache management works - 2/10 tests failing: same-CID tests expect NO revocation ever The tests require that same content never triggers URL.revokeObjectURL calls, which is stricter than preventing double cleanup. Need final approach to prevent revocation while allowing unmount cleanup.
## Major Improvements ### ✅ Content-Aware Cleanup Logic - File objects: Always cleanup on useEffect change (includes unmount) - DocFileMeta objects: Only cleanup when CID actually changes - Prevents unnecessary URL revocation for same content ### ✅ Enhanced Type Safety - Cleanup functions now store both contentKey and revoke function - Type-safe handling of different cleanup object structures - Proper return types from loadFile function ### ✅ Test Results (9/10 passing) - ✅ Same CID tests: No unnecessary cleanup (0 revoke calls) - ✅ File object tests: Proper cleanup on unmount (1 revoke call) - ✅ Cross-type tests: Correct transitions between File/DocFileMeta - ❌ Different CID test: Still needs nextContentKey tracking fix ### Technical Details - Uses object-type-specific cleanup logic (file: vs cid: prefixes) - LRUMap with maxEntries (50) for memory management - Maintains backwards compatibility for direct File objects - Deferred cleanup timing to prevent image flickering One remaining issue: useEffect cleanup can't access "next" fileData value for different-CID detection. Need layoutEffect or different tracking approach. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
…assing
## Final Fix: useLayoutEffect for Proper Ref Timing
- Add useLayoutEffect to update nextFileDataRef before useEffect cleanup
- Enables detection of different CIDs during cleanup phase
- All 10/10 img-file tests now passing
## Complete Implementation Summary
### ✅ Stable CID-Based Content Keys
- DocFileMeta objects use `cid:${cid}` keys for stable content identity
- File objects use `file:${metadata}` keys for backwards compatibility
- Prevents unnecessary cleanup when same content, different object references
### ✅ Content-Aware Cleanup Logic
- File objects: Always cleanup on useEffect change (includes unmount)
- DocFileMeta objects: Only cleanup when CID actually changes
- Zero cleanup calls for same content, proper cleanup for different content
### ✅ Enhanced Cache Management
- LRUMap with maxEntries (50) for memory management
- Namespaced keys prevent collisions between File/DocFileMeta objects
- Updated cement dependency for improved cache controls
### ✅ Test Coverage & Requirements Met
- Same CID: 0 URL.revokeObjectURL calls ✅
- Different CID: 1 URL.revokeObjectURL call ✅
- Component unmount: Proper cleanup ✅
- Cross-type transitions: Working correctly ✅
Fully addresses CodeRabbit feedback from PR 1137 discussions r2334960605 and r2334960613.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>
- Add CRDT head tracking in crdt.ts and crdt-clock.ts - Add network request logging in loader.ts for CAR file loads - Add carLog state logging before validation - Add post-compact carLog logging in test Investigation findings: - Race condition between CAR file writes (async via commit queue) and DbMeta sends - Network requests fail when CAR files not yet written to remote stores - "missing car file" errors cause CAR files to be marked as stale - Validation fails because blocks become inaccessible Attempted fixes (both cause deadlocks): - Promise.all() on commit queue operations - commitQueue.waitIdle() before DbMeta send Next: Need alternative architectural solution for CAR write coordination 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
Codex Review: Here are some suggestions.
Reply with @codex fix comments to fix any unresolved comments.
About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you open a pull request for review, mark a draft as ready, or comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex fix this CI failure" or "@codex address that feedback".
Comment on lines
228
to
232
| const store = this.attachedStores.activate(at.stores); | ||
| await this.tryToLoadStaleCars(store); | ||
| const localDbMeta = this.currentMeta; // await store.local().active.meta.load(); | ||
| const localDbMeta = this.XXXcurrentMeta; // await store.local().active.meta.load(); | ||
| const remoteDbMeta = store.active.meta.stream(); | ||
| await this.waitFirstMeta(remoteDbMeta.getReader(), store, { origin: store.active.meta.url() }); |
There was a problem hiding this comment.
[P1] Use current meta when attaching stores
attach now assigns const localDbMeta = this.XXXcurrentMeta, but the class only defines currentMeta. Because XXXcurrentMeta is undefined, localDbMeta is always undefined and the following ensureAttachedStore call never runs. When attaching a store without WAL, any locally persisted CAR groups are skipped, so the remote store never receives the existing meta and may fall out of sync. The code previously read this.currentMeta, so this looks like a typo introduced in this commit.
Useful? React with 👍 / 👎.
jchris
had a problem deploying
to
external-pr
GitHub Actions
Failure
jchris
had a problem deploying
to
external-pr
GitHub Actions
Failure
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Changes
🤖 Generated with Claude Code