chore: repo-wide hardening and performance improvements#376
Merged
Conversation
- CI: scope mutation workflow permissions, SHA-pin third-party actions, pin release Node version - deps: pin @types/node, declare engines field on published packages - ingest: cap request body size at 32KB, document the endpoint threat model - redact: precompile path matchers once per config, O(1) case-insensitive leaf lookup, drop no-op lastIndex resets - pipeline: unref flush and retry timers so pending batches never hold the process open - audit: guard stableStringify against circular references - adapters: share deprecated-alias handling via applyDeprecatedAlias toolkit helper - vite: warn when sourceLocation is enabled for production builds https://claude.ai/code/session_01HyRiR2xjNsgoDshB64itH3
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
|
Thank you for following the naming conventions! 🙏 |
Contributor
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (5)
📝 WalkthroughWalkthroughThis PR pins CI/actions and Node engines, adds a shared deprecated-config alias helper (adopted by adapters), enforces 32KB ingest request limits with strict JSON parsing, precompiles redact path matchers and optimizes leaf lookups, adds circular-reference detection to audit stringify, and applies runtime/perf tweaks (timer unref, header Set, Vite warning). ChangesDependency hardening and configuration improvements
Redaction and serialization robustness
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install timed out. The project may have too many dependencies for the sandbox. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
commit: |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 62: The package.json dependency "`@types/node`" is set to ^25.9.1 which can
expose Node 25+ typings while CI runs Node 22; update the "`@types/node`" entry in
package.json to a Node-22-compatible major (for example "^22.0.0" or a specific
22.x release), run your package manager to update lockfiles, and re-run CI;
alternatively, if you intend to use Node 25 features, change the CI node-version
to match instead (whichever path you choose, keep the `@types/node` major aligned
with the CI Node runtime).
In `@packages/evlog/src/adapters/better-stack.ts`:
- Line 37: Update the envHint text in the BetterStack adapter so it mentions
both Nuxt-specific and generic environment variable names; locate the envHint
property in packages/evlog/src/adapters/better-stack.ts (the current string
'Env: NUXT_BETTER_STACK_SOURCE_TOKEN → NUXT_BETTER_STACK_API_KEY.') and change
it to include BETTER_STACK_SOURCE_TOKEN and BETTER_STACK_API_KEY alongside the
NUXT_* variants (e.g. mention "NUXT_BETTER_STACK_SOURCE_TOKEN /
NUXT_BETTER_STACK_API_KEY or BETTER_STACK_SOURCE_TOKEN / BETTER_STACK_API_KEY")
so non-Nuxt users are not misled.
In `@packages/evlog/src/pipeline.ts`:
- Line 135: The retry backoff timer in sendWithRetry is being unref'd via
unrefTimer(setTimeout(...)) which can allow Node/Bun to exit even when flush()
is awaiting the retry Promise; modify sendWithRetry so that when it's invoked as
part of an explicit flush (the flush caller or a boolean flag passed into
sendWithRetry), the retry timers are kept ref'd (use setTimeout without
unrefTimer) so the awaited Promise will keep the event loop alive; leave the
unref behavior for non-flush paths to avoid preventing shutdown hang-ups. Ensure
you update the call sites (flush and any other callers) to pass the flag and
change the code around getRetryDelay(attempt) / unrefTimer accordingly.
In `@packages/evlog/src/runtime/server/routes/_evlog/ingest.post.ts`:
- Line 52: The check using raw.length mismeasures UTF-8 byte size; update the
ingest POST handler to compute actual UTF-8 byte length (use new
TextEncoder().encode(raw).length) and compare that to MAX_BODY_BYTES instead of
raw.length, replacing the current conditional that references raw and
MAX_BODY_BYTES; ensure the same byte-counting logic is used wherever the body
size is validated in this route so large multi-byte-character payloads are
correctly rejected.
In `@packages/evlog/src/shared/config.ts`:
- Line 60: The guard in applyDeprecatedAlias currently treats falsy values as
unset by using !record[opts.to]; change it to a nullish check so valid falsy
values (0, false, '') are not overwritten—replace the condition with a
null/undefined check such as record[opts.to] == null && record[opts.from] !=
null (or equivalent strict checks) so the alias is only applied when the target
is actually null/undefined and the source exists.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 72370871-86f9-401e-86ce-1f1a48e7ca6c
⛔ Files ignored due to path filters (2)
packages/evlog/test/toolkit/__snapshots__/api-surface.test.ts.snapis excluded by!**/*.snappnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (19)
.changeset/repo-hardening-perf.md.github/workflows/mutation.yml.github/workflows/release.yml.github/workflows/semantic-pull-request.ymlpackage.jsonpackages/evlog/package.jsonpackages/evlog/src/adapters/axiom.tspackages/evlog/src/adapters/better-stack.tspackages/evlog/src/audit.tspackages/evlog/src/pipeline.tspackages/evlog/src/redact.tspackages/evlog/src/runtime/server/routes/_evlog/ingest.post.tspackages/evlog/src/shared/config.tspackages/evlog/src/types.tspackages/evlog/src/utils.tspackages/evlog/src/vite/source-location.tspackages/evlog/test/core/audit.test.tspackages/evlog/test/core/redact.test.tspackages/nuxthub/package.json
- ingest: measure body size in UTF-8 bytes via TextEncoder - toolkit: applyDeprecatedAlias only treats null/undefined as unset - better-stack: include non-Nuxt env vars in deprecation hint - pipeline: keep retry backoff timers ref'd so flush() can't be interrupted by process exit mid-retry; only the idle flush scheduling timer is unref'd https://claude.ai/code/session_01HyRiR2xjNsgoDshB64itH3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by CodeRabbit
Breaking Changes
Improvements