Skip to content

chore: deps upgrade + Docusaurus 3.10 hardening#112

Merged
Frooodle merged 3 commits intomainfrom
depsUpdate2026
Apr 17, 2026
Merged

chore: deps upgrade + Docusaurus 3.10 hardening#112
Frooodle merged 3 commits intomainfrom
depsUpdate2026

Conversation

@Frooodle
Copy link
Copy Markdown
Member

@Frooodle Frooodle commented Apr 17, 2026

Upgrades:

  • Docusaurus core/preset/theme-search-algolia 3.6.3 -> ^3.10.0
  • @docusaurus/module-type-aliases ^3.10.0
  • @mdx-js/react 3.0.0 -> ^3.1.1
  • posthog-docusaurus ^2.0.5, clsx ^2.1.1, prism-react-renderer ^2.4.1
  • Node engine >=16.14 -> >=20.0 (Docusaurus 3.9 dropped Node 18)

Vulnerabilities: 40 (4 low, 26 moderate, 10 high) -> 0 via:

  • Docusaurus 3.10 cascade
  • npm overrides for serialize-javascript ^7.0.5 (high-sev RCE/XSS in deep copy-webpack-plugin / css-minimizer-webpack-plugin transitives)
  • npm override for webpackbar ^7.0.0 (v6 used pre-strict ProgressPlugin schema, broke build under newer webpack)

New Docusaurus features adopted:

  • @docusaurus/faster (Rspack/SWC/LightningCSS) via future.faster + the required future.v4.removeLegacyPostBuildHeadAttribute flag
  • storage namespace to avoid localStorage collisions across versioned docs
  • onBrokenAnchors: throw (CI safety net for cross-references)
  • sitemap lastmod from git, drop priority/changefreq (v4 default, SEO win)
  • colorMode.respectPrefersColorScheme (auto follow OS dark/light)
  • markdown.hooks.onBrokenMarkdownLinks (replaces deprecated top-level)

Cleanups uncovered by Faster:

  • Deleted babel.config.js (SWC handles JS now; build emitted notice)
  • Moved scarf tracking pixel from headTags to an inline plugin using injectHtmlTags -> postBodyTags. The in was invalid HTML5 and produced 128 HTML minifier warnings under the strict SWC minifier (browsers tolerated it, tracking still fired). Now warning-free.

v4 prep:

  • :::caution -> :::warning in docs/Server-Admin-Onboarding.md (2 places)

@Frooodle
chore: deps upgrade + Docusaurus 3.10 hardening
915e9da 
Upgrades:
- Docusaurus core/preset/theme-search-algolia 3.6.3 -> ^3.10.0
- @docusaurus/module-type-aliases ^3.10.0
- @mdx-js/react 3.0.0 -> ^3.1.1
- posthog-docusaurus ^2.0.5, clsx ^2.1.1, prism-react-renderer ^2.4.1
- Node engine >=16.14 -> >=20.0 (Docusaurus 3.9 dropped Node 18)

Vulnerabilities: 40 (4 low, 26 moderate, 10 high) -> 0 via:
- Docusaurus 3.10 cascade
- npm overrides for serialize-javascript ^7.0.5 (high-sev RCE/XSS in deep
  copy-webpack-plugin / css-minimizer-webpack-plugin transitives)
- npm override for webpackbar ^7.0.0 (v6 used pre-strict ProgressPlugin
  schema, broke build under newer webpack)

New Docusaurus features adopted:
- @docusaurus/faster (Rspack/SWC/LightningCSS) via future.faster + the
  required future.v4.removeLegacyPostBuildHeadAttribute flag
- storage namespace to avoid localStorage collisions across versioned docs
- onBrokenAnchors: throw (CI safety net for cross-references)
- sitemap lastmod from git, drop priority/changefreq (v4 default, SEO win)
- colorMode.respectPrefersColorScheme (auto follow OS dark/light)
- markdown.hooks.onBrokenMarkdownLinks (replaces deprecated top-level)

Cleanups uncovered by Faster:
- Deleted babel.config.js (SWC handles JS now; build emitted notice)
- Moved scarf tracking pixel from headTags to an inline plugin using
  injectHtmlTags -> postBodyTags. The <img> in <head> was invalid HTML5
  and produced 128 HTML minifier warnings under the strict SWC minifier
  (browsers tolerated it, tracking still fired). Now warning-free.

v4 prep:
- :::caution -> :::warning in docs/Server-Admin-Onboarding.md (2 places)
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 17, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
stirling-tools-github-io Ready Ready Preview, Comment Apr 17, 2026 8:14am

Frooodle added 2 commits April 17, 2026 09:12
@Frooodle
ci: bump Node 18 -> 24 (latest LTS) and update GH Actions
16b734b 
- node-version: 18 -> 24 (latest LTS as of Apr 2026)
  Required: serialize-javascript ^7.0.5 (security override) uses the
  global crypto API which only exists in Node 19+, so the prior
  Node 18 runner failed with "ReferenceError: crypto is not defined"
- actions/checkout@v3 -> v4
- actions/setup-node@v3 -> v4
  Both v3 actions were on the deprecated Node 20 runtime
- peaceiris/actions-gh-pages@v3 -> v4

package.json engines stays >=20.0 (Docusaurus 3.10's floor) so users
running 20/22/24 locally remain supported; CI just runs latest LTS.
@Frooodle
chore: pin engines.node to 24.x (latest LTS)
e288388 
Vercel was emitting two warnings on every deploy:
  - "engines >=20.0 ... will automatically upgrade when a new major
    Node.js Version is released"
  - "Node.js Version defined in your Project Settings (22.x) will not
    apply, Node.js Version 24.x will be used instead"

Open-ended ranges trigger Vercel's auto-upgrade behaviour. Pin to
24.x to match CI and the runtime Vercel is already selecting.

Heads-up: the Vercel Project Settings still need to be flipped from
22.x to 24.x to clear the second warning.
@Frooodle Frooodle merged commit 3176dab into main Apr 17, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jbrunton96 jbrunton96 jbrunton96 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Frooodle @jbrunton96