Skip to content

[Snyk] Upgrade dexie from 4.2.1 to 4.4.3#2

Open
sickn33 wants to merge 1 commit into
mainfrom
snyk-upgrade-89658ca27ecf06a8ed88c74c4dfbab8a
Open

[Snyk] Upgrade dexie from 4.2.1 to 4.4.3#2
sickn33 wants to merge 1 commit into
mainfrom
snyk-upgrade-89658ca27ecf06a8ed88c74c4dfbab8a

Conversation

@sickn33

@sickn33 sickn33 commented Jun 24, 2026

Copy link
Copy Markdown
Owner

snyk-top-banner

Snyk has created this PR to upgrade dexie from 4.2.1 to 4.4.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 9 versions ahead of your current version.

  • The recommended version was released a month ago.

Release notes
Package name: dexie
  • 4.4.3 - 2026-05-27

    This is a maintenance release with bug fixes and a configuration API improvement.

    Related Package Releases

    Package Version
    dexie 4.4.3
    dexie-cloud-addon 4.4.13

    Bug Fixes

    dexie@4.4.3

    • fix: delByKeyPath() creates empty intermediate objects on missing pathDexie.delByKeyPath(obj, "foo.bar") on an object without foo would create {foo: {}} as a side effect instead of doing nothing. This caused a real-world bug in dexie-cloud-addon where clearing a dotted key from a changeSpec (e.g. claims.sub) would leave {claims: {}} in the spec, which then overwrote the inline primary key with undefined, resulting in: DataError: Evaluating the object store's key path did not yield a value. Fixed in setByKeyPath to bail out early when value is undefined and the intermediate path doesn't exist. (#2303)

    • fix: Collection.sortBy() mutates frozen array in immutable cache mode — calling .sortBy() on a table when using immutable cache mode could throw TypeError: Cannot assign to read only property because Array.sort() was called on a frozen array. Fixed by sorting on a copy instead. (#2294)

    dexie-cloud-addon@4.4.12

    • rename: maxStringLengthlargeStringThreshold — the string offloading option is renamed for clarity. The old name is kept as a backward-compatible alias. (#2290)

    • fix: blob writebacks routed through BlobSavingQueue to avoid PSD context loss — after an async native fetch (blob download), Dexie's PSD zone is no longer active, causing table.mutate() to crash with Cannot read properties of undefined (reading 'table'). This surfaced as [dexie-cloud:blobResolve] Failed to resolve BlobRefs. Fixed by always routing blob writebacks through BlobSavingQueue.saveBlobs(), which opens a proper Dexie rw-transaction in a fresh JS task. Fixes lazy blob mode crash when using Dexie hooks with dexie-cloud-addon. (#2302)

    • fix: eager blob downloader could starve RAM — the eager downloader triggered blobResolveMiddleware which resolved all pending blobs into memory at once. Fixed by downloading blobs in chunks with a query limit, so memory usage stays bounded regardless of how many blobs are pending. (#2302)

    • fix: in-flight blob downloads are now deduplicated — if a blob is requested after download starts but before it is persisted, the existing download promise is reused instead of starting a new download. (#2302)

    • fix: use cache: no-store for blob fetch requests — avoids the browser caching raw blob responses and double-storing them. (#2302)

    dexie-cloud-addon@4.4.13

    • fix: DataError when applying server-side $logins update — when a user received a server update for the $logins table, dexie-cloud-addon tried to clear claims.sub from the changeSpec using delByKeyPath. Due to the bug above, this left {claims: {}} in the spec, overwriting the inline primary key with undefined and causing DataError: Evaluating the object store's key path did not yield a value. Fixed by guarding against empty changeSpec objects after key deletion. (#2304)

    Other Changes

    • dexie-observable and dexie-syncable README updated to mark them as legacy/unmaintained, with a recommendation to use dexie-cloud-addon for sync. (#2298)
  • 4.4.2 - 2026-03-31

    This is a maintenance release containing several bug fixes accumulated since v4.4.1.

    Related Package Releases

    Package Version
    dexie 4.4.2
    dexie-cloud-addon 4.4.11
    dexie-react-hooks 4.4.0
    dexie-export-import 4.4.0

    Bug Fixes

    dexie-cloud-addon@4.4.8

    • fix: Allow anonymous blob download — previously anonymous users could not download offloaded blobs. Also fixes a crash in Service Worker context when Dexie.ignoreTransaction() was called (#2287)
    • fix: HMR protection of awareness provider — prevents hot module replacement from breaking the Y.js awareness connection in dev environments (9debfc0)
    • fix: Add configurable: true to awareness defineProperty — fixes compatibility issues with certain bundlers and proxies (#2280)
    • fix: Strip primary key from changeSpecs in update mutations — incorrect inclusion of primary key could cause sync failures in certain edge cases (#2277)
    • fix: Preserve syncState on logout to prevent spinner — logging out no longer resets sync state, avoiding an unwanted loading spinner on re-login (#2276)
    • fix: Update wrappedCursor.value in non-blob and error paths in blob resolve middleware (f470167)

    dexie-cloud-addon@4.4.10

    • fix: Cursor-based queries (anyOf(), each(), ignore-case queries) on tables with blobs, large binary data or very long strings could fail. #2293

    dexie-cloud-addon@4.4.11

    • fix: Every other update from server over websocket was ignored (but always catched up on next update). This bug was introduced recently, in version 4.4.5.

    Other Changes

    • Upgraded dependencies and fixed npm audit warnings
    • Formatted codebase with Prettier (#2282)
  • 4.4.2-pr2297.4 - 2026-04-16
  • 4.4.2-pr2297.3 - 2026-04-16
  • 4.4.2-pr2297.2 - 2026-04-16
  • 4.4.2-pr2297.1 - 2026-04-16
  • 4.4.1 - 2026-03-24

    This release introduces Blob Offloading and String Offloading for Dexie Cloud, enabling efficient handling of large binary and text data. It also includes IDB 3.0 optimizations and several bug fixes.

    Related Package Releases

    Package Version
    dexie 4.4.1
    dexie-cloud-addon 4.4.6
    dexie-cloud-common 1.0.59
    dexie-react-hooks 4.4.0
    dexie-export-import 4.4.0

    New Features

    ⚡ IDB 3.0 Optimizations

    Leverages IndexedDB 3.0 getAll(options) for more efficient key range queries, reducing overhead for collection operations.

    📦 Blob Offloading for Dexie Cloud

    Large binary data (Blob, File, ArrayBuffer, TypedArray) is now automatically offloaded to cloud blob storage during sync. Data is stored normally in IndexedDB — offloading happens transparently during the sync process.

    • Automatic offloading: Binaries ≥ 4 KB are offloaded to blob storage during sync
    • Lazy resolution: BlobRefs are resolved back to their original types on first read
    • Optional Lazy blob mode: Configure blobMode: 'lazy' to download blobs on-demand instead of eagerly after sync (default is 'eager')
    • Progress tracking: Observable db.cloud.blobProgress for download progress
    import Dexie from 'dexie';
    import dexieCloud from 'dexie-cloud-addon';

    const db = new Dexie('mydb', { addons: [dexieCloud] });
    db.version(1).stores({ photos: '@ id, title' });
    db.cloud.configure({ databaseUrl: '...', blobMode: 'eager' });

    // Store binary data — syncs normally, offloads transparently
    await db.photos.add({
    title: 'Vacation',
    image: new Blob([imageData], { type: 'image/jpeg' })
    });

    📝 String Offloading for Dexie Cloud

    Long strings are now offloaded to blob storage during sync, keeping IndexedDB data compact while preserving full string content in the cloud.

    • Configurable threshold: maxStringLength option (default: 32768 characters)
    • Transparent: Offloaded strings resolve back to regular strings on read
    • IndexedDB unchanged: Full strings remain in local IndexedDB
    db.cloud.configure({
      databaseUrl: '...',
      maxStringLength: 32768 // Strings longer than this are offloaded (default)
    });

    Bug Fixes

    • fix(dexie-export-import): Fix UTF-8 corruption for non-ASCII strings during import (#2259)
    • fix(dexie-cloud): Always offload Blob/File objects regardless of size (#2182)
    • fix(react-hooks): Avoid direct React.use access for React < 19
    • fix(dexie): liveQuery could miss to emit values in certain rare circumstances

    Other Changes

    • feat(dexie-cloud): Add copy-to-clipboard button for whitelist command (#2261)
    • Use FinalizationRegistry for Dexie.connections and enforce maxConnections (#2254)
  • 4.4.0 - 2026-03-18

    v4.4.0

  • 4.3.0 - 2025-12-20

    This release introduces Social Authentication for Dexie Cloud, allowing users to sign in with Google, GitHub, Microsoft, Apple, or custom OAuth2 providers as an alternative to email OTP authentication.

    Related Package Releases

    Package Version
    dexie 4.3.0
    dexie-cloud-addon 4.3.9
    dexie-react-hooks 4.2.2-beta.2

    New Features

    🔐 Social Authentication for Dexie Cloud

    Dexie Cloud now supports OAuth 2.0 social login providers as an alternative to the existing OTP (One-Time Password) email authentication.

    Supported Providers:

    • Google
    • GitHub
    • Microsoft
    • Apple
    • Custom OAuth2 providers

    The Dexie Cloud server acts as an OAuth broker, handling all provider interactions. The client library never receives provider tokens—only Dexie Cloud authorization codes which are exchanged for Dexie Cloud tokens.

    Usage:

    Social auth is enabled by default on the client but need to be configured in manager first. When db.cloud.login() is called, users will see a provider selection dialog if OAuth providers are configured on the server.

    // Initiate login - shows provider selection if available
    await db.cloud.login();

    // Or specify a provider directly
    await db.cloud.login({ provider: 'google' });

    Configuration Options:

    https://manager.dexie.cloud
    });">
    db.cloud.configure({
    databaseUrl: 'https://mydb.dexie.cloud',

    // Enable/disable social auth (default: true)
    socialAuth: true, // also configure in https://manager.dexie.cloud
    });

    ⚡ Suspense Support in dexie-react-hooks (Experimental)

    Requires installation of dexie-react-hooks@4.2.1-beta.1

    New experimental hooks for React Suspense integration:

    import { useSuspendingLiveQuery, useSuspendingObservable } from 'dexie-react-hooks';

    function useYoungFriends(ageLimit: number) {
    return useSuspendingLiveQuery(
    () => db.friends.where('age').below(ageLimit).toArray(),
    ["useYoungFriends", ageLimit]
    );
    }

    function MyComponent() {
    // Suspends until data is available - no undefined state!
    const friends = useYoungFriends(30);

    // friends is guaranteed to be defined here
    return <FriendList friends={friends} />;
    }

    // Wrap with Suspense boundary
    function App() {
    return (
    <Suspense fallback={<Loading />}>
    <MyComponent />
    </Suspense>
    );
    }

    dexie-cloud-addon Changes

    New Exports

    • AuthProvidersResponse - Type for the /auth-providers endpoint response
    • OAuthProviderInfo - Type for OAuth provider metadata

    New API Methods

    • db.cloud.getAuthProviders() - Fetches available authentication providers from the server

    Extended LoginHints Interface for db.cloud.login()

    interface LoginHints {
      email?: string;
      userId?: string;
      grant_type?: 'demo' | 'otp';
      otpId?: string;
      otp?: string;
      provider?: string;      // OAuth provider name (e.g., 'google', 'github')
      oauthCode?: string;     // Dexie Cloud authorization code from OAuth callback
      redirectPath?: string;  // Optional redirect path for OAuth redirect URI
    }

    New Configuration Options

    interface DexieCloudOptions {
    // ... existing options ...

/** Enable social/OAuth authentication.
* - true (default): Fetch providers from server, show if available
* - false: Disable OAuth, always use OTP flow
*/
socialAuth?: boolean;

/** Redirect URI for OAuth callback.
* Defaults to window.location.href for web SPAs.
* For Capacitor/native apps, set to a custom URL scheme.
*/
oauthRedirectUri?: string;
}

Default UI Updates

The default login GUI now includes:

  • Provider selection dialog when OAuth providers are available
  • Branded buttons for each OAuth provider
  • Seamless fallback to OTP when no providers are configured

Documentation

Migration Notes

This release is fully backward compatible. Social authentication is opt-in and requires server-side configuration of OAuth providers. Existing OTP authentication continues to work as before.

  • 4.2.1 - 2025-10-03

    New package versions

    • dexie@4.2.1
    • y-dexie@4.2.1
    • dexie-cloud-addon@4.2.2

    dexie

    • Resolve issue #2186 by letting an external closure of the DB make it behave identical to explicit closing the database, except that we still respect autoOpen option by @ dfahlander in #2187
    • Feature: Table.upsert() by @ dfahlander in #2203

    dexie-cloud-addon

    y-dexie

    • Updated README

    Full Changelog: v4.2.0...v4.2.1

  • from dexie GitHub release notes

    Important

    • Check the changes in this PR to ensure they won't cause issues with your project.
    • This PR was automatically created by Snyk using the credentials of a real user.

    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

    For more information:

    @socket-security

    Copy link
    Copy Markdown

    Review the following changes in direct dependencies. Learn more about Socket for GitHub.

    Diff Package Supply Chain
    Security
    Vulnerability Quality Maintenance License
    Updateddexie@​4.2.1 ⏵ 4.4.310010010094 +1100

    View full report

    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

    Labels

    None yet

    Projects

    None yet

    Development

    Successfully merging this pull request may close these issues.

    2 participants