refactor(next-auth): modernize URL handling and remove legacy oauth dependency

.changeset/fix-pr23-feedback.md

@@ -0,0 +1,37 @@
+---
+"@opensourceframework/next-csrf": minor
+"@opensourceframework/next-auth": patch
+"@opensourceframework/critters": patch
+"@opensourceframework/next-cookies": patch
+"@opensourceframework/next-pwa": patch
+"@opensourceframework/next-images": patch
+"@opensourceframework/next-optimized-images": patch
+"@opensourceframework/next-iron-session": patch
+"@opensourceframework/next-compose-plugins": minor
+"@opensourceframework/next-connect": patch
+"@opensourceframework/next-transpile-modules": minor
+"@opensourceframework/next-json-ld": patch
+"@opensourceframework/next-mdx": minor
+"@opensourceframework/next-mdx-toc": patch
+"@opensourceframework/next-seo": patch
+"@opensourceframework/next-session": patch
+"@opensourceframework/react-a11y-utils": patch
+"@opensourceframework/react-query-auth": patch
+"@opensourceframework/react-virtualized": patch
+"@opensourceframework/seeded-rng": patch
+"@opensourceframework/next-circuit-breaker": patch
+---
+
+- **next-csrf**: Added App Router support with `verifyCsrfToken` and automated tests.
+- **next-auth**: Migrated client tests to Vitest and MSW v2, resolving CI regressions and modernization requirements.
+- **critters**: Fixed security vulnerabilities and functional bugs, and cleaned up source files.
+- **next-cookies**: Fixed `useCookies` state update issues and added comprehensive unit tests.
+- **next-pwa**: Improved test discoverability and added E2E test scripts.
+- **next-images**: Repositioned as a supported compatibility-first fork, removed deprecation metadata, refreshed docs, and added regression tests for webpack behavior.
+- **next-optimized-images**: Replaced the vulnerable `imagemin`/`file-type` path with an internal optimizer loader while keeping the compatibility-focused API intact.
+- **next-compose-plugins**: Added support for async plugin functions and async `next.config.js` for Next.js 16 compatibility.
+- **next-transpile-modules**: Added support for Next.js 13+ native `transpilePackages` for better performance and Turbopack compatibility.
+- **next-mdx**: Modernized with current `next-mdx-remote` support, improved config resolution, and removed the prior security advisory.
+- **next-mdx-toc**: Migrated to Vitest and verified compatibility with modernized `next-mdx`.
+- **react-virtualized**: Stabilized the Vitest/jsdom harness, restored missing test dependencies, and fixed mount-time scrolling regressions.
+- **Package metadata**: Published packages now point to the canonical monorepo metadata and include `llms.txt` in tarballs where package-level guidance exists.

.github/workflows/bundle-size.yml

@@ -13,6 +13,17 @@ jobs:
       - uses: pnpm/action-setup@v3
         with:
           version: 9
+
+      - name: Cache pnpm store
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.pnpm-store
+            ~/.local/share/pnpm/store
+            ~/.cache/pnpm
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:

.github/workflows/ci.yml

@@ -7,50 +7,68 @@ on:
     branches: [main]
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'push' }}
 
 jobs:
+  prepare-deps:
+    name: Prepare Dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v3
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
   # Matrix testing across Node versions and OS
   test-matrix:
+    needs: [prepare-deps]
     name: Test (Node ${{ matrix.node }}, ${{ matrix.os }})
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         node: [18, 20, 22]
-        os: [ubuntu-latest, windows-latest, macos-latest]
+        os: [ubuntu-latest, macos-latest]
         exclude:
-          # Skip some combinations to reduce CI time
-          - node: 18
-            os: windows-latest
           - node: 22
             os: macos-latest
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v3
         with:
           version: 9
-      
+
       - name: Setup Node.js ${{ matrix.node }}
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node }}
           cache: 'pnpm'
-      
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-      
+
       - name: Test
         run: pnpm test:coverage
         if: matrix.os == 'ubuntu-latest' && matrix.node == 20
-      
+
       - name: Test (no coverage)
         run: pnpm test
         if: matrix.os != 'ubuntu-latest' || matrix.node != 20
-      
+
       - name: Upload Coverage
         if: matrix.os == 'ubuntu-latest' && matrix.node == 20
         uses: codecov/codecov-action@v4
@@ -59,75 +77,101 @@ jobs:
           fail_ci_if_error: false
 
   lint:
+    needs: [prepare-deps]
     name: Lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v3
         with:
           version: 9
-      
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'pnpm'
-      
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-      
+
       - name: Lint
         run: pnpm lint
 
   typecheck:
+    needs: [prepare-deps]
     name: Type Check
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v3
         with:
           version: 9
-      
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'pnpm'
-      
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-      
+
       - name: Type Check
         run: pnpm typecheck
 
+  compat:
+    needs: [prepare-deps]
+    name: Compatibility Smoke
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v3
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run Compatibility Smoke Checks
+        run: pnpm test:compat
+
   build:
     name: Build
     runs-on: ubuntu-latest
-    needs: [lint, typecheck, test-matrix]
+    needs: [lint, typecheck, test-matrix, compat]
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v3
         with:
           version: 9
-      
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'pnpm'
-      
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-      
+
       - name: Build
         run: pnpm build
-      
+
       - name: Upload Build Artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -136,35 +180,35 @@ jobs:
           retention-days: 7
 
   security:
+    needs: [prepare-deps]
     name: Security Audit
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v3
         with:
           version: 9
-      
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'pnpm'
-      
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-      
+
       - name: Run Security Audit
         run: pnpm audit --audit-level=moderate
-        continue-on-error: true
-
-      # Snyk security scan for vulnerability detection
-      # Note: The SNYK_TOKEN is automatically masked by GitHub Actions and will not appear in logs.
-      # For detailed vulnerability reports, monitor the Snyk dashboard directly at https://snyk.io
-      # rather than relying solely on CI output.
+
       - name: Run Snyk Security Scan
+        if: ${{ secrets.SNYK_TOKEN != '' }}
         uses: snyk/actions/node@master
-        continue-on-error: true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Report missing Snyk configuration
+        if: ${{ secrets.SNYK_TOKEN == '' }}
+        run: echo "Snyk scan skipped because SNYK_TOKEN is not configured." >> $GITHUB_STEP_SUMMARY

.github/workflows/release.yml

@@ -34,8 +34,8 @@ jobs:
         id: changesets
         uses: changesets/action@v1
         with:
-          publish: pnpm release
-          version: pnpm version-packages
+          publish: pnpm run publish
+          version: pnpm run release
           commit: 'chore(release): version packages'
           title: 'chore(release): version packages'
         env:
@@ -45,4 +45,4 @@ jobs:
       - name: Send Notification
         if: steps.changesets.outputs.published == 'true'
         run: |
-          echo "Packages were published: ${{ steps.changesets.outputs.publishedPackages }}"
+          echo "Packages were published: ${{ steps.changesets.outputs.publishedPackages }}"

.github/workflows/security-audit.yml

@@ -17,33 +17,47 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
-      
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v3
         with:
           version: 9
-
+
+      - name: Cache pnpm store
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.pnpm-store
+            ~/.local/share/pnpm/store
+            ~/.cache/pnpm
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-      
+
       - name: Run npm audit
         run: pnpm audit --audit-level=moderate
-        continue-on-error: true
-
+
       - name: Run Snyk Security Scan
+        if: ${{ secrets.SNYK_TOKEN != '' }}
         uses: snyk/actions/node@master
-        continue-on-error: true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
+
+      - name: Report missing Snyk configuration
+        if: ${{ secrets.SNYK_TOKEN == '' }}
+        run: echo "Snyk scan skipped because SNYK_TOKEN is not configured." >> $GITHUB_STEP_SUMMARY
+
       - name: Generate Security Report
         if: always()
         run: |
           echo "## Security Audit Report" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Run completed at: $(date)" >> $GITHUB_STEP_SUMMARY
+          echo "Run completed at: $(date)" >> $GITHUB_STEP_SUMMARY

.gitignore

@@ -42,3 +42,4 @@ coverage/
 .eslintcache
 
 # npm config (contains sensitive tokens)
+.desloppify/

.husky/pre-commit

@@ -1,8 +1 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
-# Run lint-staged
-npx lint-staged
-
-# Check types (optional - can be slow)
-# npx turbo run typecheck --silent
+pnpm exec lint-staged