feat(next-images): modernize for Next.js 16 and React 19 #36
riceharvest wants to merge 71 commits into main from
- Upgraded multiple packages to modern standards (Next.js, Next-auth, PWA, SEO).
- Added new utility packages: critters, next-circuit-breaker, next-csrf, next-images, next-json-ld.
- Integrated Changesets for versioning.
- Updated CI/CD workflows and linting configurations.
- Fixed numerous linting and type-checking issues across the monorepo.

- Remove legacy NextAuth adapters and resolve workspace version conflicts
- Clean up test warning noise and fix tsconfig/jest setups for next-auth
- Update Workbox/Terser dependencies in next-pwa to align with workspace
- Synchronize root lockfile to reflect nested package resolutions
Fixes `JWT_AUTO_GENERATED_SIGNING_KEY` and `JWT_AUTO_GENERATED_ENCRYPTION_KEY` warnings properly by supplying JWKs directly in the test suite rather than mocking the logger.
Review Summary by Qodo
Modernize Next.js ecosystem for Next.js 16 and React 19 with enhanced features and test coverage
Walkthroughs
Description
- **Modernized Next.js ecosystem packages for Next.js 16 and React 19** with comprehensive test coverage improvements and new features
- **Session handling refactored** to support Web API (Request/Response) alongside Node.js APIs via new getWebSession() function and callback-based decorateSession()
- **CSRF protection enhanced** with App Router support, token extraction/validation middleware, and updated cookie handling (httpOnly default changed to false for tokens)
- **MDX package expanded** with new utilities: getMdxNode(), getAllMdxNodes(), configuration loader, file discovery, path generation, and client-side hydration
- **OAuth implementation modernized** by removing external oauth package dependency and using native fetch API with async/await patterns
- **Test suite migrations** across multiple packages: vitest to Node.js native testing, Jest to Vitest, with simplified test coverage focusing on core functionality
- **New packages and features**: MDX table of contents generator, Prisma legacy adapter for next-auth, react-query-auth example with MSW mock server, image optimization loaders
- **Bug fixes** in critters for CSS inlining safety and container detection robustness
- **Build configuration updates** for multiple packages with simplified tsup and vitest configurations
- **Type definitions added** for PWA plugin, react-virtualized, and MDX client exports

Diagram
```mermaid
flowchart LR
  A["Next.js 16<br/>React 19"] -->|"Upgrade"| B["Core Packages"]
  B -->|"Refactor"| C["Session API<br/>Web + Node.js"]
  B -->|"Enhance"| D["CSRF<br/>App Router"]
  B -->|"Expand"| E["MDX<br/>Utilities"]
  B -->|"Modernize"| F["OAuth<br/>Native Fetch"]
  G["Test Suites"] -->|"Migrate"| H["Vitest<br/>Node.js native"]
  H -->|"Simplify"| I["Focused<br/>Coverage"]
  J["New Features"] -->|"Add"| K["Auth Examples<br/>MSW Server"]
  J -->|"Add"| L["Image<br/>Optimization"]
  J -->|"Add"| M["Type<br/>Definitions"]
```
File Changes
1. packages/next-images/test/index.test.ts
Code Review by Qodo
1. vitest.config.js not Prettier
|
| import { defineConfig } from "vitest/config" | ||
|
|
||
| export default defineConfig({ | ||
| test: { | ||
| globals: true, | ||
| env: { | ||
| NEXTAUTH_URL: "http://localhost:3000/api/auth", | ||
| }, | ||
| }, | ||
| }) |
1. vitest.config.js not prettier 📘 Rule violation ✓ Correctness
The newly added vitest.config.js does not match the stated Prettier defaults (uses double quotes and omits semicolons/trailing commas). This introduces formatting drift and will likely fail formatting checks if Prettier is enforced in CI.
Agent Prompt
## Issue description
`vitest.config.js` is not formatted according to the repository's Prettier standards (double quotes and missing semicolons).
## Issue Context
This file is newly added, so formatting drift is introduced by this PR and may cause CI/lint failures or style inconsistency.
## Fix Focus Areas
- vitest.config.js[1-10]
| return { | ||
| getOAuthAccessToken: (code, codeVerifier) => getOAuth2AccessToken(code, provider, codeVerifier), | ||
| get: (accessToken, results) => getOAuth2(provider, accessToken, results) | ||
| } |
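Review bot: The `getOAuthAccessToken: (code, codeVerifier)` and `get: (accessToken, results)` wrappers forward whatever lands in their second and first positions without checking it, so a caller that still uses a different argument order would pass a non-string value through as the PKCE verifier or bearer token with no error at this layer. Suggest rejecting non-string `codeVerifier` and `accessToken` values here with a `TypeError` and documenting the new signature next to the returned object, so a mismatch fails loudly before any request is sent.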
2. Oauth2 client api break 🐞 Bug ✓ Correctness
packages/next-auth/src/server/lib/oauth/client.js now returns an OAuth2 client object that does not implement the methods/signatures used by the existing sign-in and callback handlers, causing OAuth2 login flows to throw (e.g., missing getAuthorizeUrl/useAuthorizationHeaderforGET) and to pass wrong arguments (provider object used as code_verifier / accessToken).
Agent Prompt
### Issue description
`oAuthClient()` was refactored to return a minimal OAuth2 client object, but existing NextAuth OAuth2 sign-in/callback code still expects the previous client interface (e.g., `getAuthorizeUrl()`, `useAuthorizationHeaderforGET()`, and `getOAuthAccessToken(code, provider, codeVerifier)` / `get(provider, accessToken, tokens)`). This causes runtime failures and incorrect token exchange/profile fetch arguments.
### Issue Context
- OAuth2 sign-in uses `client.getAuthorizeUrl(...)`.
- OAuth2 callback uses `client.useAuthorizationHeaderforGET(...)`, calls `client.getOAuthAccessToken(code, provider, pkce.code_verifier)`, and fetches profile via `client.get(provider, tokens.accessToken, tokens)`.
- The new OAuth2 client returned by `oAuthClient()` only implements `getOAuthAccessToken(code, codeVerifier)` and `get(accessToken, results)`.
### Fix Focus Areas
- packages/next-auth/src/server/lib/oauth/client.js[11-17]
- packages/next-auth/src/server/lib/signin/oauth.js[14-38]
- packages/next-auth/src/server/lib/oauth/callback.js[38-63]
| async getOAuthRequestToken(params = {}) { | ||
| // Implement OAuth 1.0a request token logic | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client. Please use OAuth 2.0 or contact maintainers.") | ||
| } | ||
|
|
||
| async getOAuthAccessToken(oauth_token, oauth_token_secret, oauth_verifier) { | ||
| // Implement OAuth 1.0a access token logic | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client.") | ||
| } | ||
|
|
||
| async get(url, oauth_token, oauth_token_secret) { | ||
| // Implement OAuth 1.0a authenticated request | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client.") |
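Review bot: All three methods (`getOAuthRequestToken`, `getOAuthAccessToken`, `get`) carry an "Implement OAuth 1.0a ..." comment but their bodies only throw, and because they are `async` the failure surfaces as a rejected promise at call time, in the middle of a sign-in. Suggest marking the comments as TODO, using one consistent error message (only the first mentions using OAuth 2.0 or contacting maintainers), and failing when the client is created for an OAuth 1.0a provider so the unsupported configuration is caught at startup rather than during a user's login.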
3. Oauth1 flow not implemented 🐞 Bug ✓ Correctness
packages/next-auth/src/server/lib/oauth/client.js introduces an OAuth1Client whose core methods throw "not yet fully implemented", so any OAuth1 provider (e.g., Twitter) will fail during authorization/callback.
Agent Prompt
### Issue description
OAuth1 providers are broken because `OAuth1Client` methods throw "not yet fully implemented" errors, but OAuth1 flows are still exercised by existing NextAuth code and providers.
### Issue Context
- NextAuth still runs an OAuth v1 callback path that calls `getOAuthRequestToken`, `getOAuthAccessToken`, and `get`.
- At least one bundled provider (`twitter`) declares `version: "1.0A"`.
### Fix Focus Areas
- packages/next-auth/src/server/lib/oauth/client.js[19-21]
- packages/next-auth/src/server/lib/oauth/client.js[215-238]
- packages/next-auth/src/server/lib/oauth/callback.js[71-90]
- packages/next-auth/src/server/lib/signin/oauth.js[39-52]
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 05377ad985
| return { | ||
| getOAuthAccessToken: (code, codeVerifier) => getOAuth2AccessToken(code, provider, codeVerifier), | ||
| get: (accessToken, results) => getOAuth2(provider, accessToken, results) | ||
| } |
Add useAuthorizationHeaderforGET to OAuth2 client shim
The OAuth2 branch now returns a plain object without useAuthorizationHeaderforGET, but oAuthCallback still calls that method unconditionally for OAuth2 providers before exchanging the code. This causes a runtime TypeError for standard OAuth2 sign-ins (for example Google/GitHub flows) before token retrieval, so login breaks for the primary provider path.
Useful? React with 👍 / 👎.
| getOAuthAccessToken: (code, codeVerifier) => getOAuth2AccessToken(code, provider, codeVerifier), | ||
| get: (accessToken, results) => getOAuth2(provider, accessToken, results) |
Forward OAuth2 wrapper arguments in callback order
These wrappers changed the callable signature, but existing callback code still invokes getOAuthAccessToken(code, provider, codeVerifier) and get(provider, accessToken, tokens). With the current closures, arguments are shifted (codeVerifier becomes the provider object and profile calls use the provider object as bearer token), so PKCE exchanges and profile fetches fail even if the missing method issue is fixed.
Useful? React with 👍 / 👎.
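The interface mismatch described in the review comments above can be reproduced offline with recording stubs and turned into a regression check. This is an added example, not code from the pull request or from next-auth: `makeRefactoredClient`, `replayLegacyCallback`, `auditCalls` and the sample provider are hypothetical, and only the method names and call orders are taken from the comments.

```javascript
// Added example: constructed stand-ins, not code from the pull request.
// Method names and call orders are the ones quoted in the review comments.
const REQUIRED_OAUTH2_METHODS = [
  "getAuthorizeUrl",
  "useAuthorizationHeaderforGET",
  "getOAuthAccessToken",
  "get",
];

// Returns the method names the existing handlers need but the client lacks.
function missingClientMethods(client) {
  return REQUIRED_OAUTH2_METHODS.filter((m) => typeof client[m] !== "function");
}

// Recording stubs stand in for getOAuth2AccessToken / getOAuth2 (assumption).
function makeRefactoredClient(provider, calls) {
  const getOAuth2AccessToken = (code, prov, codeVerifier) =>
    calls.push({ fn: "token", code, codeVerifier });
  const getOAuth2 = (prov, accessToken, results) =>
    calls.push({ fn: "profile", accessToken });
  return {
    getOAuthAccessToken: (code, codeVerifier) =>
      getOAuth2AccessToken(code, provider, codeVerifier),
    get: (accessToken, results) => getOAuth2(provider, accessToken, results),
  };
}

// Call the client in the argument order the callback handler is said to use.
function replayLegacyCallback(client, provider) {
  client.getOAuthAccessToken("auth-code", provider, "pkce-verifier");
  client.get(provider, "access-token", {});
}

// Report what each recorded call received where a string secret was expected.
function auditCalls(calls, provider) {
  return calls.map((c) => {
    const value = c.fn === "token" ? c.codeVerifier : c.accessToken;
    return { fn: c.fn, ok: typeof value === "string", gotProvider: value === provider };
  });
}

const provider = { id: "example", version: "2.0" }; // constructed sample
const calls = [];
const client = makeRefactoredClient(provider, calls);
replayLegacyCallback(client, provider);
console.log(missingClientMethods(client), auditCalls(calls, provider));
```

Running `missingClientMethods` against the real client object in the package's test suite would catch this class of break before the sign-in and callback handlers are exercised.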
| async getOAuthRequestToken(params = {}) { | ||
| // Implement OAuth 1.0a request token logic | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client. Please use OAuth 2.0 or contact maintainers.") | ||
| } |
Restore OAuth1 token methods instead of placeholder throws
The OAuth1 path now returns stub methods that always throw "not yet fully implemented" errors, replacing previously functional request/access token exchange logic. Any configured OAuth1 provider (including existing 1.0A provider configs such as Twitter) will now fail during sign-in callback, which is a direct compatibility regression.
Useful? React with 👍 / 👎.
Superseded by #59 (squash merge of all modernization PRs). Changes included in main.
Closes #22 (roadmap).
`next` to ^16.0.0 and updated `peerDependencies` for React 19.