feat(next-json-ld): modernize for Next.js 16 and React 19 #40
riceharvest wants to merge 75 commits into main from
- Upgraded multiple packages to modern standards (Next.js, Next-auth, PWA, SEO).
- Added new utility packages: critters, next-circuit-breaker, next-csrf, next-images, next-json-ld.
- Integrated Changesets for versioning.
- Updated CI/CD workflows and linting configurations.
- Fixed numerous linting and type-checking issues across the monorepo.

- Remove legacy NextAuth adapters and resolve workspace version conflicts
- Clean up test warning noise and fix tsconfig/jest setups for next-auth
- Update Workbox/Terser dependencies in next-pwa to align with workspace
- Synchronize root lockfile to reflect nested package resolutions

Fixes `JWT_AUTO_GENERATED_SIGNING_KEY` and `JWT_AUTO_GENERATED_ENCRYPTION_KEY` warnings properly by supplying JWKs directly in the test suite rather than mocking the logger.
Review Summary by Qodo
Modernize monorepo for Next.js 16 and React 19 with Web API support and comprehensive enhancements
Walkthroughs
Description
• **Modernized Next.js and React support**: Upgraded to Next.js 16 and React 19 with updated peer dependencies
• **Web API compatibility**: Added support for standard Web Request/Response APIs across multiple packages (next-session, next-csrf)
• **Enhanced CSRF protection**: Implemented App Router support, improved token extraction/validation, and separated cookie security options
• **MDX improvements**: Added comprehensive node retrieval, caching, configuration loading, file discovery, and table of contents generation
• **Test framework migrations**: Migrated from Jest to Vitest and from Vitest to Node.js native test runner for better compatibility
• **OAuth modernization**: Removed external oauth package dependency with native fetch-based implementation
• **Bug fixes**: Improved CSS inlining safety in critters, enhanced container detection robustness
• **Type system enhancements**: Added TypeScript definitions for PWA plugin, improved adapter type definitions, updated OAuth provider types
• **Build configuration updates**: Simplified and modernized tsup and vitest configurations across packages
• **Authentication examples**: Added complete Vite example with MSW mocks, API client, and authentication configuration
Diagram
flowchart LR
A["Next.js 16<br/>React 19"] -->|"Upgrade"| B["Core Packages"]
B -->|"Add Web API"| C["next-session<br/>next-csrf"]
B -->|"Enhance"| D["MDX System<br/>Authentication"]
B -->|"Migrate Tests"| E["Jest → Vitest<br/>Vitest → Node.js"]
B -->|"Modernize"| F["OAuth Client<br/>Type Definitions"]
C -->|"Support"| G["Standard Request/<br/>Response APIs"]
D -->|"Implement"| H["Node Retrieval<br/>Config Loading<br/>TOC Generation"]
F -->|"Remove"| I["External oauth<br/>Package"]
File Changes
1. packages/next-images/test/index.test.ts
Code Review by Qodo
1. vitest.config.js uses double quotes
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e1b0f8ba91
| return { | ||
| getOAuthAccessToken: (code, codeVerifier) => getOAuth2AccessToken(code, provider, codeVerifier), | ||
| get: (accessToken, results) => getOAuth2(provider, accessToken, results) | ||
| } |
Preserve OAuth2 client method expected by callback flow
Return object for OAuth2 providers no longer exposes useAuthorizationHeaderforGET, but oAuthCallback still calls client.useAuthorizationHeaderforGET(...) before requesting tokens (packages/next-auth/src/server/lib/oauth/callback.js). In OAuth2 sign-in callbacks this becomes a runtime TypeError and aborts authentication for providers like Google/GitHub, so the new client interface is not compatible with the existing callback path.
| async getOAuthRequestToken(params = {}) { | ||
| // Implement OAuth 1.0a request token logic | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client. Please use OAuth 2.0 or contact maintainers.") |
Implement OAuth1 client methods instead of hard-failing
OAuth1 support now instantiates OAuth1Client, but its request-token/access-token/profile methods immediately throw "not yet fully implemented". Any OAuth1 provider flow (for example Twitter version: "1.0A") will fail at runtime during callback processing, which is a regression from the previous working OAuth1 implementation.
| import { defineConfig } from "vitest/config" | ||
|
|
||
| export default defineConfig({ | ||
| test: { | ||
| globals: true, | ||
| env: { | ||
| NEXTAUTH_URL: "http://localhost:3000/api/auth", | ||
| }, | ||
| }, | ||
| }) |
1. vitest.config.js uses double quotes 📘 Rule violation ✓ Correctness
The newly added vitest.config.js uses double quotes and omits semicolons, conflicting with the repo’s Prettier style expectations. This can cause inconsistent formatting and CI/pre-commit formatting churn.
Agent Prompt
## Issue description
The newly added `vitest.config.js` does not match the repository Prettier conventions (double quotes and missing semicolons).
## Issue Context
Compliance requires Prettier defaults for consistent formatting across the monorepo.
## Fix Focus Areas
- vitest.config.js[1-10]
| const withOptimizedImages = require('../lib'); | ||
|
|
||
| const getNextConfig = (options, webpackOptions = {}) => { | ||
| const webpackConfig = { | ||
| module: { |
2. index.test.js breaks test naming 📘 Rule violation ⛯ Reliability
A new test file was added with a .test.js suffix instead of the required *.test.ts/*.test.tsx convention. This can complicate consistent test discovery and enforcement across packages.
Agent Prompt
## Issue description
A newly added test file uses `.test.js`, but the repository convention requires `*.test.ts` or `*.test.tsx`.
## Issue Context
Standardized test naming improves consistent discovery across packages and tooling.
## Fix Focus Areas
- packages/next-optimized-images/__tests__/index.test.js[1-5]
| export default function oAuthClient(provider) { | ||
| if (provider.version?.startsWith("2.")) { | ||
| // Handle OAuth v2.x | ||
| const authorizationUrl = new URL(provider.authorizationUrl) | ||
| const basePath = authorizationUrl.origin | ||
| const authorizePath = authorizationUrl.pathname | ||
| const accessTokenPath = new URL(provider.accessTokenUrl).pathname | ||
| const oauth2Client = new OAuth2( | ||
| provider.clientId, | ||
| provider.clientSecret, | ||
| basePath, | ||
| authorizePath, | ||
| accessTokenPath, | ||
| provider.headers | ||
| ) | ||
| oauth2Client.getOAuthAccessToken = getOAuth2AccessToken | ||
| oauth2Client.get = getOAuth2 | ||
| return oauth2Client | ||
| } | ||
| // Handle OAuth v1.x | ||
| const oauth1Client = new OAuth( | ||
| provider.requestTokenUrl, | ||
| provider.accessTokenUrl, | ||
| provider.clientId, | ||
| provider.clientSecret, | ||
| provider.version || "1.0", | ||
| provider.callbackUrl, | ||
| provider.encoding || "HMAC-SHA1" | ||
| ) | ||
|
|
||
| // Promisify get() and getOAuth2AccessToken() for OAuth1 | ||
| const originalGet = oauth1Client.get.bind(oauth1Client) | ||
| oauth1Client.get = (...args) => { | ||
| return new Promise((resolve, reject) => { | ||
| originalGet(...args, (error, result) => { | ||
| if (error) { | ||
| return reject(error) | ||
| } | ||
| resolve(result) | ||
| }) | ||
| }) | ||
| } | ||
| const originalGetOAuth1AccessToken = | ||
| oauth1Client.getOAuthAccessToken.bind(oauth1Client) | ||
| oauth1Client.getOAuthAccessToken = (...args) => { | ||
| return new Promise((resolve, reject) => { | ||
| // eslint-disable-next-line camelcase | ||
| originalGetOAuth1AccessToken( | ||
| ...args, | ||
| (error, oauth_token, oauth_token_secret, params) => { | ||
| if (error) { | ||
| return reject(error) | ||
| } | ||
|
|
||
| resolve({ | ||
| // TODO: Remove, this is only kept for backward compativility | ||
| // These are not in the OAuth 1.x spec | ||
| accessToken: oauth_token, | ||
| refreshToken: oauth_token_secret, | ||
| results: params, | ||
|
|
||
| oauth_token, | ||
| oauth_token_secret, | ||
| params, | ||
| }) | ||
| } | ||
| ) | ||
| }) | ||
| return { | ||
| getOAuthAccessToken: (code, codeVerifier) => getOAuth2AccessToken(code, provider, codeVerifier), | ||
| get: (accessToken, results) => getOAuth2(provider, accessToken, results) | ||
| } |
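Review bot: In the returned object at the end of this hunk, `getOAuthAccessToken` and `get` each declare two parameters and close over `provider`, while the earlier lines assigned `getOAuth2AccessToken` and `getOAuth2` directly onto the client, so a caller that still passes `provider` positionally now puts it where `codeVerifier` or `accessToken` is expected. Either keep the previous parameter order on the returned methods or update every call site in the same change, and add a test that pins the shape of the returned client.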
3. Oauth2 client api broken 🐞 Bug ✓ Correctness
packages/next-auth OAuth2 oAuthClient() now returns an object without useAuthorizationHeaderforGET and with getOAuthAccessToken/get signatures that no longer match the existing oAuthCallback() call sites, causing OAuth2 callbacks to throw and/or pass misordered arguments. This breaks OAuth2 login flows before token exchange and profile fetch.
Agent Prompt
## Issue description
OAuth2 authentication is broken because `oAuthClient()` now returns a different client shape/signature than what `oAuthCallback()` expects: `useAuthorizationHeaderforGET` no longer exists, and `getOAuthAccessToken`/`get` parameter ordering no longer matches the call sites.
## Issue Context
`oAuthCallback()` still calls:
- `client.useAuthorizationHeaderforGET(...)`
- `client.getOAuthAccessToken(code, provider, pkce.code_verifier)`
- `client.get(provider, tokens.accessToken, tokens)`
But the new OAuth2 client returned by `oAuthClient()` only exposes:
- `getOAuthAccessToken(code, codeVerifier)`
- `get(accessToken, results)`
So OAuth2 callbacks will throw and/or shift arguments.
## Fix Focus Areas
- packages/next-auth/src/server/lib/oauth/client.js[11-21]
- packages/next-auth/src/server/lib/oauth/callback.js[38-62]
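The mismatch described in the comment above, as an added example that is not code from the pull request or from next-auth: the client shape and the call orders are the ones quoted in the comment, while the recorder helper, the contract table and all sample values are constructed. It shows that with the callback's argument order the provider object lands in the PKCE `codeVerifier` position.

```javascript
// Added example: constructed stand-ins, not next-auth source.
// What oAuthCallback() calls on an OAuth2 client, per the review comment:
// method name -> number of positional arguments passed (null = not quoted).
const CALLBACK_CONTRACT = {
  useAuthorizationHeaderforGET: null,
  getOAuthAccessToken: 3, // (code, provider, pkce.code_verifier)
  get: 3, // (provider, tokens.accessToken, tokens)
}

// Returns a list of contract violations (empty list = compatible).
function checkClientContract(client, contract = CALLBACK_CONTRACT) {
  const problems = []
  for (const [name, argc] of Object.entries(contract)) {
    if (typeof client[name] !== "function") {
      problems.push(`missing method: ${name}`)
    } else if (argc !== null && client[name].length !== argc) {
      problems.push(`${name} declares ${client[name].length} params, callback passes ${argc}`)
    }
  }
  return problems
}

// New client shape from the review; the helpers are hypothetical recorders.
function makeNewClient(provider, seen) {
  const getOAuth2AccessToken = (code, prov, codeVerifier) => {
    seen.push({ code, prov, codeVerifier })
    return { accessToken: "constructed-token" }
  }
  const getOAuth2 = (prov, accessToken, results) => ({ prov, accessToken, results })
  return {
    getOAuthAccessToken: (code, codeVerifier) => getOAuth2AccessToken(code, provider, codeVerifier),
    get: (accessToken, results) => getOAuth2(provider, accessToken, results),
  }
}

// Replays the token call with the callback's argument order and reports
// what reached the helper in the codeVerifier position.
function replayTokenCall() {
  const provider = { id: "constructed-provider" }
  const seen = []
  const client = makeNewClient(provider, seen)
  client.getOAuthAccessToken("constructed-code", provider, "constructed-verifier")
  return {
    verifierIsProvider: seen[0].codeVerifier === provider,
    problems: checkClientContract(client),
  }
}
```

`Function.length` ignores rest and default parameters, so treat the arity check as a smoke test that runs alongside a real callback test.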
| async getOAuthRequestToken(params = {}) { | ||
| // Implement OAuth 1.0a request token logic | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client. Please use OAuth 2.0 or contact maintainers.") | ||
| } | ||
|
|
||
| async getOAuthAccessToken(oauth_token, oauth_token_secret, oauth_verifier) { | ||
| // Implement OAuth 1.0a access token logic | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client.") | ||
| } | ||
|
|
||
| async get(url, oauth_token, oauth_token_secret) { | ||
| // Implement OAuth 1.0a authenticated request | ||
| throw new Error("OAuth 1.0a is not yet fully implemented in the native client.") | ||
| } |
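Review bot: All three methods in this hunk throw unconditionally, so an OAuth 1.0a provider is accepted when the client is built and only fails once a user is in the middle of signing in. Reject such providers when the client is constructed, give the three errors the same wording (only `getOAuthRequestToken` tells the user what to do next), and turn the "Implement OAuth 1.0a ..." comments into a tracked TODO or remove them.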
4. Oauth1 always throws 🐞 Bug ✓ Correctness
For OAuth 1.x providers, packages/next-auth now returns an OAuth1Client whose getOAuthRequestToken/getOAuthAccessToken/get methods throw unconditionally. The OAuth1 branch in oAuthCallback() still calls these methods, so OAuth1 sign-ins will always fail at runtime.
Agent Prompt
## Issue description
OAuth 1.x flows are now guaranteed to fail because `OAuth1Client` methods throw unconditionally while the callback flow still invokes them.
## Issue Context
`oAuthClient()` returns `new OAuth1Client(provider)` for non-2.x providers, and `oAuthCallback()` still runs the OAuth1 path and calls `getOAuthRequestToken`, `getOAuthAccessToken`, and `get`.
## Fix Focus Areas
- packages/next-auth/src/server/lib/oauth/client.js[19-21]
- packages/next-auth/src/server/lib/oauth/client.js[215-238]
- packages/next-auth/src/server/lib/oauth/callback.js[71-87]
| @@ -1,6 +1,6 @@ | |||
| { | |||
| "name": "@opensourceframework/next-json-ld", | |||
| "version": "0.2.1", | |||
| "version": "0.2.0", | |||
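Review bot: The two `"version"` lines show the field going from `0.2.1` to `0.2.0`, a decrement. A version that moves backwards in a feature change is usually a merge or rebase artifact; restore `0.2.1` here and let the release tooling perform any bump.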
5. Version/changelog mismatch 🐞 Bug ⛯ Reliability
@opensourceframework/next-json-ld package.json was changed to version 0.2.0 while the package changelog already contains a 0.2.1 entry. This inconsistency can break or confuse release/versioning and may prevent publishing if 0.2.1 was already released.
Agent Prompt
## Issue description
`packages/next-json-ld/package.json` declares version `0.2.0` while `packages/next-json-ld/CHANGELOG.md` already contains a `0.2.1` entry. This mismatch can cause release/publish failures or incorrect release metadata.
## Issue Context
Versioning and changelog entries should reflect the same current state (or be consistently managed by the release tool).
## Fix Focus Areas
- packages/next-json-ld/package.json[1-5]
- packages/next-json-ld/CHANGELOG.md[1-15]
Superseded by #59 (squash merge of all modernization PRs). Changes included in main.
Closes #22 (roadmap).
`next` to ^16.0.0 and updated `peerDependencies`. `react` and `react-dom` to `devDependencies` and `peerDependencies`.