Skip to content

fix: repair main CI formatting and proxy deploy#13444

Merged
Bekacru merged 2 commits into
mainfrom
fix/main-ci-format-and-proxy-pin
Jun 11, 2026
Merged

fix: repair main CI formatting and proxy deploy#13444
Bekacru merged 2 commits into
mainfrom
fix/main-ci-format-and-proxy-pin

Conversation

@Bekacru

@Bekacru Bekacru commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

☕️ Reasoning

Two unrelated breakages on main, fixed together:

1. Release workflow failing on pnpm format

The "Check formatting" step fails on packages/core/test/actions/callback.test.ts (introduced in 9f7a97f) — one line exceeds prettier's print width. Ran prettier --write on the file; no behavioural change.

2. Proxy Vercel deploys failing on @auth/core/providers/vipps

apps/proxy declares "@auth/core": "latest" and is outside the pnpm workspace, so every Vercel deploy resolves latest fresh from npm. The latest dist-tag currently points to 0.34.3 — a backport patch published (2025-10-29) after 0.41.1, which moved the tag backwards. 0.34.3 predates the Vipps provider (added in 0.35.0), so the edge function build fails on @auth/core/providers/vipps.

This PR pins ^0.41.2 so proxy deploys no longer depend on dist-tag state.

Note for maintainers: the dist-tag itself should also be repaired, since anyone installing @auth/core today gets 0.34.3:

npm dist-tag add @auth/core@0.41.2 latest

and future backports should be published with an explicit --tag so they don't capture latest.

🧢 Checklist

  • Documentation (n/a)
  • Tests (formatting only; existing tests pass)
  • Ready to be merged

Bekacru added 2 commits June 11, 2026 10:44
The npm latest dist-tag for @auth/core currently points to 0.34.3, a
backport patch published after 0.41.x. That version predates the Vipps
provider, so every fresh Vercel deploy of the proxy fails to resolve
@auth/core/providers/vipps. Pinning a caret range keeps deploys
reproducible and immune to dist-tag movement.
@vercel

vercel Bot commented Jun 11, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
auth-docs Ready Ready Preview, Comment Jun 11, 2026 5:50pm
2 Skipped Deployments
Project Deployment Actions Updated (UTC)
next-auth-docs Ignored Ignored Preview Jun 11, 2026 5:50pm
proxy Ignored Ignored Jun 11, 2026 5:50pm

Request Review

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Authorization Bypass in Next.js Middleware

CVE: GHSA-f82v-jwr5-mffw Authorization Bypass in Next.js Middleware (CRITICAL)

Affected versions: >= 13.0.0 < 13.5.9; >= 14.0.0 < 14.2.25; >= 15.0.0 < 15.2.3; >= 12.0.0 < 12.3.5

Patched version: 14.2.25

From: apps/examples/nextjs-pages/package.jsonnpm/next@14.2.3

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@14.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @auth/core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: apps/examples/qwik/pnpm-lock.yamlnpm/@auth/qwik@0.7.1npm/@auth/core@0.39.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@auth/core@0.39.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @types/node is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: apps/examples/nextjs-pages/package.jsonnpm/@types/node@18.19.33

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/node@18.19.33. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: apps/examples/nextjs-pages/pnpm-lock.yamlnpm/autoprefixer@10.4.19npm/next@14.2.3npm/caniuse-lite@1.0.30001617

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001617. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@codecov

codecov Bot commented Jun 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@9f7a97f). Learn more about missing BASE report.
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #13444   +/-   ##
=======================================
  Coverage        ?   39.34%           
=======================================
  Files           ?      200           
  Lines           ?    32375           
  Branches        ?     1413           
=======================================
  Hits            ?    12738           
  Misses          ?    19637           
  Partials        ?        0           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Bekacru Bekacru merged commit de125ba into main Jun 11, 2026
14 of 15 checks passed
@Bekacru Bekacru deleted the fix/main-ci-format-and-proxy-pin branch June 11, 2026 17:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant