feat(template-generator): upgrade template deps to latest and harden docker templates #1098
AmanVarshney01 wants to merge 2 commits into
Conversation
…docker templates

Dependency upgrades:
- react-router v7 -> v8 (imports unchanged; drop v8_middleware future flag, now default)
- react-router-devtools ^1 -> ^6, @clerk/react-router ^3.5 (RR8-compatible)
- vite-plus 0.1.24 -> 0.2.2; drop discontinued vite-plus-test vitest override
- @tanstack/svelte-query v5 -> v6: thunk options + runes results in svelte templates
- @hono/node-server ^2, stripe SDKs (^9/^6), shiki ^4, nx ^23
- ~140 minor/patch bumps across dependencyVersionMap and template pins
- expo/native pins left untouched (verified against SDK 57 bundledNativeModules)
- remove unused @types/three from electrobun desktop template

Docker template fixes:
- block webDeploy=docker with tauri/electrobun on next/svelte/astro (desktop addons force static export, breaking the SSR docker images)
- copy public/ into next standalone runner when pwa addon emits it
- generate root .env for compose build-arg interpolation (CONVEX_URL, CLERK_PUBLISHABLE_KEY were silently baked empty)
- pin db images (postgres:18, mysql:8.4, mongo:8) and pnpm@11 in Dockerfiles
- add web service healthcheck to generated docker-compose
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cbd68da6ce
| key: "CLERK_PUBLISHABLE_KEY", | ||
| value: "", |
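Review bot: `value: ""` for CLERK_PUBLISHABLE_KEY, paired with the compose default `${CLERK_PUBLISHABLE_KEY:-}` this PR describes, still lets `docker compose build` succeed with an empty publishable key baked into the image whenever the user never edits the root .env; prefer the required form `${CLERK_PUBLISHABLE_KEY:?set CLERK_PUBLISHABLE_KEY in the root .env}` in the compose template (or a generator-side non-empty check) so a missing value fails at build time rather than at first sign-in, and keep this key name identical to the one the generated setup instructions tell users to fill.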
Use the documented Clerk env key for Docker builds
For Docker web deployments with Clerk, this new root .env entry is the only value consumed by the compose build arg (${CLERK_PUBLISHABLE_KEY:-}), but the generated setup instructions and apps/web/.env ask users to fill NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY or VITE_CLERK_PUBLISHABLE_KEY. If they follow those instructions, the Docker image is still built with an empty publishable key for Next/React Router/TanStack frontends, so Clerk auth fails only in the compose build.
Actionable comments posted: 3
🧹 Nitpick comments (1)
packages/template-generator/templates/deploy/docker/web/astro/Dockerfile.hbs (1)
6-6: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
Consider pinning an exact pnpm patch version rather than just the major.
`pnpm@11` floats to the latest 11.x release on every build, which can silently break reproducibility if a future 11.x patch introduces a behavior change (pnpm 11 already required config migrations from v10). Pinning an exact version (e.g. `pnpm@11.9.0`) would make builds fully reproducible while still getting the intended major-version behavior.
📒 Files selected for processing (39)
- apps/cli/src/utils/compatibility-rules.ts
- apps/cli/src/utils/config-validation.ts
- apps/cli/test/addons.test.ts
- apps/cli/test/auth.test.ts
- apps/cli/test/clerk-matrix.test.ts
- apps/cli/test/electrobun-addon.test.ts
- apps/cli/test/external-commands.test.ts
- packages/template-generator/src/post-process/package-configs.ts
- packages/template-generator/src/processors/env-vars.ts
- packages/template-generator/src/templates.generated.ts
- packages/template-generator/src/utils/add-deps.ts
- packages/template-generator/templates/addons/electrobun/apps/desktop/package.json.hbs
- packages/template-generator/templates/auth/better-auth/web/svelte/src/routes/dashboard/+page.svelte.hbs
- packages/template-generator/templates/db-setup/docker-compose/mongodb/docker-compose.yml.hbs
- packages/template-generator/templates/db-setup/docker-compose/mysql/docker-compose.yml.hbs
- packages/template-generator/templates/db-setup/docker-compose/postgres/docker-compose.yml.hbs
- packages/template-generator/templates/deploy/docker/compose/docker-compose.yml.hbs
- packages/template-generator/templates/deploy/docker/server/Dockerfile.hbs
- packages/template-generator/templates/deploy/docker/web/astro/Dockerfile.hbs
- packages/template-generator/templates/deploy/docker/web/nuxt/Dockerfile.hbs
- packages/template-generator/templates/deploy/docker/web/react/next/Dockerfile.hbs
- packages/template-generator/templates/deploy/docker/web/react/react-router/Dockerfile.hbs
- packages/template-generator/templates/deploy/docker/web/react/tanstack-router/Dockerfile.hbs
- packages/template-generator/templates/deploy/docker/web/react/tanstack-start/Dockerfile.hbs
- packages/template-generator/templates/deploy/docker/web/solid/Dockerfile.hbs
- packages/template-generator/templates/deploy/docker/web/svelte/Dockerfile.hbs
- packages/template-generator/templates/examples/todo/web/svelte/src/routes/todos/+page.svelte.hbs
- packages/template-generator/templates/frontend/astro/package.json.hbs
- packages/template-generator/templates/frontend/native/uniwind/package.json.hbs
- packages/template-generator/templates/frontend/nuxt/package.json.hbs
- packages/template-generator/templates/frontend/react/next/package.json.hbs
- packages/template-generator/templates/frontend/react/react-router/package.json.hbs
- packages/template-generator/templates/frontend/react/react-router/react-router.config.ts
- packages/template-generator/templates/frontend/react/tanstack-router/package.json.hbs
- packages/template-generator/templates/frontend/react/tanstack-start/package.json.hbs
- packages/template-generator/templates/frontend/solid/package.json.hbs
- packages/template-generator/templates/frontend/svelte/package.json.hbs
- packages/template-generator/templates/frontend/svelte/src/routes/+page.svelte.hbs
- packages/template-generator/templates/packages/ui/package.json.hbs
💤 Files with no reviewable changes (3)
- apps/cli/test/electrobun-addon.test.ts
- packages/template-generator/templates/frontend/react/react-router/react-router.config.ts
- packages/template-generator/templates/addons/electrobun/apps/desktop/package.json.hbs
| // Frontends whose docker image needs server output, which desktop addons replace with a static export | ||
| const DOCKER_SERVER_OUTPUT_FRONTENDS = [ | ||
| "next", | ||
| "svelte", | ||
| "astro", | ||
| ] as const satisfies readonly Frontend[]; |
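Review bot: the comment says this list covers frontends whose docker image needs server output, but the list itself is the only place the rule lives and it omits nuxt, which gets its own `deploy/docker/web/nuxt/Dockerfile.hbs` in this same PR; either add nuxt here (if the desktop addons switch it to static output as well) or state in the comment why it is deliberately excluded, and consider deriving the list from the frontend/addon metadata the templates already use rather than hand-maintaining it so the two cannot drift.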
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:

```bash
#!/bin/bash
# Check whether nuxt is compatible with tauri/electrobun addons and whether those addons
# force a static export for nuxt (similar to next/svelte/astro).
rg -n "nuxt" packages/template-generator/templates/addons/tauri -r 2>/dev/null
rg -nP "nuxt" apps/cli/src/utils/compatibility-rules.ts -C3
rg -nP "static" packages/template-generator/templates/addons/electrobun -r 2>/dev/null
```

Repository: AmanVarshney01/create-better-t-stack
Length of output: 3652

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
# Inspect the server-output frontend list and nearby compatibility logic.
sed -n '320,360p' apps/cli/src/utils/compatibility-rules.ts
# Map addon template files.
find packages/template-generator/templates/addons/tauri -type f | sort
find packages/template-generator/templates/addons/electrobun -type f | sort
# Search for nuxt/static-export related handling in addon templates.
rg -n --hidden --no-messages -S "nuxt|static export|staticExport|prerender|output:\\s*'static'|output:\\s*\"static\"|export default" \
  packages/template-generator/templates/addons/tauri \
  packages/template-generator/templates/addons/electrobun
```

Repository: AmanVarshney01/create-better-t-stack
Length of output: 1760

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
# Locate the actual addon/template directories in this repo snapshot.
find . -type d \( -path '*/addons/*' -o -path '*/templates/*' -o -path '*/web/*' \) | sort | sed -n '1,250p'
# Search for Nuxt/docker/static-export handling across the repo.
rg -n --hidden --no-messages -S "nuxt|NUXT_SERVER_URL|static export|prerender|output:\\s*['\"]static['\"]|export default.*static|standalone output" .
# Show the surrounding compatibility logic around the desktop-addon docker check.
sed -n '336,390p' apps/cli/src/utils/compatibility-rules.ts
```

Repository: AmanVarshney01/create-better-t-stack
Length of output: 50392

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
sed -n '360,430p' packages/template-generator/src/post-process/package-configs.ts
sed -n '110,190p' apps/cli/test/electrobun-addon.test.ts
# Show the Nuxt docker/static-export area from the generated templates.
python3 - <<'PY'
from pathlib import Path
p = Path("packages/template-generator/src/templates.generated.ts")
lines = p.read_text().splitlines()
for start in (15940, 25370, 29520):
    print(f"\n=== {start} ===")
    for i in range(start-1, min(start+45, len(lines))):
        print(f"{i+1}:{lines[i]}")
PY
```

Repository: AmanVarshney01/create-better-t-stack
Length of output: 9991
Add nuxt to DOCKER_SERVER_OUTPUT_FRONTENDS. nuxt is already handled as a static-export desktop frontend (generate for electrobun, .output/public output), so this validator should include it with next, svelte, and astro to catch incompatible docker/desktop combinations.
| const packageJson = JSON.parse( | ||
| await fs.readFile(path.join(result.projectDir, "package.json"), "utf8"), | ||
| ); | ||
| expect(packageJson.workspaces.catalog["better-auth"]).toBe("1.6.22"); | ||
| expect(packageJson.workspaces.catalog["better-auth"]).toBe("1.6.23"); | ||
| }); |
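Review bot: the expected catalog version `"1.6.23"` is a bare literal, and the same better-auth expectation appears more than once in this test file, so every bump has to touch each copy by hand and a missed one fails the suite; hoist the expected version into a single constant in the test, or read it from `dependencyVersionMap`, so one update keeps every assertion in step. The ast-grep CWE-22 finding on `fs.readFile(path.join(result.projectDir, "package.json"))` is a false positive in this context, since `result.projectDir` is the scaffold directory the test itself just created rather than request-derived input, and is better suppressed with a rule comment than left to re-fire on each run.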
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Keep the Better Auth catalog expectation consistent.
This update only fixes the later check at Line 778; the earlier packageJson.workspaces.catalog["better-auth"] assertion at Line 301 still expects 1.6.15, so this file will still fail against the new template version.
Suggested fix
- expect(packageJson.workspaces.catalog["better-auth"]).toBe("1.6.15");
+ expect(packageJson.workspaces.catalog["better-auth"]).toBe("1.6.23");

🧰 Tools
🪛 ast-grep (0.44.0)
[warning] 775-775: Filesystem path is not a string literal; a request-/variable-derived path can enable path traversal. Validate and normalize the path before use.
Context: fs.readFile(path.join(result.projectDir, "package.json"), "utf8")
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(detect-non-literal-fs-filename-typescript)
| COPY --from=builder /app/apps/web/.next/standalone ./ | ||
| COPY --from=builder /app/apps/web/.next/static ./apps/web/.next/static | ||
| {{#if (includes addons "pwa")}} | ||
| # standalone output excludes public/; the pwa addon serves its manifest and icons from there | ||
| COPY --from=builder /app/apps/web/public ./apps/web/public | ||
| {{/if}} |
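Review bot: gating the `public/` copy on the pwa addon assumes nothing else in the image needs that directory, but standalone output never includes it, so a user-added favicon, robots.txt or any other static asset 404s in every non-PWA image; copy it unconditionally, and because `COPY --from=builder` fails when the source path does not exist, create it in the builder stage (`RUN mkdir -p apps/web/public`) before the copy so the unconditional COPY is safe for projects that never add a public directory.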
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
echo "== target file =="
cat -n packages/template-generator/templates/deploy/docker/web/react/next/Dockerfile.hbs | sed -n '1,120p'
echo
echo "== search for public copy patterns =="
rg -n --glob '**/Dockerfile.hbs' 'COPY .*public' packages/template-generator/templates || true
echo
echo "== search for pwa addon condition in relevant templates =="
rg -n 'includes addons "pwa"|pwa' packages/template-generator/templates/deploy/docker/web -g '*.hbs' || true
```

Repository: AmanVarshney01/create-better-t-stack
Length of output: 3268

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import requests, sys
urls = [
    "https://nextjs.org/docs/app/building-your-application/deploying#output-standalone",
    "https://nextjs.org/docs/pages/building-your-application/deploying#output-standalone",
]
for u in urls:
    try:
        r = requests.get(u, timeout=20)
        print("URL:", u, "status:", r.status_code)
        print(r.text[:1000].replace("\n"," ")[:1000])
        print("---")
    except Exception as e:
        print("URL:", u, "ERR:", e)
PY
```

Repository: AmanVarshney01/create-better-t-stack
Length of output: 958

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
# Inspect the target template and surrounding package context
sed -n '1,140p' packages/template-generator/templates/deploy/docker/web/react/next/Dockerfile.hbs
echo
echo "== nearby template helpers / conditions =="
rg -n 'includes addons "pwa"|COPY .*public|output: "standalone"|standalone' packages/template-generator -g '*.hbs' -g '*.ts' || true
```

Repository: AmanVarshney01/create-better-t-stack
Length of output: 6060

🌐 Web query:
Next.js standalone output public folder must be copied manually favicon robots.txt docs

💡 Result:
When using the Next.js standalone output mode, the public folder (which contains assets like favicon.ico and robots.txt) and the .next/static folder are not copied into the standalone directory by default [1][2]. This design choice exists because these files are ideally served by a CDN or a reverse proxy in production environments [1][2]. However, if you are running the application using the generated server.js file and need it to serve these files automatically, you must copy them into the standalone folder manually after the build process completes [1][2]. To include these assets in your standalone deployment, you can use the following command after running next build [1][2]: `cp -r public .next/standalone/ && cp -r .next/static .next/standalone/.next/` Once these files are copied to .next/standalone/public and .next/standalone/.next/static respectively, the server.js file will automatically detect and serve them [1][2].

Citations:
- 1: https://nextjs.org/docs/15/pages/api-reference/config/next-config-js/output
- 2: https://nextjs.org/docs/14/app/api-reference/next-config-js/output
Copy public/ for every standalone Next.js build.
output: "standalone" leaves public/ out of the bundle, so gating this copy behind pwa will break non-PWA apps at runtime (favicon, robots.txt, and other static assets will 404).
Proposed fix
COPY --from=builder /app/apps/web/.next/standalone ./
COPY --from=builder /app/apps/web/.next/static ./apps/web/.next/static
-{{`#if` (includes addons "pwa")}}
-# standalone output excludes public/; the pwa addon serves its manifest and icons from there
-COPY --from=builder /app/apps/web/public ./apps/web/public
-{{/if}}
+# standalone output excludes public/; must always be copied for favicon, robots.txt, and other static assets
+COPY --from=builder /app/apps/web/public ./apps/web/public
…t public dir

- compose build args now interpolate the same frontend-prefixed env names users fill in apps/web/.env (NEXT_PUBLIC_/VITE_/PUBLIC_ variants), and the generated root .env mirrors those names
- next docker runner always copies public/ (user-added static assets), with mkdir -p in the builder so the copy never fails when the dir is absent
Addressed review comments in 1d21818:
Dependency upgrades

Majors (with required code migrations)
- `@react-router/*` packages bumped; removed the `v8_middleware` future flag (default in v8). Template code needed no changes: imports already come from `react-router` only, and `meta()` doesn't use the removed `data` arg. `react-router-devtools` ^1 → ^6 and `@clerk/react-router` → ^3.5.4 (both RR8-compatible).
- `@voidzero-dev/vite-plus-test` (stopped at 0.1.24), so the `vitest` override alias is removed; the `vite` → `vite-plus-core` alias stays. `rolldown` → 1.1.4.
- `createQuery(() => opts)`) and results drop the `$` store prefix. `QueryClientProvider`/`QueryClient` usage unchanged.
- `serve`), stripe SDKs ^9/^6 (no template code touches them), shiki ^4, nx ^23 (generated nx.json schema unchanged).

Minors
- ~140 minor/patch bumps across `dependencyVersionMap` and hbs template pins (vite 8.1.3, heroui-native 1.0.5, uniwind 1.10, SvelteKit 2.69, @nuxt/ui 4.9, TanStack Router 1.170/Start 1.168, tRPC 11.18, hono 4.12, clerk, react-query unified at ^5.101.2, oxlint/oxfmt, wrangler, zod, …).

Deliberately untouched
- All Expo/native pins — verified against Expo SDK 57's `bundledNativeModules.json` (incl. `react-native-gesture-handler` ~2.32.0; v3 is not supported by SDK 57). `@babel/core` stays on 7 for `babel-preset-expo`. Also removed an orphaned `@types/three` from the electrobun desktop template.

Docker template fixes (from a full combination audit)
- `--web-deploy docker` — tauri/electrobun switch next/svelte/astro to static export, which broke the SSR docker images at build time. New CLI validation rejects the combo (keeps the working next+electrobun+convex+better-auth case).
- `public/` when the pwa addon emits it (standalone output excludes it → manifest/icons 404'd in-container).
- `.env` generated for compose build args — `${CONVEX_URL:-}`/`${CLERK_PUBLISHABLE_KEY:-}` interpolate from the project root, but only `apps/web/.env` was scaffolded, so images were silently built with empty values.
- `postgres:18`, `mysql:8.4`, `mongo:8`) in deploy + db-setup composes — `postgres:18` also matches the `/var/lib/postgresql` volume layout the templates use. Pinned `pnpm@11` in Dockerfiles to avoid lockfile-format drift.

Verification
- `bun run generate-templates` regenerated (506 templates)
- `bun run check` clean
- `tsc --noEmit` clean

Not addressed (follow-up candidate): single-stage server/web images ship the full monorepo + dev deps (size/hygiene, not correctness).
Summary by CodeRabbit
- .env with build-arg values when applicable.
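The silent-empty build-arg problem the PR description explains (`${CONVEX_URL:-}` / `${CLERK_PUBLISHABLE_KEY:-}` interpolated from a root .env that was never scaffolded) can be caught before `docker compose build` runs. The check below is an added example written for this page, not code from the create-better-t-stack repository; the compose fragment and root .env it parses are constructed, and `requireBuildArgs` shows the hardened `:?` form that makes compose fail loudly instead of baking `""` into the image.

```typescript
// Added example (not create-better-t-stack's own code): flag compose build args
// that would interpolate to "" from the root .env, the failure mode the PR fixes.
export interface Interpolation {
  name: string;     // variable name inside ${...}
  modifier: string; // "" (plain), "-" (default), "?" (required) or "+" (alternate)
  fallback: string; // text after the modifier, if any
}
// Parse dotenv-style text: KEY=VALUE lines, '#' comments, optional surrounding quotes.
export function parseDotenv(text: string): Map<string, string> {
  const env = new Map<string, string>();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    let value = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    env.set(line.slice(0, eq).trim(), value);
  }
  return env;
}
// Collect ${VAR}, ${VAR:-default}, ${VAR:?msg} style references from compose text.
export function findInterpolations(compose: string): Interpolation[] {
  const re = /\$\{([A-Za-z_][A-Za-z0-9_]*)(?::?([-?+])([^}]*))?\}/g;
  const found: Interpolation[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(compose)) !== null) {
    found.push({ name: m[1], modifier: m[2] || "", fallback: m[3] || "" });
  }
  return found;
}
// Names whose build-time value would be "": variable missing or empty in the root
// .env and no non-empty fallback. `:?` references are skipped because compose
// aborts on those instead of silently baking an empty string into the image.
export function emptyBuildArgs(compose: string, env: Map<string, string>): string[] {
  const empty = new Set<string>();
  for (const ref of findInterpolations(compose)) {
    if (ref.modifier === "?" || ref.modifier === "+") continue;
    if ((env.get(ref.name) || "") === "" && ref.fallback === "") empty.add(ref.name);
  }
  return Array.from(empty);
}
// Hardened form: rewrite every ${VAR:-} (empty default) into ${VAR:?...} so
// `docker compose build` fails fast instead of shipping an image with "" baked in.
export function requireBuildArgs(compose: string): string {
  return compose.replace(/\$\{([A-Za-z_][A-Za-z0-9_]*):-\}/g,
    (_m: string, name: string) => `\${${name}:?${name} must be set in the root .env}`);
}
// Constructed inputs mirroring the PR's compose build-arg layout and a root .env
// where the Clerk key was left blank (the case the PR calls "silently baked empty").
export const SAMPLE_COMPOSE = `services:
  web:
    build:
      args:
        CONVEX_URL: \${CONVEX_URL:-}
        CLERK_PUBLISHABLE_KEY: \${CLERK_PUBLISHABLE_KEY:-}
        NODE_ENV: \${NODE_ENV:-production}
`;
export const SAMPLE_ROOT_ENV = "# constructed root .env\nCONVEX_URL=https://example.convex.cloud\nCLERK_PUBLISHABLE_KEY=\n";
```

Running `emptyBuildArgs(SAMPLE_COMPOSE, parseDotenv(SAMPLE_ROOT_ENV))` reports only CLERK_PUBLISHABLE_KEY, since NODE_ENV carries a non-empty default; after `requireBuildArgs` the same check reports nothing because compose itself would now refuse the build.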