chore(deps): upgrade TypeScript 6 + @hookform/resolvers 5#80
Conversation
…ule declaration - typescript 5.9 → 6.0 (major): requires declare module '*.css' for side-effect imports — TypeScript 6 added TS2882 check that Next.js types don't cover yet - @hookform/resolvers 4.1 → 5.2 (major): no breaking changes in our usage - recharts pinned at ^2.x (recharts 3 has breaking type changes in chart.tsx that require a dedicated fix — deferred to It5) Closes #75 Closes #76 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Warning
|
| Cohort / File(s) | Summary |
|---|---|
Dependency Updates package.json |
Updated @hookform/resolvers from ^4.1.3 → ^5.2.2 and typescript from ^5.9.3 → ^6.0.3. |
Type Support src/types/css.d.ts |
Added ambient module declaration declare module '*.css' {} to allow importing CSS in TypeScript without type errors. |
CI Workflow .github/workflows/ci.yml |
Upgraded CI jobs to Node.js 24, added step to upgrade npm to v11, and replaced fallback Supabase key behavior with strict validation that fails the job if keys cannot be extracted. |
Docs / Formatting CLAUDE.md |
Minor whitespace/formatting changes (blank lines added/removed) in documentation. |
Estimated code review effort
🎯 3 (Moderate) | ⏱️ ~20 minutes
Poem
🐰
Hopping through changes, I cheer and sing,
Types lifted, resolvers take wing.
CSS imports now glide with ease,
CI stricter — no silent keys.
A tiny hop for code, a joyful spring.
🚥 Pre-merge checks | ✅ 3 | ❌ 2
❌ Failed checks (2 inconclusive)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description provides a clear summary of changes, impact analysis, and test results. However, it does not follow the repository's template structure with explicit sections like 'Type of Change' and 'Checklist'. | Consider restructuring the description to match the template with explicit checkboxes for test steps and Type of Change, even though the core information is present. |
| Out of Scope Changes check | ❓ Inconclusive | CI workflow updates (Node 24, npm 11, stricter validation) and CLAUDE.md formatting are supporting changes that enable the dependency upgrades but are not strictly required by issues #75 and #76. |
Clarify whether CI and documentation formatting changes were necessary for the main dependency upgrade objectives, or consider separating them into a dedicated infrastructure PR. |
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main changes: upgrading TypeScript to v6 and @hookform/resolvers to v5, addressing the primary objectives. |
| Linked Issues check | ✅ Passed | All code changes directly address the requirements from issues #75 and #76: TypeScript upgraded to v6.0.3 with TS2882 fix via css.d.ts, @hookform/resolvers upgraded to v5.2.2, lockfile regenerated, and all tests passing. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
✏️ Tip: You can configure your own custom pre-merge checks in the settings.
✨ Finishing Touches
🧪 Generate unit tests (beta)
- Create PR with unit tests
- Commit unit tests in branch
chore/deps-major
Comment @coderabbitai help to get the list of available commands and usage tips.
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@package.json`:
- Line 135: The package.json dependency line "typescript": "^6.0.3" conflicts
with the repository policy in CLAUDE.md which mandates TypeScript v5 with strict
catch handling; either revert the package.json change to a supported v5.x range
(replace the "typescript" entry with a v5 version) OR update CLAUDE.md to
explicitly permit TypeScript 6.x and add the required configuration (e.g.,
retain strict mode and document the equivalent for useUnknownInCatchVariables or
any new compiler flags) so the PR and policy stay aligned; update the
package.json dependency key "typescript" and/or the CLAUDE.md policy text
accordingly.
- Line 49: The PR updates TypeScript to 6.0.3 which violates the repo policy
documented in CLAUDE.md that mandates TypeScript 5 (strict); either revert the
TypeScript dependency entry in package.json to an allowed 5.x version (e.g.,
"typescript": "5.x") or update CLAUDE.md to explicitly permit TypeScript 6 and
get the change approved; ensure the change keeps existing code patterns like
zodResolver(formSchema) in form-plano.tsx, form-aluno.tsx,
workout-generator.tsx, treinos-client.tsx, and login/page.tsx functioning by
running the TypeScript build/CI and updating any tsconfig strict settings if you
ratify TypeScript 6.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 1b324bed-7a48-4ad7-bca7-940dc5b63609
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (2)
package.jsonsrc/types/css.d.ts
- node-version 22 → 24 (Node 24 LTS, latest stable) - Add 'npm install -g npm@11' in all 3 jobs to match local dev environment (npm 10 vs npm 11 generate incompatible lockfiles — deduplication differs) - Remove hardcoded Supabase demo JWT fallbacks (CWE-321); fail explicitly instead if supabase status does not return keys (supabase CLI ≥ v1.23 always returns keys after supabase start succeeds) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CLAUDE.md was previously gitignored; now tracked, prettier check in CI catches formatting issues. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs(it5): open It5-T01 branch — update CURRENT-STATE + CLAUDE.md Marks branch feat/007-it5-instrutor-auth as active. CURRENT-STATE.md reflects the 12-task T01 plan (INSTRUTOR auth hardening), promotes the auth gap to P1 in the incomplete table, and extends the auth.ts key files entry. CLAUDE.md updated with It5 tech context via agent script. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs(it5): document pre-existing TS2882 regression in quality gates globals.css side-effect import errors since src/types/css.d.ts was deleted in PR #80 (TypeScript 6 upgrade). Tracked as P2 — must be fixed before any It5 PR merges to main. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(typecheck): restore src/types/css.d.ts deleted in PR #80 TS6 upgrade TS2882 side-effect import error on globals.css was introduced when the TS6 upgrade PR accidentally removed this ambient declaration file. One line: declare module '*.css' {} Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs(it5): mark TS2882 resolved in CURRENT-STATE quality gates Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add requireAnyRole helper to auth.ts T001 — exports requireAnyRole(allowedRoles: Role[]): Promise<void> following the exact same fail-closed pattern as requireRole. redirects to /login if unauthenticated, /dashboard if role is not in allowedRoles or on any DB error. needed by the /dashboard/treinos route gate. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add failing E2E negative auth test (TDD red) T002 — instrutor-auth-negative.spec.ts asserts RECEPCIONISTA and ALUNO cannot access /dashboard/treinos (must redirect). tests fail until T003 adds the requireAnyRole gate to the page — that is the intended red phase. also anchors /specs/ in .gitignore to root so tests/e2e/specs/ is no longer inadvertently excluded. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): gate /dashboard/treinos with requireAnyRole T003 — replaces bare if(!user) check with requireAnyRole(['INSTRUTOR', 'GERENTE']). RECEPCIONISTA and ALUNO are now redirected fail-closed to /dashboard. getUser() call kept temporarily for instrutorId={user.id} prop; removed in T008 after client cleanup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add failing unit tests for treinos actions (TDD red) T004 + T009 — treinos.test.ts covers upsertTreinoAction (instrutorId derivation) and ownership checks for deleteTreinoAction and updateTreinoDayAction. 4 tests currently fail (red phase): INSTRUTOR instrutorId derivation, RECEPCIONISTA blocked, and both non-owner ownership guards. tests written before implementation as required by constitution principle III. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): remove instrutorId from TreinoBaseSchema (server-derived) T005: instrutorId is now server-derived from session in upsertTreinoAction. Removed from TreinoBaseSchema (client input); preserved in TreinoSchema (entity read-type). Cascade errors in treinos.ts:35 and treinos-client.tsx:384,433 are intentional red state — fixed in T006/T007. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): derive instrutorId from session in upsertTreinoAction T006: instrutorId is now fetched from the funcionarios table instead of the client payload. RECEPCIONISTA is blocked (Acesso não autorizado). ALUNO (not in funcionarios → data=null) and GERENTE both receive instrutorId=null. INSTRUTOR receives their own user.id. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): remove instrutorId prop from TreinosManagementClient T007: instrutorId is no longer needed as a component prop since upsertTreinoAction now derives it server-side from session. Removed from props interface and both upsertTreinoAction call sites. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): remove redundant getUser and instrutorId prop from TreinosPage T008: requireAnyRole already asserts authentication, so the subsequent supabase.auth.getUser() call and instrutorId={user.id} prop are removed. instrutorId is now fully derived server-side in upsertTreinoAction. Zero typecheck errors after this task. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add ownership check to updateTreinoDayAction T010: INSTRUTOR can only update treinos they own (instrutorId = user.id). GERENTE can update any treino. Unauthorized callers receive { success: false, error: 'Acesso não autorizado' }. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add ownership check to deleteTreinoAction T011: mirrors T010 pattern — INSTRUTOR can only delete treinos they own; GERENTE can delete any treino. All 10 unit tests green. Zero typecheck and lint errors. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore(it5): update CRITICAL-PATHS.md 18 → 19 scenarios T012: added entry for instrutor-auth-negative.spec.ts (RECEPCIONISTA/ALUNO blocked from /dashboard/treinos). All 12 tasks for 007-it5-instrutor-auth are now complete. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs: update CURRENT-STATE.md for It5 completion All 12 tasks complete. Auth gap closed. Unit tests 22→32. E2E scenarios 18→19. Auth gap removed from incomplete list. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * test(it5): add requireAnyRole unit tests to restore auth.ts 100% coverage CI coverage threshold for src/lib/auth.ts requires 100%. Adding requireAnyRole tests mirrors the requireRole test structure: allowed role resolves without redirect, wrong role → /dashboard, no user → /login, DB error → /dashboard, null record (ALUNO) → /dashboard. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(auth): address CodeRabbit review findings on PR #81 auth.ts: requireRole now delegates to requireAnyRole([role]) eliminating duplicated auth/redirect logic; consistent fail-closed behavior guaranteed by single implementation. treinos.ts: fix two security issues flagged by CodeRabbit: - upsertTreinoAction: ALUNOs (funcData=null) now get alunoId=user.id server-side, preventing cross-user spoofing of alunoId from client - updateTreinoDayAction + deleteTreinoAction: ownership guard now also checks treino.alunoId === user.id, allowing ALUNOs to manage their own treinos (previously blocked because instrutorId is null on ALUNO-created treinos) instrutor-auth-negative.spec.ts: ALUNO redirect test now asserts destination /aluno (middleware redirects non-funcionarios to /aluno) instead of weak negative assertion. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Emiya Kiritsugu <emiyakiritsugu3@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs(it5): open It5-T01 branch — update CURRENT-STATE + CLAUDE.md Marks branch feat/007-it5-instrutor-auth as active. CURRENT-STATE.md reflects the 12-task T01 plan (INSTRUTOR auth hardening), promotes the auth gap to P1 in the incomplete table, and extends the auth.ts key files entry. CLAUDE.md updated with It5 tech context via agent script. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs(it5): document pre-existing TS2882 regression in quality gates globals.css side-effect import errors since src/types/css.d.ts was deleted in PR #80 (TypeScript 6 upgrade). Tracked as P2 — must be fixed before any It5 PR merges to main. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(typecheck): restore src/types/css.d.ts deleted in PR #80 TS6 upgrade TS2882 side-effect import error on globals.css was introduced when the TS6 upgrade PR accidentally removed this ambient declaration file. One line: declare module '*.css' {} Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs(it5): mark TS2882 resolved in CURRENT-STATE quality gates Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add requireAnyRole helper to auth.ts T001 — exports requireAnyRole(allowedRoles: Role[]): Promise<void> following the exact same fail-closed pattern as requireRole. redirects to /login if unauthenticated, /dashboard if role is not in allowedRoles or on any DB error. needed by the /dashboard/treinos route gate. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add failing E2E negative auth test (TDD red) T002 — instrutor-auth-negative.spec.ts asserts RECEPCIONISTA and ALUNO cannot access /dashboard/treinos (must redirect). tests fail until T003 adds the requireAnyRole gate to the page — that is the intended red phase. also anchors /specs/ in .gitignore to root so tests/e2e/specs/ is no longer inadvertently excluded. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): gate /dashboard/treinos with requireAnyRole T003 — replaces bare if(!user) check with requireAnyRole(['INSTRUTOR', 'GERENTE']). RECEPCIONISTA and ALUNO are now redirected fail-closed to /dashboard. getUser() call kept temporarily for instrutorId={user.id} prop; removed in T008 after client cleanup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add failing unit tests for treinos actions (TDD red) T004 + T009 — treinos.test.ts covers upsertTreinoAction (instrutorId derivation) and ownership checks for deleteTreinoAction and updateTreinoDayAction. 4 tests currently fail (red phase): INSTRUTOR instrutorId derivation, RECEPCIONISTA blocked, and both non-owner ownership guards. tests written before implementation as required by constitution principle III. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): remove instrutorId from TreinoBaseSchema (server-derived) T005: instrutorId is now server-derived from session in upsertTreinoAction. Removed from TreinoBaseSchema (client input); preserved in TreinoSchema (entity read-type). Cascade errors in treinos.ts:35 and treinos-client.tsx:384,433 are intentional red state — fixed in T006/T007. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): derive instrutorId from session in upsertTreinoAction T006: instrutorId is now fetched from the funcionarios table instead of the client payload. RECEPCIONISTA is blocked (Acesso não autorizado). ALUNO (not in funcionarios → data=null) and GERENTE both receive instrutorId=null. INSTRUTOR receives their own user.id. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): remove instrutorId prop from TreinosManagementClient T007: instrutorId is no longer needed as a component prop since upsertTreinoAction now derives it server-side from session. Removed from props interface and both upsertTreinoAction call sites. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): remove redundant getUser and instrutorId prop from TreinosPage T008: requireAnyRole already asserts authentication, so the subsequent supabase.auth.getUser() call and instrutorId={user.id} prop are removed. instrutorId is now fully derived server-side in upsertTreinoAction. Zero typecheck errors after this task. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add ownership check to updateTreinoDayAction T010: INSTRUTOR can only update treinos they own (instrutorId = user.id). GERENTE can update any treino. Unauthorized callers receive { success: false, error: 'Acesso não autorizado' }. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(it5): add ownership check to deleteTreinoAction T011: mirrors T010 pattern — INSTRUTOR can only delete treinos they own; GERENTE can delete any treino. All 10 unit tests green. Zero typecheck and lint errors. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore(it5): update CRITICAL-PATHS.md 18 → 19 scenarios T012: added entry for instrutor-auth-negative.spec.ts (RECEPCIONISTA/ALUNO blocked from /dashboard/treinos). All 12 tasks for 007-it5-instrutor-auth are now complete. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs: update CURRENT-STATE.md for It5 completion All 12 tasks complete. Auth gap closed. Unit tests 22→32. E2E scenarios 18→19. Auth gap removed from incomplete list. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * test(it5): add requireAnyRole unit tests to restore auth.ts 100% coverage CI coverage threshold for src/lib/auth.ts requires 100%. Adding requireAnyRole tests mirrors the requireRole test structure: allowed role resolves without redirect, wrong role → /dashboard, no user → /login, DB error → /dashboard, null record (ALUNO) → /dashboard. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(auth): address CodeRabbit review findings on PR #81 auth.ts: requireRole now delegates to requireAnyRole([role]) eliminating duplicated auth/redirect logic; consistent fail-closed behavior guaranteed by single implementation. treinos.ts: fix two security issues flagged by CodeRabbit: - upsertTreinoAction: ALUNOs (funcData=null) now get alunoId=user.id server-side, preventing cross-user spoofing of alunoId from client - updateTreinoDayAction + deleteTreinoAction: ownership guard now also checks treino.alunoId === user.id, allowing ALUNOs to manage their own treinos (previously blocked because instrutorId is null on ALUNO-created treinos) instrutor-auth-negative.spec.ts: ALUNO redirect test now asserts destination /aluno (middleware redirects non-funcionarios to /aluno) instead of weak negative assertion. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Emiya Kiritsugu <emiyakiritsugu3@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Handles Dependabot PRs #75 and #76 with a properly regenerated lockfile and all breaking changes addressed.
Changes
typescript@hookform/resolverssrc/types/css.d.ts(new file)TypeScript 6 introduced
TS2882— side-effect imports (import './globals.css') now require module declarations. Next.js hasn't updated its bundled types yet. One-line fix:declare module '*.css' {}.recharts 3 (deferred)
PR #78 (recharts 2 → 3) was NOT included. Recharts 3 has breaking type changes in
src/components/ui/chart.tsx(7 TS errors —payload/labelproperties removed from Tooltip props,anyinference in callbacks). This requires a dedicated chart.tsx rewrite and is deferred to It5.Closes #75
Closes #76
Test plan
npm run typecheck— 0 errors (TS6 strict)npm run lint— 0 errorsnpm test— 22/22 passing🤖 Generated with Claude Code
Summary by CodeRabbit