chore: update @arcjet/* to 1.7.0-rc.1 pre-release#191
Conversation
Dogfoods the arcjet-js build-tooling modernization (arcjet/arcjet-js#6093: rollup->tsdown, dist-only packaging with exports maps, TypeScript 6 declarations) across every example before it ships as stable. @nosecone/next stays at 1.6.1 in the three Next.js examples that use it: the rc widens the published type of its CSP defaults, which breaks the extend-the-defaults pattern in their proxy.ts; the fix is on the arcjet-js branch and those bumps follow with the next rc. The Deno example's source now imports through the deno.json import map (bare specifiers) instead of unversioned npm: specifiers, which had been resolving to latest and ignoring the pinned versions. Validated per example: npm install + build (astro, expressjs, fastify, nestjs, all five nextjs variants, nuxt, react-router, sveltekit, tanstack-start), tsc for firebase-functions, and deno check with a regenerated lockfile for deno. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
There was a problem hiding this comment.
Arcjet Review — 🟡 Medium Risk
Decision: Reviewers Assigned
Rationale: This PR updates many @arcjet/* dependencies across examples from stable releases to the 1.7.0-rc.0 pre-release and adjusts Deno imports to use the import map. The changes are small and scoped to examples, but they affect security-related middleware/bot-protection packages and introduce pre-release packages, so automated review cannot fully validate compatibility or supply-chain risk. No specific escalation reviewers are configured.
Summary of Changes
Updates Arcjet dependencies in multiple example apps to 1.7.0-rc.0 and changes the Deno example source imports to use deno.json import aliases instead of direct npm: specifiers.
Escalation Triggers
- Dependency Changes: Multiple package.json files update @arcjet/* dependencies to the 1.7.0-rc.0 pre-release.
Review Focus Areas
- Is adopting @arcjet/* 1.7.0-rc.0 across examples intentional despite being a pre-release?
Pre-release security-related packages may contain API or behavior changes that differ from stable releases. - Confirm the Deno import map works with the updated source imports and run the Deno example.
The source now imports @arcjet/deno and @arcjet/inspect via import aliases rather than direct npm: specifiers, so runtime resolution depends on deno.json being loaded. - Verify this example is always run from a context where deno.json import mappings are honored.
Direct execution in an environment that does not load the import map could fail to resolve @arcjet/deno and @arcjet/inspect. - Check whether lockfiles are expected for these examples and whether they need updating.
Dependency version changes without corresponding lockfile updates can lead to inconsistent installs if lockfiles are used elsewhere in the repository. - Review the Arcjet 1.7.0-rc.0 changelog or release notes for breaking changes affecting the examples.
Several examples use Arcjet protection logic; API or behavior changes could silently weaken or break bot detection, shield, rate limiting, or integration middleware.
Notes
No hardcoded secrets or direct injection issues were visible in the diff. Primary concern is dependency and compatibility risk from moving security-related packages to a release candidate.
Path filtering: 15 files excluded by ignore paths. 16 of 31 files included in review.
Review: c4ebeb0b | Model: openai/gpt-5.5 | Powered by Arcjet Review
|
This doesn't really need to merge - CI going green is really the only signal I need here! |
davidmytton
left a comment
There was a problem hiding this comment.
Looks good. Up to you if you want to merge or close.
rc.1 fixes both issues rc.0 dogfooding found: the widened @nosecone/next CSP defaults type (the three Next.js examples that extend the defaults in proxy.ts build again, so their hold at 1.6.1 is lifted) and the unreplaced __ARCJET_SDK_VERSION__ placeholder in the sdkVersion request field. Validated per example as before: npm install + build for the buildable JS examples, tsc for firebase-functions, deno check with a regenerated lockfile for deno. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Dogfoods the arcjet-js build-tooling modernization (arcjet/arcjet-js#6093: rollup→tsdown, dist-only packaging with exports maps, TypeScript 6 declarations) across every example before it ships as stable. Now on 1.7.0-rc.1, which fixes both issues rc.0 dogfooding surfaced:
@nosecone/nextCSPdefaultstype — the three Next.js examples that extend the defaults inproxy.tsbuild again, so@nosecone/nextis now on the rc too (previously held at 1.6.1)__ARCJET_SDK_VERSION__placeholder in thesdkVersionrequest fieldThe Deno example's source now imports through the
deno.jsonimport map (bare specifiers) instead of unversionednpm:specifiers, which had been resolving to latest and silently ignoring the pinned versions.Validated locally per example on rc.1:
npm install+buildfor the 13 buildable JS examples,tscfor firebase-functions, anddeno checkwith a regenerated lockfile — all passing.🤖 Generated with Claude Code