refactor(deps): clean deprecated dependencies — acl→casl, joi→zod, body-parser, swig#3134
Conversation
- Replace unmaintained acl@0.4.11 with @casl/ability in policy.js
- All policy files updated to policy.registerRules([]) pattern
- Add express-rate-limit on /api/auth/* routes (forgot, reset, signup, signin)
- Add rateLimit config in production (max 10) and test (disabled) envs
- Add MIGRATIONS.md with upgrade guide for downstream projects
- …ss built-ins
- Remove @hapi/joi → replace with zod@3 (safeParse API, superRefine for zxcvbn)
- Remove body-parser → use express.json() / express.urlencoded() (Express 4.16+)
- Remove swig + consolidate → setEngine() dropped (API-only, no template rendering)
- Rename config.joi → config.validation, drop validationOptions (Zod handles internally)
- Add TaskUpdate = Task.partial() for PUT routes (partial updates)
- Unit tests updated from Joi .validate() to Zod .safeParse()
- Empty password allowed in schema (OAuth users without local password)
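The method→action mapping and the registerRules pattern the description refers to, as an added illustration in plain Node (not the project's lib/middlewares/policy.js and not CASL's API; the rule shape, `isAllowed` and `decide` are hypothetical names chosen here):

```javascript
// Added illustration (not the project's lib/middlewares/policy.js and not CASL's API):
// how the HTTP method of a request maps to an authorization action, and how a
// registered rule list is consulted before the route handler runs (deny by default).
const METHOD_TO_ACTION = {
  GET: 'read', POST: 'create', PUT: 'update', PATCH: 'update', DELETE: 'delete',
};
// Hypothetical rule shape { role, action, subject }; 'manage' and 'all' are
// wildcards, following the CASL convention.
const rules = [];
function registerRules(newRules) { rules.push(...newRules); }

function actionFor(method) {
  const action = METHOD_TO_ACTION[String(method).toUpperCase()];
  if (!action) throw new Error(`unsupported HTTP method: ${method}`);
  return action;
}

function can(roles, action, subject) {
  return rules.some((r) =>
    roles.includes(r.role) &&
    (r.action === 'manage' || r.action === action) &&
    (r.subject === 'all' || r.subject === subject));
}

// Express-style middleware: an unauthenticated request is treated as 'guest',
// and anything without an explicit matching rule gets a 403.
function isAllowed(subject) {
  return (req, res, next) => {
    const roles = (req.user && req.user.roles) || ['guest'];
    if (can(roles, actionFor(req.method), subject)) return next();
    return res.status(403).json({ message: 'User is not authorized' });
  };
}

// Constructed sample rules in the spirit of a tasks policy file.
registerRules([
  { role: 'admin', action: 'manage', subject: 'all' },
  { role: 'user', action: 'read', subject: 'tasks' },
  { role: 'user', action: 'create', subject: 'tasks' },
  { role: 'guest', action: 'read', subject: 'tasks' },
]);

// Drives the middleware with a fake req/res and returns the resulting HTTP status.
function decide(method, roles, subject) {
  let status = 200;
  const res = { status(code) { status = code; return this; }, json() { return this; } };
  isAllowed(subject)({ method, user: roles ? { roles } : null }, res, () => {});
  return status;
}
```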
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

```
@@            Coverage Diff             @@
##           master    #3134      +/-   ##
==========================================
+ Coverage   88.07%   89.49%   +1.42%
==========================================
  Files          51       52       +1
  Lines        1115     1133      +18
  Branches      213      217       +4
==========================================
+ Hits          982     1014      +32
+ Misses        118      107      -11
+ Partials       15       12       -3
```
Pull request overview
This PR performs a major dependency refactor, replacing deprecated and unmaintained packages with modern alternatives while adding security improvements. The changes migrate from acl (unmaintained since 2018) to @casl/ability for authorization, @hapi/joi to zod@3 for schema validation, removes body-parser in favor of Express's built-in parsers, and removes swig/consolidate template engines (no longer needed for API-only stack). Additionally, the PR adds rate limiting on authentication routes and improves cookie security with HttpOnly and SameSite flags.
Changes:
- Authorization: ACL library replaced with CASL; all policy files refactored to use `policy.registerRules()` pattern with HTTP method→action mapping (GET→read, POST→create, PUT/PATCH→update, DELETE→delete)
- Validation: Joi replaced with Zod; schemas migrated to use `safeParse()` API; password validation uses `superRefine` with zxcvbn strength checking; partial schemas added for PUT operations (UserUpdate, TaskUpdate)
- Security: Auth routes rate-limited via `express-rate-limit`; cookies now use HttpOnly and SameSite=Strict flags; comprehensive security tests added
- Middleware: body-parser replaced with `express.json()`/`express.urlencoded()`; template engine setup removed
- Configuration: `config.joi` renamed to `config.validation`; cookie and rate limit configuration added per environment
- Documentation: MIGRATIONS.md added with ACL→CASL upgrade guide
Reviewed changes
Copilot reviewed 25 out of 26 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package.json | Removed acl, @hapi/joi, body-parser, swig, consolidate; added @casl/ability, zod, express-rate-limit; moved @eslint/js to correct section |
| package-lock.json | Lockfile updated with new dependencies and removed deprecated packages |
| modules/users/tests/user.unit.tests.js | Updated from Joi validate() to Zod safeParse(); removed unused imports |
| modules/users/policies/users.admin.policy.js | Migrated from ACL to CASL registerRules pattern; fixed comment from "Tasks" to "Users Admin" |
| modules/users/policies/users.account.policy.js | Migrated from ACL to CASL registerRules pattern; fixed comment from "Tasks" to "Users Account" |
| modules/users/models/user.schema.js | Migrated from Joi to Zod; password uses superRefine with zxcvbn; UserUpdate partial schema added; empty password allowed for OAuth |
| modules/uploads/policies/uploads.policy.js | Migrated from ACL to CASL registerRules pattern |
| modules/tasks/tests/tasks.unit.tests.js | Updated from Joi validate() to Zod safeParse(); removed unused imports |
| modules/tasks/routes/tasks.routes.js | PUT operation now uses TaskUpdate partial schema instead of full Task schema |
| modules/tasks/policies/tasks.policy.js | Migrated from ACL to CASL registerRules pattern |
| modules/tasks/models/tasks.schema.js | Migrated from Joi to Zod; TaskUpdate partial schema added; uses strip() for unknown fields |
| modules/home/policies/home.policy.js | Migrated from ACL to CASL registerRules pattern; fixed comment from "Tasks" to "Home" |
| modules/core/tests/core.unit.tests.js | Added comprehensive Policy tests for CASL implementation with async ability checks |
| modules/auth/tests/auth.integration.tests.js | Added Security test suite covering cookie flags and rate limit headers |
| modules/auth/routes/auth.routes.js | Applied rate limiting to auth routes (signup, signin, forgot, reset) |
| modules/auth/controllers/auth.password.controller.js | Cookies now use tokenCookieOptions with HttpOnly, secure, and sameSite |
| modules/auth/controllers/auth.controller.js | Replaced getResultFromJoi with getResultFromZod; cookies use tokenCookieOptions; removed unused lodash import |
| lib/services/express.js | Removed body-parser imports; replaced with express.json()/urlencoded(); removed template engine setup |
| lib/middlewares/policy.js | Complete rewrite from ACL to CASL; async defineAbilityFor with lazy loading; registerRules API |
| lib/middlewares/model.js | Replaced getResultFromJoi with getResultFromZod; updated error handling for Zod structure |
| lib/helpers/zod.js | New helper with passwordRefinement for zxcvbn validation |
| config/defaults/test.js | Rate limiting disabled for tests (max: Number.MAX_SAFE_INTEGER) |
| config/defaults/production.js | Added cookie config (secure: true) and stricter rate limits (max: 10) |
| config/defaults/development.js | Renamed joi to validation; added cookie config and rate limit config (max: 20) |
| MIGRATIONS.md | New file documenting ACL→CASL migration with examples and upgrade steps |
| .vscode/settings.json | Added JSON to Copilot enabled languages |
- tasks.unit.tests: check result.data?.toto to verify strip (not result.toto)
- auth.controller: fix stale "Joi validation" comment → "Zod validation"
- user.unit.tests: use 'azertyui' (in forbiddenPasswords) to cover the "too common" branch
- auth.integration.tests: add test for checkOAuthUserProfile validation-error path
- MIGRATIONS.md: add @hapi/joi → zod migration guide for downstream projects
DELETE is not in config.validation.supportedMethods so the middleware was a no-op. Removed to keep the route chain consistent.
Add two tests to reach the changed lines in oauthCallback:
- HTTP integration test for the client-side OAuth path (POST /callback
with strategy:false) to cover .cookie('TOKEN', token, tokenCookieOptions)
- Unit test with passport.authenticate mock for the classic web OAuth
success redirect path to cover res.cookie() + res.redirect()
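The cookie-flag assertion these tests are reaching for, as an added stand-alone example (not the project's auth.integration.tests.js): a small Set-Cookie parser plus a checker that reports which hardening attributes are missing. The header strings are constructed samples and `checkTokenCookie` is a name chosen here.

```javascript
// Added example (not the project's test code): parse one Set-Cookie header and
// verify the attributes the PR introduces for the TOKEN cookie.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    // Flag attributes (HttpOnly, Secure) have no value; store them as true.
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Returns the list of problems found; an empty array means the cookie passes.
// Secure is only required when production is true, matching a config where the
// flag is enabled per environment.
function checkTokenCookie(header, { production }) {
  const c = parseSetCookie(header);
  const problems = [];
  if (c.attributes.httponly !== true) problems.push('missing HttpOnly');
  if ((c.attributes.samesite || '').toLowerCase() !== 'strict') problems.push('SameSite is not Strict');
  if (production && c.attributes.secure !== true) problems.push('missing Secure in production');
  return problems;
}

// Constructed sample headers, shaped like what an Express res.cookie() call emits.
const HARDENED = 'TOKEN=eyJabc.def.ghi; Path=/; HttpOnly; Secure; SameSite=Strict';
const LEGACY = 'TOKEN=eyJabc.def.ghi; Path=/';
```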
- model.js: fix typo firstname → firstName in checkError sanitizer so profile-update errors are correctly redacted
- user.schema.js: build min-size error message from config.zxcvbn.minSize instead of hardcoding 8, keeping message and config in sync
- users.routes.js: PUT /api/users now validates with UserUpdate (partial) instead of the full User schema, consistent with MIGRATIONS.md guidance
Summary

- acl → @casl/ability: replace unmaintained ACL lib with CASL; all policy files updated to `policy.registerRules()` pattern; auth rate limiting added on `/api/auth/*` routes
- @hapi/joi → zod@3: schema-first validation via `safeParse`; `getResultFromJoi` → `getResultFromZod`; password field uses `superRefine` (strength → min, skips empty for OAuth users)
- `body-parser` removed: replaced by `express.json()`/`express.urlencoded()` (built into Express 4.16+)
- `swig` + `consolidate` removed: `setEngine()` dropped — API-only stack, no HTML rendering
- `config.joi` → `config.validation`, `validationOptions` dropped (Zod handles internally)
- `/api/tasks/:taskId` now uses `TaskUpdate` (partial schema) instead of `Task`
- `MIGRATIONS.md` added with upgrade guide for downstream projects

Test plan

- `npm run lint` passes
- `npm test` passes (207/207)
- checkOAuthUserProfile)
- `/api/auth/signup`, `/api/auth/signin`, `/api/auth/forgot`
- `npm remove acl @hapi/joi body-parser swig consolidate && npm install @casl/ability zod@3`, update policy files per MIGRATIONS.md