build(deps): migrate @casl/ability v7 + @casl/vue v3#4199
Conversation
Bump both together — @casl/vue@2 rejects @casl/ability@^7 as a peer (build breaks), @casl/vue@3 requires it. v7 freezes the ability's internal rule structures, so wrapping it in Vue's reactive() throws a Proxy get-invariant TypeError on the first .can() call. Wrap with a local toReactiveAbility() helper that tracks the `updated` event via a ref read in possibleRulesFor, keeping component computeds reactive. Mirrors @casl/vue's internal reactiveAbility, which v3 declares in its types but does not export at runtime. Supersedes dependabot #4194, #4195. See MIGRATIONS.md for downstream notes.
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Migrates CASL dependencies to the required compatible pair (@casl/ability@7 + @casl/vue@3) and updates the shared Vue ability helper to avoid Vue reactive() proxies over CASL v7’s frozen rule internals.
Changes:
- Bump
@casl/abilityto^7.0.0and@casl/vueto^3.0.0(must move together due to peer requirements). - Replace
reactive(createMongoAbility([]))with a localtoReactiveAbility()wrapper that drives Vue reactivity via the ability’supdatedevent. - Add downstream upgrade notes to
MIGRATIONS.md.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/lib/helpers/ability.js | Introduces toReactiveAbility() and switches the exported singleton ability to use it instead of Vue reactive(). |
| package.json | Updates CASL dependency versions to @casl/ability@^7.0.0 and @casl/vue@^3.0.0. |
| package-lock.json | Locks updated CASL versions and transitive @ucast/* upgrades. |
| MIGRATIONS.md | Documents the coordinated CASL upgrade and downstream actions. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #4199 +/- ##
=======================================
Coverage 99.56% 99.56%
=======================================
Files 31 31
Lines 1140 1151 +11
Branches 329 329
=======================================
+ Hits 1135 1146 +11
Misses 5 5 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Review (Copilot): the reactive wrapper overrode possibleRulesFor but only forwarded (action, subject), dropping CASL's optional `field` arg — silently breaking field-level permission checks. Forward all args via (...args). Also corrects the MIGRATIONS wording (v7 renames PureAbility→Ability, doesn't remove it) and drops the stale `reactiveAbility` reference (not exported at runtime).
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Summary
Migrates
@casl/ability^6.8.1→^7.0.0and@casl/vue^2.2.6→^3.0.0together. Supersedes dependabot #4194 + #4195 (each red on its own — they must move together).Why bump both together
@casl/vue@2rejects@casl/ability@^7as a peer (build breaks → #4194), and@casl/vue@3requires@casl/ability@^7.What changed
package.json—@casl/ability ^7.0.0+@casl/vue ^3.0.0.src/lib/helpers/ability.js— dropped Vue'sreactive()around the ability. v7 freezes the ability's internal rule structures, so areactive()proxy over the frozen rules array throws a Proxy get-invariantTypeErroron the first.can()call. Components callability.can()directly in computeds, so reactivity is preserved via a localtoReactiveAbility()helper that tracks the ability'supdatedevent through arefread inpossibleRulesFor. This mirrors@casl/vue's internalreactiveAbility, which v3 declares in its.d.tsbut does not export at runtime.MIGRATIONS.md— downstream-complete upgrade notes.No change to
src/main.js(abilitiesPluginAPI preserved) or thesubject()helper.Test plan
npm run lint— cleannpm run test:unit— 1910 passed (incl. the ability helper test that threw the Proxy TypeError pre-fix)npm run build— passes (validates @casl/vue v3 ESM import resolution)