Skip to content

docs: document npm audit workaround#341

Open
compoodment wants to merge 1 commit into
xDarkicex:mainfrom
compoodment:fix/issue-340-npm-audit-docs
Open

docs: document npm audit workaround#341
compoodment wants to merge 1 commit into
xDarkicex:mainfrom
compoodment:fix/issue-340-npm-audit-docs

Conversation

@compoodment

@compoodment compoodment commented Jun 12, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Documents why npm consumers can still see @connectrpc/connect-node -> undici@5.29.0 audit findings even though this repo has a pnpm override.
  • Adds a narrow root-project npm overrides.undici = 6.24.0 workaround for operators who need to clear the current audit path while the plugin targets Connect 1.x.
  • Calls out that the durable upstream fix is a coordinated Connect/protobuf 2.x migration, not a one-line dependency bump.

Fixes #340.

Verification

  • Created a fresh npm throwaway project with @xdarkicex/openclaw-memory-libravdb@1.9.8 and overrides.undici = 6.24.0.
  • Confirmed npm ls @xdarkicex/openclaw-memory-libravdb @connectrpc/connect-node undici --all --package-lock-only resolves @connectrpc/connect-node@1.7.0 -> undici@6.24.0 overridden.
  • Confirmed npm audit --omit=dev --json reports 0 vulnerabilities for that throwaway install.
  • Docs-only change; no runtime tests run.

Documentation-only PR: npm audit workaround guide

This PR adds a new section to docs/dependencies.md explaining the npm audit vulnerability path caused by the plugin's dependency on @connectrpc/connect-node@1.7.0, which transitively pulls in undici@5.29.0.

Key points documented:

  • Root cause: The repository's pnpm.overrides entry for undici does not affect npm consumers, only this repository's own pnpm install
  • Workaround: Provides instructions for consuming projects to apply a temporary npm-side overrides entry (undici: 6.24.0) with reinstall and re-audit commands
  • Upstream context: Clarifies that a durable fix requires migrating the plugin from Connect 1.x to Connect 2.x, which is a broader source migration (not a simple dependency bump) due to API removals in both Connect 2 and protobuf 2

The documentation also preserves existing sections explaining the rationale for LibraVDB (chosen over LanceDB for its collection-level namespacing, delete operations, and local-first architecture) and Slabby (allocation-optimized slab storage for the vector-heavy workload).

Note: Complexity analysis not applicable—this is a documentation-only change with no code modifications.

Verification: Operator-performed steps confirmed the workaround effectiveness on a test project with overrides applied.

Fixes #340.

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Documentation added to docs/dependencies.md explaining how npm consumers encounter an audit finding through @connectrpc/connect-node@1.7.0 → undici@5.29.0, why the repository's pnpm.overrides does not mitigate the issue for npm consumers, and how to apply a consuming-project-level overrides entry to resolve undici to 6.24.0 as a temporary workaround, with example configuration and commands.

Changes

npm audit dependency documentation

Layer / File(s) Summary
npm audit undici workaround documentation
docs/dependencies.md
New section documents the audit path via @connectrpc/connect-node@1.7.0 → undici@5.29.0, clarifies why repo-level pnpm.overrides does not fix npm resolution for consumers, and provides an overrides-based workaround (undici: 6.24.0) with example JSON configuration and reinstall/audit verification commands.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

📚 A rabbit hops through docs so bright,
Explaining audit paths and fixes right,
undici bumps make vulnerabilities flee,
With overrides neat, your packages are free!
🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'docs: document npm audit workaround' accurately summarizes the main change: adding documentation for an npm audit dependency workaround.
Linked Issues check ✅ Passed The PR satisfies issue #340 by documenting why npm consumers see the undici audit finding and providing a concrete workaround (overrides.undici = 6.24.0) with verification steps.
Out of Scope Changes check ✅ Passed The changes are limited to documentation explaining the npm audit issue and workaround, remaining fully within the scope of issue #340.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@compoodment compoodment marked this pull request as ready for review June 12, 2026 14:09

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/dependencies.md`:
- Around line 5-19: Update the paragraph to explicitly state that the
`undici@5.29.0` path is what npm consumers may see during their registry
resolution (via `@connectrpc/connect-node@1.7.0`), and that this repo itself
uses `pnpm.overrides` to resolve `undici` to `8.3.0`; reference the symbols
`@connectrpc/connect-node`, `undici@5.29.0`, `undici@8.3.0`, and
`pnpm.overrides` so readers understand the distinction between consuming
projects (npm resolution) and this repository’s pnpm install.
- Around line 39-44: Update docs/dependencies.md to cite upstream migration docs
and specify exact breaking changes: mention that Connect-ES v2 replaces
createPromiseClient with createClient and that Protobuf-ES v2 removes the
PartialMessage export, and replace “transport options changed” with the specific
transport change (e.g., removal of credentials in favor of a fetch override)
with links to the Connect-ES MIGRATING guide and Protobuf-ES v2
release/migration notes; reference the symbols createPromiseClient,
createClient, PartialMessage, and credentials/fetch in the updated text so
readers can correlate to the codebase imports and generated contracts.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0ba2381f-b982-4f1a-8d2c-85908bbd1fb1

📥 Commits

Reviewing files that changed from the base of the PR and between 96b7694 and 9df75da.

📒 Files selected for processing (1)
  • docs/dependencies.md

Comment thread docs/dependencies.md
Comment on lines +5 to +19
The npm package depends on `@connectrpc/connect-node` for the gRPC transport used
to reach the separately installed `libravdbd` service. The current Connect 1.x
line resolves `@connectrpc/connect-node@1.7.0`, which depends on `undici@5.29.0`.

Some npm consumers may therefore see `npm audit --omit=dev` report this path:

```text
@xdarkicex/openclaw-memory-libravdb
└─┬ @connectrpc/connect-node@1.7.0
└── undici@5.29.0
```

This is not fixed by the `pnpm.overrides` entry in this repository. That override
only affects this repo's own pnpm install; it does not force npm's dependency
resolution in a consuming OpenClaw project.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify that the undici@5.29.0 path is about npm consumers, not this repo’s pnpm install.

The current package/lockfile context already resolves undici to 8.3.0 via pnpm.overrides, so this reads as if the repo itself still ships the 5.29.0 chain. Please explicitly say this is the registry-resolved path seen by consuming npm projects.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/dependencies.md` around lines 5 - 19, Update the paragraph to explicitly
state that the `undici@5.29.0` path is what npm consumers may see during their
registry resolution (via `@connectrpc/connect-node@1.7.0`), and that this repo
itself uses `pnpm.overrides` to resolve `undici` to `8.3.0`; reference the
symbols `@connectrpc/connect-node`, `undici@5.29.0`, `undici@8.3.0`, and
`pnpm.overrides` so readers understand the distinction between consuming
projects (npm resolution) and this repository’s pnpm install.

Comment thread docs/dependencies.md
Comment on lines +39 to +44
Treat this as a consumer workaround, not the upstream package fix. Moving the
plugin itself to Connect 2.x is a source migration, not a one-line dependency
bump: Connect 2 removes the current `createPromiseClient` API, protobuf 2 removes
the current `PartialMessage` export used by this codebase, and transport options
changed. The durable upstream fix needs the plugin and generated contracts to
migrate across that API boundary together.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n '\bcreatePromiseClient\b|\bPartialMessage\b' .

Repository: xDarkicex/openclaw-memory-libravdb

Length of output: 3453


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show relevant doc context
sed -n '1,120p' docs/dependencies.md | nl -ba | sed -n '30,70p'
# Check current dependency versions
ls -la
if [ -f package.json ]; then
  sed -n '1,200p' package.json | nl -ba
fi
# Also check for lockfile to infer installed versions
ls -ლა package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null || true

Repository: xDarkicex/openclaw-memory-libravdb

Length of output: 121


🌐 Web query:

Connectrpc Connect 2 removes createPromiseClient API

💡 Result:

Yes, the createPromiseClient API has been removed in ConnectRPC version 2.0.0 [1]. In Connect v2, promise-based clients are now the default [2][3]. To migrate from createPromiseClient, you should replace it with the createClient function [2][3]. Example migration: Before: import { createPromiseClient } from "@connectrpc/connect-node"; createPromiseClient(ElizaService, transport); After: import { createClient } from "@connectrpc/connect-node"; createClient(ElizaService, transport); The library provides a migration tool, @connectrpc/connect-migrate, which can automatically handle this update in your codebase [2][4]. You can run it in your project root using the command: npx @connectrpc/connect-migrate

Citations:


🌐 Web query:

bufbuild protobuf v2 PartialMessage export removed

💡 Result:

In version 2.0 of Protobuf-ES (@bufbuild/protobuf), the export PartialMessage was removed as part of a significant architectural shift [1][2]. In v1, PartialMessage was used to define types for constructing messages with optional fields [3][4]. With the release of v2.0, the library moved away from generating classes for Protobuf messages in favor of generating schema objects and standard TypeScript type definitions [2][5]. Because v2 no longer generates message classes that require the complex PartialMessage utility for instantiation, the type itself is no longer part of the public API [1][2]. If you are migrating to v2.0, note the following changes: - Constructors are no longer used [2][5]. Instead, you use helper functions (such as create()) that work directly with the generated schema objects and TypeScript types [5]. - The library now generates "plain" message objects, simplifying the API compared to v1 [6][2]. - Other types, such as Well-Known Types (e.g., Timestamp), have been moved to subpath exports (e.g., @bufbuild/protobuf/wkt) [1][6]. For further guidance, consult the official Protobuf-ES v2 migration guide [6].

Citations:


🌐 Web query:

connectrpc Connect 2 transport options changed createPromiseClient replacement

💡 Result:

In Connect-ES version 2.0 and later, the createPromiseClient function has been removed [1][2]. It has been replaced by createClient, which now serves as the default method for creating clients [1][3]. Migration guidance: - You should update all call sites from createPromiseClient to createClient [1][3]. - The library provides a migration tool, npx @connectrpc/connect-migrate``, which can automatically refactor your code to use createClient [1][4]. Additionally, version 2.0 introduced changes to transport options: - The `credentials` option has been removed from transports [1][2]. - To achieve similar functionality (such as setting the `credentials` fetch option), you must now provide a `fetch` override in the transport configuration [1][3]. Example of updating the `credentials` option: // Before (v1.x) createConnectTransport({ baseUrl: "/", credentials: "include", }); // After (v2.x) createConnectTransport({ baseUrl: "/", fetch: (input, init) => fetch(input, {...init, credentials: "include" }), }); These changes are documented in the official Connect-ES migration guide [1].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show relevant doc context
sed -n '1,120p' docs/dependencies.md | nl -ba | sed -n '30,70p'
# Check current dependency versions
ls -la
if [ -f package.json ]; then
  sed -n '1,200p' package.json | nl -ba
fi
# Also check for lockfile to infer installed versions
ls -la package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null || true

Repository: xDarkicex/openclaw-memory-libravdb

Length of output: 121


🌐 Web query:

Connectrpc Connect 2 removes createPromiseClient API

💡 Result:

Yes, ConnectRPC v2.0.0 removed the createPromiseClient API [1][2]. In ConnectRPC, promise-based clients are now the default, rendering the specific createPromiseClient function unnecessary [1][3]. As part of the transition to v2.0.0, the library was refactored to streamline client creation [2]. To migrate your codebase: 1. Replace all instances of createPromiseClient with createClient [1][4]. 2. Update your imports accordingly (e.g., from @connectrpc/connect-node or other ConnectRPC packages) [1][4]. Example migration: - import { createPromiseClient } from "@connectrpc/connect-node"; + import { createClient } from "@connectrpc/connect-node"; - createPromiseClient(ElizaService, transport); + createClient(ElizaService, transport); The ConnectRPC team provided an automated migration tool, connect-migrate, which can handle these updates for you automatically [1][5]. You can run it using: npx @connectrpc/connect-migrate [5]

Citations:


🌐 Web query:

@bufbuild/protobuf protobuf v2 PartialMessage export removed

💡 Result:

In @bufbuild/protobuf version 2.0.0 and later, the PartialMessage type export was removed from the main entry point as part of a significant architectural shift that moved away from class-based message generation [1][2][3]. In version 2, Protobuf-ES no longer generates classes for messages, instead providing schema objects and simple TypeScript types [1][3]. Because of this change, several internal types and APIs were reorganized. If you are encountering issues with missing exports like PartialMessage after upgrading to v2, note the following: 1. Relocation: While PartialMessage remains a critical type for working with generated messages, you should ensure your project structure and imports align with the v2 patterns. For some users, the transition has required adjusting how they handle message types, as the library now emphasizes generated types and schema-based functions (e.g., create(UserSchema, { ... })) [1][3]. 2. Migration Guidance: The official Protobuf-ES migration guide provides detailed steps for transitioning from v1 to v2 [4][5]. Because v2 is a major breaking change, it is recommended to review the migration documentation thoroughly, as it covers the removal of classes and the new API surface [4][1]. 3. Well-Known Types: Note that other types, such as Well-Known Types (e.g., Timestamp), have also been moved to specific subpath exports (e.g., @bufbuild/protobuf/wkt) [4][2]. If you are maintaining a project that relies on older patterns or requires interoperability with both versions during a transition, consider using package aliasing in your package.json to run v1 and v2 dependencies in parallel while migrating your codebase incrementally [5].

Citations:


🌐 Web query:

connectrpc Connect 2 transport options changed createPromiseClient replacement

💡 Result:

In ConnectRPC Connect-ES v2, the key changes related to transport options and client creation are: 1) createPromiseClient was removed; use createClient instead - The Connect-ES v2 migration guide states that “createPromiseClient is removed” and that call sites should be updated to use createClient (example diff provided). [1] - The v1.6.0 discussion (which introduced/managed the rename) says promises are now default and the function was renamed from createPromiseClient to the more succinct createClient. [2] 2) Transport options changed: credentials option removed; use fetch override instead - The Connect-ES v2 MIGRATING.md says the transport option credentials (and the interceptors init option) were removed because they were used to customize fetch. It provides a replacement pattern: pass a fetch override that sets credentials. [1] 3) gRPC transport HTTP/2 requirement (Connect-ES v2) - The Connect-ES compare page highlights that “gRPC transport requires HTTP/2”. [3] - The v2.0.0 release page also notes requiring HTTP/2 for the gRPC transport. [4] What this means practically (common migration pattern) - Replace: - import { createPromiseClient } … - createPromiseClient(Service, transport) with: - import { createClient } … - createClient(Service, transport) (per the v2 migration guide). [1] - Replace transport credentials usage: - Old: createConnectTransport({ credentials: "include",... }) - New: createConnectTransport({ fetch: (input, init) => fetch(input, {...init, credentials: "include" }),... }) (per MIGRATING.md). [1] If you want, tell me which packages/transport you’re using (connect-node / connect-web / grpc / connect / grpc-web) and your current code snippet, and I’ll map it line-by-line to the v2 equivalents.

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show the exact docs section (with line numbers via awk, since nl isn't available)
awk 'NR>=30 && NR<=60 {printf "%d:%s\n", NR, $0}' docs/dependencies.md

# Inspect dependency versions
if [ -f package.json ]; then
  echo "---- package.json deps ----"
  cat package.json
fi

# If a lockfile exists, list it and extract likely version hints
for f in package-lock.json pnpm-lock.yaml yarn.lock; do
  if [ -f "$f" ]; then
    echo "---- $f (top 200 lines) ----"
    sed -n '1,200p' "$f" | head -n 200
  fi
done

Repository: xDarkicex/openclaw-memory-libravdb

Length of output: 13236


Add concrete upstream citations for the Connect/Protobuf v2 breaking-change rationale

docs/dependencies.md (39-44) aligns with the current codebase and upstream breaking changes: the repo imports/uses createPromiseClient and PartialMessage, and Connect-ES v2 removes createPromiseClient (use createClient) while Protobuf-ES v2 removes the PartialMessage export; Connect-ES v2 transport config also changes (e.g., credentials removed in favor of a fetch override). Add links/citations for these claims and replace the vague “transport options changed” wording with the specific breaking change(s) from the Connect-ES MIGRATING guide.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/dependencies.md` around lines 39 - 44, Update docs/dependencies.md to
cite upstream migration docs and specify exact breaking changes: mention that
Connect-ES v2 replaces createPromiseClient with createClient and that
Protobuf-ES v2 removes the PartialMessage export, and replace “transport options
changed” with the specific transport change (e.g., removal of credentials in
favor of a fetch override) with links to the Connect-ES MIGRATING guide and
Protobuf-ES v2 release/migration notes; reference the symbols
createPromiseClient, createClient, PartialMessage, and credentials/fetch in the
updated text so readers can correlate to the codebase imports and generated
contracts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

npm audit flags undici via @connectrpc/connect-node in latest plugin

1 participant