refactor(app): collapse *WithDeps injection pattern #51
Merged
The `overrides.next.postcss` rule was correct, but the old lockfile retained a nested `node_modules/next/node_modules/postcss@8.4.31` because `npm install --package-lock-only` would not drop the cached entry. A clean install hoists postcss to a single `8.5.14` and removes the nested copy.
Fixes Scorecard alert #8 / GHSA-qx2v-qp2m-jg93 (PostCSS XSS via unescaped `</style>` in CSS Stringify Output, <8.5.10).
Verified:
- npm audit: 0 vulnerabilities
- npm ls postcss: no nested copy under node_modules/next/

Audit prep for the public-repo flip:
- Remove `GO-LIVE-CHECKLIST.md` from the tree. The file is internal pre-launch working notes (phase plans, decision logs, audit findings with commit SHAs). The local copy is preserved under `.planning/`, which is already gitignored.
- Scrub two `CHANGELOG.md` lines that named "internal planning docs" and "internal vision doc" — those phrases advertise the existence of private artifacts the public repo doesn't contain.
- Tighten `CLAUDE.md` and `AGENTS.md` so the `.planning/` callout no longer enumerates its contents (was: "vision, roadmap, competitive analysis, threat model"). The directory is still flagged as gitignored-local-only so AI agents know not to commit anything there.
No behavior change; documentation hygiene only.

The `docs/` workspace migrated to Fumadocs (`fumadocs-core` / `fumadocs-mdx` / `fumadocs-ui`) some time ago, but four committed files still advertised the old framework:
- `README.md` "Built With" badge
- `CLAUDE.md` and `AGENTS.md` workspace blurb
- `.gitignore` comment explaining the static-export copy step
- `docs/globals.d.ts` ambient-CSS comment referencing `nextra-theme-docs`
CHANGELOG entries for past releases keep the "Nextra" wording because that was true at the time and the changelog is a historical record. No behavior change.

…ponent
The asciinema-based hero demo was superseded by `website/src/components/cli-demo.tsx`, an animated React component that simulates the same CLI output. Removing the now-orphaned script + cast + preview page so nothing in the build references them.
- delete `scripts/asciinema-demo.sh` (recording helper for the cast)
- delete `website/public/sockguard-demo.cast` (the recorded asciinema cast)
- delete `website/public/asciinema-preview.html` (preview surface for the cast)
- rephrase the lingering asciinema comment in `cli-demo.tsx`

…kages
Replace four injection-struct families with package-level var hooks (filter, testcert, proxy) or direct function parameters (clientacl, ownership):
- filter: var regexpCompileHook = regexp.Compile; tests swap via t.Cleanup
- testcert: 12 var *Hook vars replacing bundleDeps/certDeps/bundleWriteDeps/writePEMDeps; restoreTestcertHooks(t) helper
- proxy/hijack: 5 var *Hook vars + restoreHijackHooks(t) helper
- clientacl: middlewareWithDeps takes resolveClient func directly (no struct)
- ownership: middlewareWithDeps/allowOwnershipRequest/checkOwnedResource take inspectResource+inspectExec funcs directly
- visibility: inline dockerclient call replaces newVisibilityDeps() struct
No public API change. All 20 packages pass.

…nels Extract the unix-socket http.Client construction (previously duplicated in ownership, clientacl, and visibility) into internal/dockerclient. Used by the preceding refactor commit that collapsed the *WithDeps pattern.
… git repos When the pre-push hook runs npm test, git commands in the release-next-version integration tests inherit the hook's GIT_DIR env var, causing them to operate on the main repository instead of the isolated temp git repos. This corrupts repository-local config (user.name, user.email) and appends test commits to the current branch. Fix by clearing GIT_DIR and GIT_WORK_TREE from the environment before each git call in the test helper.
…release test Extend the isolation fix to cover spawnSync calls (the script-under-test) in addition to the git() helper. Also switch from delete-after-copy to a filter approach so the env object never contains the stripped keys.
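
The environment isolation described in the last two commit messages, as an added example (not the project's test helper): a filter that builds the child environment without the repository-pinning variables, used for both git calls and the script under test. It goes beyond the two variables named there by also stripping a subset of the other variables listed by `git rev-parse --local-env-vars`; all function names and the sample environment are constructed for illustration.

```javascript
// Added example; function and constant names are hypothetical.
// Repository-local variables that git exports to hooks. GIT_DIR and
// GIT_WORK_TREE are the two named above; the others are a subset of what
// `git rev-parse --local-env-vars` lists (stripping them is an assumption).
const REPO_LOCAL_VARS = new Set([
  'GIT_DIR', 'GIT_WORK_TREE', 'GIT_INDEX_FILE', 'GIT_OBJECT_DIRECTORY',
  'GIT_ALTERNATE_OBJECT_DIRECTORIES', 'GIT_COMMON_DIR', 'GIT_PREFIX',
]);

// Windows environment names are case-insensitive, so compare upper-cased.
const isRepoLocal = (name) => REPO_LOCAL_VARS.has(name.toUpperCase());

// Names of inherited variables that would redirect git to another repository.
// Useful as a guard assertion at the top of an integration test.
function leakedVars(env = process.env) {
  return Object.keys(env).filter(isRepoLocal);
}

// Filter approach: build a new object that never contains the stripped keys,
// instead of copying the environment and deleting from the copy.
function isolatedGitEnv(env = process.env) {
  return Object.fromEntries(
    Object.entries(env).filter(([name]) => !isRepoLocal(name)),
  );
}

// Run git (or the script under test) in `cwd` with the filtered environment,
// so repository discovery starts from `cwd` and not from the hook's GIT_DIR.
// Dynamic import keeps the block usable from both CommonJS and ES modules.
async function runIsolated(cwd, command, args, env = process.env) {
  const { spawnSync } = await import('node:child_process');
  return spawnSync(command, args, {
    cwd,
    env: isolatedGitEnv(env),
    encoding: 'utf8',
  });
}

// Constructed sample of an environment inherited from a pre-push hook.
const sampleHookEnv = {
  PATH: '/usr/bin:/bin',
  GIT_DIR: '/home/dev/project/.git',
  GIT_WORK_TREE: '/home/dev/project',
  GIT_INDEX_FILE: '.git/index',
  GIT_AUTHOR_NAME: 'Test Author',
  Git_Prefix: 'scripts/',
};
```

Identity variables such as `GIT_AUTHOR_NAME` pass through untouched, since they do not select which repository git operates on.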
biggest-littlest (Member) approved these changes on May 12, 2026 and left a comment:
lgtm — batch-merging release-process fix + refactors
Summary

- … `ruleDeps`, `bundleDeps`/`certDeps`/`bundleWriteDeps`/`writePEMDeps`, `hijackDeps`, `aclDeps`, `ownerDeps`) with package-level `var <name>Hook = <realImpl>` declarations (filter, testcert, proxy) or direct function parameters (clientacl, ownership, visibility).
- `internal/dockerclient` package consolidating the unix-socket `*http.Client` construction that was previously duplicated in three middlewares.
- `release-next-version.test.mjs` integration tests inherited `GIT_DIR`/`GIT_WORK_TREE` from the pre-push hook environment, causing git operations to corrupt the host repository instead of running in the isolated temp repos.

What changed

| Package | Before | After |
| --- | --- | --- |
| `internal/filter` | `ruleDeps` struct + `newRuleDeps()` | `var regexpCompileHook = regexp.Compile` |
| `internal/testcert` | | `var *Hook` vars; `restoreTestcertHooks(t)` helper |
| `internal/proxy` | `hijackDeps` struct + `newHijackDeps()` | `var *Hook` vars; `restoreHijackHooks(t)` helper |
| `internal/clientacl` | `aclDeps` struct | `resolveClient func(...)` direct param |
| `internal/ownership` | `ownerDeps` struct | `inspectResource` + `inspectExec` direct params |
| `internal/visibility` | `visibilityDeps` struct | `dockerclient.New(...)` inline |

No public API change. All 20 packages pass `go test ./...`.

Test plan

- `go test ./...` passes (verified locally — all 20 packages)
- `golangci-lint run` passes (verified locally — 0 issues)