chore(deps): bump several dependencies (elliptic, pbkdf2, fast-xml-parser etc) and replace twit

[julio-rocketchat]

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/SB-987

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• Bug Fixes

  • Corrected Twitter integration error messaging and improved reliability of Twitter sign-in.

• Chores

  • Updated Twitter identity verification infrastructure.
  • Refreshed dependency overrides to improve security and stability.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2bac378

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6afb9b8b-7654-49b9-a9d8-4ecaf439c070

📥 Commits

Reviewing files that changed from the base of the PR and between fe51e35 and 2bac378.

📒 Files selected for processing (1)

• apps/meteor/app/lib/server/oauth/twitter.js

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: 🔨 Test Unit / Unit Tests
• GitHub Check: 🔎 Code Check / Code Lint
• GitHub Check: 🔨 Test Storybook / Test Storybook
• GitHub Check: 🔎 Code Check / TypeScript
• GitHub Check: 📦 Meteor Build (coverage)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/lib/server/oauth/twitter.js

🧠 Learnings (3)

📓 Common learnings

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.

Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.

📚 Learning: 2026-04-23T18:10:55.887Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 39857
File: apps/meteor/app/api/server/middlewares/metrics.ts:25-57
Timestamp: 2026-04-23T18:10:55.887Z
Learning: In RocketChat/Rocket.Chat, the route handler action wrapper in `apps/meteor/app/api/server/ApiClass.ts` (around line 892) contains a `catch` block that intercepts all route-handler errors and converts them into proper HTTP API response objects (e.g., `api.failure`, `api.unauthorized`, `api.tooManyRequests`). As a result, `next()` in Hono middleware (such as `metricsMiddleware` in `apps/meteor/app/api/server/middlewares/metrics.ts`) will never throw. Do not flag missing try/finally guards around `await next()` calls in this middleware for gauge/counter decrement safety, as the execution flow is never disrupted by route-level errors.

Applied to files:

• apps/meteor/app/lib/server/oauth/twitter.js

📚 Learning: 2026-04-20T17:11:59.452Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40225
File: apps/meteor/ee/server/apps/communication/endpoints/appLogsHandler.ts:55-71
Timestamp: 2026-04-20T17:11:59.452Z
Learning: In `apps/meteor/ee/server/apps/communication/endpoints/appLogsHandler.ts`, the concern about an empty `?appId=` query param bypassing the truthy check and overriding the path `appId` in the `makeAppLogsQuery` spread is not relevant. The AJV query schema (`isAppLogsProps`) validates and rejects invalid/empty `appId` values before the action handler is reached, making the in-handler guard sufficient as-is. Do not flag this pattern as a vulnerability in future reviews of this file.

Applied to files:

• apps/meteor/app/lib/server/oauth/twitter.js

🪛 Biome (2.4.12)

apps/meteor/app/lib/server/oauth/twitter.js

[error] 2-2: Illegal use of an import declaration outside of a module

(parse)

---

[error] 3-3: Illegal use of an import declaration outside of a module

(parse)

---

[error] 5-5: Illegal use of an import declaration outside of a module

(parse)

🔇 Additional comments (1)

apps/meteor/app/lib/server/oauth/twitter.js (1)

9-23: LGTM on the twit → twitter-api-v2 migration.

Constructor options (appKey, appSecret, accessToken, accessSecret) match the library's expected shape, await on verifyCredentials is now in place so the catch block is reachable, and the error metadata now prefers the parsed err.data payload with a fallback. The downstream _.pick(identity, whitelistedFields) on line 44 continues to work since v1.verifyCredentials({ include_email: true }) returns the same snake_case v1.1 user fields (id, name, description, profile_image_url[_https], email) the previous twit response provided.

Worth a quick smoke test against a real Twitter/X app to confirm the identity payload still populates email (requires the Twitter app to have the "Request email from users" permission enabled) and that serviceData ends up with the expected fields after _.pick.

---

Walkthrough

The Twitter OAuth integration is migrated from twit to twitter-api-v2, updating client initialization and credential verification. Root package.json resolutions are adjusted to pin crypto-related packages and modify fast-xml-parser overrides.

Changes

Cohort / File(s)	Summary
Twitter OAuth Library Migration apps/meteor/app/lib/server/oauth/twitter.js, apps/meteor/package.json	Replaces twit with twitter-api-v2; constructs TwitterApi with OAuth creds and calls client.v1.verifyCredentials({ include_email: true }); returns identity payload and fixes error message typo and error metadata field.
Dependency Resolution Updates package.json	Updates resolutions: pins pbkdf2 and elliptic versions and adjusts fast-xml-parser overrides for is-svg and webdav to 5.5.11, removing prior ^4.x range redirects.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: chore, area: authentication

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: dependency bumps (elliptic, pbkdf2, fast-xml-parser) and replacing the twit package with twitter-api-v2.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (2)

• SB-987: Request failed with status code 401
• DEPS-2: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/app/lib/server/oauth/twitter.js`:
- Around line 16-22: The try/catch in getIdentity is ineffective because
client.v1.verifyCredentials is returned without awaiting it; change the code in
getIdentity to await client.v1.verifyCredentials(...) inside the try so
rejections are caught, and when rethrowing wrap the error with a new
Error("Failed to fetch identity from Twitter. ...") that includes both
err.message and propagate the Twitter error payload by attaching err.data
(fallback to err.response if data is missing) to the thrown object so callers
get the wrapped message and the parsed Twitter error data.

In `@package.json`:
- Around line 42-45: The package override pins "browserify-sign/elliptic" and
"create-ecdh/elliptic" to elliptic@6.6.1 which is vulnerable to CVE-2025-14505;
update package.json to remove or replace these elliptic overrides and migrate
any code paths using the elliptic API (e.g., browserify-sign integration or
createECDH usage) to a maintained library such as noble-curves (or another
vetted ECDSA/ECDH implementation). Locate uses of elliptic-based APIs in your
codebase (areas that call ECDSA signing/verification or createECDH flows) and
refactor them to the chosen library’s APIs, update tests, and then update
package.json dependency entries (or lockfile overrides) to reference the new
library instead of "browserify-sign/elliptic" and "create-ecdh/elliptic". Ensure
all signature generation/verification and key derivation code paths are covered
by tests before removing the elliptic overrides.
- Around line 48-50: The package.json override for "fast-xml-parser@npm:5.3.6":
"^5.5.7" is resolving to 5.6.0 in the lockfile—confirm whether 5.6.0 is
acceptable and either tighten the override to a specific patch (e.g., 5.5.7) or
update it to explicitly allow 5.6.x; also update the accompanying note about API
compatibility to reflect that fast-xml-parser v5 keeps XMLParser
backward-compatible with v4 (the breaking change was splitting XMLBuilder into a
separate package in v5.4.0+), and mention that is-svg and webdav use XMLParser
so they do not require migration (refer to the override keys
"fast-xml-parser@npm:5.3.6": "^5.5.7", "is-svg/fast-xml-parser", and
"webdav/fast-xml-parser" when making the change).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b2719237-0aa1-4c3c-bad7-aa8faa2bd31d

📥 Commits

Reviewing files that changed from the base of the PR and between 6f55701 and fe51e35.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (3)

• apps/meteor/app/lib/server/oauth/twitter.js
• apps/meteor/package.json
• package.json

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/lib/server/oauth/twitter.js

🧠 Learnings (5)

📓 Common learnings

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.

Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.

📚 Learning: 2026-02-25T20:10:16.987Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38913
File: packages/ddp-client/src/legacy/types/SDKLegacy.ts:34-34
Timestamp: 2026-02-25T20:10:16.987Z
Learning: In the RocketChat/Rocket.Chat monorepo, packages/ddp-client and apps/meteor do not use TypeScript project references. Module augmentations in apps/meteor (e.g., declare module 'rocket.chat/rest-typings') are not visible when compiling packages/ddp-client in isolation, which is why legacy SDK methods that depend on OperationResult types for OpenAPI-migrated endpoints must remain commented out.

Applied to files:

• apps/meteor/package.json

📚 Learning: 2026-02-24T19:09:09.561Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.

Applied to files:

• apps/meteor/package.json

📚 Learning: 2026-02-24T19:05:56.710Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.

Applied to files:

• package.json

📚 Learning: 2026-02-24T19:05:56.710Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.

Applied to files:

• package.json

🪛 Biome (2.4.12)

apps/meteor/app/lib/server/oauth/twitter.js

[error] 2-2: Illegal use of an import declaration outside of a module

(parse)

---

[error] 3-3: Illegal use of an import declaration outside of a module

(parse)

---

[error] 5-5: Illegal use of an import declaration outside of a module

(parse)

🔇 Additional comments (2)

apps/meteor/package.json (1)

302-302: LGTM — dependency swap aligns with the OAuth implementation change.

twit has been deprecated/unmaintained for years; moving to twitter-api-v2 is a good call. The addition matches the only remaining consumer at apps/meteor/app/lib/server/oauth/twitter.js.

apps/meteor/app/lib/server/oauth/twitter.js (1)

9-15: Field mapping and return type usage are correct.

The accessSecret field name is correct for the TwitterApi constructor (mapping from the accessTokenSecret parameter), and client.v1.verifyCredentials() returns the user object directly as expected for the downstream usage at lines 44 and 51.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.80%. Comparing base (6f55701) to head (2bac378).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40294      +/-   ##
===========================================
- Coverage    69.82%   69.80%   -0.03%     
===========================================
  Files         3296     3296              
  Lines       119173   119173              
  Branches     21516    21454      -62     
===========================================
- Hits         83213    83188      -25     
- Misses       32662    32674      +12     
- Partials      3298     3311      +13     

Flag	Coverage Δ
e2e	59.68% <ø> (-0.12%)	⬇️
e2e-api	46.23% <ø> (+0.01%)	⬆️
unit	70.57% <ø> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[julio-rocketchat]

/backport 8.4.1

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.4.1-40294
git cherry-pick 72fb0bd6a69760570dfe65f381659bad864e7ada
// solve the conflict
git push

after that just run /backport 8.4.1 again

[julio-rocketchat]

/backport 8.4.1

[dionisio-bot]

Pull request #40371 added to Project: "Patch 8.4.1"

[julio-rocketchat]

/backport 8.3.3

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.3.3-40294
git cherry-pick 72fb0bd6a69760570dfe65f381659bad864e7ada
// solve the conflict
git push

after that just run /backport 8.3.3 again

[julio-rocketchat]

/backport 8.3.3

[dionisio-bot]

Pull request #40386 added to Project: "Patch 8.3.3"