Skip to content

more upgrades: fetch migration, vitest 4, socketcluster v20#204

Merged
JoshuaVSherman merged 4 commits intodevfrom
more-upgrades
May 1, 2026
Merged

more upgrades: fetch migration, vitest 4, socketcluster v20#204
JoshuaVSherman merged 4 commits intodevfrom
more-upgrades

Conversation

@JoshuaVSherman
Copy link
Copy Markdown
Contributor

@JoshuaVSherman JoshuaVSherman commented May 1, 2026
edited
Loading

Summary

Continues the more-upgrades track from the prior PR (#202, node-24-esm). Brings the runtime/test/socketcluster stacks current, drops superagent for native fetch, and aligns with web-jam-back PRs from yesterday.

Major bumps

Package From To Notes
node engine 22.13.1 24.15.0 .nvmrc
express 4.21.2 5.2.1 catch-all SPA route changed '*' -> '/*splat' (path-to-regexp 8 dropped bare *)
@types/express 4 5 aligned with express 5; moved to devDependencies
mongoose 8.9.5 9.6.1
socketcluster-server 17.4.1 20.0.0 aligned with socketcluster-client@20 (already on dev)
@types/socketcluster-server 17.3.0 20.0.0
eetase 5 7 socketcluster ecosystem
consumable-stream 2 3 socketcluster ecosystem
sc-errors 2 3 socketcluster ecosystem
vitest 3.2.4 4.1.5 poolOptions.forks -> top-level forks (vitest 4 flattened)
@vitest/coverage-v8 3.2.4 4.1.5
cross-env 7 10
supports-color 9 10
serve-static 1 2

Code changes

  • src/AgController/index.ts - dropped superagent import + field; backend user lookup now uses Node 24 native fetch with Accept / Authorization headers, manual res.ok check, and JSON parse. Response shape changed user.body.userType -> user.userType. Mirrors web-jam-back#742.
  • test/AgController/index.spec.ts - three newTour tests now stub the global fetch via vi.stubGlobal (with afterEach vi.unstubAllGlobals) instead of patching agController.superagent.get chained .set().set().
  • src/lib/routeUtils.ts - express 5 catch-all wildcard syntax: app.get('*', ...) -> app.get('/*splat', ...).
  • vitest.config.ts - moved poolOptions.forks to top-level forks (deprecation in vitest 4).
  • package.json - removed superagent and @types/superagent.
  • README.md - added a "Local smoke testing" section documenting the two-terminal workflow (web-jam-back + WebJamSocketCluster) for pre-merge verification, since there's no hosted dev env.

Verification

  • npm test (eslint + vitest): 66 passed / 66.
  • npm run test:prod (clean install --omit=dev + smoke-start.mjs): OK - server stayed up 5s on port 8888.
  • npx tsc --noEmit: clean.

Known issues / intentionally skipped

  • 3 moderate npm audit vulns chain through socketcluster-client@20 -> uuid@8.3.2. socketcluster-client@20 is the latest release and no version pulls uuid >= 14, so this is not actionable from our side - the audit's recommended downgrade to client@9 would be a regression. (A scheduled remote agent will recheck in 30 days.)
  • @types/node 25 skipped - engine pins Node 24, so 24.x types are correct.
  • Pre-existing mongoose deprecation warning (findOneAndUpdate({ new: true }) -> { returnDocument: 'after' }) - not introduced here, cosmetic; could be cleaned up in a separate PR.

Test plan

  • CircleCI passes (lint, unit, smoke-start).
  • Local two-terminal smoke before merging to master (see README "Local smoke testing").

Generated with Claude Code

JoshuaVSherman and others added 4 commits April 30, 2026 19:14
@JoshuaVSherman
apply upgrades that are breaking
a379413
@JoshuaVSherman @claude
P0: replace superagent with native fetch, fix express 5 wildcard route
6e2e734 
- src/AgController/index.ts: drop superagent import + field; call backend
  user lookup via Node 24 fetch with Accept/Authorization headers; check
  res.ok and parse JSON. user.body.userType -> user.userType.
- test/AgController/index.spec.ts: stub global fetch via vi.stubGlobal
  (with afterEach unstubAllGlobals) instead of patching agController
  .superagent.get chained .set().set() in three newTour tests.
- src/lib/routeUtils.ts: express 5 / path-to-regexp 8 dropped bare '*';
  catch-all SPA route is now '/*splat'.
- package.json: bump @types/express ^4 -> ^5 to match express ^5.2.1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@JoshuaVSherman @claude
P1: bump vitest 3 -> 4 and migrate poolOptions
f150611 
- vitest 3.2.4 -> 4.1.5, @vitest/coverage-v8 3.2.4 -> 4.1.5
- vitest.config.ts: pool 'forks' kept, but poolOptions.forks moved to
  top-level 'forks' (vitest 4 flattened poolOptions; old key emits a
  deprecation warning).

All 66 tests pass. The 3 moderate npm-audit vulns still chain through
socketcluster-client -> uuid; they will resolve in P2 once
socketcluster-server is aligned to 20.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@JoshuaVSherman @claude
P2: bump CLI deps and align socketcluster ecosystem to v20
22e8fb0 
CLI / utility deps:
- cross-env 7 -> 10
- supports-color 9 -> 10
- serve-static 1 -> 2

SocketCluster ecosystem (aligning server with already-bumped client@20):
- socketcluster-server 17 -> 20
- @types/socketcluster-server 17 -> 20
- eetase 5 -> 7
- consumable-stream 2 -> 3
- sc-errors 2 -> 3

Verified: 66 unit tests pass, prod smoke (test:prod) passes (server up
5s on port 8888). Skipped @types/node 25 since engine pins Node 24.

Known: 3 moderate npm-audit vulns persist via socketcluster-client@20
-> uuid@8.3.2. socketcluster-client@20 is the latest release; no
upstream version pulls uuid >=14, so this is not actionable from our
side (the audit's recommended downgrade to client@9 would be a
regression).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@JoshuaVSherman JoshuaVSherman merged commit 6790738 into dev May 1, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JoshuaVSherman