chore!: remove the legacy @cipherstash/drizzle package#667
Conversation
@cipherstash/protect is sunsetting at Stack 1.0, and this package — its Drizzle integration, a ~645-line-diverged fork of what became @cipherstash/stack-drizzle — has been in maintenance-by-attrition since the adapter split. Keeping it on the release train meant republishing known-buggy code every rc (#426 rides along unreviewed at 3.0.4-rc.1) and, worse, leaving a plausible-looking `npm install @cipherstash/drizzle` that silently binds new users (and LLM assistants) to the predecessor SDK at exactly the moment 1.0 makes @cipherstash/stack-drizzle the real name — the same stale-package hazard class as #661. Removal scope: - delete packages/drizzle (git history preserves the source for emergency maintenance of already-published versions; npm keeps 3.0.3 installable) - drop it from the changesets pre-release state (pre.json initialVersions + consumed-changeset entry) and delete the pending changeset that only targeted it, so `changeset version` keeps working - remove its CI steps (tests.yml .env scaffolds ×2, Bun test-loop entry), the rebuild-docs tag trigger, and the e2e workspace dep - keep the meta files honest (AGENTS.md layout, SECURITY.md package table) - state the deprecation explicitly in the stash-drizzle skill and the stack-drizzle README so nobody installs the legacy package by mistake npm-side deprecation (`npm deprecate @cipherstash/drizzle ...`) is a registry operation done separately by an owner. Claude-Session: https://claude.ai/code/session_01MxTTPaPP16m6br7Hoab94w
🦋 Changeset detectedLatest commit: c6915f0 The changes in this PR will be included in the next version bump. This PR includes changesets to release 5 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (36)
📝 WalkthroughWalkthroughThe legacy ChangesLegacy Drizzle retirement
Estimated code review effort: 3 (Moderate) | ~20 minutes Possibly related PRs
Suggested reviewers: ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…e runner matrix The package-managers suite iterates a BIN map that still listed packages/drizzle's generate-eql-migration.js — removed with the package in the previous commit, so its 4 per-pm help-text tests failed on Cannot find module. Delete the map entry (the suite derives its tests from the map, so the tests go with it). Claude-Session: https://claude.ai/code/session_01MxTTPaPP16m6br7Hoab94w
There was a problem hiding this comment.
Pull request overview
This PR removes the legacy @cipherstash/drizzle (Protect.js / EQL v2) package from the monorepo and release train to reduce maintenance cost and avoid the “wrong package name” hazard, while updating documentation, CI, e2e scaffolding, and Changesets/pre-release metadata to match.
Changes:
- Deleted
packages/drizzle(package sources, tests, bin, and docs) and removed its workspace dependency usage. - Updated user-facing guidance (
stash-drizzleskill +@cipherstash/stack-drizzleREADME), plus meta/security docs, to steer users away from the legacy package. - Adjusted CI/workflows, e2e package deps, lockfile, and
.changeset/pre.jsonto keep release/CI consistent after removal.
Reviewed changes
Copilot reviewed 34 out of 37 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| skills/stash-drizzle/SKILL.md | Adds explicit deprecation guidance for the legacy Drizzle package. |
| SECURITY.md | Removes legacy package from “Supported Packages” list. |
| pnpm-lock.yaml | Regenerates lockfile after removing the workspace package and deps. |
| packages/stack-drizzle/README.md | Adds deprecation guidance to prevent installing the legacy package. |
| packages/drizzle/vitest.config.ts | Deleted as part of removing the legacy package. |
| packages/drizzle/tsup.config.ts | Deleted as part of removing the legacy package. |
| packages/drizzle/tsconfig.json | Deleted as part of removing the legacy package. |
| packages/drizzle/src/pg/schema-extraction.ts | Deleted legacy schema extraction implementation. |
| packages/drizzle/src/pg/operators.ts | Deleted legacy Protect-aware Drizzle operators implementation. |
| packages/drizzle/src/pg/index.ts | Deleted legacy Drizzle integration entrypoint. |
| packages/drizzle/src/bin/runner.ts | Deleted legacy CLI runner-detection helper. |
| packages/drizzle/src/bin/generate-eql-migration.ts | Deleted legacy generate-eql-migration bin implementation. |
| packages/drizzle/README.md | Deleted legacy package README. |
| packages/drizzle/package.json | Deleted legacy package manifest / publish config. |
| packages/drizzle/GENERATE_EQL_MIGRATION_CLI.md | Deleted legacy CLI docs. |
| packages/drizzle/CHANGELOG.md | Deleted legacy package changelog. |
| packages/drizzle/.npmignore | Deleted legacy npmignore. |
| packages/drizzle/tests/utils/markdown-parser.ts | Deleted legacy package test utility. |
| packages/drizzle/tests/utils/markdown-parser.test.ts | Deleted legacy package tests. |
| packages/drizzle/tests/utils/code-executor.ts | Deleted legacy package test utility. |
| packages/drizzle/tests/utils/code-executor.test.ts | Deleted legacy package tests. |
| packages/drizzle/tests/test-utils.ts | Deleted legacy package tests helpers. |
| packages/drizzle/tests/schema-extraction.test.ts | Deleted legacy schema extraction tests. |
| packages/drizzle/tests/operators.test.ts | Deleted legacy operators tests. |
| packages/drizzle/tests/operators-jsonb.test.ts | Deleted legacy JSONB operator tests. |
| packages/drizzle/tests/integration-test-helpers.ts | Deleted legacy integration test helpers. |
| packages/drizzle/tests/fixtures/user-seed-data.ts | Deleted legacy fixture data. |
| packages/drizzle/tests/fixtures/doc-seed-data.ts | Deleted legacy fixture data. |
| packages/drizzle/tests/drizzle.test.ts | Deleted legacy DB integration test suite. |
| e2e/tests/package-managers.e2e.test.ts | Removes references to the deleted legacy generate-eql-migration bin. |
| e2e/package.json | Drops workspace dependency on @cipherstash/drizzle. |
| AGENTS.md | Updates repo layout to remove packages/drizzle. |
| .github/workflows/tests.yml | Removes packages/drizzle env scaffolding and Bun test-loop entry. |
| .github/workflows/rebuild-docs.yml | Removes tag trigger for @cipherstash/drizzle@*. |
| .changeset/remove-legacy-drizzle-package.md | Adds a Changeset documenting removal/deprecation guidance updates. |
| .changeset/pre.json | Removes @cipherstash/drizzle pre-release metadata/consumed entry. |
| .changeset/drizzle-legacy-readme-pointer.md | Deletes a pending changeset that only targeted the removed package. |
Files not reviewed (1)
- pnpm-lock.yaml: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Why
@cipherstash/protectis sunsetting at Stack 1.0 (confirmed), and@cipherstash/drizzleis its Drizzle integration — a ~645-line-diverged fork of what became@cipherstash/stack-drizzle, in maintenance-by-attrition since the adapter split. Keeping it on the release train has two live costs:3.0.4-rc.1just shipped with perf: legacy @cipherstash/drizzle has the same bare-equality bug as @cipherstash/stack/drizzle #426 (bare-equality bypasses hmac functional indexes) still open against it.npm install @cipherstash/drizzlelooks like the obvious command, works, and silently binds new users (and LLM assistants) to the predecessor SDK. It currently out-downloads its successor (~341/wk vs ~204/wk forstack-drizzle). Same stale-package hazard class as npm dist-tags deliver broken/stale packages: adapters' latest=0.0.0, stack latest=0.19.0; stash init installs unpinned #661, which the skilltester evals demonstrated end-to-end.What
packages/drizzle. Git history is the maintenance branch if an already-published version ever needs an emergency patch; npm keeps3.0.3installable forever.pre.jsoninitialVersions+ consumed-changeset entries and deleted the pending changeset that only targeted it;pnpm changeset statusverified clean, so the rc.2Version Packagesrun won't trip on a missing package.tests.yml.envscaffold steps, the Bun test-loop entry, and therebuild-docs.ymltag trigger (the@cipherstash/protect@*trigger stays while protect is still published).workspace:*dep; lockfile regenerated.AGENTS.mdRepository Layout and theSECURITY.mdpackage table updated.skills/stash-drizzle/SKILL.mdand the@cipherstash/stack-drizzleREADME now say the legacy package is deprecated and not to install it. Changeset:stash+@cipherstash/stack-drizzlepatch (both ship these docs).Verified
pnpm installclean;pnpm changeset statusresolves (stash, stack-drizzle + internal-dep patches);@cipherstash/stack-drizzlebuilds.pnpm run code:checkreports 4 pre-existing errors on main (inexamples/prisma/e2e/tests, all biome-FIXABLE) — reproduced identically with this diff stashed, so not from this PR; flagging for a separate quick fix.After merge (registry ops, npm owner)
npm deprecate @cipherstash/drizzle "Deprecated: @cipherstash/protect is sunsetting at Stack 1.0. Use @cipherstash/stack-drizzle with @cipherstash/stack."https://claude.ai/code/session_01MxTTPaPP16m6br7Hoab94w
Summary by CodeRabbit
@cipherstash/drizzlepackage and its migration CLI.@cipherstash/stack-drizzle/v3for new projects.