mega spring clean#1897
Merged
ran npm audit fix (no force, semver-safe only) which deduped a lot of the lockfile. added overrides for transitive deps where the direct parent hasn't shipped a fixed version: cookie, ws, nanoid, uuid (allowing v9 or v11), tmp, elliptic, serialize-javascript. takes us from 103 to 56 npm audit vulns. build + unit tests pass.
svelte 5 mounts the new {#key} block element and re-runs the
bind:this effect before the old element's outro fires onoutrostart,
so updateContainerHeight() ran while transitioning was still false
and wrapperHeight snapped to the new value instead of tweening.
set-cookie-parser was bumped 2.7.2 -> 3.1.0 transitively via sveltekit in this PR. its parseString now returns Cookie | null (null on empty / invalid input).
Pull request overview
This PR combines dependency security maintenance (npm audit cleanup) with targeted fixes for Svelte 5.55 behavioral changes that affected step transitions and deferred transaction callbacks in several flow steps.
Changes:
- Added `package.json` `overrides` to force patched versions of vulnerable transitive dependencies.
- Updated multiple flow step components to snapshot `$derived` values before dispatching transactions, preventing post-unmount inert/sentinel reads.
- Adjusted the stepper's height-transition logic to correctly tween between steps under Svelte 5.55's `{#key}` mount/outro ordering.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/lib/flows/edit-stream-flow/enter-new-details.svelte | Snapshots derived values before dispatch so before: doesn’t read inert $derived values after unmount. |
| src/lib/flows/edit-project-metadata/steps/set-new-metadata.svelte | Snapshots $projectDataWritable value at submit time to avoid post-unmount derived/store access issues. |
| src/lib/flows/create-stream-flow/input-details.svelte | Snapshots derived scheduling/amount values before dispatch to keep before: stable after unmount. |
| src/lib/flows/claim-project-flow/steps/set-splits-and-emit-metadata/set-splits-and-emit-metadata.svelte | Removes a derived capture and reads required context value directly inside the deferred query call. |
| src/lib/components/stepper/stepper.svelte | Prevents wrapper height snapping by detecting step element rebinds and forcing transitioning=true at the right moment. |
| package.json | Adds npm overrides for patched versions of vulnerable transitive dependencies. |
- star-rating radiogroup needed an explicit tabindex
- tag preview img alt was redundant ('image preview' on an <img>)
- ecosystem graph card has touch handlers but no semantic role; the
div is just a wrapper, suppress with svelte-ignore
two things in here.
1. npm audit cleanup
ran `npm audit fix` (no `--force`, semver-compatible only) which also did a hefty lockfile dedupe. added an `overrides` block in package.json to force safe versions of transitive deps where the direct parent hasn't shipped a fix yet:
takes `npm audit` from 103 → 51. once dependabot rescans, the remaining alerts on github should be the residual set we'll need to either bump majors for or dismiss as not-applicable (e.g. hardhat tree pulled in by eas-sdk that never runs at runtime, axios via @pinata/sdk which we only call server-side w/ trusted urls).
lockfile shrinks dramatically because old transitive paths (e.g. `@ethersproject/*` v5 packages, jest-related stuff, old @babel syntax plugins) are no longer required by anything in the tree.
2. svelte 5.55 fallout fixes
within-`^` version bumps that npm audit fix took included svelte 5.45.2 → 5.55.5 and bits-ui 2.16.3 → 2.18.0. svelte 5.55 changed two things that we were depending on without realising:
stepper height transition (`stepper.svelte`)
in the new svelte, `{#key}` mounts the new element and re-runs the `bind:this` effect before the old element's `onoutrostart` fires. so `updateContainerHeight()` ran with `transitioning === false` and snapped wrapperHeight instantly instead of tweening. fix: track a `lastStepElement` and flip `transitioning = true` ourselves only when the bound element actually changes (not on every effect re-run, which would loop because `updateContainerHeight` reads `transitioning`).
`$derived` reads from destroyed components
svelte 5.55 returns an inert `Symbol()` sentinel when you read a `$derived` belonging to a now-destroyed effect (with a `derived_inert` warning) — older 5.x versions silently returned the stale cached value. several of our flows had a `$derived` declared at component scope and captured by closure inside a function passed to `makeTransactPayload`'s `before:`, which runs after the step component is unmounted (because `TransactStep` has already replaced it). post-bump those reads return `undefined` and tx flows break (e.g. claim project sent a graphql query without its required `projectUrl` variable).
audited every `*.svelte` under `src/lib/flows/` for the pattern. fixed 4:
testing notes
build + 86 unit tests pass. manual testing on staging confirmed: claim project tx flow works, stepper height transitions correctly between steps and stays static for in-step content height changes.
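The "`$derived` read from a destroyed component" failure described in the PR, and the snapshot fix applied to the flow steps, reduced to a plain-JS model. This is an added example, not Svelte's code or the project's: the `Symbol` sentinel, the component and payload shapes, `createStepComponent`, `runTransact` and `requireVariables` are assumptions standing in for Svelte 5.55's `derived_inert` behaviour, for `TransactStep` unmounting the step before `makeTransactPayload`'s `before:` runs, and for a GraphQL client rejecting a missing required variable.

```javascript
// Added example (not Svelte's or the project's code): models a derived value
// that becomes inert once its owning component is destroyed, and contrasts a
// closure that reads it late with a snapshot taken before dispatch.
const INERT = Symbol('derived_inert'); // assumed stand-in for Svelte's inert sentinel

// A step component owning one derived value. After destroy(), reading the
// derived returns the sentinel rather than the last cached value.
function createStepComponent(projectUrl) {
  let destroyed = false;
  return {
    derived: {
      get projectUrl() {
        return destroyed ? INERT : projectUrl;
      },
    },
    destroy() {
      destroyed = true;
    },
  };
}

// Stand-in for the transaction runner: the step component is unmounted
// first (the transact step replaces it), and only then does `before` run.
function runTransact(component, payload) {
  component.destroy();
  return payload.before();
}

// Fail loudly on a missing required variable instead of sending undefined
// (or a Symbol) to the server, as a strict GraphQL client would.
function requireVariables(vars, required) {
  for (const name of required) {
    const v = vars[name];
    if (v === undefined || typeof v === 'symbol') {
      throw new Error(`missing required variable: ${name}`);
    }
  }
  return vars;
}

// Buggy pattern: `before` captures the component and reads the derived only
// when it runs, i.e. after unmount, so it sees the inert sentinel.
function buggyPayload(component) {
  return {
    before: () =>
      requireVariables({ projectUrl: component.derived.projectUrl }, ['projectUrl']),
  };
}

// Fixed pattern: snapshot the derived into a plain local while the component
// is still alive; the closure then holds a value, not a live getter.
function fixedPayload(component) {
  const projectUrl = component.derived.projectUrl;
  return {
    before: () => requireVariables({ projectUrl }, ['projectUrl']),
  };
}

// Run both patterns against the same constructed input and report what the
// `before` hook produced (or the error it raised).
function demo(url = 'https://example.org/projects/demo') {
  const buggyComponent = createStepComponent(url);
  let buggy;
  try {
    buggy = runTransact(buggyComponent, buggyPayload(buggyComponent)).projectUrl;
  } catch (err) {
    buggy = err.message;
  }

  const fixedComponent = createStepComponent(url);
  const fixed = runTransact(fixedComponent, fixedPayload(fixedComponent)).projectUrl;

  return { buggy, fixed };
}

console.log(demo());
```

The model makes the sentinel visible by type: a `typeof v === 'symbol'` check in `requireVariables` catches the late read at the boundary, which is the check to add wherever a deferred callback builds request variables from reactive state. Under older 5.x the same closure silently reused the stale cached value, which is why the pattern went unnoticed until the bump.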