chore: modernize to Docusaurus 3 (from 2.0.0-beta.20)#15
Conversation
- @docusaurus/core + preset-classic ^2.0.0-beta.20 -> ^3 (builds on 3.10.1); MDX 1 -> 3 - posthog-docusaurus 1 -> 2: config moved from themeConfig.posthog to plugin options - onBrokenMarkdownLinks -> markdown.hooks.onBrokenMarkdownLinks (clears v4 deprecation) - posthog apiKey fallback ' ' -> 'phc_placeholder' so keyless (local/PR) builds succeed - prettier 2 -> 3; npm-run-all -> npm-run-all2; repository object form; pin publish npm@^11 - overrides: serialize-javascript ^7.0.5, uuid ^11.1.1 (clears all 21 build-toolchain vulns) Site builds clean on Docusaurus 3; 0 vulnerabilities; docs content unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Upgrades the documentation site toolchain from Docusaurus 2.0.0-beta.20 to the Docusaurus 3.x line (resolving to 3.10.1 via the lockfile), including associated analytics and tooling adjustments to keep builds/linting and publishing working under the new ecosystem.
Changes:
- Bump Docusaurus, PostHog integration, and Prettier to modern major versions; add targeted
overridesfor known vulnerable transitive deps. - Migrate PostHog configuration from
themeConfig.posthogtoposthog-docusaurusplugin options and moveonBrokenMarkdownLinksinto the new markdown hook location. - Pin the publish workflow’s npm upgrade step to
npm@^11(instead oflatest) for more stable CI behavior.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates deps/scripts for Docusaurus 3 + Prettier 3, adds security overrides, and modernizes metadata. |
| docusaurus.config.js | Migrates PostHog config to plugin options and updates markdown link handling configuration. |
| .github/workflows/publish.yml | Pins npm upgrade step to npm v11 range for CI publishing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "engines": { | ||
| "node": ">=22.0.0" | ||
| }, |
There was a problem hiding this comment.
Good catch on the version math, but I'm keeping engines.node at ">=22.0.0". Two reasons:
- Tightening wouldn't help. npm validates each installed package's
enginesindependently against the running Node — a package's check isn't suppressed by the root project'sengines.node. So on a hypothetical Node 22.0–22.22.1 install,npm-run-all2@9's own^22.22.2check fails regardless of what this repo declares. Raising this repo'sengines.nodewould only add a secondEBADENGINE(the root's own) on that same old Node — strictly worse. - It's the consumer contract, and npm-run-all2 is dev-only.
npm-run-all2is adevDependencyand is excluded from the published tarball by thefileswhitelist, so consumers never install it. Coupling the public Node contract to a private dev-tool's patch-level requirement is the wrong tradeoff.
In practice there's no warning at all: CI's setup-node 22/24 resolve to the latest patch of each line (≥22.22.2 and ≥24.15.0) and local dev is on Node 24.18 — all satisfy npm-run-all2@9.
Upgrades the docs site from Docusaurus 2.0.0-beta.20 → 3.10.1. Fully verified locally on Node 24.18 (
docusaurus buildsucceeds).What changed
@docusaurus/core+@docusaurus/preset-classic^2.0.0-beta.20→^3(resolves 3.10.1). This brings MDX 1 → 3; the docs are plain markdown (no JSX/components), so content builds unchanged.posthog-docusaurus1 → 2 — v2 moved config fromthemeConfig.posthogto plugin options (plugins: [['posthog-docusaurus', { apiKey, appUrl, enableInDevelopment }]]). Migrated.onBrokenMarkdownLinksmoved from top-level tomarkdown.hooks.onBrokenMarkdownLinks(clears the Docusaurus v4 deprecation warning).apiKeyfallback' '→'phc_placeholder'— posthog-docusaurus v2 rejects an empty/space key, which would fail keyless local/PR builds. CI still injects the realPOSTHOG_API_KEYsecret.prettier 2 → 3,npm-run-all → npm-run-all2,repositoryobject form, pinned publishnpm@latest → npm@^11.Security — 0 vulnerabilities (was 21)
The 21 advisories were entirely in Docusaurus 3.10.1's build/dev toolchain (nothing ships — the deployed site is static files and the npm package is an empty
index.js), and all cascaded from just two leaves:serialize-javascript(high, RCE/DoS) anduuid@8. Added minimaloverrides:Both are API-stable in the webpack toolchain; the site still builds clean after the override, and
npm auditis now 0.Verified locally (Node 24.18)
npm install,npm run build→ "Generated static files in build" (index.html + 404.html), no errors, no deprecation warnings.npm run lint(prettier) clean. Docs markdown content is byte-unchanged.Note: the actual gh-pages deploy + npm publish happen in CI; this PR verifies the build. Not merging without your sign-off.