fix: packaging exports + remove API key from URLs #2

Merged
asachs01 merged 2 commits into main from fix/packaging-and-apikey
May 20, 2026

Conversation

@asachs01
Member

Summary

Two correctness/security fixes plus build-config cleanup.

CRITICAL — Package exports resolve correctly

Added "type": "module" to package.json. Without it, the .cjs / .d.cts
conditional exports do not resolve correctly for consumers, breaking both
CommonJS require() and TypeScript type resolution against the package.

HIGH — API key no longer leaks in URLs

The SDK previously appended api_key as a URL query parameter on every
request, exposing the secret in server access logs, proxy logs, and browser
history. The key is now sent in an Authorization header instead:

  • request() no longer appends api_key to the query string.
  • requestUrl() (pagination) strips any legacy api_key query param.
  • executeRequest() sets Authorization: Bearer <apiKey>.
  • 35 mock handlers updated to assert on the header instead of the query param.

NOTE: the header is Authorization: Bearer <apiKey>. If Syncro's API
expects a different scheme (e.g. a raw token, or an X-Api-Key header),
this is the single spot to adjust — see executeRequest() in src/http.ts.

Other

  • Consistent 5xx retry: server errors now use the same configurable
    max-retries + backoff as 429 responses (previously a single fixed retry).
  • Build target standardized on Node 22 (tsup.config.ts).
  • npm audit fix applied (package-lock.json).

Verification

  • npm run build — green (.cjs, .js, .d.ts, .d.cts all emitted)
  • npm test — 61/61 passing
  • npm run lint — clean

Branch rebased onto latest main (resolved package.json version conflict,
keeping 1.0.1).
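
The header-based approach described in the summary above, as an added TypeScript example that is not code from this PR or the SDK. The function names, the `msp.example.test` host and the key value are constructed, and the same-origin check on pagination URLs is an extra safeguard that goes beyond what the PR states.

```typescript
// Added example; hypothetical names, not the SDK's src/http.ts.
interface PreparedRequest {
  url: string;
  headers: Record<string, string>;
}

// Build a request whose secret travels only in the Authorization header.
function prepareRequest(
  baseUrl: string,
  path: string,
  query: Record<string, string | number>,
  apiKey: string,
): PreparedRequest {
  const url = new URL(path, baseUrl);
  for (const name of Object.keys(query)) {
    // A caller-supplied api_key must never reach the query string.
    if (name.toLowerCase() === "api_key") continue;
    url.searchParams.set(name, String(query[name]));
  }
  return { url: url.toString(), headers: { Authorization: `Bearer ${apiKey}` } };
}

// Follow a server-supplied pagination URL without re-exposing the key.
function preparePageRequest(
  baseUrl: string,
  nextUrl: string,
  apiKey: string,
): PreparedRequest {
  const url = new URL(nextUrl, baseUrl);
  // Assumption beyond the PR: attach the key only to the configured origin.
  if (url.origin !== new URL(baseUrl).origin) {
    throw new Error(`refusing to send API key to ${url.origin}`);
  }
  url.searchParams.delete("api_key"); // strip a legacy api_key parameter
  return { url: url.toString(), headers: { Authorization: `Bearer ${apiKey}` } };
}

// Constructed sample values; the URL printed is what access logs would record.
const demoBase = "https://msp.example.test/api/v1/";
const demoPage = preparePageRequest(
  demoBase,
  "https://msp.example.test/api/v1/tickets?page=2&api_key=constructed-key",
  "constructed-key",
);
console.log(demoPage.url);
```
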

asachs01 added 2 commits May 20, 2026 14:19
Add "type": "module" to package.json so tsup emits index.js (ESM) and
index.cjs (CJS), matching the main/exports map. Without it, tsup emitted
index.js/index.mjs and require() of the published package failed.

Send the Syncro API key via the Authorization header instead of an
api_key URL query parameter, which leaked the key into server/proxy logs.
Update MSW mock handlers to assert on the Authorization header.
- Make 5xx retry path use configurable maxRetries/backoff (matches 429)
- Bump @types/node to ^22, tsup target node22, CI matrix to Node 22
- npm audit fix: 23 -> 8 vulnerabilities (remaining 8 need breaking vitest v4)
- Remove unused url declarations in test mock handlers (eslint)
- eslint kept at v8 deliberately (v10 needs flat-config rewrite)
@asachs01 asachs01 merged commit ec25bce into main May 20, 2026
1 check passed
@asachs01 asachs01 deleted the fix/packaging-and-apikey branch May 20, 2026 18:20
github-actions Bot pushed a commit that referenced this pull request May 20, 2026
## [1.0.2](v1.0.1...v1.0.2) (2026-05-20)

### Bug Fixes

* packaging exports + remove API key from URLs ([#2](#2)) ([ec25bce](ec25bce))