Skip to content

chore: update @arcjet/* to 1.8.0#191

Merged
qw-in merged 3 commits into
mainfrom
quinn/arcjet-js-1.7.0-rc
Jul 7, 2026
Merged

chore: update @arcjet/* to 1.8.0#191
qw-in merged 3 commits into
mainfrom
quinn/arcjet-js-1.7.0-rc

Conversation

@qw-in

@qw-in qw-in commented Jul 4, 2026

Copy link
Copy Markdown
Member

Dogfoods the arcjet-js build-tooling modernization (arcjet/arcjet-js#6093: rollup→tsdown, dist-only packaging with exports maps, TypeScript 6 declarations) across every example before it ships as stable. Now on 1.7.0-rc.1, which fixes both issues rc.0 dogfooding surfaced:

  • the widened @nosecone/next CSP defaults type — the three Next.js examples that extend the defaults in proxy.ts build again, so @nosecone/next is now on the rc too (previously held at 1.6.1)
  • the unreplaced __ARCJET_SDK_VERSION__ placeholder in the sdkVersion request field

The Deno example's source now imports through the deno.json import map (bare specifiers) instead of unversioned npm: specifiers, which had been resolving to latest and silently ignoring the pinned versions.

Validated locally per example on rc.1: npm install + build for the 13 buildable JS examples, tsc for firebase-functions, and deno check with a regenerated lockfile — all passing.

🤖 Generated with Claude Code

Dogfoods the arcjet-js build-tooling modernization (arcjet/arcjet-js#6093:
rollup->tsdown, dist-only packaging with exports maps, TypeScript 6
declarations) across every example before it ships as stable.

@nosecone/next stays at 1.6.1 in the three Next.js examples that use it:
the rc widens the published type of its CSP defaults, which breaks the
extend-the-defaults pattern in their proxy.ts; the fix is on the arcjet-js
branch and those bumps follow with the next rc.

The Deno example's source now imports through the deno.json import map
(bare specifiers) instead of unversioned npm: specifiers, which had been
resolving to latest and ignoring the pinned versions.

Validated per example: npm install + build (astro, expressjs, fastify,
nestjs, all five nextjs variants, nuxt, react-router, sveltekit,
tanstack-start), tsc for firebase-functions, and deno check with a
regenerated lockfile for deno.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@qw-in qw-in self-assigned this Jul 4, 2026
@socket-security

socket-security Bot commented Jul 4, 2026

Copy link
Copy Markdown

@qw-in
qw-in marked this pull request as ready for review July 4, 2026 00:05

@arcjet-review arcjet-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Arcjet Review — 🟡 Medium Risk

Decision: Reviewers Assigned

Rationale: This PR updates many @arcjet/* dependencies across examples from stable releases to the 1.7.0-rc.0 pre-release and adjusts Deno imports to use the import map. The changes are small and scoped to examples, but they affect security-related middleware/bot-protection packages and introduce pre-release packages, so automated review cannot fully validate compatibility or supply-chain risk. No specific escalation reviewers are configured.

Summary of Changes

Updates Arcjet dependencies in multiple example apps to 1.7.0-rc.0 and changes the Deno example source imports to use deno.json import aliases instead of direct npm: specifiers.

Escalation Triggers

  • Dependency Changes: Multiple package.json files update @arcjet/* dependencies to the 1.7.0-rc.0 pre-release.

Review Focus Areas

Notes

No hardcoded secrets or direct injection issues were visible in the diff. Primary concern is dependency and compatibility risk from moving security-related packages to a release candidate.

Path filtering: 15 files excluded by ignore paths. 16 of 31 files included in review.

Review: c4ebeb0b | Model: openai/gpt-5.5 | Powered by Arcjet Review

@qw-in

qw-in commented Jul 4, 2026

Copy link
Copy Markdown
Member Author

This doesn't really need to merge - CI going green is really the only signal I need here!

@davidmytton davidmytton left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Up to you if you want to merge or close.

@qw-in
qw-in added this pull request to the merge queue Jul 4, 2026
@davidmytton
davidmytton removed this pull request from the merge queue due to a manual request Jul 4, 2026
rc.1 fixes both issues rc.0 dogfooding found: the widened @nosecone/next
CSP defaults type (the three Next.js examples that extend the defaults
in proxy.ts build again, so their hold at 1.6.1 is lifted) and the
unreplaced __ARCJET_SDK_VERSION__ placeholder in the sdkVersion request
field.

Validated per example as before: npm install + build for the buildable
JS examples, tsc for firebase-functions, deno check with a regenerated
lockfile for deno.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@qw-in qw-in changed the title chore: update @arcjet/* to 1.7.0-rc.0 pre-release chore: update @arcjet/* to 1.7.0-rc.1 pre-release Jul 6, 2026
Bumps from the 1.7.0-rc.1 pre-release to the real 1.8.0 stable release
(build-tooling modernization, arcjet/arcjet-js#6093, plus the
preflight-gated publish workflow, arcjet/arcjet-js#6130), now published
to latest on npm. @nosecone/next moves with it — no more version holds
needed since the CSP defaults type fix landed inside #6093 before it
merged.

Validated per example as before: npm install + build for the buildable
JS examples, tsc for firebase-functions, deno check with a regenerated
lockfile for deno.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@qw-in qw-in changed the title chore: update @arcjet/* to 1.7.0-rc.1 pre-release chore: update @arcjet/* to 1.8.0 Jul 7, 2026
@qw-in
qw-in added this pull request to the merge queue Jul 7, 2026
@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Low
Environment variable access: npm @arcjet/astro

Location: Package overview

From: examples/astro/package-lock.jsonnpm/@arcjet/astro@1.8.0

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/astro@1.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Merged via the queue into main with commit 9579e3a Jul 7, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants