Update dependency @redwoodjs/api to v2 [SECURITY]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@redwoodjs/api (source)	0.47.1 -> 2.2.5

GitHub Vulnerability Alerts

GHSA-3qmc-2r76-4rqp

Impact

What kind of vulnerability is it? Who is impacted?

This is an API vulnerability in Redwood's [dbAuth], specifically the dbAuth forgot password feature:

• only projects with the dbAuth "forgot password" feature are affected
• this vulnerability was introduced in v0.38.0

User Accounts are Vulnerable to Takeover (Hijacking)

A reset token for any user can be obtained given knowledge of their username or email via the forgot-password API. With the leaked reset token, a malicious user could request to reset a user's password, changing their credentials and gaining access to their account.

How to Determine if Projects have been Attacked

To determine if a project has been attacked, we recommend checking logs for suspicious activity; namely, the volume of requests to the forgot-password API using emails that don't exist. Another indication is if users inform you that they can't access their accounts.

If you have question or concerns, reach out via the "For More Information" section below.

Patch Releases Available

The problem has been patched on the v3 and v2 release lines. Users should upgrade to v3.3.1+ or v2.2.5+ respectively.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

We recommend upgrading to the Patch Releases above. If upgrading is not possible, there are several workarounds:

Manually strip out resetToken and resetTokenExpiresAt in the forgotPassword.handler()

Users on all release lines can have their forgotPassword.handler() function strip out the sensitive fields manually before returning

handler: (user) => {
  // your code to notify/email user of the link to reset their password...

  const = { resetToken, resetTokenExpiresAt, ...rest }

  return rest
}

Use yarn patch to manually apply the fix

Users on v3 and v2 can use [yarn patch] to apply the fix if they're using yarn v3. See the dbAuth "forgot-password" Account Takeover Vulnerability high gist for instructions.

Disable the forgot password flow entirely v3 only

Users on v3 can disable the forgot password flow entirely.

---

Release Notes

redwoodjs/redwood (@​redwoodjs/api)

v2.2.5

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v2.2.5

v2.2.4

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v2.2.4

v2.2.3

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v2.2.3

v2.2.2

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v2.2.2

v2.2.1

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v2.2.1

v2.2.0

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v2.2.0

v2.1.1

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v2.1.1

v2.1.0

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v2.1.0

v2.0.0

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v2.0.0 for the release notes and upgrade guide

v1.5.2

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.5.2

v1.5.1

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.5.1

v1.5.0

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.5.0

v1.4.3

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.4.3

v1.4.2

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.4.2

v1.4.1

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.4.1

v1.4.0

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.4.0

v1.3.3

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.3.3

v1.3.2

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.3.2

v1.3.1

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.3.1

v1.3.0

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.3.0

v1.2.1

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.2.1

v1.2.0

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.2.0

v1.1.1

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.1.1

v1.1.0

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.1.0

v1.0.2

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.0.2

v1.0.1

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.0.1

v1.0.0

Compare Source

• See https://github.com/redwoodjs/redwood/releases/tag/v1.0.0-rc.final.1

v0.50.0

Compare Source

⚠️ This release removes prior Deprecations and includes Code Modifications

Changelog

Unique contributors: 19

PRs merged: 76

Features

• allow Redirect to use navigate options.replace #​4704 by @​odjhey
• Use GraphQL Yoga #​4712 by @​ardatan
• Send a 'ready' message to parent process if api server was spawned #​4744 by @​cannikin
• Adds baremetal deploy strategy #​4750 by @​cannikin
• Add yarn 3 to create redwood app template #​4761 by @​jtoar
• Auth Provider: Update Nhost to V2 #​4770 by @​nunopato
  • See Code Modification section below
• Add flightcontrol deploy command #​4788 by @​beerose
• Add Layer0 deploy command to CLI and docs #​4886 by @​tristanlee85
• Cleanup deprecated features #​4856 by @​callingmedic911
  • DEPRECATION: see section below
• Sets Secure cookie attribute in config template to be dependent on NODE_ENV #​4722 by @​cannikin
  • BREAKING: see sections below
• Pretty print query in DevFatalErrorPage for better DX and readability #​4696 by @​dthyresson
  • BREAKING: see sections below
• Update private routes and Set to use roles vs role #​4681 by @​dthyresson
  • BREAKING: see sections below
• netlify build with rw record #​4618 by @​aguscha333
  • RW Record is an experimental package. This release requires a Code Modification to deploy on Netlify

Fixed

• Catch getToken error and set token to null #​4669 by @​kengreeff
• Fix react/prop-types lint warnings #​4674 by @​callingmedic911
• fix(auth): hasRole handles when currentUser.roles is a string #​4678 by @​dac09
• Allow requireAuth directive to be used with a string or array of strings #​4680 by @​dthyresson
• Allow the number 0 for numericality validation values #​4700 by @​kwstewar
• Fix failing codemod test for RedwoodDevFatalErrorPage #​4723 by @​dthyresson
• Check for gql documents before running codegen #​4728 by @​Tobbe
• Serverles api template: Fix spelling #​4736 by @​Tobbe
• graphql-server types: Fix/format jsdocs #​4737 by @​Tobbe
• dbAuth: Prevent futureExpiresDate from changing when referenced in tests #​4742 by @​cannikin
• Service Validations - Adds error message for FormError fields #​4756 by @​dthyresson
• feat: only wrap affected resolver functions by using the 'onSchemaChange' hook with 'mapSchema' instead of the 'onResolverCalled' hook. #​4760 by @​n1ru4l
• When mocking a cell, set the id value as a String or Number based on the type of primary key #​4778 by @​dthyresson
• Always generate 200.html as part of web build | Change #​4782 by @​dac09
• Generate CRUD by default for SDL and Services to mitigate issues in GraphQL used in cells #​4785 by @​dthyresson
• Service Validations: Returns error message as an array in faked extensions #​4792 by @​cannikin
• Copy fix from learn PR #​222 #​4803 by @​jtoar
• Copy fix from learn PR #​221 #​4804 by @​jtoar
• Copy fix from learn PR #​218 #​4805 by @​jtoar
• Reverse logic in smoke test for setting yarn 1 #​4806 by @​jtoar
• Copy fix from learn PR #​217 #​4807 by @​jtoar
• Copy fix from learn PR #​213 #​4808 by @​jtoar
• Copy fix from learn PR #​207 #​4809 by @​jtoar
• Copy fix from learn PR #​198 #​4810 by @​jtoar
• Fix import in tutorial #​4838 by @​jtoar
• change flightcontrol setup to use yarn v3 and change cookie config #​4843 by @​flybayer
• Update algolia config #​4851 by @​jtoar
• Fix URL of all tutorial path #​4852 by @​simoncrypta
• Fix linting warnings on new gql function #​4859 by @​dac09
• Handle case when requestContext is undefined getting protocol #​4864 by @​dthyresson
• Make doc links to relative file paths #​4866 by @​jtoar
• Fix Request object passed to Yoga #​4870 by @​ardatan
• Fix favicon on docs site #​4874 by @​jtoar
• Fix favicon for docs site (continued) #​4875 by @​jtoar
• Try using URL for favicon #​4876 by @​jtoar
• event.requestContext can be optional for domain name #​4877 by @​dthyresson
• GraphQL Yoga / Rework multi and non-multi query string param handling when building request #​4883 by @​dthyresson
• add rw-server bin to core bins #​4889 by @​thedavidprice
• Fallback to localhost for hostname correctly and respect base64 encoded event bodies #​4891 by @​ardatan
• Use Node's Buffer.from to decode base64 instead of atob #​4892 by @​ardatan
• Fix link to docs/contributing #​4893 by @​jtoar

Chore

• Auth smoke tests #​4673 by @​dac09
• Remove supertokens-node from packages/api dependencies #​4715 by @​dthyresson
• jwtVerifier: Remove unreachable code #​4734 by @​Tobbe
• useRequireAuth: Refactor to make it easier to read #​4738 by @​Tobbe
• Move tutorial and docs into main repo #​4749 by @​jtoar
• [Renovate] Ignore @​types/lru-cache #​4759 by @​jtoar
• (docs) update link to Tutorial forms section #​4771 by @​thedavidprice
• Update links and codeblocks in tutorial #​4781 by @​jtoar
• Documents how to regenerate just SDL #​4787 by @​dthyresson
• Skip v44.x updateJestConfig codemod test #​4789 by @​dac09
• Reorg codemod for dev fatal error page #​4790 by @​dac09
• Chore: Change yarn cache key, to bust invalid cache #​4791 by @​dac09
• Updates Saving Data section with Service Validations #​4796 by @​cannikin
• Consider not running CI on changes to docs #​4816 by @​jtoar
• Copy content and fixes from redwoodjs.com #​4819 by @​jtoar
• (docs) add Flightcontrol.dev Deploy #​4826 by @​thedavidprice
• Minor tweaks to the "regenerate" docs #​4841 by @​Tobbe
• Reorgnize tutorial into chapters #​4855 by @​cannikin
• Change reference link to the docs #​4845 by @​joriswill
• Remove pre-v1 warning #​4865 by @​thedavidprice
• Restore some redwood-iness to the docs styles #​4881 by @​jtoar

Package Dependencies

View all Dependency Version Upgrades

• fix(deps): update dependency msw to v0.39.2 #​4685 by @​renovate
• Update dependency @​supabase/supabase-js to v1.31.1 #​4690 by @​renovate
• Update dependency css-loader to v6.7.1 #​4691 by @​renovate
• Update dependency graphql-helix to v1.12.0 #​4692 by @​renovate
• Update dependency webpack-manifest-plugin to v5 #​4693 by @​renovate
• Update dependency fastify to v3.27.4 #​4702 by @​renovate
• Update dependency pino to v7.8.1 #​4703 by @​renovate
• Update dependency @​clerk/clerk-js to v2.17.3 #​4706 by @​renovate
• Update dependency @​clerk/clerk-sdk-node to v2.9.8 #​4707 by @​renovate
• Update dependency @​clerk/types to v1.28.3 #​4708 by @​renovate
• Update dependency @​testing-library/react to v12.1.4 #​4709 by @​renovate
• Update dependency @​types/react to v17.0.40 #​4711 by @​renovate
• Update graphqlcodegenerator monorepo #​4714 by @​renovate
• Update dependency systeminformation to v5.11.7 #​4716 by @​renovate
• Update dependency @​clerk/clerk-js to v2.17.4 #​4719 by @​renovate
• Update dependency @​clerk/clerk-sdk-node to v2.9.9 #​4720 by @​renovate
• chore(deps): update dependency @​clerk/types to v1.29.0 #​4721 by @​renovate
• Update dependency systeminformation to v5.11.8 #​4726 by @​renovate
• Update dependency eslint to v8.11.0 #​4727 by @​renovate
• fix(deps): update dependency mime-types to v2.1.35 #​4733 by @​renovate
• fix(deps): update dependency react-hook-form to v7.28.0 #​4740 by @​renovate
• fix(deps): update dependency eslint-plugin-react to v7.29.4 #​4745 by @​renovate
• chore(deps): update dependency @​clerk/clerk-sdk-node to v2.9.10 #​4746 by @​renovate
• fix(deps): update dependency esbuild to v0.14.26 #​4747 by @​renovate
• chore(deps): update dependency @​types/lodash to v4.14.180 #​4751 by @​renovate
• fix(deps): update typescript-eslint monorepo to v5.15.0 #​4752 by @​renovate
• chore(deps): update dependency cypress to v9.5.2 #​4754 by @​renovate
• fix(deps): update dependency esbuild to v0.14.27 #​4755 by @​renovate
• chore(deps): update dependency @​playwright/test to v1.20.0 #​4757 by @​renovate
• chore(deps): update dependency zx to v5.3.0 #​4758 by @​renovate
• fix(deps): update prisma monorepo to v3.11.0 #​4763 by @​renovate
• chore(deps): update dependency zx to v6 #​4768 by @​renovate
• chore(deps): update dependency zx to v6.0.1 #​4769 by @​renovate
• fix(deps): update graphql-tools monorepo #​4777 by @​renovate
• fix(deps): update dependency @​graphql-codegen/typescript-resolvers to v2.6.0 #​4779 by @​renovate
• chore(deps): update dependency @​clerk/clerk-js to v2.17.6 #​4783 by @​renovate
• chore(deps): update dependency @​clerk/types to v1.29.2 #​4784 by @​renovate
• chore(deps): update dependency @​actions/exec to v1.1.1 #​4794 by @​renovate
• chore(deps): update dependency firebase to v9.6.9 #​4795 by @​renovate
• chore(deps): update dependency zx to v6.0.3 #​4797 by @​renovate
• fix(deps): update dependency node-ssh to v12.0.4 #​4798 by @​renovate
• fix(deps): update graphqlcodegenerator monorepo #​4799 by @​renovate
• fix(deps): update dependency fastify-static to v4.6.0 #​4800 by @​renovate
• fix(deps): update dependency pino to v7.9.1 #​4801 by @​renovate
• fix(deps): update dependency fastify-static to v4.6.1 #​4814 by @​renovate
• chore(deps): update dependency zx to v6.0.6 #​4821 by @​renovate
• chore(deps): update dependency @​types/react-dom to v17.0.14 #​4829 by @​renovate
• chore(deps): update dependency @​types/babel__core to v7.1.19 #​4839 by @​renovate
• fix(deps): update dependency react-hook-form to v7.28.1 #​4840 by @​renovate
• fix(deps): update dependency systeminformation to v5.11.9 #​4844 by @​renovate
• chore(deps): update actions/cache action to v3 #​4847 by @​renovate
• fix(deps): update dependency @​graphql-yoga/common to v0.1.0-canary-bfd2627.0 #​4857 by @​renovate
• fix(deps): update dependency cross-undici-fetch to v0.1.27 #​4858 by @​renovate
• chore(deps): update dependency zx to v6.0.7 #​4861 by @​renovate
• fix(deps): update typescript-eslint monorepo to v5.16.0 #​4862 by @​renovate
• chore(deps): update peter-evans/create-or-update-comment action to v2 #​4867 by @​renovate
• chore(deps): update peter-evans/find-comment action to v2 #​4868 by @​renovate
• chore(deps): update dependency @​clerk/clerk-js to v2.17.7 #​4871 by @​renovate
• chore(deps): update dependency @​clerk/types to v1.29.3 #​4872 by @​renovate
• fix(deps): update graphql-tools monorepo #​4878 by @​renovate
• chore(deps): update dependency @​clerk/clerk-sdk-node to v2.10.0 #​4879 by @​renovate
• fix(deps): update dependency pino to v7.9.2 #​4884 by @​renovate
• chore(deps): update dependency @​supabase/supabase-js to v1.31.2 #​4887 by @​renovate
• fix(deps): update graphql-tools monorepo #​4888 by @​renovate
• fix(deps): update dependency graphql-scalars to v1.16.0 #​4890 by @​renovate

Removed Deprecations and Breaking Changes

This release removes prior deprecations and has breaking changes.

Removed binary rw-api-server; replaced with rw-server [side]

This bin is used for running the Fastify server, which is called when you run yarn rw serve.

Projects should use yarn rw-server api. Also takes web positional (or both).

dbAuth: removed COOKIE_META cookies

PR #​4722 dbAuth cookie config has moved to api/src/function/auth.js for better customization. See:

• https://redwoodjs.com/docs/authentication#cookie-config

Refer to Code Modification below to update.

DevFatalErrorPage now pretty prints query

PR #​4696 updates src/components/FatalErrorPage.tsx

Refer to Code Modification below to update.

Private routes and Set now use roles (instead of role)

PR #​4681 Changes the use of Router role to be replaced by roles plural.

Projects using role for RBAC will need to make a Code Modification

Code Modifications

Update DevFatalErrorPage

We've made a small change to FatalErrorPage make sure your bundle sizes are as small as possible! If you only have the default FatalErrorPage, you can run our automatic codemod to pull in the latest changes.

npx @​redwoodjs/codemods@canary update-dev-fatal-error-page

If you've customised your error page, just a small tweak is needed:

// src/components/FatalErrorPage.tsx
if (process.env.NODE_ENV === 'development') {
-  RedwoodDevFatalErrorPage = require('@​redwoodjs/web').DevFatalErrorPage
+  RedwoodDevFatalErrorPage = require('@​redwoodjs/web/dist/components/DevFatalErrorPage').DevFatalErrorPage
}

Update roles for role in Private routes and Sets

Projects using roles and RBAC will need to change any prop in Routes.ts|js named role to roles. The value can be a string or array of strings, which is consistent with previous behavior.

Example:

- <Private unauthenicated="home" role="admin">
+ <Private unauthenicated="home" roles="admin">

Netlify Deploy: Update .toml

PR #​4782 improves prerender performance on Jamstack deploy providers. For most cases, the changes are automatic.

It is recommended that projects deploying to Netlify should update netlify.toml:

[[redirects]]
   from = "/*"
-  to = "/index.html"
+  to = "/200.html"
   status = 200
 `

Nhost Auth: Upgrade to v2

PR #​4770 updates Nhost Auth provider to use Nhost v2.

Existing projects using Nhost need to use the new Nhost SDK. Make the following changes to Auth.ts|js:

- import { createClient } from 'nhost-js-sdk'
+ import { NhostClient } from '@​nhost/nhost-js'

- const nhostClient = createClient({
-  baseUrl: 'url'
+ const nhostClient = new NhostClient({
+  backendUrl: 'url' 
})

dbAuth: Set Secure Cookie Attribute in Config Template

If you're using dbAuth with the new cookie config that we added to api/src/functions/auth.js in the last release, you'll need to make a change if you use Safari as your dev browser, or if you access your dev server at a host other than localhost (you may have noticed that you can't stay logged in).

Change the Secure config to this:

cookie: {
  HttpOnly: true,
  Path: '/',
  SameSite: 'Strict',
- Secure: true,
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
},

This will set the cookie to not secure when in a development environment, but otherwise true everywhere else (like in production). Chrome has an exception that you can set a secure cookie over HTTP, but only if the domain is localhost. Safari does not have this exception!

Deploy Redwood Record on Netlify (experimental)

See #​4618

Redwood Record datamodel file In order to fix the Netlify deploy when using Redwood Record the datamodel.json generated by running yarn rw record init was moved and will now be tracked under git.

How to Update If you are using the RedwoodRecord lib the only thing you have to do is run yarn rw record init again and you'll be good to go.

v0.49.1

Compare Source

Patch Release

This release includes the following fixes:

• [Yarn 3] Add bin proxy for rw-log-formatter #​4695 by @​jtoar
• fix storybook DX by removing default type check config #​4699 by @​thedavidprice

v0.49.0

Compare Source

🎬 Call for Redwood product and startup demos Redwood 1.0.0 will arrive within the month. We’re planning the first RedwoodJS Startup Showcase, full of demos and panels, highlighting the amazing people and projects using Redwood. Want to demo? Let's talk! Just take a look at this forum post and complete the submission form.

🔬Help QA the new Redwood Tutorials Both Tutorials I and II have been re-written for v1. We need your help making sure that every "i" is dotted and "t" is crossed. If you're interested in helping, check out the details here.

Changelog

Unique contributors: 4

PRs merged: 7

Features

• Implement dbAuth CORS support + Add cookie options to auth handler #​4150 by @​dac09
  • DEPRECATION Warning: see "dbAuth Cookie Configuration" section below
• Codemod for webhook verifier option renaming #​4675 by @​Tobbe

Fixed

• jscodeshift and webhook verifier doc updates #​4658 by @​Tobbe
• Make upgrade-yarn codemod more robust by preparing yarn version #​4662 by @​jtoar
• Clear up dev log in error page #​4671 by @​callingmedic911

Chore

• Remove yarn 3 project deps script #​4637 by @​jtoar
• Mod upgrade yarn codemod to handle CI #​4659 by @​jtoar

Package Dependencies

View all Dependency Version Upgrades

• Update dependency esbuild to v0.14.25 #​4657 by @​renovate
• Update dependency @​clerk/clerk-js to v2.17.0 #​4660 by @​renovate
• Update dependency @​clerk/types to v1.28.0 #​4661 by @​renovate
• Update dependency css-loader to v6.7.0 #​4663 by @​renovate
• Update dependency @​clerk/clerk-js to v2.17.1 #​4664 by @​renovate
• Update dependency @​clerk/clerk-sdk-node to v2.9.5 #​4665 by @​renovate
• Update dependency @​clerk/types to v1.28.1 #​4666 by @​renovate
• Update dependency @​clerk/clerk-sdk-node to v2.9.6 #​4667 by @​renovate
• Update dependency firebase to v9.6.8 #​4668 by @​renovate
• Update dependency @​supabase/supabase-js to v1.31.0 #​4677 by @​renovate
• Update dependency @​auth0/auth0-spa-js to v1.20.1 #​4682 by @​renovate
• Update dependency fastify to v3.27.3 #​4683 by @​renovate
• Update dependency magic-sdk to v8.1.0 #​4684 by @​renovate
• Update dependency @​azure/msal-browser to v2.22.1 #​4686 by @​renovate
• Update typescript-eslint monorepo to v5.14.0 #​4687 by @​renovate

Recommended Code Modification

dbAuth Cookie Configuration

If you are using dbAuth, we've moved the configuration for the dbAuth cookie alongside the rest of the configuration in api/src/functions/auth.js. The original configuration, which was internal to Redwood itself, is now deprecated. If you do not add this cookie config to auth.js your app will continue to work for now, but will show a deprecation notice in your api logs. The old behavior will be removed in a future version of Redwood.

To preserve the existing cookie settings, add the cookie property to the options sent into new DbAuthHandler():

const authHandler = new DbAuthHandler(event, context, {
  db: db,
  authModelAccessor: 'user',
  authFields: {
    id: 'id',
    username: 'email',
    hashedPassword: 'hashedPassword',
    salt: 'salt',
    resetToken: 'resetToken',
    resetTokenExpiresAt: 'resetTokenExpiresAt',
  },
  forgotPassword: forgotPasswordOptions,
  login: loginOptions,
  resetPassword: resetPasswordOptions,
  signup: signupOptions,

+ cookie: {
+  HttpOnly: true,
+  Path: '/',
+  SameSite: 'Strict',
+  Secure: true,
+  // Domain: 'example.com',
+  },

})

The cookie Domain is now set here instead of in an ENV var. When do you need to set Domain? If your web side and api side are served from different domains (such as www.example.com and api.example.com). To read more about Domain config: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies

v0.48.0

Compare Source

Highlight: 🧶 Yarn 3 (Preview)

This release adds preview support for using Yarn v3 with Redwood projects. Why would you want to bump from Yarn v1 to v3? Because it's amazingly superior. And it's SuperEasy™ to upgrade and try it out. Just run the codemod:

npx @​redwoodjs/codemods@canary upgrade-yarn

Let us know how it goes!

Known Gotchas Upgrading to Yarn 3 requires corepack. If you're on a Node.js version less than v14.19, you need to install it manually via npm i -g corepack

Code Modification: Webhook timestamp verifiers

This is a required modification for projects using the the timestamp webhook verifier option.

PR #​4608 introduces a new option called eventTimestamp. Together with the existing tolerance option it's possible to add timestamp diff checks to all verifiers. But do note that all webhook events won't have the needed timestamp info to implement. That's up to the vendor you're integrating with to include or not include. Currently we know Svix, Clerk and Stripe have the required info.

🚨This PR renames the timestamp webhook verifier option to currentTimestampOverride.

To automatically update your code, simply run this code modification in your Redwood project:

npx @​redwoodjs/codemods@canary rename-verifier-timestamp

Manual Upgrade Step Only necessary if you do not use the automated code mod above.

1. For any webhook verifier you have a customized timestamp value, you'll need to rename the timestamp object key to currentTimestampOverride. A simple find and replace should do the trick!

Changelog

Unique contributors: 9

PRs merged: 22

Features

• Enable yarn 3 for Redwood projects #​4444 by @​jtoar
• Webhook verifiers: Add Base64Sha256 version for Svix webhooks used by Clerk auth #​4598 by @​Tobbe
• feat(exec): Allow listing of scripts with rw exec to improve dx #​4600 by @​dac09
• Webhook verifiers: Make them all support timestamp diff check #​4608 by @​Tobbe
  • BREAKING: see "Code Modifications"

Fixed

• Checking jest config web api #​4529 by @​josemasar
• Tailwind: Generate prettier-approved code #​4541 by @​Tobbe
• Update seed.ts to reflect correct input type #​4560 by @​martinjuhasz
• remove --schema option from rw prisma migrate diff #​4590 by @​thedavidprice

Chore

• Revamp Readme for 1.0 #​4398 by @​mojombo
• improve rebuildFixture ts-to-js logic #​4574 by @​thedavidprice
• use rebuildFixture without passing dir, fix test-project tailwind deps installation #​4576 by @​thedavidprice
• Add Codemod to Update Fatal Error Page to support Development version #​4577 by @​dthyresson
• updates the release script used to bump package versions #​4612 by @​thedavidprice
• remove Redwood extension from CRWA VS Code extension list #​4613 by @​thedavidprice
• Add custom log payload support to logFormatter #​4619 by @​dthyresson
• (fixture chore) move tailwind devDeps into root package.json #​4623 by @​thedavidprice
• part II of #4623 #​4626 by @​thedavidprice
• [CI] E2E wait for server start and Test move setTimeout outside test block #​4638 by @​jtoar
• [Codemod] Handle node versions that don't bundle corepack #​4645 by @​jtoar
• fix dbAuth Auth template roles logic and types, run type-check on Smoke-test CI, and resolve TS errors #​4566 by @​thedavidprice

Package Dependencies

View all Dependency Version Upgrades

• Update prisma monorepo to v3.10.0 #​4551 by @​renovate
• Update graphql-tools monorepo #​4568 by @​renovate
• Update dependency @​clerk/clerk-sdk-node to v2.9.4 #​4570 by @​renovate
• Update dependency @​clerk/types to v1.25.4 #​4571 by @​renovate
• Update dependency @​playwright/test to v1.19.2 #​4572 by @​renovate
• Update dependency @​types/node to v16.11.26 #​4573 by @​renovate
• Update dependency @​clerk/clerk-js to v2.14.3 #​4575 by @​renovate
• Update dependency eslint-plugin-react to v7.29.1 #​4579 by @​renovate
• Update actions/setup-node action to v3 #​4580 by @​renovate
• Update dependency @​types/lodash to v4.14.179 #​4582 by @​renovate
• Update dependency eslint to v8.10.0 #​4583 by @​renovate
• Update dependency eslint-plugin-react to v7.29.2 #​4586 by @​renovate
• Update dependency systeminformation to v5.11.5 #​4587 by @​renovate
• Update dependency @​supabase/supabase-js to v1.30.7 #​4589 by @​renovate
• Update dependency yargs-parser to v21.0.1 #​4595 by @​renovate
• Update dependency zx to v5.2.0 #​4596 by @​renovate
• Update typescript-eslint monorepo to v5.13.0 #​4601 by @​renovate
• Update dependency cypress to v9.5.1 #​4602 by @​renovate
• Update dependency typescript to v4.6.2 #​4603 by @​renovate
• Update dependency @​clerk/clerk-js to v2.15.0 #​4606 by @​renovate
• Update dependency @​clerk/types to v1.26.0 #​4607 by @​renovate
• Update dependency @​apollo/client to v3.5.10 #​4609 by @​renovate
• Update actions/checkout action to v3 #​4610 by @​renovate
• Update dependency systeminformation to v5.11.6 #​4611 by @​renovate
• Update dependency @​types/aws-lambda to v8.10.93 #​4620 by @​renovate
• Update dependency @​types/react-dom to v17.0.12 #​4621 by @​renovate
• Update dependency @​types/testing-library__jest-dom to v5.14.3 #​4624 by @​renovate
• Update dependency @​clerk/clerk-js to v2.16.0 #​4627 by @​renovate
• Update dependency @​clerk/types to v1.27.0 #​4628 by @​renovate
• Update dependency @​types/react-dom to v17.0.13 #​4629 by @​renovate
• Update dependency msw to v0.38.2 #​4630 by @​renovate
• Update dependency eslint-config-prettier to v8.5.0 #​4631 by @​renovate
• Update dependency esbuild to v0.14.24 #​4635 by @​renovate
• Update dependency graphql-scalars to v1.15.0 #​4636 by @​renovate
• Update dependency @​clerk/clerk-js to v2.16.1 #​4639 by @​renovate
• Update dependency @​clerk/types to v1.27.1 #​4640 by @​renovate
• Update dependency supertokens-auth-react to v0.19.0 #​4641 by @​renovate
• Update dependency webpack to v5.70.0 #​4642 by @​renovate
• Update dependency @​envelop/core to v2.1.0 #​4643 by @​renovate
• Update dependency @​envelop/depth-limit to v1.3.0 #​4644 by @​renovate
• Update dependency @​envelop/disable-introspection to v3.1.0 #​4646 by @​renovate
• Update dependency @​envelop/filter-operation-type to v3.1.0 #​4647 by @​renovate
• Update dependency @​envelop/parser-cache to v4.1.0 #​4648 by @​renovate
• Update dependency @​envelop/testing to v4.1.0 #​4649 by @​renovate
• Update dependency eslint-plugin-react to v7.29.3 #​4650 by @​renovate
• Update dependency @​envelop/validation-cache to v4.1.0 #​4651 by @​renovate
• Update dependency @​types/vscode to v1.65.0 #​4652 by @​renovate
• Update dependency mini-css-extract-plugin to v2.6.0 #​4653 by @​renovate
• Update actions/upload-artifact action to v3 #​4654 by @​renovate
• Update dependency npm-packlist to v4 #​4655 by @​renovate
• Update dependency ts-morph to v14 #​4656 by @​renovate
• Bump url-parse from 1.5.7 to 1.5.10 in /__fixtures__/example-todo-main-with-errors #​4584 by @​dependabot
• Bump url-parse from 1.5.7 to 1.5.10 in /__fixtures__/example-todo-main #​4585 by @​dependabot

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.