Bump bcryptjs from 2.4.3 to 3.0.3 #1960

Open: rugpanov wants to merge 2 commits into main from deps/bcryptjs-3

@rugpanov rugpanov commented Jul 3, 2026

Contributor

Why

Replaces Dependabot's #1937, which bumped package.json without regenerating the lockfile (Yarn Berry YN0028 failure). bcryptjs is used at runtime in telemetry (src/telemetry/index.ts) to hash the username into user.hashedUserName, so the critical requirement is that v3 produces the same hash as v2 for a given (input, salt) — otherwise telemetry identity would silently change.

What

  • Bump bcryptjs to ^3.0.3 via yarn up; regenerated yarn.lock.
  • Remove the now-redundant @types/bcryptjs devDependency — bcryptjs 3 ships its own type definitions (umd/index.d.ts), so the separate @types package is obsolete. Build type-checks cleanly on the bundled types.

Verification

  • Hash stability confirmed: bcrypt.hash("testuser@example.com", "$2b$07$" + salt) produces the byte-identical output under v2 and v3.
  • Telemetry unit test passes: src/telemetry/index.test.ts asserts an exact hardcoded user.hashedUserName bcrypt hash; full unit suite green (274 passing).
  • require("bcryptjs") resolves fine — v3 is ESM-only but ships a UMD entry, so the esbuild CJS bundle is unaffected.
  • yarn install --immutable, yarn run build, and eslint all pass.

Backward compatibility: hash output is identical to v2, so existing user.hashedUserName telemetry values remain consistent. No API/state/config change.

Closes #1937.

This pull request and its description were written by Isaac.

*Why*
Dependabot's #1937 bumped only package.json without regenerating the lockfile
(Yarn Berry YN0028 failure). This recreates it with a consistent lockfile.
bcryptjs is used at runtime in telemetry (`src/telemetry/index.ts`) to hash the
username into `user.hashedUserName`, so the critical requirement is that v3
produces the SAME hash as v2 for a given (input, salt) — otherwise telemetry
identity would silently change.

*What*
- Bump `bcryptjs` to `^3.0.3` via `yarn up`; regenerated yarn.lock.
- Remove the now-redundant `@types/bcryptjs` devDependency: bcryptjs 3 bundles
  its own type definitions (`umd/index.d.ts`), so the separate @types package is
  obsolete. Build type-checks cleanly on the bundled types.

*Verification*
- **Hash stability confirmed**: `bcrypt.hash("testuser@example.com", "$2b$07$"+salt)`
  produces the identical output under v2 and v3.
- **Telemetry unit test passes** — `index.test.ts` asserts an exact hardcoded
  `user.hashedUserName` bcrypt hash; full unit suite green (274 passing).
- `require("bcryptjs")` resolves fine (v3 is ESM-only but ships a UMD entry, so
  the esbuild CJS bundle is unaffected).
- `yarn install --immutable`, `yarn run build`, and `eslint` all pass.

Backward compatibility: hash output is byte-identical to v2, so existing
`user.hashedUserName` telemetry values remain consistent. No API/state/config change.

Closes #1937.

Co-authored-by: Isaac
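
Added example, not part of the pull request or the project's code: one way to run the hash-stability check described above so that a mismatch is attributed to a specific bcrypt field (version prefix, cost, salt or digest). It goes beyond the single input in the description by also covering non-ASCII and over-72-byte inputs; `standIn`, `SALT` and `INPUTS` are constructed placeholders, and the stand-in hasher is not bcrypt.

```javascript
// Added example: classify hash drift between two bcrypt implementations.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a bcrypt string into its fields; returns null if it is malformed.
function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(hash);
  return m && { version: m[1], cost: Number(m[2]), salt: m[3], digest: m[4] };
}

// Name the first field in which two hashes differ, or null if they are identical.
function firstDifference(a, b) {
  const pa = parseBcrypt(a), pb = parseBcrypt(b);
  if (!pa || !pb) return "malformed";
  return ["version", "cost", "salt", "digest"].find((f) => pa[f] !== pb[f]) || null;
}

// hashOld / hashNew: (input, salt) => hash string. With both library versions
// installed side by side (e.g. under npm aliases, an assumption), pass each
// version's hashSync here.
function checkStability(hashOld, hashNew, salt, inputs) {
  const drift = [];
  for (const input of inputs) {
    const oldHash = hashOld(input, salt), newHash = hashNew(input, salt);
    const field = firstDifference(oldHash, newHash);
    if (field) drift.push({ input, field, oldHash, newHash });
  }
  return drift;
}

// Constructed stand-in that emits bcrypt-shaped strings so the block runs
// offline. It is NOT bcrypt; maxBytes models where an implementation truncates.
const ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
function standIn(maxBytes) {
  return (input, salt) => {
    const bytes = new TextEncoder().encode(input).subarray(0, maxBytes);
    let digest = ALPHABET[bytes.length % 64];
    for (let i = 0; digest.length < 31; i++) {
      digest += ALPHABET[((bytes[i % (bytes.length || 1)] || 0) + i) % 64];
    }
    return salt + digest;
  };
}

// Constructed salt and inputs: plain ASCII, non-ASCII, and longer than 72 bytes.
const SALT = "$2b$07$" + "abcdefghijklmnopqrstuv";
const INPUTS = ["testuser@example.com", "用户@example.com", "a".repeat(80)];

for (const d of checkStability(standIn(72), standIn(Infinity), SALT, INPUTS)) {
  console.log(`drift in ${d.field} for input of length ${d.input.length}`);
}
```
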
@rugpanov rugpanov temporarily deployed to test-trigger-is July 3, 2026 13:08 — with GitHub Actions Inactive
rugpanov commented Jul 3, 2026

Contributor Author

🤖 Integration tests ❌ 7 of 35 test jobs failed for 765e0b1c (28 passed).

@rugpanov rugpanov temporarily deployed to test-trigger-is July 3, 2026 14:53 — with GitHub Actions Inactive
github-actions Bot commented Jul 3, 2026

Contributor

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/vscode

Inputs:

  • PR number: 1960
  • Commit SHA: 5e0c0eb0276fab4f1bf3114c6ed06192525bb275

Checks will be approved automatically on success.

rugpanov commented Jul 3, 2026

Contributor Author

🤖 Integration tests ❌ 5 of 35 test jobs failed for 5e0c0eb0 (30 passed).