Bump bcryptjs from 2.4.3 to 3.0.3 #1960
Open
rugpanov wants to merge 2 commits into
*Why*

Dependabot's #1937 bumped only package.json without regenerating the lockfile (Yarn Berry YN0028 failure). This recreates it with a consistent lockfile. bcryptjs is used at runtime in telemetry (`src/telemetry/index.ts`) to hash the username into `user.hashedUserName`, so the critical requirement is that v3 produces the SAME hash as v2 for a given (input, salt) — otherwise telemetry identity would silently change.

*What*

- Bump `bcryptjs` to `^3.0.3` via `yarn up`; regenerated yarn.lock.
- Remove the now-redundant `@types/bcryptjs` devDependency: bcryptjs 3 bundles its own type definitions (`umd/index.d.ts`), so the separate @types package is obsolete. Build type-checks cleanly on the bundled types.

*Verification*

- **Hash stability confirmed**: `bcrypt.hash("testuser@example.com", "$2b$07$"+salt)` produces the identical output under v2 and v3.
- **Telemetry unit test passes** — `index.test.ts` asserts an exact hardcoded `user.hashedUserName` bcrypt hash; full unit suite green (274 passing).
- `require("bcryptjs")` resolves fine (v3 is ESM-only but ships a UMD entry, so the esbuild CJS bundle is unaffected).
- `yarn install --immutable`, `yarn run build`, and `eslint` all pass.

Backward compatibility: hash output is byte-identical to v2, so existing `user.hashedUserName` telemetry values remain consistent. No API/state/config change.

Closes #1937.

Co-authored-by: Isaac
🤖 Integration tests ❌ 7 of 35 test jobs failed for
misha-db
approved these changes
Jul 3, 2026
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success.
🤖 Integration tests ❌ 5 of 35 test jobs failed for
*Why*

Replaces Dependabot's #1937, which bumped `package.json` without regenerating the lockfile (Yarn Berry `YN0028` failure). bcryptjs is used at runtime in telemetry (`src/telemetry/index.ts`) to hash the username into `user.hashedUserName`, so the critical requirement is that v3 produces the same hash as v2 for a given `(input, salt)` — otherwise telemetry identity would silently change.

*What*

- `bcryptjs` → `^3.0.3` via `yarn up`; regenerated `yarn.lock`.
- `@types/bcryptjs` devDependency — bcryptjs 3 ships its own type definitions (`umd/index.d.ts`), so the separate `@types` package is obsolete. Build type-checks cleanly on the bundled types.

*Verification*

- `bcrypt.hash("testuser@example.com", "$2b$07$" + salt)` produces the byte-identical output under v2 and v3.
- `src/telemetry/index.test.ts` asserts an exact hardcoded `user.hashedUserName` bcrypt hash; full unit suite green (274 passing).
- `require("bcryptjs")` resolves fine — v3 is ESM-only but ships a UMD entry, so the esbuild CJS bundle is unaffected.
- `yarn install --immutable`, `yarn run build`, and `eslint` all pass.

Backward compatibility: hash output is identical to v2, so existing `user.hashedUserName` telemetry values remain consistent. No API/state/config change.

Closes #1937.

This pull request and its description were written by Isaac.
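The hash-stability requirement described above can be checked field by field when comparing a pre-upgrade and post-upgrade hash of the same input. This is an added example, not code from this PR or from bcryptjs: `parseBcrypt`, `diffBcrypt` and `classify` are hypothetical helper names, and the sample hashes are constructed placeholders, not real bcrypt output.

```javascript
// Added example (not from the PR or bcryptjs); helper names are hypothetical.
// bcrypt string layout: $<version>$<cost>$<22-char salt><31-char digest>
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error("not a well-formed bcrypt string");
  return { version: m[1], cost: Number(m[2]), salt: m[3], digest: m[4] };
}

// Names of the fields that differ between the pre- and post-upgrade hash.
function diffBcrypt(before, after) {
  const a = parseBcrypt(before);
  const b = parseBcrypt(after);
  return ["version", "cost", "salt", "digest"].filter((k) => a[k] !== b[k]);
}

// Assumes both hashes were computed over the same input string.
// "stable": identical. "parameter-drift:<fields>": the salt string fed to
// hash() changed (prefix, cost or salt), so a new digest is expected.
// "implementation-divergence": same parameters, different digest.
function classify(before, after) {
  const changed = diffBcrypt(before, after);
  if (changed.length === 0) return "stable";
  const params = changed.filter((k) => k !== "digest");
  return params.length === 0
    ? "implementation-divergence"
    : "parameter-drift:" + params.join(",");
}

// Constructed placeholders with the right shape; NOT real bcrypt output.
const SALT = "abcdefghijklmnopqrstuv"; // 22 characters
const V2_HASH = "$2b$07$" + SALT + "A".repeat(31);
const SAME = V2_HASH;
const NEW_PREFIX = "$2a$07$" + SALT + "B".repeat(31);
const NEW_DIGEST = "$2b$07$" + SALT + "C".repeat(31);

for (const [label, after] of Object.entries({ SAME, NEW_PREFIX, NEW_DIGEST })) {
  console.log(label, "->", classify(V2_HASH, after));
}
```

Only the `implementation-divergence` outcome means the library itself produced a different result for the same (input, salt); a parameter drift points at the caller's salt string instead.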