@rcmaples rcmaples commented Sep 18, 2025

Description

This PR addresses issue #283 by replacing git-user-info and updating Sanity to version 4.9.0.

Changes introduced:

  • Replaced the vulnerable git-user-info dependency with native Node.js execSync git commands
  • Upgraded sanity to v4.9.0, which required upgrading TypeScript to v5.8.3
  • Upgraded @typescript-eslint from v7.18.0 to v8.26.0 for TypeScript v5.8.3 support
  • Migrated the ESLint configuration from the legacy .eslintrc.js to the modern flat config format
  • Fixed test expectations to include tsconfig.tsbuildinfo in the build output

Why these changes:

  • Eliminates parse-git-config security vulnerability (parse-git-config issue 14)
  • Brings plugin-kit up to date with other sanity packages (pkg-utils, ui, etc...)

Note: There are still a couple of npm audit warnings due to Tap's bundled dependencies. It looked like there were quite a few breaking changes that would need to be addressed to upgrade Tap v16 to versions 18-22.

What to review

Key areas to review:

  • src/util/user.ts - New native git config implementation replacing git-user-info
  • eslint.config.mjs - New flat config format with project service enabled
  • package.json - Dependency version updates
  • test/init-verify-build.test.ts - Updated expected build output files

Testing flows:

  • Run npm audit to verify vulnerability resolution
  • Run npm run lint to confirm no TypeScript version warnings
  • Test git user info functionality (plugin initialization with author detection)
  • Verify all existing tests pass

Testing

Automated testing:

  • All existing tests pass including the updated build output expectations
  • ESLint runs successfully on entire codebase without warnings
  • Build process completes without errors

Manual verification:

  • Confirmed npm audit no longer shows parse-git-config vulnerability
  • Verified git user detection works with native implementation
  • Tested lint-staged pre-commit hooks function correctly

No additional automated tests were added as existing test coverage validates the functionality and the changes maintain backward compatibility.

…config

  Resolves TypeScript 5.8.3 compatibility warning by upgrading from v7.18.0.
  Migrates ESLint configuration from legacy .eslintrc.js to modern flat config format.
  Implements project service for improved performance and TypeScript integration.
@rcmaples rcmaples requested a review from a team as a code owner September 18, 2025 22:22
@rcmaples rcmaples changed the title fix(deps): replace git-user-info; upgrade Sanity and TypeScript chore(deps): replace git-user-info; upgrade Sanity and TypeScript Sep 18, 2025
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High | Alert: npm@10.9.3 has Obfuscated code.

Confidence: 0.94

Location: Package overview

From: package-lock.json → npm/@sanity/semantic-release-preset@5.0.0 → npm/npm@10.9.3


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@10.9.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


Member

@stipsan stipsan left a comment


Thank you!

@stipsan stipsan merged commit 0955c03 into sanity-io:main Oct 17, 2025
8 checks passed