Skip to content

Upgrade safe dependencies: bcryptjs 3.0.3, @vercel/node 5.x, @types/node 25.x#4

Merged
coder11125 merged 1 commit into
mainfrom
devin/1778157593-upgrade-safe-dependencies
May 7, 2026
Merged

Upgrade safe dependencies: bcryptjs 3.0.3, @vercel/node 5.x, @types/node 25.x#4
coder11125 merged 1 commit into
mainfrom
devin/1778157593-upgrade-safe-dependencies

Conversation

@devin-ai-integration

Copy link
Copy Markdown
Contributor

Summary

Upgrades three dependencies that can be safely updated, and removes one that is no longer needed:

Package From To Why
bcryptjs 2.4.3 3.0.3 Modern ESM, built-in types, $2b$ hash default
@vercel/node ^3.0.0 ^5.7.15 Security fixes in transitive deps (undici, path-to-regexp, tar)
@types/node ^20.0.0 ^25.6.0 Up-to-date Node.js type definitions
@types/bcryptjs ^2.4.6 (removed) bcryptjs 3.0 ships its own TypeScript types

Not upgraded (intentionally skipped):

  • mongoose 8→9: Extensive breaking changes (driver v7, type overhaul, removed next() in middleware)
  • typescript 5→6: Bridge release for TS 7.0 Go rewrite; changes tsconfig defaults with no functional benefit while Vercel's builder still uses TS 5.9.3

No source code changes — only package.json and package-lock.json are modified.

Review & Testing Checklist for Human

  • Verify existing $2a$ password hashes still verify correctly with bcryptjs 3.0. The library claims bcrypt.compare() handles both $2a$ and $2b$ prefixes, but this is the highest-risk change — test by logging into an existing account after deploying.
  • Verify @vercel/node v5 handler API is compatible. The VercelRequest/VercelResponse types are used across all API routes. Deploy a preview and confirm all API endpoints (auth, data save/load, chats, folders) still function.
  • Confirm bcryptjs 3.0's built-in types match project usage. @types/bcryptjs was removed — check that import bcrypt from 'bcryptjs' still resolves hash() and compare() correctly in your IDE/build.
  • Deploy to Vercel preview and test the full auth flow (register a new account, log out, log back in) to validate both new $2b$ hash generation and the updated @vercel/node runtime.

Notes

  • npm audit may still report vulnerabilities after this upgrade — these are in transitive dependencies within @vercel/node's own tree and must be fixed upstream.
  • Typecheck (npx tsc -p Tsconfig.json --noEmit) passes cleanly after the upgrade.

Link to Devin session: https://app.devin.ai/sessions/7baffc795f3548ad908b161f4f5535a9
Requested by: @coder11125

…ode 25.x

- bcryptjs 2.4.3 -> 3.0.3: Ships built-in types, modern ESM, b hashes (backward compatible)
- @vercel/node ^3.0.0 -> ^5.7.15: Security fixes for undici, path-to-regexp, tar, esbuild, ajv
- @types/node ^20.0.0 -> ^25.6.0: Up-to-date Node.js type definitions
- Remove @types/bcryptjs: No longer needed, bcryptjs 3.0 ships its own types

Co-Authored-By: Shashvath Puppala <shashvathpuppala.21cmis0265@meruinternationalschool.com>
@vercel

vercel Bot commented May 7, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
quasar-ai Ready Ready Preview, Comment May 7, 2026 0:41am

@devin-ai-integration

Copy link
Copy Markdown
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@coder11125

Copy link
Copy Markdown
Owner

@claude, is this dependency update safe?

@claude

claude Bot commented May 7, 2026

Copy link
Copy Markdown

Claude encountered an error —— View job


I'll analyze this and get back to you.

@coder11125 coder11125 merged commit d8382fb into main May 7, 2026
2 of 3 checks passed
@coder11125 coder11125 deleted the devin/1778157593-upgrade-safe-dependencies branch May 7, 2026 12:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant