fix!: require @workos-inc/node >=10.4.0 (eventemitter3 Vite dev crash #106) #107
…106)

@workos-inc/node 8.11.1-10.3.x bundles eventemitter3, whose CJS module breaks Vite's dev server when @workos-inc/node is served as raw ESM: the browser throws "does not provide an export named 'default'" (#106). @workos-inc/node@10.4.0 dropped eventemitter3 for an internal emitter.

Pin the transitive peer floor so consumers can't resolve an eventemitter3-carrying version. Intersects with authkit-session's `^8 || ^9 || ^10` peer to an effective `>=10.4.0 <11`. engines.node bumped to >=22.11 to match @workos-inc/node 10's requirement.

BREAKING CHANGE: requires @workos-inc/node >=10.4.0 and Node >=22.11.
Greptile Summary
Confidence Score: 4/5

The dependency floor addresses the Vite dev crash, but the unbounded WorkOS peer range leaves installs open to unsupported future major versions. The change is small and localized to package metadata and lockfile updates, and the dependency-range issue is specific and reproducible from declared package contracts.

package.json
| "peerDependencies": { | ||
| "@tanstack/react-router": ">=1.0.0", | ||
| "@tanstack/react-start": ">=1.168.25", | ||
| "@workos-inc/node": ">=10.4.0", |
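Review bot: the `"@workos-inc/node": ">=10.4.0"` line is a peer range, and the PR description says consumers on an older version "will get a peer/engine warning", which is weaker than the commit message's statement that consumers can't resolve an eventemitter3-carrying version. Either soften that wording or state in the release notes that the floor is advisory wherever the consumer's package manager only warns on peer mismatches, so affected users know to upgrade `@workos-inc/node` explicitly.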
This package relies on `@workos/authkit-session@0.6.0`, whose peer contract only supports `@workos-inc/node` through major 10. The new `>=10.4.0` peer range also accepts future major versions, so a consumer can install a version that satisfies this package while violating the downstream session package's supported API range, causing peer conflicts or an unsupported dependency pair once v11 exists. Encoding the intended intersection keeps installs on the tested `>=10.4.0 <11` range.
gjtorikian left a comment
Because of fix!, we should double check if this will promote from 0.9 -> 0.10 or 0.9 -> 1.0, the latter of which is undesirable.
According to semver, breaking changes before a 1.0.0 release do not require a major version bump.
Summary

Fixes #106. Pins the transitive `@workos-inc/node` peer floor to `>=10.4.0`, the version that removed `eventemitter3`.

Root cause

The TanStack Start client hydration entry imports the app's `src/start.ts`, which imports `authkitMiddleware` from this package's main entry. In Vite dev there's no tree-shaking, so the whole server barrel — including its transitive `@workos/authkit-session` → `@workos-inc/node` chain — is eagerly evaluated in the browser. `@workos-inc/node` `8.11.1–10.3.x` bundled `eventemitter3`, whose CJS `index.js` (default-imported by its own `index.mjs`) cannot be served as raw ESM by Vite, so the browser throws:

`@workos-inc/node@10.4.0` replaced `eventemitter3` with an internal emitter, removing the landmine at the source.

Why this fix

- `@workos-inc/node >= 10.4.0`.
- `@workos-inc/node` directly (it's `@workos/authkit-session`'s peer), so we declare the floor as a peer here to enforce it for consumers. It intersects with authkit-session's `^8 || ^9 || ^10` to an effective `>=10.4.0 <11`.
- `engines.node` bumped to `>=22.11.0` to match what `@workos-inc/node@10` requires (it dropped Node 20 in v9).

Why this never reproduced in `example/`

`example/` consumes the SDK via a `workspace:*` symlink whose real path is outside `node_modules`, so Vite pre-bundles `@workos/authkit-session` with esbuild and fixes the CJS interop — masking the crash. A real install (npm/pnpm/bun) serves it raw and crashes. (The production `build`-based leak check can't catch this either — Rollup tree-shakes the prod bundle clean.)

Breaking change

- `@workos-inc/node >= 10.4.0`.
- `>= 22.11`.

Consumers on an older `@workos-inc/node` / Node 20 will get a peer/engine warning prompting the upgrade.

Test plan

- `pnpm build` (typecheck + emit) — passes
- `pnpm test` — 234 passing (incl. `exports.spec.ts`; error classes still exported from the main entry)
- `cd example && pnpm build` — passes
- `pnpm run build:check` — no server fingerprints in the client bundle
- `@workos-inc/node` `< 10.4.0`, and confirmed `>= 10.4.0` removes `eventemitter3` from the client module graph
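The range arithmetic behind the peer floor and the review comment, as an added example (not code from this PR or from WorkOS): a minimal matcher for the range forms quoted on this page, showing which versions each declared peer accepts. The function names and the sample versions are constructed for illustration, and prerelease tags are not handled.

```javascript
// Minimal semver matcher, enough for the ranges quoted in this PR.
// Handles x.y.z versions, the comparators >=, < and ^ (non-zero major),
// space-separated AND, and "||" OR. Prereleases and "<=" are not handled.
const parse = (s) => [...s.split(".").map(Number), 0, 0].slice(0, 3);

const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
};

function matchComparator(version, token) {
  const v = parse(version);
  if (token.startsWith(">=")) return cmp(v, parse(token.slice(2))) >= 0;
  if (token.startsWith("<")) return cmp(v, parse(token.slice(1))) < 0;
  if (token.startsWith("^")) {
    // Caret with a non-zero major: same major, at or above the floor.
    const floor = parse(token.slice(1));
    return v[0] === floor[0] && cmp(v, floor) >= 0;
  }
  throw new Error(`unsupported comparator: ${token}`);
}

function satisfies(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((tok) => matchComparator(version, tok))
  );
}

// Ranges as quoted on this page.
const THIS_PACKAGE_PEER = ">=10.4.0";
const AUTHKIT_SESSION_PEER = "^8 || ^9 || ^10";
const AFFECTED = ">=8.11.1 <10.4.0"; // 8.11.1 through 10.3.x bundle eventemitter3

function audit(version) {
  return {
    bundlesEventemitter3: satisfies(version, AFFECTED),
    passesThisPeer: satisfies(version, THIS_PACKAGE_PEER),
    passesSessionPeer: satisfies(version, AUTHKIT_SESSION_PEER),
  };
}

// Constructed sample versions, not taken from any lockfile.
for (const v of ["8.11.1", "10.3.2", "10.4.0", "11.0.0"]) {
  console.log(v, audit(v));
}
```

A version is inside the tested window only when `passesThisPeer` and `passesSessionPeer` are both true, which is the `>=10.4.0 <11` intersection the PR describes.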