chore(deps): upgrade node from 22.16.0 to 22.22.2 #40332
Looks like this PR is ready to merge! 🎉
No actionable comments were generated in the recent review. 🎉
Walkthrough
This PR uniformly bumps Node.js versions and related TypeScript node typings: Docker base images and GitHub Actions now target Node 22.22.2, various
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Warning: Review ran into problems
🔥 Problems: Errors were encountered while retrieving linked issues. Errors (1)
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## develop #40332 +/- ##
===========================================
+ Coverage 69.97% 70.04% +0.07%
===========================================
Files 3301 3301
Lines 120443 120443
Branches 21559 21591 +32
===========================================
+ Hits 84281 84367 +86
+ Misses 32862 32794 -68
+ Partials 3300 3282 -18
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
apps/meteor/.docker-mongo/Dockerfile (1)
23-26: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Run the container as the non-root user you already create.
`rocketchat` is created, but runtime never switches from root, so `ENTRYPOINT` executes as root.
🔧 Suggested fix
RUN chmod +x /app/bundle/entrypoint.sh +USER rocketchat ENTRYPOINT /app/bundle/entrypoint.shAlso applies to: 64-66
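Review bot: the added `USER rocketchat` line needs a matching ownership check, because the review text only mentions ownership being set on /app/uploads. Before applying it, confirm that /app/bundle/entrypoint.sh and every path it writes at start-up are readable or writable by rocketchat, and add the missing `chown` ahead of the `USER` line if they are not; otherwise the container stops at start-up once it no longer runs as root. The unchanged `ENTRYPOINT /app/bundle/entrypoint.sh` is in shell form, so the script runs under `/bin/sh -c` and does not receive signals directly; the exec form `ENTRYPOINT ["/app/bundle/entrypoint.sh"]` avoids that.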
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@apps/meteor/.docker-mongo/Dockerfile` around lines 23 - 26, The Dockerfile creates the rocketchat group/user (groupadd/useradd) and sets ownership on /app/uploads but never switches from root at runtime, so the ENTRYPOINT runs as root; update the Dockerfile to set the default runtime user by adding a USER rocketchat directive after the filesystem setup (and after any remaining chown/chmod lines), ensuring ENTRYPOINT runs as the non-root rocketchat user; apply the same USER change for the analogous block referenced in lines 64-66.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@apps/meteor/ee/server/services/Dockerfile`:
- Line 31: The final Dockerfile stage runs as root; create and switch to a
non-root runtime user in that stage: add an unprivileged group/user (e.g., RUN
addgroup -S app && adduser -S -G app app), ensure application directories are
owned by that user (chown -R app:app /app or similar), and set USER app (or USER
app:app) before the final CMD/ENTRYPOINT so the container no longer runs as
root; apply the same change to the other final stage(s) referenced around the
83-87 area.
- Line 1: The Dockerfile's build stage uses an Alpine base ("FROM
node:22.22.2-alpine3.22") but runs apt-get; replace any apt-get update/apt-get
install -y invocations with Alpine-appropriate apk commands (e.g., use "apk add
--no-cache" and the correct package names), remove apt-get-specific flags, and
ensure cleanup is done via apk semantics in the build stage so package
installation succeeds on the Alpine image.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 45b14dae-4b17-4c51-bd90-102097393e69
⛔ Files ignored due to path filters (1)
`yarn.lock` is excluded by `!**/yarn.lock`, `!**/*.lock`
📒 Files selected for processing (31)
- .github/workflows/update-version-durability.yml
- apps/meteor/.docker-mongo/Dockerfile
- apps/meteor/.docker/Dockerfile.alpine
- apps/meteor/.docker/Dockerfile.debian
- apps/meteor/ee/server/services/Dockerfile
- apps/meteor/ee/server/services/package.json
- apps/meteor/package.json
- ee/apps/account-service/Dockerfile
- ee/apps/account-service/package.json
- ee/apps/authorization-service/Dockerfile
- ee/apps/authorization-service/package.json
- ee/apps/ddp-streamer/Dockerfile
- ee/apps/ddp-streamer/package.json
- ee/apps/omnichannel-transcript/Dockerfile
- ee/apps/omnichannel-transcript/package.json
- ee/apps/presence-service/Dockerfile
- ee/apps/presence-service/package.json
- ee/apps/queue-worker/Dockerfile
- ee/apps/queue-worker/package.json
- ee/packages/abac/package.json
- ee/packages/federation-matrix/package.json
- ee/packages/network-broker/package.json
- ee/packages/omnichannel-services/package.json
- ee/packages/presence/package.json
- package.json
- packages/apps-engine/package.json
- packages/message-parser/jest.config.ts
- packages/message-parser/package.json
- packages/peggy-loader/package.json
- packages/release-action/package.json
- packages/release-changelog/package.json
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}
📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)
**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation
Files:
packages/message-parser/jest.config.ts
🧠 Learnings (14)
📓 Common learnings
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.
Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.
📚 Learning: 2026-03-16T21:50:42.118Z
Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:42.118Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs, removing endpoint types and validators from `rocket.chat/rest-typings` (e.g., `UserRegisterParamsPOST`, `/v1/users.register` entry) is the *required* migration pattern per RocketChat/Rocket.Chat-Open-API#150 Rule 7 ("No More rest-typings or Manual Typings"). The endpoint type is re-exposed via a module augmentation `.d.ts` file in the consuming package (e.g., `packages/web-ui-registration/src/users-register.d.ts`). This is NOT a breaking change — the correct changeset bump for `rocket.chat/rest-typings` in this scenario is `minor`, not `major`. Do not flag this as a breaking change during OpenAPI migration reviews.
Applied to files:
- ee/apps/account-service/package.json
- apps/meteor/ee/server/services/package.json
- ee/packages/omnichannel-services/package.json
- ee/apps/authorization-service/package.json
- ee/apps/queue-worker/package.json
- ee/apps/ddp-streamer/package.json
- ee/packages/federation-matrix/package.json
- apps/meteor/package.json
- ee/apps/omnichannel-transcript/package.json
- packages/release-action/package.json
- ee/packages/presence/package.json
- packages/release-changelog/package.json
- packages/message-parser/package.json
- packages/apps-engine/package.json
- ee/apps/presence-service/package.json
📚 Learning: 2026-02-24T19:05:56.710Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.
Applied to files:
- ee/apps/account-service/package.json
- ee/packages/omnichannel-services/package.json
- ee/apps/authorization-service/package.json
- ee/apps/queue-worker/package.json
- ee/apps/ddp-streamer/package.json
- ee/packages/federation-matrix/package.json
- ee/apps/omnichannel-transcript/package.json
- ee/packages/network-broker/package.json
- ee/packages/presence/package.json
- packages/peggy-loader/package.json
- packages/message-parser/package.json
- package.json
- ee/packages/abac/package.json
- ee/apps/presence-service/package.json
📚 Learning: 2026-02-25T20:10:16.987Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38913
File: packages/ddp-client/src/legacy/types/SDKLegacy.ts:34-34
Timestamp: 2026-02-25T20:10:16.987Z
Learning: In the RocketChat/Rocket.Chat monorepo, packages/ddp-client and apps/meteor do not use TypeScript project references. Module augmentations in apps/meteor (e.g., declare module 'rocket.chat/rest-typings') are not visible when compiling packages/ddp-client in isolation, which is why legacy SDK methods that depend on OperationResult types for OpenAPI-migrated endpoints must remain commented out.
Applied to files:
- ee/apps/account-service/package.json
- apps/meteor/ee/server/services/package.json
- ee/packages/omnichannel-services/package.json
- ee/apps/authorization-service/package.json
- ee/apps/queue-worker/package.json
- ee/apps/ddp-streamer/package.json
- ee/packages/federation-matrix/package.json
- apps/meteor/package.json
- ee/packages/presence/package.json
- ee/packages/abac/package.json
- ee/apps/presence-service/package.json
📚 Learning: 2025-12-10T21:00:54.909Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:54.909Z
Learning: Rocket.Chat monorepo: Jest testMatch pattern '<rootDir>/src/**/*.spec.(ts|js|mjs)' is valid in this repo and used across multiple packages (e.g., packages/tools, ee/packages/omnichannel-services). Do not flag it as invalid in future reviews.
Applied to files:
- ee/apps/ddp-streamer/package.json
- ee/packages/federation-matrix/package.json
- ee/packages/network-broker/package.json
- packages/message-parser/jest.config.ts
- packages/message-parser/package.json
- ee/packages/abac/package.json
📚 Learning: 2026-04-16T14:31:16.307Z
Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 40128
File: apps/meteor/.docker/Dockerfile.debian:42-42
Timestamp: 2026-04-16T14:31:16.307Z
Learning: When reviewing Dockerfiles/scripts, treat `npm cache clear` as a valid alias of `npm cache clean` (and also accept `npm cache rm`). Do not flag uses of `npm cache clear --force` as an invalid/unknown npm subcommand (e.g., avoid false-positive warnings like `Unknown command: clear`)—even if the alias was removed from npm docs in npm v7+.
Applied to files:
apps/meteor/.docker/Dockerfile.debian
📚 Learning: 2025-12-16T17:29:45.163Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 37834
File: apps/meteor/tests/e2e/page-objects/fragments/admin-flextab-emoji.ts:12-22
Timestamp: 2025-12-16T17:29:45.163Z
Learning: In page object files under `apps/meteor/tests/e2e/page-objects/`, always import `expect` from `../../utils/test` (Playwright's async expect), not from Jest. Jest's `expect` has a synchronous signature and will cause TypeScript errors when used with web-first assertions like `toBeVisible()`.
Applied to files:
packages/message-parser/jest.config.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files
Applied to files:
packages/message-parser/jest.config.ts
📚 Learning: 2026-04-27T16:19:02.889Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40324
File: apps/meteor/client/providers/ServerProvider.tsx:20-20
Timestamp: 2026-04-27T16:19:02.889Z
Learning: In RocketChat/Rocket.Chat, `ServerContextValue.absoluteUrl` in `packages/ui-contexts/src/ServerContext.ts` intentionally keeps the more restrictive signature `(path: string) => string`, even though the underlying `absoluteUrl` helper in `apps/meteor/client/lib/absoluteUrl.ts` accepts optional `path` and `options` parameters. Do not suggest widening the context type to match the helper's full signature.
Applied to files:
packages/message-parser/jest.config.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.
Applied to files:
packages/message-parser/jest.config.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.
Applied to files:
packages/message-parser/jest.config.ts
📚 Learning: 2026-02-24T19:09:09.561Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.
Applied to files:
apps/meteor/.docker/Dockerfile.alpine
📚 Learning: 2026-03-17T16:08:37.572Z
Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 39690
File: packages/ui-voip/package.json:11-11
Timestamp: 2026-03-17T16:08:37.572Z
Learning: In `packages/ui-voip/package.json` (RocketChat/Rocket.Chat), the team deliberately chose to use `rm -rf dist` directly in the `"build"` script instead of `rimraf`, as they decided against introducing the `rimraf` dependency for this package. Do not flag `rm -rf dist` in the ui-voip build script as a cross-platform issue requiring rimraf.
Applied to files:
apps/meteor/.docker/Dockerfile.alpine
📚 Learning: 2026-03-06T18:09:17.867Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/elements/Timestamp/DateTimeFormats.spec.tsx:20-23
Timestamp: 2026-03-06T18:09:17.867Z
Learning: In the RocketChat/Rocket.Chat gazzodown package (`packages/gazzodown`), tests are intended to run under the UTC timezone, but as of PR `#39397` this is NOT yet explicitly enforced in `jest.config.ts` or the `package.json` test scripts (which just run `jest` without `TZ=UTC`). To make timezone-sensitive snapshot tests reliable across all environments, `TZ=UTC` should be added to the test scripts in `package.json` or to `jest.config.ts` via `testEnvironmentOptions.timezone`. Without explicit UTC enforcement, snapshot tests involving date-fns formatted output or `toLocaleString()` will fail for contributors in non-UTC timezones.
Applied to files:
ee/packages/abac/package.json
🪛 Trivy (0.69.3)
apps/meteor/ee/server/services/Dockerfile
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)
apps/meteor/.docker-mongo/Dockerfile
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)
🔇 Additional comments (22)
packages/peggy-loader/package.json (1)
37-37: Node typings bump is consistent with the runtime/toolchain upgrade. This manifest-only change looks correct and aligned with the PR scope.
packages/release-action/package.json (1)
24-24: Typings update is scoped and appropriate. No concerns with this `@types/node` alignment change.
packages/release-changelog/package.json (1)
16-16: Looks good — dependency bump matches repo-wide Node typings sync.
packages/apps-engine/package.json (1)
97-97: Scoped typings bump is correct for this package.
packages/message-parser/jest.config.ts (1)
1-2: ESM-safe path resolution change is solid. Using `dirname(fileURLToPath(import.meta.url))` here is the right approach and keeps transformer resolution intact. Also applies to: 7-7, 12-12
packages/message-parser/package.json (1)
53-53: Version alignment here matches the stated upgrade plan. Both the typings bump and `engines.node` update are consistent with the PR’s Node 22.22.2 migration. Also applies to: 70-70
apps/meteor/ee/server/services/package.json (1)
56-56: `@types/node` update is clean and in-scope.
ee/packages/presence/package.json (1)
27-27: No issues here — dependency bump is consistent with the rest of the PR.
.github/workflows/update-version-durability.yml (1)
26-26: Node version bump is correctly applied in workflow. This aligns CI runtime with the PR’s target Node upgrade.
ee/packages/federation-matrix/package.json (1)
46-46: `@types/node` update looks good for this package. Keeps local TS typings aligned with the repo-wide Node upgrade effort.
ee/packages/network-broker/package.json (1)
28-28: `@types/node` bump is consistent and safe here.
ee/apps/omnichannel-transcript/package.json (1)
35-35: Type definition version update is aligned with the rest of the PR.
ee/apps/account-service/package.json (1)
33-33: `@types/node` update is good and consistent with the Node upgrade track.
ee/apps/presence-service/package.json (1)
32-32: Looks good — this keeps typings aligned with the broader Node version upgrade.
ee/apps/queue-worker/package.json (1)
31-31: `@types/node` bump is clean and in-scope for this PR.
ee/apps/ddp-streamer/Dockerfile (1)
1-1: Builder and runtime image tags are consistently upgraded. Good to see both stages pinned to the same Node release line. Also applies to: 94-94
apps/meteor/.docker/Dockerfile.alpine (1)
1-1: Version bump is consistent across build and runtime stages. Good update to keep both `FROM` stages aligned on Node `22.22.2-alpine3.22`. Also applies to: 23-23
ee/apps/queue-worker/Dockerfile (1)
1-1: LGTM on the Node image upgrade. Both stages are updated coherently to `22.22.2-alpine3.22`. Also applies to: 104-104
package.json (1)
105-105: Toolchain alignment looks good. `@types/node`, `engines.node`, and `volta.node` are updated consistently for the Node `22.22.2` bump. Also applies to: 114-114, 118-118
apps/meteor/package.json (1)
381-381: Scoped typings bump is good. This `@types/node` update matches the repository-wide Node/tooling upgrade.
ee/apps/omnichannel-transcript/Dockerfile (1)
1-1: Node base-image update is clean and consistent. Both builder and runtime stages are aligned on `22.22.2-alpine3.22`. Also applies to: 104-104
apps/meteor/.docker/Dockerfile.debian (1)
5-5: Debian Node image bump looks good. The upgrade to `22.22.2-bullseye-slim` is scoped and consistent with the PR objective.
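Added example, not code from this PR, CodeRabbit or Trivy: a small Python check for the two Dockerfile findings in the review above, a final stage left as root (Trivy DS-0002) and `apt-get` called on an Alpine base. The sample Dockerfile, the `app` user and all function names are constructed for illustration, and base images are assumed to default to root.

```python
import re

# Constructed sample modelled on the two findings above: an Alpine base that
# calls apt-get, and a final stage that creates a user but never switches to it.
SAMPLE = """\
FROM node:22.22.2-alpine3.22 AS build
RUN apt-get update && apt-get install -y python3 make g++
WORKDIR /app
COPY . .
FROM node:22.22.2-alpine3.22
RUN addgroup -S app && adduser -S -G app app
COPY --from=build /app /app
CMD ["node", "/app/main.js"]
"""

ROOT_IDS = {"root", "0"}
WRONG_TOOL = {"alpine": "apt-get", "debian": "apk"}  # tool absent from each family

def instructions(text):
    """Yield (line_no, KEYWORD, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines() + [""], 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.endswith("\\"):
            start, buf = start or no, buf + line[:-1] + " "
            continue
        keyword, _, args = (buf + line).strip().partition(" ")
        if keyword:
            yield start or no, keyword.upper(), args.strip()
        buf, start = "", 0

def family(image):
    """Guess the distro family from the image tag; None when it is not evident."""
    tag = image.lower()
    if "alpine" in tag:
        return "alpine"
    if any(hint in tag for hint in ("bullseye", "bookworm", "debian", "ubuntu")):
        return "debian"
    return None

def audit(text):
    """Return (findings, final_user); findings are (line_no, message) pairs."""
    stages, findings = {}, []          # stages: alias -> (family, user)
    fam, user, alias, from_line = None, "root", None, 0
    for no, kw, args in instructions(text):
        if kw == "FROM":
            stages[alias] = (fam, user)  # a None alias is never looked up
            parts = [p for p in args.split() if not p.startswith("--")]
            image, from_line = parts[0], no
            alias = parts[2].lower() if len(parts) == 3 and parts[1].lower() == "as" else None
            # A stage built FROM an earlier alias inherits its family and USER.
            fam, user = stages.get(image.lower(), (family(image), "root"))
        elif kw == "USER":
            user = args.split(":")[0].strip()
        elif kw == "RUN" and fam in WRONG_TOOL:
            tool = WRONG_TOOL[fam]
            if re.search(r"(?<![\w-])%s(?![\w-])" % re.escape(tool), args):
                findings.append((no, "%s used on %s base" % (tool, fam)))
    if user in ROOT_IDS:
        findings.append((from_line, "final stage runs as root"))
    return findings, user
```

Only the last stage's effective `USER` is reported, since earlier build stages do not ship in the image.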
/jira FIPS-22
KevLehman left a comment
I leave my symbolic approval
Use an up-to-date LTS version of node that is supported by fips base images. Currently that version is 22.22.2.
Task: FIPS-23