v6.5.0

Changelog

Fix

• fix: add custom inspect to work around a Prisma issue that causes console to hang #9623 by @ymc9

  Fixes #8817. (The related Prisma issue: prisma/prisma#18292.) Typing db in the Redwood console (yarn rw console) caused it to hang for ~10 seconds. This PR adds a workaround as suggseted by the Prisma team here: prisma/prisma#19648 (comment).

Core Dependencies

• update prisma to v5.5.2 #9403
• update vite to v4.5.1 #9627
• update @apollo/client to v3.8.8 #9600
• update storybook to v7.6.3 #9628
• update react-hook-form to v7.48.2 #9407
• update webpack to v5.89.0 #9408
• update typescript to 5.3.2 #9589

Docs

• Fix typos in tutorial #9516 by @MatrixFrog
• docs(docker): add troubleshooting section for python #9548 by @jtoar
• fix(docker): correct links, fix typos #9551 by @jtoar
• Docker docs: Typo fixes #9552 by @Tobbe
• add documentation on mocking useParams in component test #9284 by @dustinsgoodman
• chore(private-set): Wrap profile page in <PrivateSet> instead of Private #9575 by @DonsWayo
• Add note about base 64 encoded event body #9595 by @tmikeschu

Dependencies

Click to see all upgraded dependencies

• fix(deps): update dependency graphql-sse to v2.3.0 #9406
• chore(deps): update dependency @clerk/types to v3.58.0 #9431
• chore(deps): update dependency @azure/msal-browser to v2.38.3 #9421
• chore(deps): update dependency graphql-scalars to v1.22.4 #9426
• chore(deps): update dependency @auth0/auth0-spa-js to v2.1.2 #9420
• chore(deps): update dependency @clerk/clerk-react to v4.28.0 #9430
• chore(deps): update dependency @envelop/types to v4.0.1 #9424
• fix(deps): update dependency @graphql-yoga/plugin-defer-stream to v2.0.5 #9439
• fix(deps): update dependency fast-glob to v3.3.2 #9442
• fix(deps): update dependency @graphql-tools/utils to v10.0.8 #9438
• fix(deps): update dependency systeminformation to v5.21.17 #9446
• fix(deps): update dependency jsonwebtoken to v9.0.2 #9443
• fix(deps): update dependency semver to v7.5.4 #9445
• fix(deps): update dependency @envelop/on-resolve to v3.0.3 #9436
• fix(deps): update dependency nodemailer to v6.9.7 #9444
• fix(deps): update dependency @graphql-yoga/plugin-graphql-sse to v2.0.5 #9440
• fix(deps): update dependency @simplewebauthn/browser to v7.4.0 #9454
• chore(deps): update dependency firebase to v10.6.0 #9449
• fix(deps): update dependency firebase-admin to v11.11.0 #9458
• fix(deps): update dependency @testing-library/user-event to v14.5.1 #9455
• chore(deps): update dependency supertokens-node to v15.2.1 #9466
• fix(deps): update dependency jwks-rsa to v3.1.0 #9467
• fix(deps): update opentelemetry-js monorepo #9468
• fix(deps): update typescript-eslint monorepo to v5.62.0 #9469
• chore(deps): update dependency nodemon to v3 #9470
• fix(deps): update dependency @react-email/render to v0.0.9 #9473
• fix(deps): update dependency @whatwg-node/fetch to v0.9.14 #9474
• chore(deps): update dependency @simplewebauthn/server to v7.4.0 #9480
• fix(deps): update dependency uuid to v9.0.1 #9477
• fix(deps): update dependency whatwg-fetch to v3.6.19 #9478
• chore(deps): update dependency @supabase/supabase-js to v2.38.4 #9482
• chore(deps): update dependency @testing-library/react to v14.1.0 #9488
• fix(deps): update dependency ci-info to v3.9.0 #9490
• fix(deps): update dependency smtp-server to v3.13.0 #9494
• fix(deps): update dependency envinfo to v7.11.0 #9491
• fix(deps): update dependency resend to v1.1.0 #9493
• chore(deps): update dependency @testing-library/jest-dom to v5.17.0 #9487
• chore(deps): update dependency autoprefixer to v10.4.16 #9502
• fix(deps): update dependency eslint-plugin-import to v2.29.0 #9499
• fix(deps): update dependency eslint-config-prettier to v8.10.0 #9498
• fix(deps): update dependency eslint to v8.53.0 #9497
• fix(deps): update dependency @types/aws-lambda to v8.10.126 #9503
• fix(deps): update dependency eslint-plugin-jsx-a11y to v6.8.0 #9500
• fix(deps): update dependency eslint-plugin-react to v7.33.2 #9501
• fix(deps): update dependency @clerk/clerk-sdk-node to v4.12.21 #9505
• fix(deps): update dependency @types/node to v18.18.9 #9504
• fix(deps): update dependency @types/jest to v29.5.8 #9508
• fix(deps): update dependency @vscode/ripgrep to v1.15.6 #9538
• chore(deps): update dependency @playwright/test to v1.40.0 #9565
• chore(deps): update dependency @supabase/supabase-js to v2.38.5 #9563
• fix(deps): update dependency core-js to v3.33.3 #9564
• chore(deps): update dependency @testing-library/react to v14.1.2 #9569
• fix(deps): update dependency eslint to v8.54.0 #9571
• chore(deps): update dependency @clerk/clerk-react to v4.28.1 #9598
• fix(deps): update dependency @clerk/clerk-sdk-node to v4.12.22 #9601
• chore(deps): update dependency @supabase/supabase-js to v2.39.0 #9603
• chore(deps): update dependency @playwright/test to v1.40.1 #9599
• fix(deps): update dependency @whatwg-node/server to v0.9.18 #9602
• fix(deps): update docusaurus monorepo to v3.0.1 #9608
• fix(deps): update dependency graphql-sse to v2.4.0 #9607
• fix(deps): update dependency fs-extra to v11.2.0 #9606
• fix(deps): update graphql-tools monorepo #9609
• chore(deps): update dependency nodemon to v3.0.2 #9615
• fix(deps): update dependency @react-email/render to v0.0.10 #9616
• fix(deps): update dependency systeminformation to v5.21.20 #9617
• fix(deps): update dependency eslint to v8.55.0 #9629
• chore(deps): update dependency @clerk/clerk-react to v4.28.2 #9625

v6.4.2

Patch Release

• fix(crwa): pin Node.js version in .nvmrc #9614 by @jtoar

  Netlify deploys were failing on Node.js v20 with the following Prisma error:

  Prisma Client could not locate the Query Engine for runtime "rhel-openssl-3.0.x".
  This happened because Prisma Client was generated for "debian-openssl-1.1.x", 
  but the actual deployment required "rhel-openssl-3.0.x"
  

  Netlify uses the .nvmrc to determine the Node.js version. It takes precedence over other ways of specifying the Node.js version like the NODE_VERISON env var.

  This PR pins the Node.js version to v18 in the .nvmrc. This change only affects for new projects; if you're deploying to Netlify and seeing a similar error, simply replace the version in your .nvmrc with the following:

  v18
  

v6.4.1

Patch Release

• fix(deps): update @types/react to v18.2.37 #9391 by @leahincom

  Fixes the Argument of type 'Element' is not assignable to parameter of type 'ReactNode'.ts(2345) TS error in web/src/entry.client.tsx.

• fix(cli): Remove boxen from default error output #9568 by @Josh-Walker-GM

  There are too many cases where drawing a box around the CLI's default error output causes readability issues. This PR swaps the box for colored horizontal dividers.

• 9316/update mantine setup #9388 by @bnn1

  Fixes #9316. Mantine migrated to using CSS in v7 and now requires additional setup.

• fix: Prevent rw graphiql setup from breaking with encryptSession error #9582 by @staticshock

  Fixes #9581, which was a CLI regression introduced in #9350.

• Tell the shell how to run the rw-vite-xx bins #9576 by @orta

  Adds shebangs to Vite scripts that were missing them.

• Added prompt, if the directory already exists #9362 by @ahaywood

  In yarn create redwood-app, if the user specified a directory that already exists, the app would quit. Now they're presented with an additional prompt.

• 💬 Added details for using GitPod within Create Redwood App #9364 by @ahaywood

  In yarn create redwood-app, if the user encounters an issue with Node or Yarn, they'll see an option for using Gitpod alongside the error.

• Experimental Dockerfile: Fix typo in setup command #9577 by @Tobbe

• fix: Remove "god code" typos from auth READMEs #9583 by @staticshock

v6.4.0

Changelog

Features

• dbAuth: Unique session cookie name per port #9248 by @Tobbe

  Previously, when using dbAuth, you couldn't run two different Redwood apps at the same time on different ports. One app would overwrite the session cookie used by the other, and vice versa. They both used the same cookie name (session), and browsers distinguish cookies by hostname, not port.

  This PR lets users configure the cookie name they want to use by setting cookie.name in their api/src/functions/auth.ts file:

  // api/src/functions/auth.ts
  
  const authHandler = new DbAuthHandler(event, context, {
    // ...
  
    cookie: {
      name: 'session_%port%',
  
      // The cookie's attributes have moved to `cookie.attributes`:
      attributes: {
        // ...
      }
    },
  })

  If that option isn't set, it defaults to the old name (session) for backwards compatibility. In a similar vein, DbAuthHandler still handles all the properties that are now nested in cookie.attributes at the top level.

• <PrivateSet> #9303 by @Tobbe

  Fixes #2562, #9304, and https://community.redwoodjs.com/t/private-route-error-with-7-0-0-canary-347/5337. This PR deprecates the Router's <Private> component and the private prop on the Router's <Set> component. In their place, it introduces a new Router component, <PrivateSet>.

  Starting in this release, you'll see strikethroughs in your IDE when you use <Private> or the private prop on <Set>. They still work just as they did, but they'll be removed in a future major release, and <PrivateSet> is little more than a new name. The reason for the change is that in strict mode, private is a reserved word and there were just some bugs we couldn't fix without changing the name.

• feat(cli): Setup command for mailer #9335 by @Josh-Walker-GM

  This PR adds a setup command for the mailer:

  yarn rw setup mailer
  

  and adds functionality that enables it to conditionally use an in-memory handler for tests and the studio handler for development if those dependencies are available.

  Check out the mailer docs for more: https://redwoodjs.com/docs/mailer.

Fixes

• Fix infinite loops on nested private routes with roles #9204 by @KrisCoulson

  Fixes #9131. This restores the Router's ability to handle multiple nested routes with different levels of authentication and redirect contexts.

• fix(types): Generate maps to allow improved "go to definition" behaviour #9269 by @Josh-Walker-GM

  Fixes #5862 and #2867. Previously, navigating to the definition of cells, components, layouts, pages, etc. would lead to the .d.ts file. This could be pretty frustrating if you're used to flying between definitions. This PR generates basic definition/source mappings for directory-mapped modules, cell mirrors, router pages, and route links.

• Fix Set wrapper type so you can have an array of wrappers #9314 by @Tobbe

  Fixes #9313. This PR lets you do something like this in your web/src/Routes.tsx without type errors (notice the array of wrappers):

  const Routes = () => {
    return (
      <Router>
        <Set wrap={[Wrapper]}>
          <Route path="/" page={HomePage} name="home" />
        </Set>
        {/* ... */}
      </Router>
    )
  }

• Don't remount wrap components when navigating within Set #9312 by @Tobbe

  Fixes #9105. This PR assigns each Set a unique id and uses that id as a key when rendering all the wrapper components.

• preview stats when building storybook for Chromatic "TurboSnap" #9462 by @majimaccho

  yarn rw storybook --build didn't generate a preview-stats.json required for Chromatic's TurboSnap feature.

Core Dependencies

• update storybook monorepo to v7.4.6 #9256
• update prisma monorepo to v5.6.0 #9447
• update babel monorepo to v7.23.3 #9450
• update fastify to v4.24.3 #9457
• update yarn to v3.7.0 #9489
• update vite to v4.5.0 #9328

Docs

• Fix typos, removing erroneous apostrophes from personal possessive pronouns #9216 by @Philzen
• Fix broken link to most recent jest config example #9266 by @Philzen
• Fix TypeScript code highlighting (Chapter 6: Comments – Testing the service) #9267 by @Philzen
• Clarify Auth0 Configuration #9238 by @jdrbc
• docs: add missing await in service validation example #9243 by @G-Rath
• docs: Clarifies the testimonial section of the What is Redwood documentation #9207 by @jdrbc
• fix (docs): use default markdown numbered list #9265 by @esteban-url
• Fix typo in RBAC @requireAuth example #9286 by @Philzen
• Fix links to Prisma n:m relationship docs #9285 by @Philzen
• docs: How to Use Prisma Client Extensions with DB Client and Logging #9283 by @dthyresson
• docs(mailer): Initial mailer docs #9363 by @Josh-Walker-GM
• Added missing type to routing-params.md #9377 by @pr0h0
• Update dbauth-passwordless.md #9357 by @brendandonahue
• docs: Update Deployment Docs to Provide Guidance on Extending the Timeout Duration in Vercel #9370 by @dinakartumu

Experimental features

Note

These features aren't officially released, but are included here for completeness since they're in this version. They're usable, but aren't fully documented and their API may change in future releases.

• feat: add experimental docker setup command #9024 by @jtoar

  This release features the first iteration of Redwood's Dockerfile and compose files. Thanks to everyone who participated in the container working group! Get started with the experimental setup command:

  yarn rw exp setup-docker
  

  And consult the docs here if you have any questions: https://redwoodjs.com/docs/docker. Feedback welcome!

• feat: Support GraphQL Subscriptions in Apollo Client using SSE links #9009 by @dthyresson

  This PR adds support for GraphQL SSE (Server Sent Events) in both Redwood's GraphQL Server and RedwoodApolloProvider if realtime is enabled. For more on the status of realtime, see https://community.redwoodjs.com/t/redwoodjs-realtime/5002.

• feature: Support defer and stream GraphQL Directives in RedwoodRealtime #9235 by @dthyresson

• feat(cli-helpers): Root package install and RWJS env var #9296 by @Josh-Walker-GM

  This PR adds a few helper functions for installing packages in a Redwood app's root workspace and for setting the RWJS_CWD env var correctly.

• feature: Adds utility functions to add envars and update redwood.toml #9324 by @dthyresson

Dependencies

Click to see all upgraded dependencies

• chore(deps): update dependency @clerk/types to v3.52.0 #9213
• fix(deps): update dependency @clerk/clerk-sdk-node to v4.12.6 #9214
• chore(deps): update dependency @clerk/clerk-react to v4.25.1 #9212
• chore(deps): update dependency firebase to v10.4.0 #9203
• chore(deps): update dependency rimraf to v5.0.5 #9360
• fix(deps): update dependency concurrently to v8.2.2 #9361
• chore(deps): update dependency tailwindcss to v3.3.5 #9378
• fix(deps): update dependency msw to v1.3.2 #9379
• fix(deps): update dependency core-js to v3.33.2 #9293
• fix(deps): update apollo graphql packages #9418
• fix(deps): update dependency pino to v8.16.2 #9476
• fix(deps): update dependency prism-react-renderer to v2.2.0 #9492

v6.4.0-rc.98

Changelog

Features

• dbAuth: Unique session cookie name per port #9248 by @Tobbe

  Previously, when using dbAuth, you couldn't run two different Redwood apps at the same time on different ports. One app would overwrite the session cookie used by the other, and vice versa. They both used the same cookie name (session), and browsers distinguish cookies by hostname, not port.

  This PR lets users configure the cookie name they want to use by setting cookie.name in their api/src/functions/auth.ts file:

  // api/src/functions/auth.ts
  
  const authHandler = new DbAuthHandler(event, context, {
    // ...
  
    cookie: {
      name: 'session_%port%',
  
      // The cookie's attributes have moved to `cookie.attributes`:
      attributes: {
        // ...
      }
    },
  })

  If that option isn't set, it defaults to the old session name for backwards compatibility. In a similar vein, DbAuthHandler still handles all the properties that are now nested in cookie.attributes at the top level.

• <PrivateSet> #9303 by @Tobbe

  Fixes #2562, #9304, and https://community.redwoodjs.com/t/private-route-error-with-7-0-0-canary-347/5337. This PR deprecates the Router's <Private> component and the private prop on the Router's <Set> component. In their place, it introduces a new Router component, <PrivateSet>.

  Starting in this release, you'll see strikethroughs in IDE when you use <Private> or the private on <Set>.
  They still work just as they did, but they'll be removed in a future major release, and <PrivateSet> is little more than a new name. The reason for the change is that in strict mode, private is a reserved word and there were just some bugs we couldn't fix without changing the name.

• feat(cli): Setup command for mailer #9335 by @Josh-Walker-GM

  This PR adds a setup command for the mailer:

  yarn rw setup mailer
  

  and adds functionality that enables it to conditionally use an in-memory handler for tests and the studio handler for development if those dependencies are available.

  Check out the mailer docs for more: https://redwoodjs.com/docs/canary/mailer.

Fixes

• Fix infinite loops on nested private routes with roles #9204 by @KrisCoulson

  Fixes #9131. This restores the Router's ability to handle multiple nested routes with different levels of authentication and redirect contexts.

• fix(types): Generate maps to allow improved "go to definition" behaviour #9269 by @Josh-Walker-GM

  Fixes #5862 and #2867. Previously, navigating to the definition of cells, components, layouts, pages, etc. would lead you to the .d.ts file. This could be pretty frustrating if you're used to flying between definitions this way. This PR generates basic definition/source mappings for directory-mapped modules, cell mirrors, router pages, and route links.

• Fix Set wrapper type so you can have an array of wrappers #9314 by @Tobbe

  Fixes #9313. This PR lets you do something like this in your web/src/Routes.tsx without type errors (notice the array of wrappers):

  const Routes = () => {
    return (
      <Router>
        <Set wrap={[Wrapper]}>
          <Route path="/" page={HomePage} name="home" />
        </Set>
        {/* ... */}
      </Router>
    )
  }

• Don't remount wrap components when navigating within Set #9312 by @Tobbe

  Fixes #9105. This PR assigns each Set a unique id and uses that id as a key when rendering all the wrapper components.

Core Dependencies

• fix(deps): update storybook monorepo to v7.4.6 #9256
• fix(deps): update dependency vite to v4.4.11 #9255
• fix(deps): update prisma monorepo to v5.6.0 #9447
• fix(deps): update babel monorepo to v7.23.3 #9450
• fix(deps): update dependency fastify to v4.24.3 #9457
• chore(deps): update yarn to v3.7.0 #9489
• upgrade vite to v4.5.0 #9328

Docs

• Fix typos, removing erroneous apostrophes from personal possessive pronouns #9216 by @Philzen
• Fix broken link to most recent jest config example #9266 by @Philzen
• Fix TypeScript code highlighting (Chapter 6: Comments – Testing the service) #9267 by @Philzen
• Clarify Auth0 Configuration #9238 by @jdrbc
• docs: add missing await in service validation example #9243 by @G-Rath
• docs: Clarifies the testimonial section of the What is Redwood documentation #9207 by @jdrbc
• fix (docs): use default markdown numbered list #9265 by @esteban-url
• Fix typo in RBAC @requireAuth example #9286 by @Philzen
• Fix links to Prisma n:m relationship docs #9285 by @Philzen
• docs: How to Use Prisma Client Extensions with DB Client and Logging #9283 by @dthyresson
• docs(mailer): Initial mailer docs #9363 by @Josh-Walker-GM
• Added missing type to routing-params.md #9377 by @pr0h0
• Update dbauth-passwordless.md #9357 by @brendandonahue
• docs: Update Deployment Docs to Provide Guidance on Extending the Timeout Duration in Vercel #9370 by @dinakartumu

Experimental features

Note

These features aren't officially released, but are included here for completeness since they're in this version. They're usable, but aren't fully documented and their API may change in future releases.

• feat: add experimental docker setup command #9024 by @jtoar

  This release features the first iteration of Redwood's Dockerfile and compose files. Thanks to everyone who participated in the container working group! Get started with the experimental setup command:

  yarn rw exp setup-docker
  

  And consult the docs here if you have any questions: https://redwoodjs.com/docs/canary/docker. Feedback welcome!

• feat: Support GraphQL Subscriptions in Apollo Client using SSE links #9009 by @dthyresson

  This PR adds support for GraphQL SSE (Server Sent Events) in both Redwood's GraphQL Server and RedwoodApolloProvider if realtime is enabled. For more on the status of realtime, see https://community.redwoodjs.com/t/redwoodjs-realtime/5002.

• feature: Support defer and stream GraphQL Directives in RedwoodRealtime #9235 by @dthyresson

• feat(cli-helpers): Root package install and RWJS env var #9296 by @Josh-Walker-GM

  This PR adds a few helper functions for installing packages in a Redwood app's root workspace and for setting the RWJS_CWD env var correctly.

• feature: Adds utility functions to add envars and update redwood.toml #9324 by @dthyresson

Dependencies

Click to see all upgraded dependencies

• chore(deps): update dependency @clerk/types to v3.52.0 #9213
• fix(deps): update dependency @clerk/clerk-sdk-node to v4.12.6 #9214
• chore(deps): update dependency @clerk/clerk-react to v4.25.1 #9212
• chore(deps): update dependency firebase to v10.4.0 #9203
• chore(deps): update dependency rimraf to v5.0.5 #9360
• fix(deps): update dependency concurrently to v8.2.2 #9361
• chore(deps): update dependency tailwindcss to v3.3.5 #9378
• fix(deps): update dependency msw to v1.3.2 #9379
• fix(deps): update dependency core-js to v3.33.2 #9293
• fix(deps): update apollo graphql packages #9418
• fix(deps): update dependency pino to v8.16.2 #9476
• fix(deps): update dependency prism-react-renderer to v2.2.0 #9492

v6.3.3

Patch Release

• Update crypto library, CryptoJS CVE & deprecation #9350 by @cannikin

  See https://community.redwoodjs.com/t/dbauth-security-release/5507.

• Conditionally guarantee cell success data #9037 by @pvenable

  The CellSuccessData type is typed as though all query fields are guaranteed. When there are multiple fields, this typing isn't accurate since there only needs to be one populated field to render Success. We can't know ahead of time that any particular field is guaranteed. This fix continues to guarantee CellSuccessData as before when there's only one field, but now the query data type will be left as-is when there's more than one. This brings the types more in-line with the actual runtime behavior of Cells.

• fix(fastify): Don't fallback to index html if requesting static assets #9272 by @dac09

  If requesting an asset (e.g. .js, .jpeg, .ico) that doesn't exist, the Redwood server's not found handler responded with the index.html file. This response is meant for routes that haven't been prerendered, and is an SPA fallback. Because the 200 response here can get cached, it can lead to problems. The change here makes the server return a 404 instead, mainly to prevent caching.

• fix(babel): Improved message for error relating to multiple files ending in Page.{js,jsx,ts,tsx} in page directories #9329 by @Josh-Walker-GM

  If you had multiple files ending in Page.{...} (like HomePage.tsx, useHomePage.tsx) in a web-side page directory (like web/src/pages/HomePage), the Router tried to import both files as HomePage, basically redeclaring a variable, resulting in a cryptic error. This PR improves the error message by telling you which files the Router tried to import.

• fix(cli): Tailwind setup updates scaffold.css when needed #9290 by @Josh-Walker-GM

  Redwood's scaffold generator detects if you have Tailwind CSS setup and changes the contents of scaffold.css accordingly. But if you generate a scaffold before setting up Tailwind, the yarn rw setup ui tailwind command wasn't smart enough to ask you if you wanted to update the scaffold.css file too. Now it prompts you for you preference.

• fix(babel): Fix opentelemetry api wrapping and allow it to be disabled #9298 by @Josh-Walker-GM

  Some projects fail to build when OpenTelemetry is enabled because the babel plugin which automatically wraps api side functions failed to handle some syntax cases. In those cases the transpiled syntax would be invalid javascript. This fix expands the syntax cases the plugin can handle, and reworks the error handling: we now bail out and do not modify the users source code rather than transpile into nonsense syntax.

• fix(server-file): prefix MODULE_NOT_FOUND with ERR_ #9372 by @jtoar

  The @redwoodjs/graphql-server package takes some cues from the presence of an experimental file, api/src/server.ts. If that file exists, @redwoodjs/graphql-server tries to import the @redwoodjs/realtime package. The import is wrapped in a try-catch because realtime is something you opt into. But there was a bug in the conditional in the try-catch block: if you require a module and it's not found, it'll throw MODULE_NOT_FOUND while await import throws ERR_MODULE_NOT_FOUND. We were checking for the wrong error code.

• Fix suggested code snippet #9288 by @pepicrft

  Redwood's auth setup commands include codeblocks you can copy-paste into your project's redwood.toml file for ease. This one was missing some trailing commas that added friction to copy-pasting.

• Cell generator: Fix formatting in template #9301 by @Tobbe

  A simple formatting fix for Cells so you don't get red squiggles out of the box.

v6.3.3-rc.8

Patch Release

• Update crypto library, CryptoJS CVE & deprecation #9350 by @cannikin

  See https://community.redwoodjs.com/t/dbauth-security-release/5507.

• Conditionally guarantee cell success data #9037 by @pvenable

  The CellSuccessData type is typed as though all query fields are guaranteed. When there are multiple fields, this typing isn't accurate since there only needs to be one populated field to render Success. We can't know ahead of time that any particular field is guaranteed. This fix continues to guarantee CellSuccessData as before when there's only one field, but now the query data type will be left as-is when there's more than one. This brings the types more in-line with the actual runtime behavior of Cells.

• fix(fastify): Don't fallback to index html if requesting static assets #9272 by @dac09

  If requesting an asset (e.g. .js, .jpeg, .ico) that doesn't exist, the Redwood server's not found handler responded with the index.html file. This response is meant for routes that haven't been prerendered, and is an SPA fallback. Because the 200 response here can get cached, it can lead to problems. The change here makes the server return a 404 instead, mainly to prevent caching.

• fix(babel): Improved message for error relating to multiple files ending in Page.{js,jsx,ts,tsx} in page directories #9329 by @Josh-Walker-GM

  If you had multiple files ending in Page.{...} (like HomePage.tsx, useHomePage.tsx) in a web-side page directory (like web/src/pages/HomePage), the Router tried to import both files as HomePage, basically redeclaring a variable, resulting in a cryptic error. This PR improves the error message by telling you which files the Router tried to import.

• fix(cli): Tailwind setup updates scaffold.css when needed #9290 by @Josh-Walker-GM

  Redwood's scaffold generator detects if you have Tailwind CSS setup and changes the contents of scaffold.css accordingly. But if you generate a scaffold before setting up Tailwind, the yarn rw setup ui tailwind command wasn't smart enough to ask you if you wanted to update the scaffold.css file too. Now it prompts you for you preference.

• fix(babel): Fix opentelemetry api wrapping and allow it to be disabled #9298 by @Josh-Walker-GM

  Some projects fail to build when OpenTelemetry is enabled because the babel plugin which automatically wraps api side functions failed to handle some syntax cases. In those cases the transpiled syntax would be invalid javascript. This fix expands the syntax cases the plugin can handle, and reworks the error handling: we now bail out and do not modify the users source code rather than transpile into nonsense syntax.

• fix(server-file): prefix MODULE_NOT_FOUND with ERR_ #9372 by @jtoar

  The @redwoodjs/graphql-server package takes some cues from the presence of an experimental file, api/src/server.ts. If that file exists, @redwoodjs/graphql-server tries to import the @redwoodjs/realtime package. The import is wrapped in a try-catch because realtime is something you opt into. But there was a bug in the conditional in the try-catch block: if you require a module and it's not found, it'll throw MODULE_NOT_FOUND while await import throws ERR_MODULE_NOT_FOUND. We were checking for the wrong error code.

• Fix suggested code snippet #9288 by @pepicrft

  Redwood's auth setup commands include codeblocks you can copy-paste into your project's redwood.toml file for ease. This one was missing some trailing commas that added friction to copy-pasting.

• Cell generator: Fix formatting in template #9301 by @Tobbe

  A simple formatting fix for Cells so you don't get red squiggles out of the box.

v6.3.2

Patch Release

This patch release includes a host of fixes, most notably for the api server. On larger projects (we've only come across one instance so far), in dev mode, there was a race condition between prebuilding and building the api side that sometimes caused the api server to loop. For now we've avoided this by ignoring an extraneous event emitted by chokidar, but in the future we'll consider fixing it in a more robust way by introducing api build caching.

What may be more relevant to most users, this patch release ships with a codemod to apply the type fix in #9251 to TS strict-mode projects: npx @redwoodjs/codemods entry-client-null-check.

Lastly, the postcss security release only affects @redwoodjs/studio, which is a dev-time only package, but if you're using tailwind or another CSS library that uses postcss, you'll want to upgrade it in your project accordingly.

• fix(generate dbAuth): restore one-more-thing formatting #9247 by @Tobbe
• fix: await Promise when seeding #9245 by @G-Rath
• Include @types/react as devDep in projects #9250 by @Tobbe
• fix(api-sever): stop infinite loop on large projects #9270 by @jtoar
• small tweak to Flightcontrol deploy config template #9240 by @flybayer
• fix(crwa): Explicit check for possible null value in entry.client.tsx #9251 by @Josh-Walker-GM
• chore(deps): update dependency postcss to v8.4.31 [security] #9260

v6.3.2-rc.2

Patch Release

• generate dbAuth: fix "one more thing" formatting #9247 by @Tobbe
• fix(crwa): await Promise when seeding #9245 by @G-Rath
• fix(api-sever): stop infinite loop on large projects #9270 by @jtoar

v6.3.1

Security Release: Redwood Dependency Vulnerabilities

Two of Redwood's dependencies, systeminformation and graphql, just released a security release; this patch includes the patched versions of both packages. Here are links to the CVEs for systeminformation and graphql respectively: GHSA-gx6r-qc2v-3p3v, https://nvd.nist.gov/vuln/detail/CVE-2023-26144.

• fix(deps): update dependency systeminformation to v5.21.7 [security] #9218
• fix(deps): update dependency graphql to v16.8.1 [security] #9228