grant/proof-of-work
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.2.0:1 — upgrade to Next.js 15 / React 19
CI / proof-of-work (Next.js app) (push) Has been cancelled
Details
CI / start9/0.4 (StartOS package code) (push) Has been cancelled
Details

Browse Source 
Closes the remaining P1: move off Next 14 onto the CVE-patched Next 15
line (15.5.x), eliminating the framework's RSC DoS/source-exposure
advisories and the middleware-auth-bypass class that applied to the 14.x
auth gate. App Router on Next 15 requires React 19, so react/react-dom
move to 19.x in lockstep; lucide-react and next-themes bump to their
React-19-compatible releases.

The code surface was the Next 15 async-request-API change: params and
searchParams are now Promises. All [id] route handlers (10 files) and the
four server pages that read them now await the resolved value, using a
uniform re-derive idiom that leaves handler bodies untouched. cookies()/
headers() were already awaited, so no other request-API changes were
needed; all routes stay dynamic, so the uncached-by-default change is a
no-op. next.config.js (static CSP) and the middleware matcher are
unchanged. No schema, no API contract change, no data migration.

Verified: tsc + lint clean, 209 tests pass, next build succeeds with the
standalone bundle tracing the Prisma engine.
This commit is contained in:
Keysat
2026-06-13 00:29:47 -05:00
parent 96d8431de9
commit f487204b73
23 changed files with 776 additions and 628 deletions
Download Patch File Download Diff File Expand all files Collapse all files
start9/0.4/startos/versions/index.ts
+7 -1
View File
@@ -15,12 +15,14 @@ import { v_1_1_0_6 } from './v1.1.0.6'
import { v_1_1_0_7 } from './v1.1.0.7'
import { v_1_1_0_8 } from './v1.1.0.8'
import { v_1_1_0_9 } from './v1.1.0.9'
import { v_1_2_0_1 } from './v1.2.0.1'
/**
* Version graph for the `proof-of-work` package.
*
* 1.0.0 line — feature-complete logger + multi-user + library curation.
* 1.1.0 line — Programs (manual + AI) + AI integration.
* 1.2.0 line — platform upgrade (Next.js 15 / React 19).
*
* v1.0.0:1 — initial release, seeded cutover.
* v1.0.0:2 — CSP fix.
@@ -56,9 +58,12 @@ import { v_1_1_0_9 } from './v1.1.0.9'
* v1.1.0:9 — P2 hardening: malformed-body/invalid-date/bad-pagination ->
* 400 (not 500); POST /api/auth rate-limited; rate-limiter XFF
* anti-spoof (rightmost entry); container drops root via su-exec.
* v1.2.0:1 — Next.js 14 -> 15 / React 18 -> 19 upgrade. Closes the Next
* framework RSC + middleware-bypass CVEs; async-params migration
* across all [id] routes + server pages. No schema/data change.
*/
export const versionGraph = VersionGraph.of({
current: v_1_1_0_9,
current: v_1_2_0_1,
other: [
v_1_0_0_1,
v_1_0_0_2,
@@ -75,5 +80,6 @@ export const versionGraph = VersionGraph.of({
v_1_1_0_6,
v_1_1_0_7,
v_1_1_0_8,
v_1_1_0_9,
],
})
start9/0.4/startos/versions/v1.2.0.1.ts
+34
View File
@@ -0,0 +1,34 @@
import { IMPOSSIBLE, VersionInfo } from '@start9labs/start-sdk'
/**
* v1.2.0:1 — Next.js 14 -> 15 / React 18 -> 19 upgrade (2026-06-13).
*
* The remaining P1 from the full-eval queue: move off Next.js 14 onto the
* CVE-patched Next 15 line (15.5.x), closing the framework's RSC
* DoS/source-exposure advisories and the middleware-auth-bypass class that
* applied to the 14.x `middleware.ts` auth gate. App Router on Next 15
* requires React 19, so react/react-dom move to 19.x in lockstep
* (lucide-react + next-themes bumped to their React-19-compatible releases).
*
* Code surface was the Next 15 async-request-API change: `params` and
* `searchParams` are now Promises. All `[id]` route handlers (10 files) and
* the four server pages that read them now `await` the resolved value;
* `cookies()`/`headers()` were already awaited from the earlier auth work, so
* no other request-API changes were needed. All routes remain dynamic, so the
* Next 15 "uncached by default" change is a no-op here. next.config.js (static
* CSP) and the middleware matcher are unchanged.
*
* App-code + dependency upgrade only — no schema, no API contract change, no
* data migration. Existing /data survives untouched.
*/
export const v_1_2_0_1 = VersionInfo.of({
version: '1.2.0:1',
releaseNotes: {
en_US:
'Platform upgrade: the app now runs on Next.js 15 and React 19, picking up the framework security patches and a more current runtime. No new features and no data changes — this is a maintenance release, and your existing data is untouched.',
},
migrations: {
up: async () => {},
down: IMPOSSIBLE,
},
})