Weekly Project News

Weekly GitHub Report for Meteor: January 03, 2026 - January 10, 2026 (12:52:34)


Table of Contents

  • I. News
    • 1.1. Recent Version Releases
    • 1.2. Other Noteworthy Updates
  • II. Issues
    • 2.1. Top 5 Active Issues
    • 2.2. Top 5 Stale Issues
    • 2.3. Open Issues
    • 2.4. Closed Issues
    • 2.5. Issue Discussion Insights
  • III. Pull Requests
    • 3.1. Open Pull Requests
    • 3.2. Closed Pull Requests
    • 3.3. Pull Request Discussion Insights
  • IV. Contributors
    • 4.1. Contributors

I. News

1.1 Recent Version Releases:

No recent version releases were found.

II. Issues

2.1 Top 5 Active Issues:

We consider active issues to be issues that have been commented on most frequently within the last week. Bot comments are omitted.

  1. [Security vulnerability] Upgrade qs dependency to 6.14.1 in meteor-node-stubs: This issue reports a high severity security vulnerability in the qs dependency bundled within the meteor-node-stubs package, specifically version 6.14.0, which needs to be upgraded to 6.14.1 to fix the problem. The user cannot update qs directly due to it being a bundled sub-dependency and requests the maintainers to upgrade the bundled version to resolve the security risk.

    • The comments confirm the vulnerability and explain that qs is a sub-dependency of the url package bundled in meteor-node-stubs, with attempts to fix it via npm audit fix failing due to bundling restrictions. A manual update of qs resolves the vulnerability locally, but there is uncertainty about potential breakage, and a proposed fix has been submitted in a related pull request.
    • Number of comments this week: 3
  2. [SEVERITY:HAS-WORKAROUND] [HACKTOBERFEST] [IDLE] Infinite loop when setting __meteor_runtime_config__.DDP_DEFAULT_CONNECTION_URL: This issue describes a problem where setting the __meteor_runtime_config__.DDP_DEFAULT_CONNECTION_URL before Meteor scripts run causes an infinite reload loop, preventing a standalone client from connecting to the server. The reporter also notes that setting the URL with a path segment avoids the loop but introduces CORS issues that block socket connections, and they reference related issues for context.

    • The comments provide a detailed workaround involving removing the meteor-base package and manually adding dependencies to avoid the infinite reload, allowing static websites to connect to the Meteor backend without using DDP.connect(). Additional comments inquire about updates and mention a new package created to address the issue for Meteor apps with remote servers.
    • Number of comments this week: 2
  3. [IN-DISCUSSION] [MODERN-BUILD-STACK] 3.4 modern build rspack doesn’t support symlinked source files: This issue reports that the 3.4 modern build of rspack does not correctly support symlinked source files as expected in Unix environments, causing module resolution errors when using symlinks in a monorepo setup. Despite setting resolve.symlinks: false in the rspack configuration, the build crashes because rspack resolves imports from the real path rather than the symlink location, and this behavior differs when rspack is invoked directly versus through Meteor's build environment, suggesting a potential bug in rspack or its interaction with Meteor or SWC.

    • The comments reveal that a standalone rspack project correctly respects the resolve.symlinks: false setting, while the Meteor project does not, indicating the issue may stem from how rspack is invoked or integrated in Meteor. Further investigation points to a possible bug in SWC, with suggestions to confirm and report it upstream, but no report to SWC has been filed yet.
    • Number of comments this week: 2
  4. [PROJECT:ACCOUNTS:PASSWORD] [GOOD FIRST ISSUE] passwordValidator ignores passwordMaxLength due to operator precedence bug: This issue describes a bug in the passwordValidator of the Meteor accounts-password package where an operator precedence mistake causes the password length validation to always pass, ignoring the configured maximum password length. This results in passwords of any length being accepted, potentially leading to denial-of-service risks and policy bypasses.

    • The comments show a user requesting assignment to fix the issue, another user confirming they have fixed it and asking for a review, and a third user explaining they lack permissions to assign the issue.
    • Number of comments this week: 2

Since there were fewer than 5 open issues, all of the open issues have been listed above.

2.2 Top 5 Stale Issues:

We consider stale issues to be issues that have had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.

  1. [PROJECT:MONGO DRIVER] [IDLE] Release 3.1 this._makeNewID is not a function when calling insertAsync on startup: This issue describes a problem in Meteor version 3.1 where calling the insertAsync method on a Mongo collection during startup results in a TypeError indicating that this._makeNewID is not a function, which prevents the application from starting properly. The error does not occur in the previous release 3.0.4, suggesting a regression or breaking change introduced in the newer version.

  2. [PROJECT:MINIMONGO] [HACKTOBERFEST] [IDLE] Minimongo does not support "." in the key names, v3.04: This issue addresses the lack of support in Minimongo for keys containing the "." character, which has become supported in recent MongoDB versions and is essential for handling data structures like OpenAPI specifications. The reporter encounters errors when subscribing to Mongo collections with such keys and seeks clarification on whether there is a plan to update Minimongo to accommodate this feature, as simply changing the validation regex may not be sufficient.

  3. [PROJECT:NPM] [IDLE] 3.1 - Linux - @react-icons/all-files installed as a tgz causes dev and production to crash: This issue describes a problem where installing the @react-icons/all-files package as a tgz file on Linux causes both development and production environments to crash with an error stating that the "version" argument is required. The user reports that since the latest version of react-icons/all-files is not published on npm, they have to install it directly from a GitHub release URL, which leads to this error when running the program.

  4. [PROJECT:ISOBUILD:COMPILERS] [HACKTOBERFEST] [IDLE] Compiler packages with no runtime files are needlessly put into the bundle: This issue reports that compiler packages without any runtime files are unnecessarily included in the final bundle, which increases the bundle size without providing any benefit. The reporter suggests that the bundler should skip packages that do not register any files in their Package.onUse section, particularly for compiler packages, to optimize the bundle size.

  5. [HACKTOBERFEST] [PROJECT:ACCOUNTS:OAUTH] [IDLE] oAuth flow not reporting errors to the client: This issue addresses a problem in the OAuth flow where errors returned by the identity provider, such as access denial, are not properly communicated back to the client application, preventing the user interface from displaying relevant warnings. The reporter proposes enhancing error handling by passing error parameters through the login response and storing them in localStorage, enabling developers to detect and respond to these errors within the client UI.

2.3 Open Issues

This section lists, groups, and then summarizes issues that were created within the last week in the repository.

Issues Opened This Week: 0

Summarized Issues:

As of our latest update, no issues were opened in the project this week.

2.4 Closed Issues

This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.

Issues Closed This Week: 0

Summarized Issues:

As of our latest update, there were no issues closed in the project this week.

2.5 Issue Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

As of our last update, there are no open or closed issues with discussions going on within the past week.


III. Pull Requests

3.1 Open Pull Requests

This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Opened This Week: 2

Key Open Pull Requests

1. fix(accounts-password): fix operator precedence bug in passwordValidator: This pull request fixes an operator precedence bug in the passwordValidator function within the accounts-password package that caused password length validation to always pass by adding parentheses to ensure correct evaluation order, thereby enforcing configured maximum password length settings and preventing potential denial-of-service attacks.

  • URL: pull/14075
  • Associated Commits: d037f

2. chore(deps): Update qs bundled dep in meteor-node-stubs package: This pull request updates the bundled dependency 'qs' in the meteor-node-stubs package from version 6.14.0 to 6.14.1 to fix a security vulnerability as described in issue #14074 and the related GitHub advisory GHSA-6rw7-vpxm-498p, and requests an updated release of the meteor-node-stubs package to npm once merged.

  • URL: pull/14078
  • Associated Commits: 18e3e

3.2 Closed Pull Requests

This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Closed This Week: 4

Key Closed Pull Requests

1. Support Rspack 1.7.x (lazyCompilation disabled by default): This pull request updates the Meteor-Rspack integration to support Rspack version 1.7.x by disabling the newly enabled-by-default lazyCompilation feature to prevent automatic build failures, sets Rspack 1.7.x as the minimum required version, and includes warnings about potential issues with lazyCompilation for Meteor 3.4.x series and later.

  • URL: pull/14077
  • Associated Commits: e9771, 2101b, b390f, b98e0

2. FEATURE: use builtin typescript instead of package in skeleton: This pull request proposes replacing the external TypeScript package with the built-in TypeScript in the project skeleton to better manage and indicate the TypeScript version used by the application.

  • URL: pull/14073
  • Associated Commits: 74df5

3. Fix React Skeleton and E2E test: This pull request fixes issues with the React skeleton by modifying how URLs are imported to simplify configuration and updates the end-to-end test to correctly verify the newly loaded styles on the body element.

  • URL: pull/14076
  • Associated Commits: 716ca

Other Closed Pull Requests

  • Watchman RootResolveError Fixes: This pull request addresses the Watchman RootResolveError that occurs in Meteor 3.3+ projects on Ubuntu with symlinked package directories. It modifies the watcher error handling to detect and gracefully handle these errors by ignoring affected paths, logging warnings, and falling back to polling, which prevents startup failures and maintains normal file watching functionality.
    • URL: pull/14045

3.3 Pull Request Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.


IV. Contributors

4.1 Contributors

Active Contributors:

We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.

If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.

Contributor    Commits  Pull Requests  Issues  Comments
nachocodoner   80       3              0       10
italojs        18       0              1       14
vlasky         5        2              0       12
harryadel      13       2              0       2
Grubba27       9        2              0       5
Copilot        3        0              0       11
ebroder        7        1              0       0
sanki92        3        1              0       4
perbergland    0        0              1       5
ToyboxZach     0        0              4       2
