Cherry pick changes up til before-breaking for v4.1#400
Open
Cherry pick changes up til before-breaking for v4.1#400
Conversation
A module-descriptor's `name` field is normally populated by the `description` value from `package.json`. That field may be empty, which some unscrupulous tools may not expect, leading to an NPE. This PR supplies the module-name in place of the description to guarantee a non-empty value is always present. Refs STCLI-272
switched to using `fs.globSync` and canned the dep on `fast-glob`.
* When generating a strict module descriptor, copy remaining properties from `stripes` into `metadata.stripes`. * `mod descriptor` accepts `--single` to unwrap the array from its output when only a single descriptor is present. Many UI modules contain a `build-mod-descriptor` command defined as ````stripes mod descriptor --full --strict | jq '.[]' > module-descriptor.json```` This allows that hidden `jq` dependency to be omitted: ````stripes mod descriptor --full --strict --single > module-descriptor.json```` Refs [STCLI-274](https://folio-org.atlassian.net/browse/STCLI-274)
Bump the `webpack` dependency to `^5.104.1`, meeting the minimum `^5.103` requirement of STRWEB-144 where we want to use `webpack.ManifestPlugin`. Refs STCLI-275, STRWEB-144
With this update, we shift the POC code to conform to current `stripes-cli` API. The `build` commands build to an `output` directory by default. ### At the workspace level with `stripes-core`, `stripes-connect`, `stripes-components`: (assuming that's where the config file is) Build a module-federation host app: ``` yarn stripes build --federate stripes.config.js ``` Serve the host app (dev mode) ``` yarn stripes serve --federate stripes.config.js ``` At the ui-module level (Builds module bundle for static hosting) ``` yarn stripes build --federate ``` Serving the federated ui-module (dev mode) ``` yarn stripes serve --federate ``` Some `server` features have been updated for sake of serving the host app so that it can further be loaded into a separately hosted 'hub'. --------- Co-authored-by: Michal Kuklis <michal.kuklis@gmail.com> Co-authored-by: Zak Burke <zburke@ebsco.com>
https://folio-org.atlassian.net/browse/STCLI-278 stripes-cli uses fast-xml-parser ^4.2.4: https://github.com/folio-org/stripes-cli/blob/v4.0.1/package.json#L35 4 is end-of-life and unsupported. Upgrade to 5.5.8. Co-authored-by: Julian Ladisch <julianladisch@users.noreply.github.com>
https://folio-org.atlassian.net/browse/STCLI-280 Bumping @octokit/rest from 19.0.3 to ^22.0.1 fixes these ReDoS vulnerabilities: * CVE-2025-25288 - @octokit/plugin-paginate-rest – GHSA-h5c3-5r3r-rr8q * CVE-2025-25289 - @octokit/request-error – GHSA-xx4v-prfh-6cgc Breaking changes in @octokit/rest (see release notes): 20.0.0: * Drop support for NodeJS v14, v16 * Remove previews support for the REST API * remove agent option from octokit.request() 21.0.0: * package is now ESM 22.0.0: * deps: Drop support for NodeJS v18 * deps: Remove deprecated Projects endpoints * deps: Remove deprecated Copilot usage metrics endpoints Co-authored-by: Julian Ladisch <julianladisch@users.noreply.github.com>
This PR removes the warnings about building/serving without a config file if the `--federate` command is used, where configs are optional. It also adds some more context-specific messaging about where the command is executed - in the ui-module or host app space.
Refs STCLI-281, STRIPES-790
Octokit is now an ESM module as of v21.0.0. stripes-cli has updated to v22 as of [this PR](#395) Brings the import into ESM patterns
|
zburke
reviewed
Apr 17, 2026
Member
zburke
left a comment
There was a problem hiding this comment.
Rather than cherry-picking a bunch of things off main and merging them into b4.0, I expected to just see a new b4.1 branch split from 1e7445a, the final commit before the breaking change in 96f7875.
What do you think about that approach? It'll keep the b4.0 branch clean if we need to publish v4.0.2 there, and it'll mean less duplication of commits across branches.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



This PR collects all of the changes that were available in the 3.x release up to the point of breakage with 4 so that ui-modules that have not yet migrated to v4.x of stripes-cli can still have the benefit of the added features.
Including:
namefield with module-name ifdescriptionis missing. Refs STCLI-272.translate compile. Refs STCLI-273.metadatafield with remainingstripesproperties. Refs STCLI-274.webpack^5.103to providewebpack.ManifestPluginfor STRWEB-144. Refs STCLI-275.--federateflag onbuildandservecommand. Refs STRIPES-861.yarn.lockto avoid future supply chain attacks. Refs STCLI-281.import()compat for node v20.