Skip to content

website - chore: upgrade docula to 2 (breaking)#1676

Merged
jaredwray merged 1 commit into
mainfrom
claude/cacheable-dependency-management-d6gb1r
Jul 6, 2026
Merged

website - chore: upgrade docula to 2 (breaking)#1676
jaredwray merged 1 commit into
mainfrom
claude/cacheable-dependency-management-d6gb1r

Conversation

@jaredwray

Copy link
Copy Markdown
Owner

Please check if the PR fulfills these requirements

  • Followed the Contributing guidelines and Code of Conduct
  • Tests for the changes have been added (for bug fixes/features) with 100% code coverage. — N/A: dependency-only upgrade with no source changes.

What kind of change does this PR introduce?

Maintenance (chore) — major upgrade of docula, the @cacheable/website docs-site generator. Website-only devDependency; no impact on the published @cacheable/* packages. Marked (breaking) because the major version changed, though no migration was needed (see below).

Versions

  • docula ^1.14.0^2.1.0 (@cacheable/website, dev)

Breaking notes

  • No config or code changes were required. The existing site/docula.config.ts (DoculaOptions: githubPath, siteTitle, siteDescription, siteUrl, themeMode) is accepted unchanged by docula 2.

Verification

  • pnpm website:build completes successfully on docula 2 — builds the pages, docs for all packages, sitemap.xml, robots.txt, feed.xml, llms.txt / llms-full.txt, and the search index (✔ Build completed).
  • pnpm build + node scripts/test-build.mjs pass for all published packages, and pnpm test stays at 100% coverage — confirming the shared lockfile change doesn't affect anything outside the website.

Note: the website is not part of pnpm build/pnpm test and deploy-website.yml only runs on the release event, so this PR's CI doesn't build the site. The docula upgrade was therefore verified with a local pnpm website:build (exit 0) rather than by PR CI.


Generated by Claude Code

docula ^1.14.0 -> ^2.1.0 (major; @cacheable/website devDep, docs-site
generator).

No config or code changes required: the existing site/docula.config.ts
schema is accepted by docula 2, and `pnpm website:build` completes
successfully (pages, docs, sitemap, llms.txt, and search index all built).
Website-only; no impact on the published @cacheable/* packages.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01P1TBuMiXotBjpNHYcbwvqf

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the devDependency docula from ^1.14.0 to ^2.1.0 in packages/website/package.json and updates the lockfile pnpm-lock.yaml to reflect this upgrade along with several other dependency updates, including zod, react, and html-react-parser. No review comments were provided, and I have no feedback to offer.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addeddocula@​2.1.07910010094100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm chrono-node is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/docula@2.1.0npm/chrono-node@2.9.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chrono-node@2.9.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (d681aff) to head (37a6101).

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #1676   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           29        29           
  Lines         3504      3504           
  Branches       808       795   -13     
=========================================
  Hits          3504      3504           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copy link
Copy Markdown
Owner Author

Re: Socket "Obfuscated code" alert on chrono-node@2.9.1 — reviewed, no action needed on the code.

  • chrono-node is a legitimate, widely-used natural-language date parser. The "90% likely obfuscated" flag is a known heuristic false positive on its large generated parser tables, not malicious obfuscation.
  • It only reaches the tree as a dev/website-only transitive dependency via docula's templating stack: docula → ecto → @jaredwray/fumanchu → chrono-node. docula is a devDependency of @cacheable/website, so chrono-node is not a dependency of any published @cacheable/* package.
  • It was already present on main at chrono-node@2.9.0 (via docula 1.14's ecto/fumanchu chain). This PR only moves it 2.9.0 → 2.9.1 (a patch) as a side effect of the docula 1→2 bump — it isn't newly introduced.

The "Socket Security: Pull Request Alerts" check is a Warn-level advisory. As before, I've not self-issued a @SocketSecurity ignore since suppressing it is a maintainer triage decision — happy to add it if you'd prefer.


Generated by Claude Code

@jaredwray jaredwray merged commit 4afc587 into main Jul 6, 2026
12 checks passed
@jaredwray jaredwray deleted the claude/cacheable-dependency-management-d6gb1r branch July 6, 2026 13:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants