Since protobufjs 7.5.9, the @protobufjs/inquire utility is no longer
called with dynamic module names (replaced by bundler-safe lookups in
protobufjs/protobuf.js#2254). However, webpack/rspack still statically
analyzes the inquire source and emits a "Critical dependency" warning
for its require(moduleName) pattern. This is a false positive — the
code path is dead in practice.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@gmail.com>
Encapsulate the config-loading and embedded-postgres decision inside
`startEmbeddedDb` so that `runBackend` only needs to pass through the
raw `configPaths` and `targetDir`. This simplifies the interface between
the two modules and keeps all embedded-postgres concerns in one place.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
The readDatabaseConfig function would crash when trying to read
sub-keys of backend.database.connection when the value is a plain
string (e.g. ':memory:' for better-sqlite3). Guard by checking the
raw value type before attempting to read structured connection keys.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
When using the embedded-postgres database client, user-provided
connection config (host, port, user, password) is now forwarded to
the embedded Postgres instance. Only values that the user hasn't
configured are filled in with defaults and injected into the app
config, preserving existing behavior when no config is provided.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Resolve config paths relative to the target package directory instead
of the workspace root in readDatabaseClient, matching the behavior of
the rest of the config loading system.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
The PID file was written to the database directory before
`pg.initialise()`, which prevented initialization from succeeding.
Moved the PID file write to just after initialization but before
starting the database.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Uses a PID file to track which process owns each temp directory, so
concurrent instances from different projects are not affected.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
- Close embedded DB on shutdown to avoid leaking the Postgres process
and temp directory
- Use fs.remove instead of deprecated fs.rmdir with recursive option
- Guard against absolute config paths in readDatabaseClient
- Forward embedded-postgres error logs to console.error
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
The 18.x version ships its own .d.ts files that TypeScript resolves
correctly, so the custom module declaration is no longer needed.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Fix implicit any types in startEmbeddedDb callbacks, replace the
re-export type declaration with an inline type definition for the
embedded-postgres module, and update runBackend tests to mock the
config loading and use async timer advancement.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Rather than requiring the `EXPERIMENTAL_DEV_DB` environment variable,
the embedded postgres server is now started automatically when
`backend.database.client` is set to `embedded-postgres` in the app
config. The CLI reads the config before spawning the backend and
injects the actual pg connection details via env override.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Glob v13 treats backslashes as escape characters by default, unlike v7
which treated them as path separators on Windows. This broke Windows CI
where path.join/resolve produce backslash paths.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
Addresses the high severity rollup path traversal vulnerability
(GHSA-mw96-cpmx-2vgc) and the glob security advisory by upgrading
all instances across the monorepo. Updates code that used the legacy
callback-based glob API to use the modern promise/sync API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
Addresses the high severity rollup path traversal vulnerability
(GHSA-mw96-cpmx-2vgc) and the glob security advisory by upgrading
all instances across the monorepo. Updates code that used the legacy
callback-based glob API to use the modern promise/sync API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
Addresses the high severity rollup path traversal vulnerability
(GHSA-mw96-cpmx-2vgc) and the glob security advisory by upgrading
all instances across the monorepo. Updates code that used the legacy
callback-based glob API to use the modern promise/sync API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
When passing --always-yarn-pack, we previously
packed all packages in parallel. Since
package.json files are rewritten during packing,
this could cause intermittent "No local workspace
found for this range" failures.
To fix this, we now pack packages in batches,
starting with the ones that have no workspace
dependencies and expanding out to include packages
whose dependencies have already been packed.
Signed-off-by: MT Lewis <mtlewis@users.noreply.github.com>
When the transform tests were moved from @backstage/cli to
@backstage/cli-module-build, the coveragePathIgnorePatterns config
was not carried over. This caused test failures in CI when running
with --coverage, as Jest tried to instrument the fixture files
containing fake node_modules packages.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
github-actions[bot]