[codex] Update Medusa to 2.17.1#78
Conversation
|
Warning Review limit reachedYou’ve reached a temporary PR review limit under our Fair Usage Limits Policy. Next review available in: 7 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (11)
WalkthroughThis PR adds ESLint flat configs, upgrades Medusa and storefront dependencies, migrates Medusa imports to ChangesRepository tooling, Medusa upgrade, and storefront typing
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c0f5a446c9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "@medusajs/workflow-engine-inmemory": "2.17.1", | ||
| "@medusajs/workflow-engine-redis": "2.17.1", | ||
| "@medusajs/workflows-sdk": "2.17.1", | ||
| "zod": "4.2.0", |
There was a problem hiding this comment.
Keep Zod on v3 until the resolvers support v4
This root resolution forces every workspace and transitive package onto Zod 4.2.0, but the lockfile still uses @hookform/resolvers 3.x (for example through @lambdacurry/forms and Medusa dashboard). Those resolver versions detect Zod validation failures via the removed ZodError.errors property; with Zod 4 the property is issues, so any invalid form using zodResolver (e.g. the add-to-cart action importing createLineItemSchema) throws an uncaught ZodError instead of returning field errors/400s. Either keep the Zod resolution at 3.25.76 or upgrade all resolver/form packages to Zod-4-compatible versions together.
Useful? React with 👍 / 👎.
|
Caution Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted. Error details |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/medusa/medusa-config.ts`:
- Around line 51-52: The Medusa auth secrets are being passed through directly
from process.env without validation, so add startup validation in
medusa-config.ts before constructing the config that rejects missing, empty, or
default placeholder values for JWT_SECRET and COOKIE_SECRET. Use the existing
config setup around the jwtSecret and cookieSecret fields to locate the change,
and make sure the app fails fast with a clear error instead of handing unsafe
secrets to Medusa.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f4c1fc99-5030-4c09-988d-23b19fcae8c7
⛔ Files ignored due to path filters (1)
yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (14)
apps/medusa/eslint.config.tsapps/medusa/medusa-config.tsapps/medusa/package.jsonapps/medusa/src/api/store/custom/route.tsapps/medusa/src/scripts/seed.tsapps/medusa/src/scripts/seed/products.tsapps/medusa/tsconfig.jsonapps/storefront/app/components/common/remix-hook-form/forms/fields/ProductOptionSelectorSelect.tsxapps/storefront/app/components/product/ProductOptionSelectorSelect.tsxapps/storefront/app/routes/api.cart.line-items.create.tsapps/storefront/app/templates/ProductTemplate.tsxapps/storefront/package.jsoneslint.config.tspackage.json
💤 Files with no reviewable changes (3)
- apps/storefront/app/templates/ProductTemplate.tsx
- apps/storefront/app/components/common/remix-hook-form/forms/fields/ProductOptionSelectorSelect.tsx
- apps/storefront/app/components/product/ProductOptionSelectorSelect.tsx
| jwtSecret: process.env.JWT_SECRET, | ||
| cookieSecret: process.env.COOKIE_SECRET, |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify whether JWT_SECRET/COOKIE_SECRET are validated and whether placeholder values remain documented.
rg -n -C3 'JWT_SECRET|COOKIE_SECRET|supersecret|safeParse|parse\\(' apps/medusaRepository: lambda-curry/medusa2-starter
Length of output: 327
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '--- apps/medusa/medusa-config.ts (around relevant lines) ---'
cat -n apps/medusa/medusa-config.ts | sed -n '1,180p'
echo
echo '--- apps/medusa/.env.template ---'
cat -n apps/medusa/.env.template | sed -n '1,200p'
echo
echo '--- repo search: JWT_SECRET / COOKIE_SECRET / validation helpers ---'
rg -n -C 3 -F 'JWT_SECRET' apps/medusa || true
echo '---'
rg -n -C 3 -F 'COOKIE_SECRET' apps/medusa || true
echo '---'
rg -n -C 3 -F 'supersecret' apps/medusa || true
echo '---'
rg -n -C 3 'safeParse|\.parse\(|z\.object|zod|env\.' apps/medusa || trueRepository: lambda-curry/medusa2-starter
Length of output: 8916
Fail fast on missing auth secrets. apps/medusa/medusa-config.ts still reads JWT_SECRET and COOKIE_SECRET directly from process.env, and apps/medusa/.env.template documents supersecret for both. Validate both at startup and reject empty/default values before passing them to Medusa.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@apps/medusa/medusa-config.ts` around lines 51 - 52, The Medusa auth secrets
are being passed through directly from process.env without validation, so add
startup validation in medusa-config.ts before constructing the config that
rejects missing, empty, or default placeholder values for JWT_SECRET and
COOKIE_SECRET. Use the existing config setup around the jwtSecret and
cookieSecret fields to locate the change, and make sure the app fails fast with
a clear error instead of handing unsafe secrets to Medusa.
Source: Coding guidelines
There was a problem hiding this comment.
🧹 Nitpick comments (1)
apps/storefront/app/components/checkout/CheckoutAccountDetails.tsx (1)
61-61: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low valueDrop the redundant
as MedusaAddresscast.selectInitialShippingAddressalready returnsStoreCartAddress | null, andmedusaAddressToAddressaccepts that union, so the assertion adds no safety and only obscures the actual type.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/storefront/app/components/checkout/CheckoutAccountDetails.tsx` at line 61, Remove the redundant type assertion in CheckoutAccountDetails by updating the defaultShippingAddress assignment to pass initialShippingAddress directly into medusaAddressToAddress. The selectInitialShippingAddress result already matches the accepted StoreCartAddress | null input, so eliminate the unnecessary “as MedusaAddress” cast and keep the typing aligned with the existing medusaAddressToAddress and selectInitialShippingAddress symbols.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@apps/storefront/app/components/checkout/CheckoutAccountDetails.tsx`:
- Line 61: Remove the redundant type assertion in CheckoutAccountDetails by
updating the defaultShippingAddress assignment to pass initialShippingAddress
directly into medusaAddressToAddress. The selectInitialShippingAddress result
already matches the accepted StoreCartAddress | null input, so eliminate the
unnecessary “as MedusaAddress” cast and keep the typing aligned with the
existing medusaAddressToAddress and selectInitialShippingAddress symbols.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 4ac8ec79-0a82-42a9-8526-97d8096122b5
⛔ Files ignored due to path filters (1)
yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (7)
apps/storefront/app/components/checkout/CheckoutAccountDetails.tsxapps/storefront/app/components/reviews/ProductReviewForm.tsxapps/storefront/app/routes/api.cart.line-items.create.tsapps/storefront/app/routes/api.cart.line-items.update.tsapps/storefront/app/routes/api.checkout.express.tsapps/storefront/package.jsonpackage.json
✅ Files skipped from review due to trivial changes (1)
- apps/storefront/app/routes/api.cart.line-items.update.ts
🚧 Files skipped from review as they are similar to previous changes (2)
- apps/storefront/app/routes/api.cart.line-items.create.ts
- package.json
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
apps/storefront/package.json (1)
123-123: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winRemove the deprecated
remixpackage if this workspace no longer imports it directly.npm marks
remixas deprecated, says it is no longer used for Remix modules, and explicitly recommends removing it from project dependencies. If nothing inapps/storefrontstill imports it or shells out to it, dropping it will reduce dependency surface without changing the React Router 7 toolchain. (npmjs.com)🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/storefront/package.json` at line 123, The storefront workspace still declares the deprecated remix dependency, so remove it from the apps/storefront package manifest if nothing in that workspace imports or invokes it directly. Check the app’s usage around Remix entry points and tooling, and keep only the React Router 7 packages used by the storefront so the dependency surface is reduced without changing behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 25: The root package.json engines.node constraint is too high and
conflicts with the supported runtime range. Update the root manifest’s Node
engine requirement to stay on the supported 24.x LTS line and align any related
workspace manifests accordingly, using the package.json engines block as the
place to fix this.
---
Nitpick comments:
In `@apps/storefront/package.json`:
- Line 123: The storefront workspace still declares the deprecated remix
dependency, so remove it from the apps/storefront package manifest if nothing in
that workspace imports or invokes it directly. Check the app’s usage around
Remix entry points and tooling, and keep only the React Router 7 packages used
by the storefront so the dependency surface is reduced without changing
behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: cd5213c7-7d9b-4477-9f1d-ffc9cbce5ab5
⛔ Files ignored due to path filters (1)
yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (10)
.github/workflows/barrio.yaml.nvmrcapps/medusa/Dockerfileapps/medusa/package.jsonapps/storefront/Dockerfileapps/storefront/app/components/common/buttons/ButtonBase.tsxapps/storefront/app/components/common/menu/MenuItem.tsxapps/storefront/package.jsonapps/storefront/vite.config.tspackage.json
✅ Files skipped from review due to trivial changes (4)
- .github/workflows/barrio.yaml
- apps/storefront/app/components/common/menu/MenuItem.tsx
- apps/storefront/vite.config.ts
- apps/storefront/app/components/common/buttons/ButtonBase.tsx
🚧 Files skipped from review as they are similar to previous changes (1)
- apps/medusa/package.json
| }, | ||
| "engines": { | ||
| "node": ">=20" | ||
| "node": ">=26" |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
Medusa docs Node 24 25 storefront build Node 24 LTS Node 26 support site:docs.medusajs.com
💡 Result:
As of June 30, 2026, the official Medusa documentation specifies the following Node.js requirements [1]: For Medusa applications (including the server), the requirement is Node.js v20 or higher, specifically LTS (Long Term Support) versions [1]. For users installing the Next.js Starter Storefront, the documentation explicitly recommends using Node.js v24 LTS or lower [1]. There are known compatibility issues when using the Next.js Starter Storefront with Node.js v25 or newer [2]. In summary, while Medusa supports newer LTS releases of Node.js for its core application [1], the Next.js Starter Storefront currently has a constrained compatibility limit at Node.js v24 LTS [1]. Users should avoid Node.js v25 and v26 for storefront builds until further updates are provided by Medusa [1][2].
Citations:
- 1: https://docs.medusajs.com/learn/installation/index.html.md
- 2: https://docs.medusajs.com/resources/troubleshooting/nextjs-node-25
🌐 Web query:
Node.js 26 release schedule current LTS October 2026 official
💡 Result:
As of June 30, 2026, Node.js 26 is in the Current release phase [1][2]. It is scheduled to transition to Active Long-Term Support (LTS) on October 28, 2026 [3][4][5]. The Node.js release schedule defines three primary phases for a major version: Current, Active LTS, and Maintenance LTS [3][4]. Node.js 26 was initially released on May 5, 2026 [1][6], and will remain the Current version until its promotion to LTS in October 2026 [1][6]. Following its transition to LTS, it is scheduled to remain in active support until October 20, 2027, before entering the maintenance phase [3][4][5]. Note that the Node.js project has announced changes to its release cycle starting with version 27.x, which will transition to an annual release cadence [7][8]. Under this new plan, future major versions will move to LTS after a six-month Alpha phase followed by a six-month Current phase [7][8]. However, Node.js 26 follows the established biennial release pattern where even-numbered versions (like 24 and 26) are promoted to LTS after their initial Current phase [3][4][5].
Citations:
- 1: https://nodejs.org/en/blog/release/v26.0.0
- 2: https://nodejs.org/en/blog/release/v26.4.0
- 3: https://github.com/nodejs/Release?hss_channel=tw-91985735
- 4: https://github.com/nodejs/LTS/blob/master/README.md
- 5: https://raw.githubusercontent.com/nodejs/Release/refs/heads/main/README.md
- 6: https://github.com/nodejs/node/releases/tag/v26.0.0
- 7: https://nodejs.org/en/blog/announcements/evolving-the-nodejs-release-schedule
- 8: https://nodejs.org/en/about/previous-releases
Keep engines.node below Node 26 at the repo root. package.json:25 sets "node": ">=26", but Medusa still documents LTS Node versions for the app and only supports the Next.js Starter Storefront on Node 24 LTS or lower; Node 25+ is called out as incompatible. This can break supported storefront installs, so keep the root and workspace manifests aligned on the supported 24.x line.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 25, The root package.json engines.node constraint is
too high and conflicts with the supported runtime range. Update the root
manifest’s Node engine requirement to stay on the supported 24.x LTS line and
align any related workspace manifests accordingly, using the package.json
engines block as the place to fix this.
61dc5d8 to
c06744d
Compare
Summary
Updates the Medusa package set from
2.13.1to2.17.1, with the lockfile refreshed via Yarn 4.I reviewed the upstream Medusa GitHub release notes for the intervening releases:
v2.14.0: Zod v4, React 19 icon package support, HTTP type alignmentv2.15.0: product/variant dimension attributes aligned to floatv2.16.0: Medusa ESLint plugin, auth verification changes, removed default JWT/cookie secrets, MikroORM 6.6.14v2.17.0: global product options and auth verification provider changes; noted the worker regression warningv2.17.1: worker startup regression fix for Redis Event BusChanges
@medusajs/*dependencies and root resolutions to2.17.1.@medusajs/uito4.1.18and root Zod resolution to4.2.0.medusa lintscript.supersecretfallback fromjwtSecretandcookieSecret; production now requiresJWT_SECRETandCOOKIE_SECRETfrom the environment.z.recordusage in the storefront add-to-cart schema.product_idusage.Validation
corepack yarn workspace medusa typecheckcorepack yarn workspace medusa lintcorepack yarn workspace medusa buildcorepack yarn workspace storefront typecheckcorepack yarn typecheckcorepack yarn buildDeployment note
Before deploying this branch, ensure production environments set strong
JWT_SECRETandCOOKIE_SECRETvalues. Medusa 2.16+ no longer relies on the previous default secret fallback in production.Summary by CodeRabbit
New Features
Bug Fixes
Chores