@jhoward1994
Contributor

@jhoward1994 jhoward1994 commented Dec 9, 2025

What does it do?

This PR implements the gradual removal of @strapi/pack-up from the SDK Plugin
as outlined in the RFC.

Notion search "RFC-Remove-strapi-pack-up..."

Current Progress:

  • Phase 0: Test Infrastructure (feature flags)
  • Phase 1: Verify Command
  • Phase 2: Init Command
  • Phase 3: Build Command (Vite migration)
  • Phase 4: Watch Command (Vite watch mode)

Key Changes:

  • Feature flag system for safe rollback (USE_LEGACY_PACKUP_* env vars)
  • Native package.json validation replacing pack-up's check
  • Native plugin scaffolding generation replacing pack-up's init
  • Comparison tool to validate migration parity - ⚠️ to be removed before merging

Why is it needed?

Pack-up has a security vulnerability in its Vite dependency (CVE).
SDK Plugin and Design System are the only remaining Strapi projects using pack-up.

This migration will:

  • Eliminate the security risk
  • Remove the last use of pack-up
  • Remove unnecessary build abstraction
  • Give us direct control over the build process

How to test it?

1. Run the comparison tool:

pnpm run compare

Expected output: Both verify and init commands should show ✅ PASS

2. Test with feature flags (legacy mode):

# Use legacy pack-up implementation
USE_LEGACY_PACKUP_CHECK=true pnpm run verify
USE_LEGACY_PACKUP_INIT=true pnpm run init my-plugin --silent

3. Test new implementation (default):

# Uses new native implementation
pnpm run verify
pnpm run init my-plugin --silent

4. Run unit tests:

pnpm run test:unit

Related issue(s)/PR(s)

Notion search "RFC-Remove-strapi-pack-up..."
DX-2163

@changeset-bot

changeset-bot bot commented Dec 9, 2025

⚠️ No Changeset found

Latest commit: d6615bd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@sonarqubecloud

sonarqubecloud bot commented Dec 9, 2025

Quality Gate failed

Failed conditions
2 Security Hotspots
22.5% Duplication on New Code (required ≤ 3%)


@jhoward1994 jhoward1994 self-assigned this Dec 9, 2025
@jhoward1994 jhoward1994 changed the title from "feat: wip pack up removal and replacement" to "Pack up removal and replacement" Dec 9, 2025
@jhoward1994
Contributor Author

This is a work in progress, but it can be reviewed in comparison to the RFC and for the first three phases listed.
