Code maintenance/STC-834: Bump Hocuspocus client & server to v4.2.0 (lockstep)#23754
Open
akabiru wants to merge 2 commits into
Open
Code maintenance/STC-834: Bump Hocuspocus client & server to v4.2.0 (lockstep)#23754akabiru wants to merge 2 commits into
akabiru wants to merge 2 commits into
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
akabiru
force-pushed
the
chore/hocuspocus-server-v4
branch
from
f2da4cd to
e728048
Compare
|
Warning Flaky specs
|
akabiru
force-pushed
the
chore/hocuspocus-server-v4
branch
from
e728048 to
b9f0dbc
Compare
akabiru
force-pushed
the
chore/hocuspocus-server-v4
branch
from
b9f0dbc to
a2d05eb
Compare
akabiru
changed the base branch from
dev
to
dependabot/npm_and_yarn/frontend/dev/hocuspocus/provider-4.0.0
akabiru
force-pushed
the
chore/hocuspocus-server-v4
branch
from
a2d05eb to
489b07a
Compare
akabiru
changed the title
|
Warning Flaky specs
|
Contributor
|
@akabiru Looks like upstream is already on 4.2.0, do we want to follow that? (It contains some important-looking fixes.) |
akabiru
changed the title
@hocuspocus/provider from v3.4.4 → v4.0.0
akabiru
changed the title
@hocuspocus/provider from v3.4.4 → v4.0.0@hocuspocus/server from v3.4.4 → v4.0.0
akabiru
changed the title
@hocuspocus/server from v3.4.4 → v4.0.0@hocuspocus/server from v3.4.4 → v4.0.0
Member
Author
Yes, good catch @thykel 👍🏾 |
Base automatically changed from
dependabot/npm_and_yarn/frontend/dev/hocuspocus/provider-4.0.0
to
dev
June 15, 2026 16:29
akabiru
changed the title
@hocuspocus/server from v3.4.4 → v4.0.0@hocuspocus/server from v3.4.4 → v4.2.0
akabiru
force-pushed
the
chore/hocuspocus-server-v4
branch
from
489b07a to
bb450fd
Compare
akabiru
changed the title
@hocuspocus/server from v3.4.4 → v4.2.0
Contributor
There was a problem hiding this comment.
Pull request overview
Aligns OpenProject’s collaborative editing stack by bumping both the frontend @hocuspocus/provider and the op-blocknote-hocuspocus server-side packages to Hocuspocus v4.2.0, and adapting the server extension hook payload changes introduced in v4.
Changes:
- Bump
@hocuspocus/providerin the frontend to^4.2.0(with updated lockfile). - Bump
@hocuspocus/serverand@hocuspocus/extension-loggerinop-blocknote-hocuspocusto^4.2.0(with updated lockfile). - Update
OpenProjectApiextension to v4 hook payload shapes (requestHeaders,lastContext,broadcastStateless) and adjust unit tests accordingly.
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| frontend/package.json | Bumps @hocuspocus/provider to v4.2.0. |
| frontend/package-lock.json | Updates resolved v4.2.0 provider/common dependencies and lock metadata. |
| extensions/op-blocknote-hocuspocus/src/extensions/openProjectApi.ts | Adapts server extension to Hocuspocus v4 hook payload API changes. |
| extensions/op-blocknote-hocuspocus/test/extensions/openProjectApi.test.ts | Updates unit tests to reflect v4 hook payload changes. |
| extensions/op-blocknote-hocuspocus/package.json | Bumps server-side Hocuspocus dependencies to v4.2.0. |
| extensions/op-blocknote-hocuspocus/package-lock.json | Updates resolved v4.2.0 server/common/logger dependencies and transitive graph. |
Files not reviewed (2)
- extensions/op-blocknote-hocuspocus/package-lock.json: Generated file
- frontend/package-lock.json: Generated file
Comments suppressed due to low confidence (1)
extensions/op-blocknote-hocuspocus/src/extensions/openProjectApi.ts:110
- The warning message still refers to "context", but the hook payload was migrated to
lastContext. This can be confusing when debugging stores (it will look like the old payload shape is still in use).
const { resourceUrl, readonly } = data.lastContext;
if (!resourceUrl) {
console.warn("Missing parameters in context. Skipping store.");
return;
Realigns the collaboration server with the v4 @hocuspocus/provider used on the frontend. v4 moves hook payloads to web-standard Headers and renames the store hook's context, so onAuthenticate reads the origin via requestHeaders and onStoreDocument uses lastContext and Document#broadcastStateless.
Aligns the collaboration client with the server on the same v4 minor so the two halves move in lockstep rather than only sharing a major. Provider v4.2.0 drops its ws dependency (the browser uses the native WebSocket), leaving ws as dev-only tooling.
akabiru
force-pushed
the
chore/hocuspocus-server-v4
branch
from
8ed13d1 to
a12237e
Compare
|
Warning Flaky specs
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ticket
https://community.openproject.org/wp/STC-834
Server-side follow-up to the
@hocuspocus/providerv4 client bump in #23570.What are you trying to accomplish?
#23570 moves the frontend client
@hocuspocus/providerto v4. The collaboration server inop-blocknote-hocuspocuswas still on v3. The two talk over a versioned wire protocol and ship as independent artifacts — the server is the separately builtopenproject/hocuspocusimage — so a one-major skew is tolerated, but the goal is to bring the server up to v4 as well so both halves run the current major.This PR bumps
@hocuspocus/serverand@hocuspocus/extension-loggerto v4 and applies the API changes the major introduces.What v4 changes, and how it's applied here
v4 is a cross-runtime release that standardizes the server hook payloads on web-standard primitives and restructures a couple of hook shapes (v4.0.0 release notes, full diff). Three of those touch our
OpenProjectApiextension:Request headers are now a web-standard
Headersobject — upgrade guide §2 Request and Headers (Breaking).onAuthenticatepreviously read the request origin off a plain object (data.request.headers.origin). v4 exposes it asHeaders, accessed with.get():This matters beyond a rename: against v4 the old plain-object access would silently return
undefined, quietly weakening the origin check passed todecryptAndValidateToken.The store hook's context is renamed
context→lastContext— upgrade guide §3onStoreDocumentPayload (Breaking).onStoreDocumentreads the resource URL, readonly flag, and token from the snapshot of the last connection context:Broadcasting to connected clients goes through
Document#broadcastStateless. In v4Document.connectionsis aMap<Connection, { clients }>, so the oldconnections.forEach(({ connection }) => connection.sendStateless(...))no longer typechecks.broadcastStatelessis the supported helper for this (CHANGELOG, client-initiated broadcastStateless #1103):The rest of the extension is unchanged:
onTokenSync,connection.close({ code, reason }),connectionConfig.readOnly, and the ad-hoccontextwrites all compile and behave the same under v4.@hocuspocus/commonresolves to v4 transitively;closeEvents.tsalready uses the v4-narrowed{ code, reason }CloseEvent shape (upgrade guide §11CloseEventShape), so no change was needed there.References
A standing assertion of the client/server compatibility, plus a CI guard against future major drift, lands in the follow-up #23755.
Merge checklist