Since you're going for dual ESM/CJS, you might want to check "are the types wrong". For example: https://arethetypeswrong.github.io/?p=%40workos-inc%2Fnode%408.0.0-rc.2
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
Too many files changed for review.
…18 (#1371)

The jose library is ESM-only and cannot be loaded via require() in Node.js versions before 20.19.0. This adds a dynamic import wrapper that works across all Node.js 20+ versions using import() which is supported in both ESM and CJS.

Breaking changes:
- UserManagement.jwks getter changed to async UserManagement.getJWKS() method
- CookieSession.jwks property removed (uses UserManagement.getJWKS() instead)

The wrapper enables:
- Lazy loading of jose (only when JWT methods are called)
- Support for all Node.js 20.x versions
- Smaller bundle size (no jose bundling needed)
- Clean migration path when Node 20 reaches EOL (April 2026)

Also updates:
- Minimum Node version to 20.15.0 (conservative choice within 20.x)
- tsup config: removes redundant external arrays (not needed with bundle: false)

## Description

## Documentation

Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates.

```
[ ] Yes
```

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
This pull request removes the dependency on the external `leb` and `qs` packages by introducing an in-house LEB128 encoding/decoding utility and a custom query string serializer. It updates all relevant imports to use these new utilities, ensuring compatibility and maintainability. Comprehensive unit tests for the new LEB128 implementation are also included. This is to improve cross-runtime compatibility support.

**Dependency Removal and Internal Utility Replacement:**

* Removed the `leb` and `qs` packages from `package.json` and replaced their usage with internal implementations. (`package.json`, [package.jsonL45-R45](diffhunk://#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L45-R45))
* Replaced all imports of `leb`'s `encodeUInt32`/`decodeUInt32` with internal versions in `src/vault/vault.ts`.
* Removed the old `toQueryString` implementation from `src/client/utils.ts` and updated all imports in `src/client/sso.ts` and `src/client/user-management.ts` to use the new internal utility. [[1]](diffhunk://#diff-3973d52ad7d2360214857fd42a183273a2e3904458c1eb573c34b3ec6151ab02L1-L20) [[2]](diffhunk://#diff-aba556dc64a77e993f9ce2de8ffd20b276128d1f6f4ba69bf2967e05dc1f7676L1-R1) [[3]](diffhunk://#diff-b5a04503adce4aaadee02b4511ee9bd11ec26a46927bde7c07d85ad31786e4bbL1-R1)

**New Utility Implementations:**

* Added `src/common/utils/leb128.ts`: Implements `encodeUInt32` and `decodeUInt32` for LEB128 encoding/decoding of unsigned 32-bit integers, with input validation and error handling.
* Added `src/common/utils/query-string.ts`: Implements `toQueryString`, matching the old behavior (RFC1738 encoding, key sorting, array/object handling) without external dependencies.

**Testing and Compatibility:**

* Added comprehensive unit tests for the new LEB128 implementation in `src/common/utils/leb128.spec.ts`, including boundary values, invalid input handling, and compatibility with the previous `leb` package's output.

Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates.

```
[ ] Yes
```

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
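The commit above describes unsigned LEB128 for 32-bit integers with input validation. The following is an added example, not the SDK's `src/common/utils/leb128.ts`: the names `encodeU32` and `decodeU32` and the returned `{ value, nextIndex }` shape are assumptions. It shows the checks a decoder needs when the bytes come from an untrusted source: bounded length, truncation, and overflow past 32 bits.

```javascript
// Added example: unsigned LEB128 for uint32 values.
// encodeU32/decodeU32 are hypothetical names, not the SDK's API.
const MAX_U32 = 0xffffffff;
const MAX_BYTES = 5; // ceil(32 / 7): a uint32 never needs more than 5 groups

function encodeU32(value) {
  // Reject floats, negatives, NaN and anything above 2^32 - 1 up front.
  if (!Number.isInteger(value) || value < 0 || value > MAX_U32) {
    throw new RangeError(`not an unsigned 32-bit integer: ${value}`);
  }
  const out = [];
  do {
    let byte = value & 0x7f; // low 7 payload bits
    value >>>= 7; // unsigned shift keeps values >= 2^31 positive
    if (value !== 0) byte |= 0x80; // continuation bit: more groups follow
    out.push(byte);
  } while (value !== 0);
  return Uint8Array.from(out);
}

function decodeU32(bytes, offset = 0) {
  if (!Number.isInteger(offset) || offset < 0) {
    throw new RangeError('offset must be a non-negative integer');
  }
  let value = 0;
  for (let i = 0; i < MAX_BYTES; i++) {
    const pos = offset + i;
    // Input ended while the continuation bit was still set.
    if (pos >= bytes.length) throw new RangeError('truncated LEB128 value');
    const byte = bytes[pos];
    const payload = byte & 0x7f;
    // The fifth group may carry only 32 - 4*7 = 4 bits.
    if (i === MAX_BYTES - 1 && payload > 0x0f) {
      throw new RangeError('LEB128 value exceeds 32 bits');
    }
    // Multiply instead of << so the result never turns negative.
    value += payload * 2 ** (7 * i);
    if ((byte & 0x80) === 0) return { value, nextIndex: pos + 1 };
  }
  // Continuation bit still set on the fifth byte: refuse to read further.
  throw new RangeError('LEB128 value longer than 5 bytes');
}

// Convenience for checking that encode and decode agree.
function roundTrip(n) {
  return decodeU32(encodeU32(n)).value;
}
```

Redundant encodings such as `0x80 0x00` for zero still decode here; a format that needs one canonical byte string per value has to reject them separately.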
## Description pretty self explanatory. the current path doesn't exist and gives an error when trying to deploy <img width="1620" height="682" alt="CleanShot 2025-11-15 at 19 38 29@2x" src="https://github.com/user-attachments/assets/dadf41ee-5e53-49a6-a895-860840f2c404" /> ## Documentation Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates. - [ ] Yes If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
Replaces Node.js-specific crypto import with globalThis.crypto to ensure compatibility across Node.js 20 and other runtimes. Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates. ``` [ ] Yes ``` If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
## Summary - Use Jest fake timers instead of real timers in audit log retry tests - Tests now run instantly instead of waiting for actual retry delays - Removes timeout extensions that were needed for slow tests
…#1413) Migrate from tsup to tsdown to fix CI out-of-memory errors during TypeScript declaration generation. The build was hitting `ERR_WORKER_OUT_OF_MEMORY` errors in CI on Node 20 and 22. With 297 source files and tsup's worker-based DTS generation, the memory requirements were too high. Replace tsup with [tsdown](https://tsdown.dev/), a modern bundler powered by Rolldown (Rust-based) and Oxc. Key benefits: - **Faster builds**: Rolldown is significantly faster than esbuild for bundling - **Lower memory usage**: Oxc-based TypeScript declaration generation is more memory-efficient - **Same output structure**: Maintains the existing `lib/esm`, `lib/cjs`, and `lib/types` directory structure - Replaced `tsup` with `tsdown` - Removed `esbuild-fix-imports-plugin` (no longer needed) - Created `tsdown.config.ts` with equivalent configuration - Updated build scripts in `package.json` - 297 ESM files (`.js`) in `lib/esm/` - 297 CJS files (`.cjs`) in `lib/cjs/` - 296 declaration files (`.d.ts`) in `lib/types/` - All tests pass (427 passed) Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates. ``` [ ] Yes ``` If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
## Description This pull request contains a minor version bump for the package, updating all references from `8.0.0-rc.3` to `8.0.0-rc.4`. * Updated the `version` field in `package.json` to `8.0.0-rc.4`. * Updated the `VERSION` constant in `src/workos.ts` to `8.0.0-rc.4`. ## Documentation Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates. ``` [ ] Yes ``` If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
- Replaces `iron-session` dependency with direct `iron-webcrypto` v2.0.0 - Creates lightweight `seal.ts` wrapper providing iron-session compatible API - Reduces dependency footprint while maintaining backwards compatibility - Add `src/common/crypto/seal.ts` with `sealData` and `unsealData` functions - Update `package.json` to use `iron-webcrypto` ^2.0.0 - Update `jest.config.cjs` to transform ESM-only `uint8array-extras` dependency - Update imports in session and user-management modules
## Description This pull request updates the package version from `8.0.0-rc.5` to `8.0.0-rc.6` throughout the codebase to ensure consistency. Version bump: * Updated the `version` field in `package.json` to `8.0.0-rc.6`. * Updated the `VERSION` constant in `src/workos.ts` to `8.0.0-rc.6`. ## Documentation Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates. ``` [ ] Yes ``` If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
Bundle `iron-webcrypto` and `uint8array-extras` into the build output using `noExternal`. These packages are ESM-only and cause `ERR_REQUIRE_ESM` errors for CJS consumers without special Jest/bundler configuration.
…point (#1435)

Enable PKCE authentication for both public and confidential clients.

- **API key now optional**: Initialize with just `clientId` for PKCE mode: `new WorkOS({ clientId: 'client_...' })`
- **New helper method**: `getAuthorizationUrlWithPKCE()` - generates PKCE internally, returns `{ url, state, codeVerifier }`
- **Enhanced exchange**: `authenticateWithCode()` auto-detects client mode based on available credentials
- **Manual PKCE option**: `workos.pkce.generate()` + `getAuthorizationUrl()` for advanced use cases
- **Non-breaking**: Existing `getAuthorizationUrl()` unchanged, still returns URL string

Server-side apps can use PKCE alongside the client secret for defense in depth:

```ts
const workos = new WorkOS('sk_...'); // With API key

const { url, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
  provider: 'authkit',
  redirectUri: 'https://example.com/callback',
  clientId: 'client_...',
});

// Both client_secret AND code_verifier will be sent
const { accessToken } = await workos.userManagement.authenticateWithCode({
  code: authorizationCode,
  codeVerifier,
  clientId: 'client_...',
});
```

The auto-detection logic:

| API Key | codeVerifier | Behavior |
|---------|--------------|----------|
| ✅ | ✅ | Send both `client_secret` AND `code_verifier` (confidential + PKCE) |
| ✅ | ❌ | Send `client_secret` only (traditional confidential client) |
| ❌ | ✅ | Send `code_verifier` only (public client) |
| ❌ | ❌ | Error |

The separate `/client` entry point has been removed. Instead of:

```ts
// Old approach - standalone functions
import { userManagement } from '@workos-inc/node/client';

const url = userManagement.getAuthorizationUrl({ ... });
```

Use the standard SDK without an API key:

```ts
// New approach - consistent with rest of SDK
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS({ clientId: 'client_...' });
const url = workos.userManagement.getAuthorizationUrl({ ... });
```

This provides a single, consistent API surface rather than two parallel approaches.

```ts
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS({ clientId: 'client_...' });

// Step 1: Get authorization URL with auto-generated PKCE
const { url, state, codeVerifier } = await workos.userManagement.getAuthorizationUrlWithPKCE({
  redirectUri: 'myapp://callback',
  provider: 'authkit',
});

// Store codeVerifier securely, then redirect user to url

// Step 2: Exchange code for tokens
const { accessToken, refreshToken, user } = await workos.userManagement.authenticateWithCode({
  code: authCode,
  codeVerifier,
});
```

| Method | Description |
|--------|-------------|
| `userManagement.getAuthorizationUrlWithPKCE()` | Build OAuth URL with auto-generated PKCE |
| `userManagement.getAuthorizationUrl()` | Build OAuth URL (with manual PKCE params) |
| `userManagement.authenticateWithCode()` | Exchange code + verifier for tokens |
| `userManagement.authenticateWithCodeAndVerifier()` | Exchange code + verifier for tokens (explicit) |
| `userManagement.authenticateWithRefreshToken()` | Refresh tokens |
| `userManagement.getLogoutUrl()` | Build logout redirect URL |
| `userManagement.getJwksUrl()` | Get JWKS URL for local JWT validation |
| `workos.pkce.generate()` | Generate PKCE code verifier and challenge |
## Summary - Remove unused devDependencies: `@types/cookie`, `@types/glob`, `@types/qs`, `baseline-browser-mapping`, `glob`, `nock`, `supertest` - Remove deprecated `/* eslint-env node */` comments (globals already defined in eslint config for `.cjs` files) - Fix formatting/linting issues across interface files and serializers
…nts [v8] (#1440)

## Summary

Adds a `createWorkOS()` factory function that provides **compile-time type safety** for public vs confidential clients.

When the SDK is instantiated with only a `clientId` (no API key), most methods throw `ApiKeyRequiredException` at runtime. However, TypeScript can't warn you at compile time because the `WorkOS` class type is static—all methods appear available regardless of how it was constructed.

The factory solves this by using function overloads that return different types based on input:

- `createWorkOS({ clientId })` → returns `PublicWorkOS` (narrow type exposing only PKCE-compatible methods)
- `createWorkOS({ apiKey, ... })` → returns full `WorkOS` type

## Example

```typescript
import { createWorkOS } from '@workos-inc/node';

// Public client (Electron, mobile, CLI) - only PKCE methods available
const publicClient = createWorkOS({ clientId: 'client_123' });

// ✅ These work - available on PublicWorkOS
const { url, codeVerifier } = await publicClient.userManagement.getAuthorizationUrlWithPKCE({
  provider: 'authkit',
  redirectUri: 'myapp://callback',
});
const auth = await publicClient.userManagement.authenticateWithCodeAndVerifier({
  code: authCode,
  codeVerifier,
});

// ❌ TypeScript error - not available on PublicWorkOS
publicClient.userManagement.listUsers();
publicClient.organizations.list();

// Confidential client (server) - full access
const serverClient = createWorkOS({
  apiKey: process.env.WORKOS_API_KEY!,
  clientId: 'client_123',
});

// ✅ All methods available
await serverClient.userManagement.listUsers();
await serverClient.organizations.list();
```

## Design

- **No runtime changes** - The factory returns a standard `WorkOS` instance; type narrowing is purely compile-time
- **Uses `Pick<>` for maintainability** - Public method names are listed once as a string union; types are derived automatically
- **Ignores env vars** - Factory uses only explicit input for predictable types. Users who want env var convenience can use `new WorkOS()` or pass `process.env.WORKOS_API_KEY` explicitly
- **Backward compatible** - `new WorkOS()` continues to work unchanged
## Summary

- Splits tsdown build config into separate ESM and CJS configurations
- ESM: unbundled with external deps (ESM consumers import ESM deps directly)
- CJS: bundled with `iron-webcrypto` and `uint8array-extras` inlined

## Problem

Previous single config with `noExternal` created `lib/node_modules/` structure that broke Electron asar packaging and pnpm symlink resolution.

## Why CJS inlining is required

`iron-webcrypto` and `uint8array-extras` are ESM-only packages—they don't ship CJS builds. CJS code can't `require()` ESM modules, so these deps must be inlined/bundled into the CJS output for compatibility.
Merged
nicknisi added a commit that referenced this pull request Jan 12, 2026
## Description - #1370 ## Documentation Does this require changes to the WorkOS Docs? E.g. the [API Reference](https://workos.com/docs/reference) or code snippets need updates. ``` [ ] Yes ``` If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
Overview
Version 8 is a major release focused on universal runtime compatibility, PKCE authentication support, and API modernization. The SDK now works seamlessly across Node.js, Deno, Bun, and Cloudflare Workers while removing long-deprecated APIs.
BREAKING CHANGES
Runtime & Build System
1. Node.js Version Requirement (BREAKING)
- `16` → `20`
- `package.json` (engines.node)
2. Package Type Change to ESM-First (BREAKING)
- `package.json` now includes `"type": "module"`
- `package.json`
3. Build System Migration (Internal)
- `tsc` to `tsdown` (Rolldown/Oxc-based) for building
- `tsdown.config.ts` with dual-config approach:
- `iron-webcrypto`, `uint8array-extras`) for compatibility
Removed Internal Classes (BREAKING)
4. HTTP Client Removal (BREAKING)
- `NodeHttpClient` class and `createHttpClient()` method
- `src/common/net/node-client.ts` (deleted)
- `WorkOS` instance instead - HTTP is handled automatically
5. Crypto Provider Removal (BREAKING)
- `NodeCryptoProvider`, `IronSessionProvider`, `EdgeIronSessionProvider`, `WebIronSessionProvider`
- `iron-webcrypto` v2 directly with lightweight wrapper
- `src/common/crypto/node-crypto-provider.ts` (deleted), `src/common/iron-session/*` (deleted), `src/common/crypto/seal.ts` (added)
- `WorkOS` instance methods - crypto is handled automatically
Directory Sync (BREAKING)
6. DirectoryUser Interface Changes (BREAKING)
- `emails` → Use `customAttributes.emails`
- `username` → Use `customAttributes.username`
- `jobTitle` → Use `customAttributes.jobTitle`
- `getPrimaryEmail()` function
- `src/directory-sync/interfaces/directory-user.interface.ts`, `src/directory-sync/utils/get-primary-email.ts` (deleted)
User Management (BREAKING)
7. AuthorizationURLOptions Changes (BREAKING)
- `context` field (no longer supported)
- `src/user-management/interfaces/authorization-url-options.interface.ts`
- `context` parameter from authorization URL calls
8. Removed Deprecated Methods (BREAKING)
- `sendMagicAuthCode()` → Use `userManagement.sendMagicCode()` instead
- `sendPasswordResetEmail()` → Use `userManagement.sendPasswordResetEmail()` instead
- `refreshAndSealSessionData()` → Use new session helper methods instead
- `src/user-management/user-management.ts`, serializers removed
9. listOrganizationMemberships Requires userId or organizationId (BREAKING)
- `listOrganizationMemberships()` now requires either `userId` or `organizationId`
- `src/user-management/user-management.ts`
SSO (BREAKING)
10. SSOAuthorizationURLOptions Type Changes (BREAKING)
- `domain` field (deprecated)
- `src/sso/interfaces/authorization-url-options.interface.ts`
- `connection`, `organization`, or `provider`
11. Connection Interface (BREAKING)
- `src/sso/interfaces/connection.interface.ts`
MFA (BREAKING)
12. Method Removal (BREAKING)
- `verifyFactor()` method
- `src/mfa/mfa.ts`, `src/mfa/interfaces/verify-factor-options.ts` (deleted)
- `verifyChallenge()` instead (same functionality)
Organizations (BREAKING)
13. Organization Options Changes (BREAKING)
- `allowProfilesOutsideOrganization`
- `domains` (use `domainData` instead)
- `src/organizations/interfaces/*.interface.ts`
14. Organization Domain Enum (BREAKING)
- `LegacyVerified` from `OrganizationDomainState` enum
- `src/organizations/interfaces/organization-domain.interface.ts`
- `Verified` instead
Events (BREAKING)
15. Event Type Removals (BREAKING)
- `DsyncDeactivatedEvent` → Use `dsync.deleted` instead
- `OrganizationMembershipAdded` → Not applicable in v8
- `OrganizationMembershipRemoved` → Not applicable in v8
- `src/common/interfaces/event.interface.ts`
Vault (BREAKING)
16. Removed Deprecated Method Aliases (BREAKING)
- `createSecret()` → Use `createObject()` instead
- `listSecrets()` → Use `listObjects()` instead
- `listSecretVersions()` → Use `listObjectVersions()` instead
- `readSecret()` → Use `readObject()` instead
- `describeSecret()` → Use `describeObject()` instead
- `updateSecret()` → Use `updateObject()` instead
- `deleteSecret()` → Use `deleteObject()` instead
- `src/vault/vault.ts`
- `*Secret` methods with `*Object` equivalents
Webhooks (NON-BREAKING)
17. constructEvent Payload Typing (NON-BREAKING)
- `constructEvent` payload parameter typed as `Record<string, unknown>` for better type safety
- `src/webhooks/webhooks.ts`
NEW FEATURES
18. PKCE Authentication Support (NON-BREAKING)
- `clientId` for PKCE-only mode
- `userManagement.getAuthorizationUrlWithPKCE()` - generates PKCE internally, returns `{ url, state, codeVerifier }`
- `userManagement.authenticateWithCodeAndVerifier()` - explicit PKCE token exchange
- `workos.pkce.generate()` - manual PKCE generation
- `authenticateWithCode()` auto-detects client mode based on credentials
19. createWorkOS Factory Function (NON-BREAKING)
- `createWorkOS()` factory with compile-time type safety for public vs confidential clients
- `src/workos.ts`
20. Universal Runtime Support (NON-BREAKING)
- `package.json` (exports), `src/index.worker.ts`
21. Environment Variable Helper (NON-BREAKING)
- `getEnv()` helper for better cross-runtime environment variable access
- `src/common/utils/env.ts`
22. Pagination Improvements (NON-BREAKING)
- `AutoPaginatable` now properly defaults `PaginationOptions` generic parameter
- `src/common/utils/pagination.ts`
23. Runtime Analytics (NON-BREAKING)
- `src/workos.ts`
INTERNAL IMPROVEMENTS
24. Linting Migration (Internal)
- `eslint.config.mjs`
- `tslint.json`
25. Runtime Testing (Internal)
- `scripts/ecosystem-check.ts`)
- `.github/workflows/runtime-tests.yml`
26. Dependency Updates (Internal)
- `leb` and `qs` packages - replaced with internal vanilla implementations
- `package.json`, `package-lock.json`
27. Test Infrastructure (Internal)
- `jest.config.cjs`, `jest-transform-esm.cjs`
28. Dynamic jose Import (Internal)
- `jose` to support Node.js 20.15-20.18 compatibility
- `src/common/utils/jose.ts`
29. Runtime-Agnostic UUIDs (Internal)
- `globalThis.crypto.randomUUID` instead of Node-specific crypto
REMOVED (Previously Announced)
30. `/client` Entry Point Removed (BREAKING)
- `@workos-inc/node/client` entry point
Files Changed Summary
- `/client` entry point
Migration Guide
See `docs/V8_MIGRATION_GUIDE.md` for detailed migration instructions.
Testing