letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(deps): @next/bundle-analyzer + ts-pattern exhaustive webhook

Browse Source 
Two adoption candidates from the audit's section-35 package matrix:

1. @next/bundle-analyzer wraps next.config.ts. Run
   `ANALYZE=true pnpm build` to get treemaps of client + server bundles.
   Companion to the recharts dynamic-import work the audit flagged —
   gives us the tool to verify the dashboard chart bundle only ships on
   the dashboard surface, not routes that don't render charts. Dev-only
   dependency, zero runtime impact.

2. ts-pattern replaces the 13-case event-type switch in the Documenso
   webhook with `match(event).with(...).exhaustive()`. The 13 known
   event types are codified as a `KnownDocumensoEvent` union with an
   `isKnownEvent()` type guard so:
     - Unknown events still get the informational catch-all log (so
       Documenso 2.x adding a new event doesn't 500).
     - The match itself is compile-time exhaustive — adding a new
       event to KnownDocumensoEvent without handling it in the
       match() fails the build.
   This is the bug class the multi-agent audit flagged ("webhook
   silently drops new event types"). Same pattern can be rolled out
   to the 19-case search dispatcher and the 12-case client-restore
   service when those files are next touched.

Verified: tsc clean, vitest 1293/1293 (webhook tests green).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-05-12 18:33:10 +02:00
parent a7a008c62e
commit ce662071f8
4 changed files with 279 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
next.config.ts
View File

@@ -1,7 +1,17 @@
import type { NextConfig } from 'next';
import bundleAnalyzer from '@next/bundle-analyzer';
const isProd = process.env.NODE_ENV === 'production';
// Wrap the config with the bundle analyzer. Run `ANALYZE=true pnpm build`
// to get treemaps of the client + server bundles after the build
// completes. Pairs with the recharts dynamic-import work the audit
// flagged — gives us the tool to verify chart bundles only ship on the
// dashboard surface and not on routes that don't render them.
const withBundleAnalyzer = bundleAnalyzer({
enabled: process.env.ANALYZE === 'true',
});
/**
* Security headers applied to every response. Per audit-pass-#3 finding:
* the previous config emitted no CSP, X-Frame-Options, HSTS, or
@@ -107,4 +117,4 @@ const nextConfig: NextConfig = {
},
};
export default nextConfig;
export default withBundleAnalyzer(nextConfig);