Skip to content

Integrate uppy io#6330

Open
mifi wants to merge 6 commits into
mainfrom
integrate-uppy-io
Open

Integrate uppy io#6330
mifi wants to merge 6 commits into
mainfrom
integrate-uppy-io

Conversation

@mifi

@mifi mifi commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

/packages/uppy.io used to live in its own git repository but I am here moving it into the uppy monorepo workspace.

NOTE: This is best reviewed commit by commit.

TODO (future?)

  • Review each workflow to ensure env secrets and permissions are set for the monorepo.
  • eslint/remark/prettier -> biome
  • move static out of the repo (100+ megabytes)
  • also probably move out existing large files from the uppy repo
  • archive/deprecate https://github.com/transloadit/uppy.io

@changeset-bot

changeset-bot Bot commented Jun 11, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 2606116

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedlodash@​4.17.23 ⏵ 4.18.181 +1100 +1887 +182100
Updatedchalk@​2.4.2 ⏵ 5.3.0100 +1100100 +182100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/caniuse-lite@1.0.30001793

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001793. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/caniuse-lite@1.0.30001793

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001793. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/caniuse-lite@1.0.30001793

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001793. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/caniuse-lite@1.0.30001793

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001793. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@mifi

mifi commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

@copilot why are github actions (e.g. ci tests) not being run?

Copilot AI commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

@copilot why are github actions (e.g. ci tests) not being run?

Looking at the CI workflow configuration and the PR's changed files:

The ci.yml has a paths-ignore filter for pull_request events:

paths-ignore:
  - '**.md'
  - '.github/**'
  - '!.github/workflows/ci.yml'

This PR changes 484 files. Of those, the vast majority are either:

  • Blog posts / docs under packages/uppy.io/ that are .md / .mdx files → matched by **.md
  • Files under .github/ → matched by .github/**

The !.github/workflows/ci.yml negation pattern was intended to ensure CI still runs when ci.yml itself is modified. However, since this PR also modifies .github/workflows/deploy-web.yml and .github/dependabot.yml, those are still treated as "ignored".

That said, the PR also changes several files that are not covered by paths-ignorebiome.json, package.json, yarn.lock, and many packages/uppy.io/ config/source files (.eslintrc.js, babel.config.js, .mdx docs, etc.) — which should have triggered CI. The lockfile_check.yml uses paths: - yarn.lock and yarn.lock was changed, so that should have triggered too.

In short, based on the workflow configuration the CI should be triggering. This appears to be a GitHub Actions processing issue, likely related to the unusually large diff size (484 files, 50k+ additions including many static assets). You may want to try pushing an empty commit to re-trigger the pull_request: synchronize event, or close and reopen the PR to fire pull_request: reopened.

On a related note: the PR description already has a TODO to "Review each workflow to ensure env secrets and permissions are set for the monorepo" — once CI does trigger, the new Build website step in the unit_tests job and the new lint_web job will both exercise the uppy-io workspace, so it's worth confirming those pass end-to-end.

Copilot finished work on behalf of mifi June 11, 2026 20:12
@mifi mifi requested a review from qxprakash June 11, 2026 21:09

@qxprakash qxprakash left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to test this locally but for some reason I can't check this branch out locally on my machine it keeps erroring out, but apart from couple of my review comments. I would like to stress on the point which you already made in the PR description which is to move static files out of the repo , I think we should do this before merging this PR to main because once this PR gets merged into main those static files would become part of the git history and every clone would pull those static files.

Comment thread .github/workflows/ci.yml
Comment on lines +62 to +63
- name: Build website
run: corepack yarn workspace uppy-io build

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Build website" step was added to the unit_tests job ? every CI run will now run a full docusaurus build which deploy-web.yml does already ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought to add it to CI to make sure that it successfully builds, to catch any obvious errors like syntax errors or broken imports (e.g. in PRs because the deploy job does not run in PRs)

Comment on lines +3 to +23
on:
workflow_dispatch:
push:
branches:
- main
# Review gh actions docs if you want to further define triggers, paths, etc
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#on

env:
NODE_VERSION: lts/*

permissions:
contents: read
id-token: write
pages: write

concurrency:
group: github-pages
cancel-in-progress: false

jobs:

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't we have a path filter here ? so that it only runs with changes to packages/uppy.io/** and not on every push to main ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about it, but uppy.io depends on @uppy/react, which again depends on

    "@uppy/core": "workspace:^",
    "@uppy/dashboard": "workspace:^",
    "@uppy/screen-capture": "workspace:^",
    "@uppy/status-bar": "workspace:^",
    "@uppy/webcam": "workspace:^",

and at this point, maybe we should just build it all the time?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants