Fix broken updates

[elie222]

Summary by CodeRabbit

• Bug Fixes

  • Enhanced status label removal to gracefully handle missing labels without interrupting operations.

• Chores

  • Version updated to v2.17.4.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
inbox-zero	Building	Preview	Oct 21, 2025 9:12pm

[coderabbitai]

Walkthrough

Dependency versions downgraded in web app (better-auth, @better-auth/sso, fast-xml-parser, jsdom). Root package.json patched dependency entry updated to match new better-auth version. Patch file replaced to adjust session.user.image nulling logic. Error handling in label-helpers modified to skip missing labels non-fatally. Version bumped to v2.17.4.

Changes

Cohort / File(s)	Change Summary
Dependency Downgrades apps/web/package.json	Downgraded @better-auth/sso (1.3.28 → 1.3.7), better-auth (1.3.28 → 1.3.7), fast-xml-parser (5.3.0 → 5.2.5), jsdom (27.0.1 → 26.1.0)
Package Manifest Patch Entry package.json	Updated patchedDependencies entry for better-auth to reference version 1.3.7 patch file instead of 1.3.28
Better-auth Patch Files patches/better-auth@1.3.28.patch, patches/better-auth@1.3.7.patch	Removed 1.3.28 patch file; added 1.3.7 patch file that sets session.user.image = null in dist/cookies/index.mjs setCookieCache logic
Error Handling apps/web/utils/reply-tracker/label-helpers.ts	Changed missing label ID handling from fatal error with halt to informational log with silent skip
Release Version version.txt	Incremented version from v2.17.3 to v2.17.4

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Update packages #858: Modifies apps/web/package.json dependencies and better-auth patch files with identical changes to session.user.image nulling in setCookieCache.
• fix: Patch better-auth to force delete image of the session cache #727: Updates dist/cookies/index.mjs patch logic to set session.user.image = null, directly mirroring the patch modifications here.
• Better logging for remove label errors #717: Alters label-removal error handling to skip missing labels instead of failing, matching the non-fatal error handling approach in this PR.

Poem

🐰 Dependencies downgraded with care,
Better-auth patched—image nulled fair,
Error logs skip what we can't find,
v2.17.4 leaves bugs behind!
Hop forward, the code's refined! 🌿

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title Check	❓ Inconclusive	The title "Fix broken updates" is overly vague and generic. While it suggests that something broken is being fixed, it doesn't clearly communicate what "broken updates" refers to—whether it's the dependency downgrades, the error handling changes in label-helpers.ts, the version bump, or something else entirely. The changes in this PR span multiple concerns including dependency version updates, error handling logic modifications, and patch file updates, but the title fails to pinpoint the primary focus or provide meaningful specificity about what problem is being addressed.	Consider updating the title to be more specific and descriptive of the main change. For example, if the primary focus is fixing dependency compatibility, the title could be "Downgrade better-auth and dependencies to fix compatibility issues." If the focus is error handling, something like "Make missing label handling non-fatal in reply tracker" would be more informative. A clearer title will help reviewers and maintainers understand the PR's intent at a glance.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/auth

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​better-auth/​sso@​1.3.28 ⏵ 1.3.7	-10		-2

View full report

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3054981 and 8bdbbc0.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (6)

• apps/web/package.json (3 hunks)
• apps/web/utils/reply-tracker/label-helpers.ts (1 hunks)
• package.json (1 hunks)
• patches/better-auth@1.3.28.patch (0 hunks)
• patches/better-auth@1.3.7.patch (1 hunks)
• version.txt (1 hunks)

💤 Files with no reviewable changes (1)

• patches/better-auth@1.3.28.patch

🧰 Additional context used

📓 Path-based instructions (8)

!{.cursor/rules/*.mdc}

📄 CodeRabbit inference engine (.cursor/rules/cursor-rules.mdc)

Never place rule files in the project root, in subdirectories outside .cursor/rules, or in any other location

Files:

• package.json
• version.txt
• patches/better-auth@1.3.7.patch
• apps/web/package.json
• apps/web/utils/reply-tracker/label-helpers.ts

!pages/_document.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

!pages/_document.{js,jsx,ts,tsx}: Don't import next/document outside of pages/_document.jsx in Next.js projects.
Don't import next/document outside of pages/_document.jsx in Next.js projects.

Files:

• package.json
• version.txt
• patches/better-auth@1.3.7.patch
• apps/web/package.json
• apps/web/utils/reply-tracker/label-helpers.ts

apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Path aliases: Use @/ for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Leverage TypeScript inference for better DX

Files:

• apps/web/utils/reply-tracker/label-helpers.ts

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/form-handling.mdc)

**/*.ts: The same validation should be done in the server action too
Define validation schemas using Zod

Files:

• apps/web/utils/reply-tracker/label-helpers.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/*.{ts,tsx}: Use createScopedLogger for logging in backend TypeScript files
Typically add the logger initialization at the top of the file when using createScopedLogger
Only use .with() on a logger instance within a specific function, not for a global logger

Import Prisma in the project using import prisma from "@/utils/prisma";

**/*.{ts,tsx}: Don't use TypeScript enums.
Don't use TypeScript const enum.
Don't use the TypeScript directive @ts-ignore.
Don't use primitive type aliases or misleading types.
Don't use empty type parameters in type aliases and interfaces.
Don't use any or unknown as type constraints.
Don't use implicit any type on variable declarations.
Don't let variables evolve into any type through reassignments.
Don't use non-null assertions with the ! postfix operator.
Don't misuse the non-null assertion operator (!) in TypeScript files.
Don't use user-defined types.
Use as const instead of literal types and type annotations.
Use export type for types.
Use import type for types.
Don't declare empty interfaces.
Don't merge interfaces and classes unsafely.
Don't use overload signatures that aren't next to each other.
Use the namespace keyword instead of the module keyword to declare TypeScript namespaces.
Don't use TypeScript namespaces.
Don't export imported variables.
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions.
Don't use parameter properties in class constructors.
Use either T[] or Array consistently.
Initialize each enum member value explicitly.
Make sure all enum members are literal values.

Files:

• apps/web/utils/reply-tracker/label-helpers.ts

apps/web/utils/**

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Create utility functions in utils/ folder for reusable logic

Files:

• apps/web/utils/reply-tracker/label-helpers.ts

apps/web/utils/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

apps/web/utils/**/*.ts: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size

Files:

• apps/web/utils/reply-tracker/label-helpers.ts

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use elements in Next.js projects.
Don't use elements in Next.js projects.
Don't use namespace imports.
Don't access namespace imports dynamically.
Don't use global eval().
Don't use console.
Don't use debugger.
Don't use var.
Don't use with statements in non-strict contexts.
Don't use the arguments object.
Don't use consecutive spaces in regular expression literals.
Don't use the comma operator.
Don't use unnecessary boolean casts.
Don't use unnecessary callbacks with flatMap.
Use for...of statements instead of Array.forEach.
Don't create classes that only have static members (like a static namespace).
Don't use this and super in static contexts.
Don't use unnecessary catch clauses.
Don't use unnecessary constructors.
Don't use unnecessary continue statements.
Don't export empty modules that don't change anything.
Don't use unnecessary escape sequences in regular expression literals.
Don't use unnecessary labels.
Don't use unnecessary nested block statements.
Don't rename imports, exports, and destructured assignments to the same name.
Don't use unnecessary string or template literal concatenation.
Don't use String.raw in template literals when there are no escape sequences.
Don't use useless case statements in switch statements.
Don't use ternary operators when simpler alternatives exist.
Don't use useless this aliasing.
Don't initialize variables to undefined.
Don't use the void operators (they're not familiar).
Use arrow functions instead of function expressions.
Use Date.now() to get milliseconds since the Unix Epoch.
Use .flatMap() instead of map().flat() when possible.
Use literal property access instead of computed property access.
Don't use parseInt() or Number.parseInt() when binary, octal, or hexadecimal literals work.
Use concise optional chaining instead of chained logical expressions.
Use regular expression literals instead of the RegExp constructor when possible.
Don't use number literal object member names th...

Files:

• apps/web/utils/reply-tracker/label-helpers.ts

🧬 Code graph analysis (1)

apps/web/utils/reply-tracker/label-helpers.ts (1)

apps/web/app/api/outlook/webhook/logger.ts (1)

• logger (3-3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Software Component Analysis Js
• GitHub Check: cubic · AI code reviewer
• GitHub Check: Jit Security

🔇 Additional comments (6)

version.txt (1)

1-1: LGTM!

Standard version bump to v2.17.4 for this patch release.

apps/web/utils/reply-tracker/label-helpers.ts (1)

45-46: Verify that silent skip is appropriate for missing labels.

The change from error to info log makes sense for the case where users haven't set up all status types yet. However, this fundamentally changes the behavior from failing fast to silently continuing.

Ensure that silently skipping missing labels won't mask legitimate configuration issues or cause unexpected behavior downstream. Consider whether there are scenarios where a missing label should still be treated as an error.

apps/web/package.json (3)

26-26: Verify and document the downgrade reason—it introduces a security regression.

The downgrade removes a critical security fix from 1.3.26+ that addressed an API-key plugin vulnerability enabling unauthenticated API-key creation / account takeover. The web search found no breaking changes or critical bugs in 1.3.28 that justify rolling back ~21 patch versions.

Before merging:

• Verify what specific issue in 1.3.28 necessitates this downgrade
• Document it in the PR description to explain the security tradeoff
• Track when it's safe to upgrade beyond 1.3.7 and re-apply the 1.3.26+ security patch

---

118-118: Address version mismatch between jsdom and @types/jsdom.

The jsdom package was downgraded to 26.1.0, but @types/jsdom remains at 27.0.0. This mismatch will cause TypeScript type errors or incorrect type information at runtime. Additionally, no security vulnerabilities exist in either version, and the Node.js version (>=22.0.0) is compatible with jsdom v27. Verify whether:

• This downgrade was intentional and the types should also be downgraded to 26.x.x
• The reasons for downgrading (test failures, dependency conflicts, etc.)
• Whether the codebase actually requires the breaking changes in v27 to be avoided

---

111-111: Based on my verification using GitHub security advisories and npm registry information, the security concerns raised in the review comment appear to be unfounded.

The downgrade from 5.3.0 to 5.2.5 does not involve missing security patches. All reported security vulnerabilities for fast-xml-parser are in version 4.x (versions 4.1.2 through 4.4.1), not in the 5.x series. Neither 5.3.0 nor 5.2.5 have known security vulnerabilities tracked in GitHub's advisory database.

However, I could not find public information about what changed between these two patch versions (5.2.5 and 5.3.0) to determine if the downgrade is addressing a regression or incompatibility. The downgrade may be necessary for project-specific compatibility reasons not reflected in public security advisories.

Verify the actual reason for the downgrade. If this is addressing an incompatibility or regression specific to your codebase, document that reason in the code comments. If this is simply following a dependency update tool without investigation, consider upgrading to 5.3.0 unless you've identified specific issues.

patches/better-auth@1.3.7.patch (1)

1-12: This patch will break avatar display in two identified locations—verify the nulling intention is deliberate.

The patch explicitly nulls session.user.image in the setCookieCache function. Evidence shows this will have side effects:

• apps/web/utils/dub.ts:36 — uses user.image as customerAvatar for Dub analytics integration
• apps/web/app/api/user/email-accounts/route.ts:42 — uses user.image as fallback for account image display

The patch is intentionally configured in package.json via pnpm's patchedDependencies, confirming this is deliberate. However, the codebase contains no comments, TODOs, or documentation explaining why the image is being nulled or what issue this addresses.

Before merging, confirm with the developer:

1. Is nulling user images intentional and acceptable given the avatar impact?
2. Does this address a specific issue (bug, privacy, performance)?
3. Should affected code in dub.ts and email-accounts route be updated to handle null images gracefully?

[cubic-dev-ai]

No issues found across 7 files