Bump node-pty from 1.1.0-beta30 to 1.1.0-beta38#12
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
Bumps [node-pty](https://github.com/microsoft/node-pty) from 1.1.0-beta30 to 1.1.0-beta38. - [Release notes](https://github.com/microsoft/node-pty/releases) - [Commits](https://github.com/microsoft/node-pty/commits/v1.1.0-beta38) --- updated-dependencies: - dependency-name: node-pty dependency-version: 1.1.0-beta38 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
Author
|
Superseded by #26. |
dependabot
Bot
deleted the
dependabot/npm_and_yarn/node-pty-1.1.0-beta38
branch
AviPeltz
added a commit
that referenced
this pull request
May 10, 2026
Resolves 11 findings from greptile + coderabbit review on the remote-control feature: - #1 (P1): `remoteControl.get` is now `publicProcedure` and accepts the raw token, hashing it for constant-time comparison against the row's `tokenHash`. Anonymous viewers can resolve `wsUrl` without a Superset session — the share link itself is the credential. - #10 (Major): the host-side `sendInput` no longer round-trips bytes through a latin1 string before `pty.write` re-encodes them as UTF-8 (which corrupted any byte ≥ 0x80). Adds `pty.writeBytes` that forwards a `Uint8Array` straight to the daemon. - #2: a single `cleanup()` helper now handles `onClose` and `onError`, removing the viewer from the session's set, detaching the handle, and unsubscribing the revoke listener idempotently. Fixes a leak where abrupt teardown could orphan up to four `MAX_VIEWERS` slots until host restart. - #8: client WebSocket payloads are validated via a zod discriminated union before dispatch; `resize` and `runCommand` are wrapped in try/catch like `input` was. - #5: `TerminalRemoteControlButton` hydrates from `remoteControl.listForWorkspace` on mount and refreshes every 30s, so the live badge survives remounts and reflects backend revocation / expiry. The original `webUrl` is unrecoverable after `create` (the cloud only stores `tokenHash`), so Copy Link is disabled when we don't hold it. - #3: handshake-time auth result is cached on the WS context; per- message handling just compares `expiresAt` against `now` instead of re-running HMAC + SHA-256 at 200/s/viewer. - #4: the bearer token is now passed in the URL fragment (`#remoteControlToken=…`), not the query string. The fragment never reaches the server, never appears in `Referer` headers, and stays out of access logs and history. A new `RemoteTerminalLoader` client component reads `location.hash` after mount. - #7: the web viewer writes a one-time dim hint into xterm when the user types in `command` mode so silent drops are explained. - #9: oversized PTY chunks (> 256 KB in one event) now have their tail preserved instead of being pushed-and-immediately-shifted out of the ring, which would have left late-joining viewers with an empty snapshot. - #11: host-side mintToken schema now `.min(MIN_TTL).max(MAX_TTL)`, matching `mintRemoteControlToken`'s internal clamp. - #12: revoke `UPDATE` adds `organizationId` and `status='active'` to the `WHERE` so re-revoke is idempotent and cannot transition an `expired` row to `revoked`. Skipped: #6 (relay replay/tunnel-ownership) — the existing host proxy paths don't call `maybeReplay` either, so this PR doesn't regress the single-region behavior. Multi-region replay is a broader gap tracked separately.
AviPeltz
added a commit
that referenced
this pull request
May 11, 2026
* feat: browser-based remote control for v2 desktop terminals
Adds an end-to-end remote control flow: a desktop user clicks Share on a
v2 terminal pane, gets a one-time URL, and anyone opening the link in a
browser sees the live terminal output and can type into it.
Pieces:
- v2_remote_control_sessions table + remote_control_session_{mode,status}
enums, with a unique index on token_hash. Cloud row stores the SHA-256
hash only; the host-service mints and verifies the HMAC-signed token
end-to-end so a leaked DB row cannot grant new sessions.
- Shared protocol module (packages/shared/remote-control-protocol)
pinning the wire format, capabilities, and limits.
- Host-service: session manager (token mint/verify, registry, expiry
sweep), /remote-control/:sessionId WS route, attachTerminalViewer fan-
out on TerminalSession (256 KB tail ring, output sequence, viewer
set), and terminal.remoteControl.{mintToken,revoke,listActive} tRPC.
- Cloud tRPC: remoteControl.{create,get,revoke,listForWorkspace,
expireStale}; mints a short user JWT for the relay POST and inserts
the row only after the host returns a token.
- Relay: lets /hosts/:hostId/remote-control/* skip the user-JWT gate;
the per-session HMAC validated by the host is the credential.
- Desktop UI: TerminalRemoteControlButton on v2 terminal panes (radio
icon -> live badge dropdown with copy/stop) wired through pane
registry. Host-service spawn now propagates HOST_SERVICE_SECRET into
the child env so the secret derivation is stable.
- Web viewer: /agents/remote-control/[sessionId] page + RemoteTerminal
client component (xterm.js + addon-fit, mobile-only key toolbar,
status badge, copy/stop controls).
Out of scope: viewer-count fan-out, host->cloud heartbeat for
last_connected_at, host-driven resize push, and rebuilding the in-
memory session registry across host-service restarts (viewers see
session-not-found and the desktop user re-shares).
* style(web): match desktop terminal theme in remote-control viewer
Pulls the xterm options and color palette from the desktop's default
"dark" (Ember) theme so the browser viewer renders identical font, font
size, scrollback, ANSI colors, cursor, and selection. The chrome (header,
buttons, banners, mobile toolbar) now uses the same warm-dark surface
tones (#151110/#1a1716/#2a2827) and matches the ANSI accent colors for
status badges and the destructive Stop button.
`vtExtensions` (kittyKeyboard) and `scrollbar` are intentionally omitted
because they only exist on the desktop's xterm beta build; the stable
web release does not type them.
* fix(remote-control): address PR review findings
Resolves 11 findings from greptile + coderabbit review on the
remote-control feature:
- #1 (P1): `remoteControl.get` is now `publicProcedure` and accepts the
raw token, hashing it for constant-time comparison against the row's
`tokenHash`. Anonymous viewers can resolve `wsUrl` without a Superset
session — the share link itself is the credential.
- #10 (Major): the host-side `sendInput` no longer round-trips bytes
through a latin1 string before `pty.write` re-encodes them as UTF-8
(which corrupted any byte ≥ 0x80). Adds `pty.writeBytes` that
forwards a `Uint8Array` straight to the daemon.
- #2: a single `cleanup()` helper now handles `onClose` and `onError`,
removing the viewer from the session's set, detaching the handle, and
unsubscribing the revoke listener idempotently. Fixes a leak where
abrupt teardown could orphan up to four `MAX_VIEWERS` slots until host
restart.
- #8: client WebSocket payloads are validated via a zod discriminated
union before dispatch; `resize` and `runCommand` are wrapped in
try/catch like `input` was.
- #5: `TerminalRemoteControlButton` hydrates from
`remoteControl.listForWorkspace` on mount and refreshes every 30s, so
the live badge survives remounts and reflects backend revocation /
expiry. The original `webUrl` is unrecoverable after `create` (the
cloud only stores `tokenHash`), so Copy Link is disabled when we
don't hold it.
- #3: handshake-time auth result is cached on the WS context; per-
message handling just compares `expiresAt` against `now` instead of
re-running HMAC + SHA-256 at 200/s/viewer.
- #4: the bearer token is now passed in the URL fragment
(`#remoteControlToken=…`), not the query string. The fragment never
reaches the server, never appears in `Referer` headers, and stays out
of access logs and history. A new `RemoteTerminalLoader` client
component reads `location.hash` after mount.
- #7: the web viewer writes a one-time dim hint into xterm when the
user types in `command` mode so silent drops are explained.
- #9: oversized PTY chunks (> 256 KB in one event) now have their tail
preserved instead of being pushed-and-immediately-shifted out of the
ring, which would have left late-joining viewers with an empty
snapshot.
- #11: host-side mintToken schema now `.min(MIN_TTL).max(MAX_TTL)`,
matching `mintRemoteControlToken`'s internal clamp.
- #12: revoke `UPDATE` adds `organizationId` and `status='active'` to
the `WHERE` so re-revoke is idempotent and cannot transition an
`expired` row to `revoked`.
Skipped: #6 (relay replay/tunnel-ownership) — the existing host proxy
paths don't call `maybeReplay` either, so this PR doesn't regress the
single-region behavior. Multi-region replay is a broader gap tracked
separately.
* fix(remote-control): address second-round PR review
Resolves four further findings on PR #4345:
- High: redact `remoteControlToken` (and any `token` query param) from the
relay's request logger. The viewer has to put the bearer on the WS
upgrade URL because browser WebSockets can't carry custom headers, and
Hono's default `logger()` would otherwise spill the raw token into Fly
logs / Sentry breadcrumbs.
- High: when the bypass for `/hosts/:hostId/remote-control/*` skips the
user-JWT `authMiddleware`, still run the tunnel-presence check + Fly
`maybeReplay`. Previously a viewer landing on a relay instance that
doesn't own the destination tunnel would get a hard failure instead
of a `fly-replay` to the right region/instance.
- Medium: the web viewer's Stop button now calls a new public
`remoteControl.revokeWithToken({ sessionId, token })` mutation. The
protected `revoke` requires a Superset session, which anonymous share
recipients don't have, so the previous wiring silently 401'd. The
bearer token IS the credential — anyone holding it has the same
authority as whoever they got the link from. Constant-time SHA-256
match against `tokenHash`, then revoke + best-effort host tear-down.
- Medium: `revoke` (protected) and `listForWorkspace` now require host
membership in addition to active org membership, matching the gate
on `create`. Otherwise an org member who isn't on the host could
enumerate or revoke other people's share sessions.
The shared host-revoke flow is factored into `callHostRevoke()` so both
the protected and public revoke paths use the same best-effort tear-
down.
* fix(remote-control): make anonymous viewers actually work in prod
- Move /agents/remote-control/[sessionId] out of the `(agents)` route
group into `(public)` so it skips `getAgentsUiAccess`, and add it to
`proxy.ts` publicRoutes so unauthenticated viewers aren't redirected
to /sign-in before the page mounts.
- Allow the relay WebSocket origin in the prod CSP `connect-src` so
`wss://relay…` isn't blocked once `ws:/wss:` are dropped outside dev.
- Stop swallowing host-revoke failures: both revoke paths now throw a
TRPCError if the host call fails, so the Stop button can't report
success while in-memory host sessions (and connected viewers) live on.
The cloud row still flips to `revoked` first, so retries stay
idempotent and new attaches via `get` are blocked either way.
* fix(remote-control): keep bearer tokens out of URLs and harden cloud gates
- Convert `remoteControl.get` from a query to a mutation so tRPC's
httpBatchLink puts the bearer token in the POST body instead of the
URL query string (which would land in access logs and Referer). The
web viewer now calls `.mutate()`.
- `get` refuses to hand out `wsUrl`/`routingKey` for non-active rows
(revoked/expired). Also promotes active rows past `expiresAt` to
`expired` even if the sweep hasn't run, so a just-expired share
can't slip through. `SessionMeta.wsUrl` is now `string | null` and
the WS-connect effect gates on it.
- Add `timeoutMs: 5000` to the mintToken relayMutation in `create`
so a stuck host can't pin the Share button in "Starting…".
- Wrap the cloud `INSERT` in try/catch; on failure best-effort call
`callHostRevoke` so the host-side minted token isn't orphaned and
invisible to `listForWorkspace`/`revoke` until the host TTL sweep.
* chore(db): renumber remote-control migration to 0050 after main merge
Main shipped its own 0048 + 0049 while this branch had the original
0048_add_v2_remote_control_sessions. Regenerated via drizzle-kit
generate; same DDL, new slot.
* feat(remote-control): gate Share button on PostHog flag + add Open-in-browser
- New \`WEB_REMOTE_CONTROL_ACCESS\` (\`web-remote-control-access\`) feature
flag controls who sees the Share button on v2 desktop terminal panes.
Evaluated against the sharer's user id; the per-session HMAC stays the
credential for anyone with the link, so this only gates session
creation.
- TerminalRemoteControlButton returns null when the flag is off and skips
the 30s cloud-hydrate poll for that user, so non-cohort users don't
pay a tRPC round-trip every interval.
- Adds an "Open in browser" item to the live-badge dropdown that uses
\`window.open(url, "_blank")\` (Electron routes it to the system
browser), so the sharer can verify the link without leaving the app
to paste it.
* refactor(remote-control): one-folder-per-component layout for web viewer
- Promote `RemoteTerminalLoader` to a sibling folder under `[sessionId]/
components/RemoteTerminalLoader/` so `page.tsx`'s import resolves
through a barrel that actually points at it (used to import the
loader via the `RemoteTerminal` barrel, which was misleading).
- Extract inline `MobileToolbar` from `RemoteTerminal.tsx` into nested
`RemoteTerminal/components/MobileToolbar/MobileToolbar.tsx` per the
project's one-folder-per-component convention. No behavior change.
* fix(remote-control): close enumeration, schema leak, observability gaps
- Collapse `get` + `revokeWithToken` into a single generic 401
("Invalid remote control session or token") whether the row is
missing or the token is wrong. Always runs the constant-time
compare — against the row's tokenHash when present, otherwise
against DUMMY_TOKEN_HASH — so timing and response both equalize
and sessionIds can't be probed via these endpoints.
- Wrap the raw drizzle/pg error in `create`'s INSERT-failure path
with TRPCError so pg constraint / column names don't get echoed
back to clients through the default tRPC serializer.
- Upgrade the orphan-cleanup swallow from `console.warn` to a
structured `console.error("[remote-control:orphan-host-session]",
{ sessionId, hostId, organizationId, insertError, revokeError })`
so log scrapers can alert and a future Sentry
`captureConsoleIntegration` picks it up automatically.
* docs(remote-control): plan for remaining work
* fix(remote-control): debounce viewer resize broadcasts via requestAnimationFrame
ResizeObserver can fire at refresh-rate (~60Hz) during a window-drag,
which immediately trips the host's REMOTE_CONTROL_RESIZE_RATE_PER_SEC
= 10 rate limit and surfaces a spurious "rate-limited" banner in the
viewer during normal use. Coalesce to one fit+broadcast per animation
frame and cancel any pending frame in the cleanup so we don't
fit+send after the WS is gone.
* fix(remote-control): trailing-debounce resize broadcasts to fix rate-limit banner
The RAF coalescing from the previous commit didn't actually help —
ResizeObserver already fires once per layout, so RAF was a no-op for
sustained window-drag, and the host's 10/s bucket still drained in
~166ms and tripped the "rate-limited" error.
Switch to a trailing 200ms debounce: keep calling `fit()` per event so
local rendering stays responsive, but only fire the host-side resize
message once after the user stops dragging. 5 Hz worst case, well
under the host's 10/s cap.
* ci(sherif): allow @xterm/{xterm,addon-fit} version split
Desktop's terminal-runtime uses the @xterm beta 6.x track for
kittyKeyboard + scrollbar options; the new web remote-control viewer
uses stable 5.x because the beta is too churny for a fresh feature.
The split is intentional and documented in the viewer's source, so
tell Sherif to ignore those two deps rather than force-aligning to
either track.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps node-pty from 1.1.0-beta30 to 1.1.0-beta38.
Release notes
Sourced from node-pty's releases.
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)