The separate `clerk.chips.browser.js` bundle is no longer needed. This removes the variant from the rspack build config, dev scripts, and bundlewatch. The `__BUILD_VARIANT_CHIPS__` flag is temporarily hardcoded to `false` and will be replaced with an environment flag in the next commit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add `partitioned_cookies` to `EnvironmentJSON` and `EnvironmentResource`, following the same pattern as `client_debug_mode`. The flag is read from the Clerk environment API response and defaults to `false`. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace the build-time __BUILD_VARIANT_CHIPS__ constant with a runtime flag from the Clerk environment API response. Cookie handlers now receive a usePartitionedCookies getter that reads Environment.partitionedCookies, following the same pattern as clientDebugMode. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Thread the usePartitionedCookies getter through createDevBrowser to createDevBrowserCookie so that the dev browser cookie also sets SameSite=None, Secure, and Partitioned when the environment flag is enabled. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
🦋 Changeset detected
Latest commit: 4d1a4a9
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 20 packages
@clerk/agent-toolkit
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/hono
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
📝 Walkthrough
The changes remove the CHIPS build variant and its compile-time flag from bundlewatch, build, and test configs, and delete the related dev script. Runtime control for partitioned cookies is introduced: Environment gains a partitionedCookies flag (serialized as partitioned_cookies), new cookie option types and callbacks (usePartitionedCookies) are added, and dev/session cookie creation and devBrowser APIs are updated to accept and act on these runtime cookie options. Tests and coverage configs were updated accordingly.
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.changeset/remove-chips-build-variant.md:
- Around line 2-3: The changes add new exported API surface (partitionedCookies
on EnvironmentJSON/EnvironmentResource in `@clerk/shared` and partitionedCookies
plus cookieOptions parameters threading through cookie handlers on Environment
in `@clerk/clerk-js`); update the changeset bump from "patch" to "minor" for both
"@clerk/shared" and "@clerk/clerk-js" or, if you intentionally treat these
additions as internal, add an explicit rationale in the changeset explaining why
they remain "patch" (refer to the symbols EnvironmentJSON, EnvironmentResource,
Environment, partitionedCookies, and cookieOptions when documenting your
decision).
📒 Files selected for processing (1)
.changeset/remove-chips-build-variant.md
| "@clerk/clerk-js": patch | ||
| "@clerk/shared": patch |
Consider whether minor bump is warranted for new public API surface.
Both packages are bumped as patch, but the changes introduce new public API surface:
- `@clerk/shared` adds `partitionedCookies` to the exported `EnvironmentJSON`/`EnvironmentResource` types.
- `@clerk/clerk-js` adds a `partitionedCookies` property to `Environment` and new `cookieOptions` parameters threading through cookie handlers.
Under standard SemVer, additive changes to a public API should be a minor bump. If your project's SemVer policy treats all non-breaking additions as patch (e.g., because these are considered internal/implementation details), this is fine to keep as-is — but it's worth a conscious call.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…titioned attributes Dev browser cookies are written at Step 0 before Environment is fetched, so they initially use stale (non-partitioned) attributes. After Environment resolves, refreshCookies() re-writes them with the correct attributes. Also fixes non-partitioned cookie cleanup: when transitioning to partitioned, the old non-partitioned cookies are now properly removed (plain remove without partitioned attribute targets the non-partitioned version, since the browser treats them as different cookies). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@packages/clerk-js/src/core/auth/cookies/session.ts`:
- Around line 38-42: The remove() function only deletes cookies using the
current partitioned attributes, leaving non-partitioned __session cookies
behind; update remove() in session.ts to also explicitly remove the
non-partitioned variants by calling sessionCookie.remove(...) and
suffixedSessionCookie.remove(...) with both getCookieAttributes(options) and
getCookieAttributes({ ...options, partitioned: false }) (or otherwise obtain
both partitioned and non-partitioned attribute sets) so both cookie flavors are
deleted, and apply the same dual-attribute removal change to the analogous
remove logic in devBrowser.ts.
📒 Files selected for processing (4)
- packages/clerk-js/src/core/auth/AuthCookieService.ts
- packages/clerk-js/src/core/auth/cookies/devBrowser.ts
- packages/clerk-js/src/core/auth/cookies/session.ts
- packages/clerk-js/src/core/auth/devBrowser.ts
🚧 Files skipped from review as they are similar to previous changes (2)
- packages/clerk-js/src/core/auth/devBrowser.ts
- packages/clerk-js/src/core/auth/AuthCookieService.ts
| const remove = () => { | ||
| const attributes = getCookieAttributes(); | ||
| const attributes = getCookieAttributes(options); | ||
| sessionCookie.remove(attributes); | ||
| suffixedSessionCookie.remove(attributes); | ||
| }; |
remove() doesn't clean up non-partitioned cookie variants when transitioning to partitioned mode.
set() (lines 52-55) correctly removes the old non-partitioned cookies before writing partitioned ones, but remove() only deletes cookies matching the current (partitioned) attributes. Because the browser treats partitioned and non-partitioned cookies with the same name as distinct, a sign-out that hits remove() without a prior set() in the same page lifecycle will leave stale non-partitioned __session cookies behind. The same gap exists in devBrowser.ts.
Proposed fix
const remove = () => {
const attributes = getCookieAttributes(options);
+ // When partitioned, also remove leftover non-partitioned variants
+ // (browser treats them as separate cookies).
+ if (attributes.partitioned) {
+ sessionCookie.remove();
+ suffixedSessionCookie.remove();
+ }
sessionCookie.remove(attributes);
suffixedSessionCookie.remove(attributes);
};
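Review bot: The two bare calls inside `if (attributes.partitioned)`, `sessionCookie.remove()` and `suffixedSessionCookie.remove()`, drop every attribute rather than only `partitioned`. If `getCookieAttributes(options)` returns anything that scopes the cookie, such as a path or domain, the leftover non-partitioned cookie was written with that scope and an attribute-less remove will not match it. Passing `{ ...attributes, partitioned: false }` keeps the scope and changes only the variant; a test that seeds a non-partitioned `__session` and calls `remove()` without a prior `set()` would pin this down.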
Collapse nested ternaries into single conditions since both branches resolve to 'None', and condense non-partitioned cleanup comments. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The remove() function only deleted cookies using the current partitioned attributes, leaving the other variant behind. Now also removes non-partitioned cookies when partitioned is enabled, matching the existing pattern in set(). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
packages/clerk-js/src/core/auth/cookies/clientUat.ts (1)
62-67: ⚠️ Potential issue | 🟠 Major
Partitioned mode does not clear domain-scoped non-partitioned `__client_uat` cookies
`set()` only removes host-only variants before writing, but writes with `domain`. If partitioned mode is turned on, stale domain-scoped non-partitioned cookies can remain and conflict with auth-state reads.
Proposed fix
// Removes any existing cookies without a domain specified to ensure the change doesn't break existing sessions. suffixedClientUatCookie.remove(); clientUatCookie.remove(); + + // When partitioned is enabled, also remove previously written domain-scoped + // non-partitioned variants (partitioned/non-partitioned are distinct cookies). + if (partitioned && domain) { + suffixedClientUatCookie.remove({ domain, sameSite, secure }); + clientUatCookie.remove({ domain, sameSite, secure }); + } suffixedClientUatCookie.set(val, { domain, expires, partitioned, sameSite, secure }); clientUatCookie.set(val, { domain, expires, partitioned, sameSite, secure });🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@packages/clerk-js/src/core/auth/cookies/clientUat.ts` around lines 62 - 67, When partitioned mode is enabled the current logic calls suffixedClientUatCookie.remove() and clientUatCookie.remove() (host-only removals) then calls set(..., { domain, ... }) which writes domain-scoped cookies but does not clear existing domain-scoped non-partitioned __client_uat cookies; update the code so that before writing in partitioned mode you explicitly remove any domain-scoped variants as well (e.g., call remove with the domain option or enhance set() to first clear domain-scoped cookies) for both suffixedClientUatCookie and clientUatCookie to prevent stale domain-scoped cookies from conflicting with auth reads.
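Review bot: The added cleanup is guarded by `if (partitioned && domain)`, so it only runs in one direction. When `partitioned` is false, for example after the environment flag is turned off again, nothing here removes a domain-scoped partitioned `__client_uat` written earlier, and it can sit beside the newly written non-partitioned one. Consider removing the opposite variant in both cases, e.g. `remove({ domain, partitioned: !partitioned, sameSite, secure })`, or state in the comment why only the non-partitioned to partitioned transition needs handling.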
📒 Files selected for processing (3)
- packages/clerk-js/src/core/auth/cookies/clientUat.ts
- packages/clerk-js/src/core/auth/cookies/devBrowser.ts
- packages/clerk-js/src/core/auth/cookies/session.ts
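The point running through the `remove()` and `__client_uat` review comments above, that a partitioned and a non-partitioned cookie with the same name are separate cookies and a delete only hits the one whose identity it matches, shown as an added TypeScript example. It is a simplified model written for this page, not Clerk's code or a browser API; `ModelJar`, the three remover functions and the `embedder.example` site are hypothetical.

```typescript
// Simplified model of how a cookie store keys entries (constructed for illustration;
// not a browser API and not Clerk code). Identity = name + domain + path + partition key.
type Attrs = { domain?: string; path?: string; partitioned?: boolean };
type Remover = (jar: ModelJar, name: string, current: Attrs) => void;

class ModelJar {
  private store: Record<string, string> = {};
  private topLevelSite: string;
  constructor(topLevelSite: string) {
    this.topLevelSite = topLevelSite;
  }
  private key(name: string, a: Attrs): string {
    const partition = a.partitioned ? this.topLevelSite : '';
    return [name, a.domain ?? '(host-only)', a.path ?? '/', partition].join('|');
  }
  set(name: string, value: string, a: Attrs = {}): void {
    this.store[this.key(name, a)] = value;
  }
  // A delete only hits the entry whose identity matches exactly.
  remove(name: string, a: Attrs = {}): void {
    delete this.store[this.key(name, a)];
  }
  values(name: string): string[] {
    return Object.keys(this.store)
      .filter(k => k.split('|')[0] === name)
      .map(k => this.store[k]);
  }
}

// Delete with the current attributes only (the gap described in the review).
const removeCurrentOnly: Remover = (jar, name, current) => jar.remove(name, current);

// Attribute-less delete plus current attributes: misses a domain-scoped legacy cookie.
const removeBareThenCurrent: Remover = (jar, name, current) => {
  jar.remove(name);
  jar.remove(name, current);
};

// Delete both variants while keeping domain and path, so each identity is matched.
const removeBothVariants: Remover = (jar, name, current) => {
  jar.remove(name, { ...current, partitioned: false });
  jar.remove(name, { ...current, partitioned: true });
};

// Sign-out with no prior set(): a legacy cookie exists, the flag is now enabled.
function leftoversAfterSignOut(remove: Remover, legacy: Attrs): string {
  const jar = new ModelJar('https://embedder.example'); // constructed top-level site
  jar.set('__session', 'legacy-token', legacy);
  remove(jar, '__session', { ...legacy, partitioned: true });
  return jar.values('__session').join(',');
}
```

An empty string from `leftoversAfterSignOut` means no `__session` value survived the sign-out; anything else is a stale cookie the removal strategy failed to match.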
… partitioned cookies (#7916) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- `clerk.chips.browser.js` build variant from rspack config, dev scripts, and bundlewatch
- `partitioned_cookies` field to the Environment API response (`EnvironmentJSON`/`EnvironmentResource`), following the `client_debug_mode` pattern
- `__BUILD_VARIANT_CHIPS__` constant with a runtime `usePartitionedCookies` getter that reads from `Environment.getInstance().partitionedCookies`

Test plan
- `usePartitionedCookies` returns `true`
- `partitioned_cookies: true` in the environment payload
- `SameSite=None; Secure; Partitioned` in a cross-origin iframe context

🤖 Generated with Claude Code