…l in blog and chat plugins
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| query, | ||
| context, | ||
| )) as unknown; | ||
| if (result === false) shimDenied = true; |
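Review bot: The legacy branch at `if (result === false) shimDenied = true;` gives the consumer no signal that a boolean return was honoured through the compatibility path. If nothing elsewhere already does so, emit a one-time deprecation warning at this point so hooks that still return booleans are found while the shim is in place.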
Shim uses strict equality, weakening backward-compatible fail-safe
Medium Severity
The backward-compatibility shim checks result === false (strict equality), but the old code used !result (falsy check). This means an old-style hook that returns a falsy-but-not-false value (e.g. undefined from a forgotten return true) now silently allows access instead of denying it. The old !result pattern was fail-safe — any non-truthy return denied access. The new === false shim only catches explicit false, losing that safety net for existing consumers upgrading the library.
Additional Locations (2)
| if (shimDenied) | ||
| throw ctx.error(403, { | ||
| message: "Unauthorized: Cannot list posts", | ||
| }); |
Identical shim pattern duplicated across sixty call sites
Medium Severity
The shimDenied backward-compatibility pattern (declare flag, try/catch the hook, check === false, re-throw as 403) is copy-pasted across 60+ call sites in blog, ai-chat, kanban, cms, form-builder, and ui-builder plugins. A small utility function (e.g. runHookWithShim) could replace all of them, reducing duplication and ensuring any fix to the shim logic (like the === false vs falsy-check issue) is applied in one place instead of sixty.
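
The two review comments above, combined into one helper as an added example; this is not code from the pull request or from @btst/stack, and `HookDenied`, `LegacyMode`, `isDenied` and `runHookWithShim` are hypothetical names. It assumes a migrated hook returns nothing when it allows, which is why `undefined` cannot be classified without knowing which contract the hook follows.

```typescript
// Added illustration. HookDenied, LegacyMode, isDenied and runHookWithShim are
// hypothetical names, not @btst/stack APIs.
type LegacyMode = "strict-false" | "legacy-falsy";

class HookDenied extends Error {
  status: number;
  constructor(message: string, status: number = 403) {
    super(message);
    this.name = "HookDenied";
    this.status = status;
  }
}

// Pure decision on a hook's *return value* (throws are handled by the caller).
//   strict-false : only an explicit `false` denies (the shim under review).
//   legacy-falsy : any falsy value denies (the old `!result` behaviour).
// Assumption: a migrated, throw-based hook returns nothing when it allows, so
// `undefined` means "allow" for new hooks but "forgot return true" for old ones.
function isDenied(result: unknown, mode: LegacyMode): boolean {
  return mode === "legacy-falsy" ? !result : result === false;
}

// Single place for the flag / try-catch / re-throw pattern.
async function runHookWithShim<A extends unknown[]>(
  hook: ((...args: A) => unknown) | undefined,
  args: A,
  denyMessage: string,
  mode: LegacyMode = "strict-false",
): Promise<void> {
  if (!hook) return; // no hook configured: nothing to enforce here
  let result: unknown;
  try {
    result = await hook(...args);
  } catch (err) {
    // Throw-based denial: surface the hook's own message as the 403 text.
    throw new HookDenied(err instanceof Error ? err.message : denyMessage);
  }
  if (isDenied(result, mode)) throw new HookDenied(denyMessage);
}
```

With the decision isolated in `isDenied`, the choice between the two modes is made once and can be pinned by a unit test rather than re-derived at each call site.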


Note
Medium Risk
Changes hook contracts and authorization/SSR loader control flow across multiple core plugins; while runtime shims still treat false as denial, TypeScript signatures and error propagation/messages may break consumer integrations.

Overview
Hook API breaking-direction refactor: Authorization and SSR loader hooks across ai-chat, blog, cms, form-builder, kanban, and ui-builder are changed from returning booleans to throwing errors to deny/cancel, with implementations updated to catch hook errors and surface them as appropriate HTTP errors (typically 403, 400 for rejected submissions) using the thrown message.

Compatibility + docs: Runtime “shim” handling still treats a returned false as denial for now, but TypeScript hook types/docs/examples are updated to the new throw-based pattern; the @btst/stack package version is bumped from 2.4.0 to 2.5.0.

Written by Cursor Bugbot for commit d445feb.