Upcoming Release Changes #7764

Merged: n1ru4l merged 1 commit into main from changeset-release/main on Mar 3, 2026
Conversation

@theguild-bot

Collaborator

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

hive@9.5.0

Minor Changes

  • #7699
    5f88ce8
    Thanks @n1ru4l! - Add experimental support for running without
    supertokens service.

    Instructions

    Prerequisites

    Adjust your docker compose file like the following:

    • Remove services.supertokens from your docker-compose.community.yml file
    • Remove the following environment variables from the services.server.environment
      • SUPERTOKENS_CONNECTION_URI=
      • SUPERTOKENS_API_KEY=
    • Set the following environment variables for services.server.environment
      • SUPERTOKENS_AT_HOME=1
      • SUPERTOKENS_REFRESH_TOKEN_KEY=
      • SUPERTOKENS_ACCESS_TOKEN_KEY=
    • Set the following environment variables for services.migrations.environment
      • SUPERTOKENS_AT_HOME=1

    Set the refresh token key

    Extract from existing supertokens deployment

    This method works if you used supertokens before and want existing user sessions to
    continue working. If you want to avoid messing with the database, you can also create a new
    refresh token key from scratch; the drawback is that users are forced to log in again.

    Extract the refresh token key from the supertokens database

    SELECT
      "value"
    FROM
      "supertokens_key_value"
    WHERE
      "name" = 'refresh_token_key';

    The key should look similar to this:
    1000:15e5968d52a9a48921c1c63d88145441a8099b4a44248809a5e1e733411b3eeb80d87a6e10d3390468c222f6a91fef3427f8afc8b91ea1820ab10c7dfd54a268:39f72164821e08edd6ace99f3bd4e387f45fa4221fe3cd80ecfee614850bc5d647ac2fddc14462a00647fff78c22e8d01bc306a91294f5b889a90ba891bf0aa0

    Update the docker compose services.server.environment.SUPERTOKENS_REFRESH_TOKEN_KEY environment
    variable value to this string.

    Create from scratch

    Run the following command to create a new refresh key from scratch:

    echo "1000:$(openssl rand -hex 64):$(openssl rand -hex 64)"

    Update the docker compose services.server.environment.SUPERTOKENS_REFRESH_TOKEN_KEY environment
    variable value to this string.

    Set the access token key

    Generate a new access token key using the following instructions:

    # 1. Generate a unique key name. 'uuidgen' is great for this.
    #    You can replace this with any string you like, e.g., KEY_NAME="my-app-key-1"
    KEY_NAME=$(uuidgen)
    # 2. Generate a 2048-bit RSA private key in PEM format, held in memory.
    PRIVATE_KEY_PEM=$(openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048)
    # 3. Extract the corresponding public key from the private key, also held in memory.
    PUBLIC_KEY_PEM=$(echo "$PRIVATE_KEY_PEM" | openssl rsa -pubout)
    # 4. Strip the headers/footers and newlines from the private key PEM
    #    to get just the raw Base64 data.
    PRIVATE_KEY_DATA=$(echo "$PRIVATE_KEY_PEM" | awk 'NF {if (NR!=1 && $0!~/-----END/) print}' | tr -d '\n')
    # 5. Do the same for the public key PEM.
    PUBLIC_KEY_DATA=$(echo "$PUBLIC_KEY_PEM" | awk 'NF {if (NR!=1 && $0!~/-----END/) print}' | tr -d '\n')
    # 6. Echo the final formatted string to the console.
    echo "${KEY_NAME}|${PUBLIC_KEY_DATA}|${PRIVATE_KEY_DATA}"

    Update the docker compose services.server.environment.SUPERTOKENS_ACCESS_TOKEN_KEY environment
    variable value to the formatted string output.

    Conclusion

    After performing these updates you can run Hive Console without the need for the supertokens
    service. All the relevant authentication logic resides within the server container instead.

    Existing users in the supertokens system will continue to exist when running without the
    supertokens service.

  • #7706
    9357d39
    Thanks @jdolle! - We continue to build and expand the features of
    schema proposals. In this change, a background composition job was added to allow asynchronous
    updates to the composition state of a proposal. This composition job uses the schema service's
    composer but is unique from checks in that it takes the latest state of all subgraphs that are a
    part of a schema proposal.

    Additional environment variables for workflows service:

    The workflow service calls the schema service's composeAndValidate TRPC endpoint and requires
    the schema service endpoint. And the shared instance of Redis, used as a pubsub in the server
    and api services, is also now used by workflows to update
    Subscription.schemaProposalComposition.

    For self hosters, make sure to provide the following environment variables to the workflows
    service:

    • SCHEMA_ENDPOINT
    • REDIS_HOST
    • REDIS_PORT
    • REDIS_PASSWORD

Patch Changes

  • #7761
    14581ba
    Thanks @n1ru4l! - Correctly display permission group without assigned
    resources.

  • #7700
    d777e32
    Thanks @adambenhassen! - Add server-side sorting to app
    deployments table (Created, Activated, Last Used).

  • #7677
    c3cb1ac
    Thanks @jdolle! - Increase service keepAliveTimeout from 72s to 905s

  • #7746
    ade45f5
    Thanks @n1ru4l! - fix unexpected error for support tickets in case
    the user already exists within zendesk.

  • #7673
    f8aac8b
    Thanks @adambenhassen! - Handle OIDC token exchange errors
    gracefully instead of returning 500. Classifies OAuth 2.0 error codes into user-safe messages
    without leaking sensitive provider details. Fix OIDC debug log modal not displaying the log area.

  • #7732
    3567483
    Thanks @jonathanawesome! - fix: correct RPM chart Y-axis
    scale to match actual values
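
A pre-deployment check for the two key values produced by the supertokens steps in the release notes above, as an added example that is not part of this PR or of Hive's code. The function names and the exact shapes accepted are assumptions inferred from the commands shown in the notes.

```shell
# Added example, not Hive's own validation: the expected shapes below are
# inferred from the commands in the release notes above.

# Refresh token key: "<digits>:<128 hex>:<128 hex>", i.e. the output of
#   echo "1000:$(openssl rand -hex 64):$(openssl rand -hex 64)"
check_refresh_token_key() {
  # Reject multi-line values (a stray newline from a copy out of psql).
  [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
  printf '%s\n' "$1" | grep -Eq '^[0-9]+:[0-9a-f]{128}:[0-9a-f]{128}$'
}

# Access token key: "<name>|<public key base64>|<private key base64>".
# Returns 0 when well-formed and the public key belongs to the private key,
# 1 when malformed, 2 when the two halves do not match (or the private key
# is not PKCS#8 as written by `openssl genpkey`), 3 when openssl is missing.
check_access_token_key() {
  [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
  printf '%s\n' "$1" |
    grep -Eq '^[^|]+\|[A-Za-z0-9+/]+=*\|[A-Za-z0-9+/]+=*$' || return 1
  command -v openssl >/dev/null 2>&1 || return 3
  _atk_pub=${1#*|}; _atk_pub=${_atk_pub%%|*}
  _atk_priv=${1##*|}
  # Re-wrap the private key as PEM and derive its public key; the key
  # material is passed through pipes only.
  _atk_derived=$(
    { echo '-----BEGIN PRIVATE KEY-----'
      printf '%s\n' "$_atk_priv" | fold -w 64
      echo '-----END PRIVATE KEY-----'; } |
      openssl pkey -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n'
  )
  [ -n "$_atk_derived" ] && [ "$_atk_derived" = "$_atk_pub" ] || return 2
}

# Usage before editing services.server.environment:
#   check_refresh_token_key "$SUPERTOKENS_REFRESH_TOKEN_KEY" || echo "bad refresh key" >&2
#   check_access_token_key  "$SUPERTOKENS_ACCESS_TOKEN_KEY"  || echo "bad access key ($?)" >&2
```
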

@gemini-code-assist

Contributor

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request prepares for the upcoming hive@9.5.0 release, incorporating several new features, improvements, and bug fixes. Key updates include enabling an experimental mode to run without the supertokens authentication service for more flexible deployments, and enhancing schema proposals with asynchronous background composition jobs. Additionally, various quality-of-life improvements and bug fixes have been addressed across the application, such as better error handling for OIDC and Zendesk integrations, improved UI elements like deployment table sorting, and a fix for RPM chart scaling.

Highlights

  • Authentication Flexibility: Added experimental support to run the Hive Console without the external supertokens service, allowing authentication logic to reside within the server container. This provides self-hosters with more control over their authentication setup.
  • Schema Proposal Enhancements: Introduced a background composition job for schema proposals, enabling asynchronous updates to their composition state. This job utilizes the schema service's composer and Redis for pubsub, improving the responsiveness and scalability of schema proposal processing.
  • Permission Group Display: Corrected the display of permission groups to ensure they are shown correctly even when no resources are assigned.
  • Deployment Table Sorting: Implemented server-side sorting for the application deployments table, allowing users to sort by creation date, activation date, and last used date.
  • Service Timeout Increase: Increased the keepAliveTimeout for services from 72 seconds to 905 seconds, which can help prevent premature connection closures for long-running operations.
  • Zendesk Error Handling: Fixed an unexpected error that occurred when creating support tickets if the user already existed within Zendesk.
  • OIDC Error Handling Improvements: Improved graceful handling of OIDC token exchange errors, providing user-safe messages without leaking sensitive provider details, and fixed an issue where the OIDC debug log modal was not displaying the log area.
  • RPM Chart Y-axis Fix: Corrected the Y-axis scale for RPM (Requests Per Minute) charts to accurately match and display actual values.

Changelog

  • deployment/CHANGELOG.md
    • Added experimental support for running without supertokens service.
    • Added a background composition job for schema proposals to allow asynchronous updates to their composition state.
    • Correctly displayed permission groups without assigned resources.
    • Added server-side sorting to the app deployments table (Created, Activated, Last Used).
    • Increased service keepAliveTimeout from 72s to 905s.
    • Fixed unexpected error for support tickets in case the user already exists within Zendesk.
    • Handled OIDC token exchange errors gracefully instead of returning 500, classifying OAuth 2.0 error codes into user-safe messages and fixing the OIDC debug log modal display.
    • Corrected RPM chart Y-axis scale to match actual values.

Activity

  • This pull request was automatically opened by the Changesets release GitHub action.
  • The PR will be automatically updated if more changesets are added to the main branch before merging.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@github-actions

github-actions Bot commented Mar 3, 2026

Contributor

🚀 Snapshot Release (rc)

The latest changes of this PR are available as rc on npm (based on the declared changesets):

Package Version Info
hive 9.5.0-rc-20260303175427-b136e440eef85566addb4a9842ffc64bcc3d1545 npm ↗︎ unpkg ↗︎
@hive/pubsub 0.0.1 npm ↗︎ unpkg ↗︎

@github-actions

github-actions Bot commented Mar 3, 2026

Contributor

🐋 This PR was built and pushed to the following Docker images:

Targets: build

Platforms: linux/amd64

Image Tag: b136e440eef85566addb4a9842ffc64bcc3d1545

@github-actions

github-actions Bot commented Mar 3, 2026

Contributor

💻 Website Preview

The latest changes are available as preview in: https://pr-7764.hive-landing-page.pages.dev

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request automates the release of hive@9.5.0, which includes experimental support for running without the SuperTokens service and new background composition jobs for schema proposals. However, the new authentication and cryptographic logic introduces several critical security vulnerabilities, including potential SSRF in the OIDC flow and weak cryptographic configurations. A minor duplication in the .gitignore file also needs to be cleaned up. These issues pose significant risks to the security and reliability of the new authentication feature and must be addressed before the release is finalized.

Comment thread .gitignore
Cargo.lock
Cargo.lock
Cargo.lock
Cargo.lock

Contributor

medium

This change introduces a duplicate Cargo.lock entry. The file already contains this entry on preceding lines. Please remove this duplication to keep the .gitignore file clean.

@n1ru4l n1ru4l merged commit c4a6a6f into main Mar 3, 2026
23 of 38 checks passed
@n1ru4l n1ru4l deleted the changeset-release/main branch March 3, 2026 19:12
n1ru4l pushed a commit that referenced this pull request Apr 10, 2026