Skip to content

[pull] main from jsr-io:main#92

Merged
pull[bot] merged 7 commits into
code:mainfrom
jsr-io:main
Jun 5, 2026
Merged

[pull] main from jsr-io:main#92
pull[bot] merged 7 commits into
code:mainfrom
jsr-io:main

Conversation

@pull

@pull pull Bot commented Jun 5, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

crowlbot and others added 7 commits June 5, 2026 04:43
Fixes #1121

The package header's description `<p>` has no overflow-wrap setting, so
descriptions containing long unbreakable tokens (long URLs, technical
identifiers, undelimited strings, etc.) can extend past the viewport on
narrow screens. Add `break-words` (CSS `overflow-wrap: break-word`) so
the description wraps at whitespace as usual, and only breaks within a
word when one is wider than the column.

### Diff

```diff
-            <p class="text-secondary text-base max-w-3xl mb-6">
+            <p class="text-secondary text-base max-w-3xl mb-6 break-words">
```

### Verification

- Built the frontend locally and loaded
`http://localhost:8000/@salmidev/maths-objects` (the URL from the
issue). The description `<p>` renders with `class="... break-words"` and
the generated Tailwind CSS includes
`.break-words{overflow-wrap:break-word}`.
- `overflow-wrap: break-word` is the conservative variant: lines still
break at whitespace where they can; words only break mid-token when
nothing else would fit.
- `deno fmt --check` and `deno lint` pass on the changed file; full-repo
fmt/lint failures on `main` are unrelated (`assets/styles.css`,
`assets/tailwind.css`).
- Couldn't capture before/after screenshots in this environment (no
working headless browser available), but the rule applies only when a
token would otherwise overflow the container — wider viewports and
shorter descriptions are visually unchanged.
…acent content (#1413)

## Summary

Closes #1377.

The `Tooltip` popup container had no `z-index` set, so adjacent siblings
rendered later in the DOM painted on top of it whenever they overlapped
— most visibly the provenance "Built and signed on GitHub Actions"
tooltip on the package header, which sits inside the `<h1>` next to the
chips row and right above the secondary metadata row.

Adding `z-30` to the absolute container puts the popup above
same-context content while staying below sticky/modal layers, matching
the existing convention used by other popovers in the codebase:

- `DocUsages` (`islands/DocUsages.tsx`) — `z-30`
- `DocBreadcrumbsSwitcher` (`islands/DocBreadcrumbsSwitcher.tsx`) —
`z-30`
- `BreadcrumbsSticky` — `z-20` (now correctly below the tooltip)
- `Header` — `z-50` (correctly stays above)
- modals (`TicketModal`, `UserMenu`, `SignInMenu`) — `z-70`+ (correctly
stay above)

## Changes

- `frontend/components/Tooltip.tsx`: add `z-30` to the popup's
`absolute` container. One-class change; no markup or behavior changes
otherwise.

## Validation

- `deno task lint:frontend` — pre-existing `no-process-global` warnings
unrelated to this change; no new errors.
- `deno fmt --check` / `deno lint` / `deno check` on the touched file
all clean.
- Built with `deno task build` and ran `deno serve -A --cached-only
--port=8000 _fresh/server.js` against `API_ROOT=https://api.jsr.io`.
Inspected the rendered HTML on `/@std/path` (a package with provenance)
and confirmed the tooltip's absolute container now renders with
`class="absolute z-30"`. Screenshots couldn't be captured in this
sandbox (no Chromium and outbound asset downloads blocked), but the
change is one Tailwind utility class addition with no markup/JS behavior
change, so light/dark/responsive states are not affected.

## PR Checklist

- [x] The PR title follows [conventional
commits](https://www.conventionalcommits.org/en/v1.0.0/)
- [x] Is this closing an open issue? If so, link it, else include a
proper description of the changes and reason behind them.
- [x] Does the PR have changes to the frontend? If so, include
screenshots or a recording of the changes.
<br/>If it affect colors, please include screenshots/recording in both
light and dark mode.
- [ ] Does the PR have changes to the backend? If so, make sure tests
are added.
<br/>And if changing dababase queries, be sure you have ran `sqlx
prepare` and committed the changes in the `.sqlx` directory.

Co-authored-by: crowlbot <crowlbot@users.noreply.github.com>
First step of the API-service-split RFC (#1414): carve the shared data
types out of `api/` into a new wasm-safe `jsr_types` crate, so the
upcoming workers-rs front and the Cloud Run server can share a single
source of truth without the Worker pulling in `sqlx` or any native
crate.

This PR is a **pure refactor — no behaviour change, no endpoint moves.**

### What moves
- `api/src/ids.rs` → `crates/jsr_types/src/ids.rs` — the id newtypes
(`ScopeName`, `PackageName`, `Version`, `PackagePath`, …).
- `api/src/db/models.rs` → `crates/jsr_types/src/models.rs` — the plain
DB model structs.

### How sqlx stays out of wasm
The structs live in `jsr_types`; their `FromRow` / `Type` / `Encode` /
`Decode` impls move with them but are gated behind a **default-off
`sqlx` feature** (manual impls under `#[cfg(feature = "sqlx")]`, derives
under `#[cfg_attr(feature = "sqlx", …)]`). `registry_api` turns the
feature on, so its query code is untouched. With the feature off the
crate builds for `wasm32-unknown-unknown` — sqlx never compiles.
(`uuid`'s `v4`/`getrandom` is likewise left to the consuming crates.)

### No churn in the API server
`api/src/ids.rs` and `api/src/db/models.rs` become one-line re-export
shims (`pub use jsr_types::ids::*;` / `models::*;`), so all ~80 existing
`crate::ids::*` and `crate::db::*` call sites keep working verbatim. A
`testing` feature re-exposes `ExportsMap::mock()` to the API server's
tests via dev-deps.

### Verification
- ✅ `cargo build -p jsr_types --target wasm32-unknown-unknown` (default
features) — the whole point; now enforced in CI.
- ✅ `cargo check -p registry_api --all-targets` (sqlx feature on, incl.
tests).
- ✅ `cargo clippy --all-targets --all-features -- -D warnings`.
- ✅ `cargo fmt --all -- --check`.
- ✅ `cargo test -p jsr_types` — the id-validation unit tests moved with
the types (now run by a new CI step).

Next in the sequence (#1414): scaffold the empty workers-rs crate, then
the Hyperdrive + `tokio-postgres` DB spike.

---------

Co-authored-by: crowlbot <crowlbot@users.noreply.github.com>
## What

Step 2 of the API service split (design: #1414, step 1 `jsr_types`
extraction landed in #1417): **scaffold the `workers-rs` API Worker**.

This adds a new `workers-rs/` crate — a minimal Cloudflare Worker (Rust
→ `wasm32`) that will become the front for `api.jsr.io`. It is
deliberately a skeleton:

- `#[event(fetch)]` entrypoint + a `worker::Router` route table,
- a `GET /health` liveness check returning a small JSON body,
- a catch-all that returns `501 Not Implemented` for every other path,
so the not-yet-migrated surface is explicit,
- **no database and no real endpoints** — those move over one endpoint
group per PR per the design doc's sequence (Hyperdrive DB spike is the
next step).

## Notes

- **Detached workspace.** `workers-rs/Cargo.toml` declares its own
`[workspace]` (with its own `Cargo.lock`) so the repo-root
`registry_api` native build never tries to compile this `wasm32`-only
crate. The existing `check`/`test` jobs are unaffected.
- **CI.** Adds an `api-worker` job that installs the pinned toolchain,
adds the `wasm32-unknown-unknown` target, and runs `cargo fmt --check`,
`cargo clippy --target wasm32-unknown-unknown -- -D warnings`, and a
release `cargo build --target wasm32-unknown-unknown`. The full bundle
is produced by `worker-build` at deploy time; the CI gate is the wasm
compile.
- **Deploy.** `wrangler.toml` here is for local `wrangler dev` only.
Production bindings (Hyperdrive, the compute-service URL/service
binding, OAuth + Orama config) and the deployment resources are managed
by Terraform in a later infra PR, mirroring
`terraform/cloudflare_frontend.tf`. None of that is wired up yet.

## Verification

Locally, on `wasm32-unknown-unknown` (toolchain 1.89.0):

- `cargo build --target wasm32-unknown-unknown --release` ✅
- `cargo clippy --target wasm32-unknown-unknown -- -D warnings` ✅
- `cargo fmt --check` ✅

No behavior change to the existing compute service.

Co-authored-by: crowlbot <crowlbot@users.noreply.github.com>
Fixes #1246.

## Repro

`api/src/npm/tarball.rs` previously called `header.set_mode(0o777)` for
every entry written into the npm-compat tarball. After publishing and
`npm install`ing a JSR package, every file in `node_modules/<pkg>/…`
ended up with the executable bit set, including `.d.ts` files. This
breaks tooling that warns on non-shebang executables (e.g. RPM
packaging).

## Fix

Use `0o644` for all tarball entries. The generated `package.json` has no
`bin` field, so no file in the npm-compat tarball is supposed to be
executable. `0o644` matches npm's default for non-bin files.

## Test

Extended the `test_npm_tarballs` spec runner to assert the mode of every
emitted entry. Verified manually that the assertion fails (`unexpected
mode 777`) before the one-line fix and passes after.
…ettings (#1428)

## What

The provider-logo `<img>` tags in the **Connect / Disconnect** buttons
on the account settings page (`/account/settings`) have no `alt`
attribute. Because they're rendered from
`asset(\`/logos/${serviceId}.svg\`)`, screen readers fall back to
announcing the image filename (e.g. *"github.svg"*) before the button's
own text.

These logos are purely decorative — each button already has a visible
text label that names the service ("Connect GitHub", "Disconnect
GitHub", …) — so they should be hidden from the accessibility tree.

## Change

Add `alt=""` to the two logo images in `Connection()`, matching the
existing convention already used for the other decorative provider/brand
logos across the frontend (e.g. the sign-in/provider logos in
`routes/new.tsx`, `routes/index.tsx`, `routes/packages.tsx`, and the
Orama logo in `islands/GlobalSearch.tsx`).

```diff
-        <img class="size-5" src={asset(`/logos/${serviceId}.svg`)} />
+        <img class="size-5" src={asset(`/logos/${serviceId}.svg`)} alt="" />
```

## Visual / a11y impact

- **Visual:** none — `alt=""` does not change rendering; the logos look
identical in light and dark mode.
- **Accessibility:** the decorative logos are now correctly omitted from
the accessibility tree, so screen readers announce only the button's
text label instead of the SVG filename.

## Testing

- `deno fmt --check` and `deno lint` pass on the changed file.

Co-authored-by: Leo Kettmeir <crowlkats@toaxl.com>
@pull pull Bot locked and limited conversation to collaborators Jun 5, 2026
@pull pull Bot added the ⤵️ pull label Jun 5, 2026
@pull pull Bot merged commit 440be34 into code:main Jun 5, 2026
1 check failed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants