Skip to content

feat: remove --ssr functionality from sites / resolve vulnerabilities @W-20203809 #561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nrkruk wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: remove --ssr functionality from sites / resolve vulnerabilities @W-20203809 #561

nrkruk wants to merge 3 commits into from

Conversation

@nrkruk
Copy link
Collaborator

@nrkruk nrkruk commented Nov 19, 2025
edited
Loading

What does this PR do?

This PR removes SSR (Server-Side Rendering) functionality and LWR dependencies from the plugin-lightning-dev to resolve critical security vulnerabilities.

Changes made:

  • Removed --ssr flag from the sf lightning dev site command
  • Removed --get-latest and --guest flags (only used for SSR functionality)
  • Removed @lwrjs/api dependency from package.json
  • Removed link-lwr and unlink-lwr scripts from package.json
  • Removed serveSSRSite method and related code
  • Removed isSiteSetup method from ExperienceSite class
  • Updated glob dependency to 10.5.0 to fix HIGH severity vulnerability (CVE-2025-64756)
  • Updated command documentation and examples

Impact:

  • The sf lightning dev site command now only supports the non-SSR preview mode
  • All existing tests pass
  • Build completes successfully without errors

What issues does this PR fix or reference?

@W-20203809@

@nrkruk nrkruk requested review from a team as code owners November 19, 2025 16:21
@nrkruk
chore: remove SSR-specific dead code from ExperienceSite class
af473ed 
- Removed all SSR download and metadata management methods
- Removed SiteMetadata types and caching
- Reduced file from 444 lines to 115 lines (74% reduction)
- Only kept methods needed for preview URL generation:
  - getAllExpSites() - list sites
  - getPreviewUrl() - get preview URL
  - getNetworkId() - helper for preview URL
- Removed test file for deleted getRemoteMetadata method
@nrkruk nrkruk changed the title chore: remove SSR functionality and LWR dependencies to resolve vulnerabilities @W-20203809@ feat: remove SSR functionality and LWR dependencies to resolve vulnerabilities @W-20203809 Nov 19, 2025
@nrkruk nrkruk self-assigned this Nov 19, 2025
@nrkruk nrkruk changed the title feat: remove SSR functionality and LWR dependencies to resolve vulnerabilities @W-20203809 feat: remove --ssr functionality from sites / resolve vulnerabilities @W-20203809 Nov 19, 2025
@nrkruk nrkruk force-pushed the nkruk/w20203809-remove-ssr-lwr-dependencies branch from 8f43d98 to af473ed Compare November 19, 2025 17:00
@nrkruk
docs: remove LWR-specific development instructions
436c390 
- Removed entire 'LWR Sites Development Environment' section
- Removed references to yarn link-lwr commands
- Removed LWR debugging instructions
- Simplified debugging section to focus on plugin debugging only
- Updated to be more generic and applicable to all commands
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@nrkruk nrkruk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nrkruk