Summary
Following #51 / #52 (navigator.credentials is non-configurable on WebKit, so the Object.defineProperty() call added in 3.2.1 threw and loadOnce() rejected on all iOS browsers and desktop Safari), two gaps remain that let the regression both ship and linger in dependents:
-
No browser test exercised load(). CI runs lint only — there was no automated assertion that load() succeeds in any browser, so the WebKit breakage shipped undetected from 3.2.1 onward.
-
No signal pushed the fix downstream. Consumers pin ^4.0.x and would resolve the patched version on a fresh install, but lockfiles stayed pinned to the broken version and nothing prompted a bump + redeploy.
This issue proposes monitoring/guardrails across three layers. It is a proposal for discussion — the open questions at the bottom should be resolved before implementation.
Layer 1 — Browser-API regression detection
1a. Cross-browser smoke test in CI (highest leverage).
1b. External browser-release feed (optional second layer).
- Watch WebKit/Chromium release notes and web-platform-tests deltas for Credential Management API /
navigator.credentials changes, to flag upcoming behavior changes before they reach stable. Noisier; does not prove our code breaks (1a does).
Layer 2 — Downstream propagation
2a. Dependabot.
- Add
.github/dependabot.yml (npm) so a new release auto-opens a lockfile-bump PR in this repo and in dependents.
2b. Staleness check.
- A small script reporting, per consumer: pinned range, resolved (lockfile) version, and latest published — flagging anyone behind. Runnable on demand or on a schedule.
Layer 3 — External consumers
-
Publish release notes / advisory for the fix.
-
Consider npm deprecate on the affected version range with a message pointing at the WebKit breakage, so installers see a warning.
Open questions
-
WebKit in CI: Playwright's bundled WebKit (Linux, fast) vs. real Safari on a macOS runner (accurate, costlier)? Bundled WebKit already exhibits the non-configurable navigator.credentials behavior.
-
Layer 1b: build now, or defer until 1a is proven?
-
Dependabot rollout: this repo only, or this repo plus direct consumers?
-
Ownership of any scheduled check (1b / 2b): scheduled GitHub Action vs. run-on-demand?
-
npm deprecate: acceptable to deprecate the affected range, given some pinned consumers would then warn on install?
Summary
Following #51 / #52 (
navigator.credentialsis non-configurable on WebKit, so theObject.defineProperty()call added in 3.2.1 threw andloadOnce()rejected on all iOS browsers and desktop Safari), two gaps remain that let the regression both ship and linger in dependents:No browser test exercised
load(). CI runs lint only — there was no automated assertion thatload()succeeds in any browser, so the WebKit breakage shipped undetected from 3.2.1 onward.No signal pushed the fix downstream. Consumers pin
^4.0.xand would resolve the patched version on a fresh install, but lockfiles stayed pinned to the broken version and nothing prompted a bump + redeploy.This issue proposes monitoring/guardrails across three layers. It is a proposal for discussion — the open questions at the bottom should be resolved before implementation.
Layer 1 — Browser-API regression detection
1a. Cross-browser smoke test in CI (highest leverage).
Add Playwright with
chromium,firefox, andwebkitprojects.A test page loads the built bundle, calls
loadOnce(), and asserts: it resolves without throwing;window.WebCredentialis defined; andnavigator.credentials.get/.storeare functions (patched).The
webkitproject reproduces loadOnce() throws on iOS (WebKit) since 3.2.1: cannot redefine navigator.credentials #51 directly (red before Do not throw when navigator.credentials cannot be redefined #52, green after).Add a
testscript and atestCI job as a sibling oflint(noneeds:, runs in parallel). This makes the regression class fail pre-publish.1b. External browser-release feed (optional second layer).
navigator.credentialschanges, to flag upcoming behavior changes before they reach stable. Noisier; does not prove our code breaks (1a does).Layer 2 — Downstream propagation
2a. Dependabot.
.github/dependabot.yml(npm) so a new release auto-opens a lockfile-bump PR in this repo and in dependents.2b. Staleness check.
Layer 3 — External consumers
Publish release notes / advisory for the fix.
Consider
npm deprecateon the affected version range with a message pointing at the WebKit breakage, so installers see a warning.Open questions
WebKit in CI: Playwright's bundled WebKit (Linux, fast) vs. real Safari on a macOS runner (accurate, costlier)? Bundled WebKit already exhibits the non-configurable
navigator.credentialsbehavior.Layer 1b: build now, or defer until 1a is proven?
Dependabot rollout: this repo only, or this repo plus direct consumers?
Ownership of any scheduled check (1b / 2b): scheduled GitHub Action vs. run-on-demand?
npm deprecate: acceptable to deprecate the affected range, given some pinned consumers would then warn on install?