Skip to content

Support "use workflow" serialization for Sandbox and Command#72

Merged
Schniz merged 19 commits intomainfrom
malte/serde
Mar 27, 2026
Merged

Support "use workflow" serialization for Sandbox and Command#72
Schniz merged 19 commits intomainfrom
malte/serde

Conversation

@cramforce
Copy link
Copy Markdown
Contributor

@cramforce cramforce commented Mar 1, 2026
edited by pranaygp
Loading

Does not add "use step" anywhere, so users will have to do this themselves. It could be done, but it is hard to reconzile with the use of AbortSignals and also won't be very useful in practice.

Introduces Sandbox.setCredentials to allow creating APIClient from serialized values.

Note: this needs #109 to actually work

@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented Mar 1, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
sandbox Ready Ready Preview, Comment, Open in v0 Mar 27, 2026 9:54pm
sandbox-cli Ready Ready Preview, Comment, Open in v0 Mar 27, 2026 9:54pm
sandbox-sdk Ready Ready Preview, Comment, Open in v0 Mar 27, 2026 9:54pm
sandbox-sdk-ai-example Ready Ready Preview, Comment, Open in v0 Mar 27, 2026 9:54pm
vercel-sandbox-sdk-tests Error Error Open in v0 Mar 27, 2026 9:54pm
workflow-code-runner Ready Ready Preview, Comment, Open in v0 Mar 27, 2026 9:54pm

Request Review

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Mar 1, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​next@​16.0.106277919770
Addednpm/​@​workflow/​serde@​4.1.0-beta.2691007289100
Addednpm/​@​workflow/​core@​4.2.0-beta.739710075100100
Addednpm/​react@​19.2.31001008497100
Addednpm/​workflow@​4.2.0-beta.739910085100100
Addednpm/​zod@​4.3.610010010088100
Addednpm/​ai@​5.0.1579210010099100
Addednpm/​react-dom@​19.2.31001009298100

View full report

@cramforce cramforce requested a review from Schniz March 1, 2026 14:32
@cramforce cramforce changed the title Support "use workflow" sealization for Sandbox and Command Support "use workflow" seralization for Sandbox and Command Mar 1, 2026
@cramforce cramforce changed the title Support "use workflow" seralization for Sandbox and Command Support "use workflow" serialization for Sandbox and Command Mar 1, 2026
Schniz
Schniz reviewed Mar 1, 2026
View reviewed changes
Comment thread packages/vercel-sandbox/src/sandbox.ts Outdated
Comment thread packages/vercel-sandbox/package.json
Comment thread packages/vercel-sandbox/README.md Outdated
Comment thread README.md Outdated
Comment thread packages/vercel-sandbox/src/sandbox.ts Outdated
@pranaygp @claude
address PR review comments
cc3eb5a 
- Remove Sandbox.setCredentials, keep standalone setSandboxCredentials as canonical API
- Make projectId optional in setSandboxCredentials (new SandboxCredentials type)
- Compose CommandFinished serialization via Command[WORKFLOW_SERIALIZE]
- Fix README wording per Schniz suggestion
- Remove OPENAI_API_KEY from .env.local.example (use gateway)
- Add comment about `both` losing interleaved stream order
- Add Command serialization tests (12 tests)
- Add sandbox-credentials unit tests (5 tests)
- Add deserialized+credentials flow test
- Exclude integration tests from default vitest run (require SWC plugin)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Mar 27, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
High CVE: npm path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters

CVE: GHSA-37ch-88jc-xwx2 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters (HIGH)

Affected versions: < 0.1.13

Patched version: 0.1.13

From: pnpm-lock.yamlnpm/workflow@4.2.0-beta.73npm/path-to-regexp@0.1.12

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-to-regexp@0.1.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

pranaygp
pranaygp reviewed Mar 27, 2026
View reviewed changes
Comment thread packages/vercel-sandbox/package.json Outdated
@pranaygp @claude
fix quote style to match codebase convention (double quotes)
b03e29b 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@pranaygp @claude
run prettier on all changed files
7419fff 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@pranaygp @claude
remove setSandboxCredentials — ensureClient already uses getCredentia…
829e900 
…ls()

The lazy client in ensureClient() already falls back to OIDC/env var
credentials via getCredentials(), so deserialized instances transparently
recreate their API client without any explicit credential setup.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pranaygp and others added 2 commits March 27, 2026 14:51
@pranaygp @claude
bump @workflow/core to 4.2.0-beta.73, add workflow devDependencies
1191ab3 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@pranaygp @claude
remove unused @workflow/vitest and workflow devDependencies
5e3792d 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot mentioned this pull request Apr 1, 2026
Merged
@marc-vercel marc-vercel mentioned this pull request Apr 8, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pranaygp pranaygp pranaygp left review comments

@Schniz Schniz Schniz approved these changes

@vercel vercel[bot] vercel[bot] left review comments

@TooTallNate TooTallNate Awaiting requested review from TooTallNate

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cramforce @pranaygp @Schniz @TooTallNate