… prevent counter drift
…thorized access to pending/spam comments
… access to pending or spam comments
… and prevent unauthorized comment posting
…rePost hook, enhancing security and preventing client-side ID manipulation
…ormalizing parentId, ensuring accurate cache targeting
…rify access control for comment list and count requests
…hance comment fetching logic
…anced user engagement
…oved status filters to admin sessions
…nents for enhanced user context
…re consistent dependency resolution
…aintain pending state in cache
…sistent installation and avoid cache issues
…ST response includes resolvedAuthorName and handling undefined values in getInitials function
…ies after page refresh, ensuring correct server-side handling of currentUserId
…icity and prevent orphaned replies
packages/stack/src/plugins/comments/client/components/comment-thread.tsx
| status: "approved", | ||
| currentUserId: params.currentUserId, | ||
| }).queryKey; | ||
| }; |
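Review bot: `status: "approved"` is hard-coded in the key built here, while `currentUserId` is taken from `params`. If the reply list is ever queried with a different status, the key built here will not match that query's key; either take the status from `params` as well, or add a comment above this helper stating that reply lists are always fetched as approved and listing every field that discriminates the key.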
Reply optimistic update targets wrong cache key
Medium Severity
The getListKey helper in usePostComment constructs a reply-list cache key without passing offset, so commentsListDiscriminator defaults to offset: 0. Meanwhile, RepliesSection uses useComments with offset: replyOffset, which can be 20, 40, etc. after clicking "Load more replies." When a user posts a reply while viewing a non-first page of replies, the optimistic update and onSuccess replacement both target the offset: 0 cache entry — not the one the component is subscribed to. Since onSuccess deliberately skips invalidateQueries for replies, the new reply is silently invisible until the user collapses and re-expands the section.
Additional Locations (1)
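The mismatch described in the review above, reduced to a runnable sketch. This is an added example, not code from the pull request: a `Map` stands in for the query cache, and `listKey`, `ReplyCache`, the two `postReply*` functions and the sample ids are hypothetical names; passing the offset through is one possible correction, not necessarily the one the PR adopted.

```typescript
// Added illustration: a Map stands in for the query cache; all names are hypothetical.
type Reply = { id: string; body: string };
type ListParams = { parentId: string; currentUserId?: string; offset?: number };

// Mirrors the behaviour the review describes: a missing offset defaults to 0.
function listKey(p: ListParams): string {
  return JSON.stringify(["comments", "list", {
    parentId: p.parentId,
    status: "approved",
    currentUserId: p.currentUserId ?? null,
    offset: p.offset ?? 0,
  }]);
}

class ReplyCache {
  private pages = new Map<string, Reply[]>();
  read(key: string): Reply[] { return this.pages.get(key) ?? []; }
  append(key: string, reply: Reply): void {
    this.pages.set(key, [...this.read(key), reply]);
  }
}

// Optimistic write as the review describes it: the key is built without the offset.
function postReplyBuggy(cache: ReplyCache, p: ListParams, reply: Reply): void {
  const key = listKey({ parentId: p.parentId, currentUserId: p.currentUserId });
  cache.append(key, reply);
}

// Corrected write: the key carries the offset of the page the component is subscribed to.
function postReplyFixed(cache: ReplyCache, p: ListParams, reply: Reply): void {
  cache.append(listKey(p), reply);
}

// What the replies component would render for the page identified by p.
function visibleReplies(cache: ReplyCache, p: ListParams): string[] {
  return cache.read(listKey(p)).map((r) => r.id);
}

// Constructed scenario: the user has paged to offset 20 and posts a reply.
function demo(): { buggy: string[]; fixed: string[] } {
  const page: ListParams = { parentId: "c1", currentUserId: "u1", offset: 20 };
  const reply: Reply = { id: "r-new", body: "constructed sample reply" };
  const a = new ReplyCache();
  postReplyBuggy(a, page, reply);
  const b = new ReplyCache();
  postReplyFixed(b, page, reply);
  return { buggy: visibleReplies(a, page), fixed: visibleReplies(b, page) };
}
```

With no invalidation after the write, the buggy path leaves the offset-20 page empty until the list is refetched, which matches the "silently invisible" symptom in the review.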
packages/stack/src/plugins/comments/client/components/comment-thread.tsx
Cursor Bugbot has reviewed your changes and found 1 potential issue.
…entries in local state


Summary
Type of change
Checklist
pnpm build passes
pnpm typecheck passes
pnpm lint passes
docs/content/docs/) if consumer-facing types or behavior changed
Screenshots
Note
Medium Risk
Adds a new first-party comments plugin (new API endpoints, client routes, and example wiring) which affects moderation/access-control surfaces and requires careful review of default security hooks. CI/e2e changes are low risk but may impact test runtime and artifact naming.
Overview
Introduces a new Comments plugin with threaded replies, likes, editing, moderation UI routes, and a “My comments” page, plus public exports/CSS and version bump to @btst/stack@2.8.0.
Updates all three example apps to register the comments backend/client plugins, import plugin CSS, embed CommentThread via new blog/kanban slot overrides, and adds PATCH support to the framework API handlers.
Expands Playwright coverage with smoke.comments.spec.ts, adds per-framework e2e:smoke:* scripts, and changes the GitHub Actions E2E workflow to run a framework matrix in parallel with per-framework concurrency groups and artifacts; docs are updated to describe the new plugin and the per-framework E2E workflow, plus minor CLI/install doc tweaks.
Written by Cursor Bugbot for commit 97b2b01. This will update automatically on new commits.