
Release 8.4.1#40368

Open
rocketchat-github-ci wants to merge 9 commits into master from release-8.4.1

Conversation


@rocketchat-github-ci rocketchat-github-ci commented May 3, 2026

Summary by CodeRabbit

  • Chores

    • Marked a patch release for the meteor package via a changeset.
    • Updated numerous dependency and dev-dependency versions across the repo (linting, build, tooling, and runtime libraries).
  • Bug Fixes

    • Restored SAML decryption behavior to maintain compatibility for SAML-based logins.

You can see below a preview of the release change log:

8.4.1

Engine versions

  • Node: 22.16.0
  • Deno: 2.3.1
  • MongoDB: 8.0
  • Apps-Engine: 1.62.0

Patch Changes


changeset-bot Bot commented May 3, 2026

🦋 Changeset detected

Latest commit: 5b291c3

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 43 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/model-typings Patch
@rocket.chat/core-typings Patch
@rocket.chat/models Patch
@rocket.chat/i18n Patch
@rocket.chat/apps Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/omnichannel-services Patch
rocketchat-services Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/rest-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/abac Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch
@rocket.chat/server-fetch Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/network-broker Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/ui-composer Patch


dionisio-bot Bot commented May 3, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


coderabbitai Bot commented May 3, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds a changeset for a patch bump to @rocket.chat/meteor, upgrades many runtime and dev dependency versions across the monorepo, adds explicit TypeScript annotations to Octokit throttling callbacks, and passes disallowDecryptionWithInsecureAlgorithm: false to SAML decryption calls.

Changes

Monorepo dependency bump, release marker, typings, and SAML decryption flag

Layer / File(s) / Summary

  • Release marker: .changeset/bump-patch-1777809871566.md
    Creates a changeset declaring a patch bump for @rocket.chat/meteor with a short message.
  • Root resolutions & tooling: package.json
    Updates resolutions for @react-aria/* entries and bumps root dev tooling (@changesets/cli, eslint, turbo).
  • Core apps: apps/meteor/package.json, apps/uikit-playground/package.json
    Multiple runtime and dev dependency bumps and specifier tightenings in apps/meteor (e.g., @opentelemetry/api, adm-zip, bson, codemirror, dompurify, katex, overlayscrollbars, qs, react-virtuoso, twilio, xml-encryption, zustand, webpack, eslint) and a small bump in uikit-playground.
  • EE apps & packages: ee/apps/*, ee/packages/*
    Predominantly patch-level devDependency updates (mainly eslint) and a few runtime/dev bumps (uuid, sanitize-html, various @types/*).
  • Packages (libs, UI, tooling): packages/*, packages/ui-*, packages/fuselage-ui-kit, packages/storybook-config, ...
    Widespread devDependency and selective runtime upgrades across many packages: eslint, @types/react, react-virtuoso, webpack, ts-jest, @msgpack/msgpack, adm-zip, esbuild, @swc/core, dompurify, @opentelemetry/api. Several specifiers tightened.
  • Build/test tooling consistency: packages/*/package.json (many)
    Consistent dev tooling bumps across many packages (eslint, ts-jest, jest, tinybench, vite, @types/*).
  • Octokit typings: packages/release-action/src/setupOctokit.ts
    Adds explicit TypeScript parameter annotations to Octokit throttling callbacks (onRateLimit, onSecondaryRateLimit) without changing runtime behavior.
  • SAML decryption option: apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
    xmlenc.decrypt calls for assertion and subject decryption now explicitly pass disallowDecryptionWithInsecureAlgorithm: false alongside the private key to preserve previous behavior under xml-encryption v4.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: chore

Suggested reviewers

  • ggazzo
  • tassoevan
  • d-gubert
🚥 Pre-merge checks | ✅ 5 passed

  • Title check: ✅ Passed. The title 'Release 8.4.1' directly and clearly summarizes the main change—preparing a patch release of version 8.4.1, which aligns with the extensive dependency updates and changeset metadata visible throughout the PR.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 2 files


codecov Bot commented May 3, 2026

Codecov Report

❌ Patch coverage is 72.60274% with 40 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.92%. Comparing base (bb8c7be) to head (5b291c3).

@@            Coverage Diff             @@
##           master   #40368      +/-   ##
==========================================
- Coverage   69.97%   69.92%   -0.05%     
==========================================
  Files        3299     3307       +8     
  Lines      120261   120581     +320     
  Branches    21559    21590      +31     
==========================================
+ Hits        84153    84318     +165     
- Misses      32830    32976     +146     
- Partials     3278     3287       +9     
Flag Coverage Δ
e2e 59.70% <ø> (+<0.01%) ⬆️
e2e-api 46.30% <81.25%> (-0.78%) ⬇️
unit 70.67% <70.45%> (-0.10%) ⬇️

@julio-rocketchat julio-rocketchat requested review from a team as code owners May 3, 2026 14:46
dionisio-bot Bot and others added 2 commits May 3, 2026 18:02
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts`:
- Around line 211-213: Update the xml-encryption options object used in
Response.ts (the const options in the Response class where
disallowDecryptionWithInsecureAlgorithm is set to false) to include
warnInsecureAlgorithm: false to suppress per-login console warnings, and revise
the surrounding comment to remove the outdated "3DES" reference (mentioning only
AES-CBC compatibility concerns); also make the identical change to the options
passed in getSubject so both decryption call sites use warnInsecureAlgorithm:
false and have the corrected comment.
📥 Commits

Reviewing files that changed from the base of the PR and between b05e5d0 and daacbd1.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (4)
  • .github/actions/update-version-durability/package.json
  • apps/meteor/app/meteor-accounts-saml/server/lib/parsers/Response.ts
  • apps/meteor/package.json
  • package.json
✅ Files skipped from review due to trivial changes (1)
  • .github/actions/update-version-durability/package.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • package.json
  • apps/meteor/package.json
Comment on lines +211 to +213
// disallowDecryptionWithInsecureAlgorithm defaults to true in xml-encryption v4, but AES-CBC/3DES
// are still widely used by SAML IdPs in practice, so we keep the pre-v4 behaviour here.
const options = { key: this.serviceProviderOptions.privateKey, disallowDecryptionWithInsecureAlgorithm: false };
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

disallowDecryptionWithInsecureAlgorithm: false degrades security posture and will produce per-login stderr noise

xml-encryption versions prior to 4.0 treated AES-128-CBC and AES-256-CBC as secure; in v4 they are classified as insecure because CBC mode does not provide integrity guarantees. The deliberate opt-out here is understandable for broad IdP compatibility, but two follow-up concerns are worth addressing:

  1. Per-login stderr noise. When disallowDecryptionWithInsecureAlgorithm: false and an insecure algorithm is encountered, a warning is piped to stderr via console.warn() by default; this can be disabled via the warnInsecureAlgorithm flag. Since AES-CBC is the most common SAML encryption algorithm, every SSO login attempt will generate console noise in production unless warnInsecureAlgorithm: false is added to the options.

  2. 3DES reference in the comment is dead code. Node 18+ does not support Triple DES algorithms, and this PR targets Node 22.16.0, so the comment mentioning "3DES" is misleading — it will never be reached regardless of this flag.

🛠️ Proposed options fix
-// disallowDecryptionWithInsecureAlgorithm defaults to true in xml-encryption v4, but AES-CBC/3DES
-// are still widely used by SAML IdPs in practice, so we keep the pre-v4 behaviour here.
-const options = { key: this.serviceProviderOptions.privateKey, disallowDecryptionWithInsecureAlgorithm: false };
+// xml-encryption v4 classifies AES-CBC as insecure; opt out for backwards compatibility with common IdPs.
+const options = { key: this.serviceProviderOptions.privateKey, disallowDecryptionWithInsecureAlgorithm: false, warnInsecureAlgorithm: false };
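Review bot: Adding warnInsecureAlgorithm: false on the `+const options` line silences the only runtime signal that a CBC-encrypted assertion was accepted, so operators lose the evidence they need to move their IdPs off AES-CBC; if the problem is one console.warn per login, emit a single once-per-issuer or rate-limited line through the server logger instead of turning the warning off. The replacement comment also drops the statement that the flag restores pre-v4 behaviour, which is exactly the context a later reader needs when deciding whether the opt-out can be removed.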

Apply the same change to the getSubject options at line 355.

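The once-per-issuer alternative to a blanket warnInsecureAlgorithm: false, as an added example (not Rocket.Chat's code and not xml-encryption's API): it reads the data-cipher URI from an EncryptedAssertion before the xmlenc.decrypt call, keeps the PR's option object, and logs the first time each IdP presents a CBC cipher. The algorithm URIs, the sampleAssertion skeleton and the InsecureAlgorithmMonitor name are assumptions; the CBC/GCM classification is assumed to mirror xml-encryption v4.

```typescript
type AlgorithmClass = 'secure' | 'insecure' | 'unknown';
// Assumed to mirror xml-encryption v4: CBC data ciphers carry no integrity check and are only
// accepted when disallowDecryptionWithInsecureAlgorithm is false; GCM ciphers are authenticated.
const INSECURE_ALGORITHMS = new Set(['http://www.w3.org/2001/04/xmlenc#aes128-cbc', 'http://www.w3.org/2001/04/xmlenc#aes256-cbc']);
const SECURE_ALGORITHMS = new Set(['http://www.w3.org/2009/xmlenc11#aes128-gcm', 'http://www.w3.org/2009/xmlenc11#aes256-gcm']);

// Constructed sample (not a real IdP response): a skeleton EncryptedAssertion with the data cipher
// as a parameter; the nested EncryptedKey uses RSA-OAEP and must not be mistaken for it.
function sampleAssertion(dataAlgorithm: string): string {
  return `<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="${dataAlgorithm}"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>`;
}

// In XML Encryption the EncryptedData element's own EncryptionMethod precedes KeyInfo, so the first
// EncryptionMethod after <EncryptedData> is the data cipher, not the RSA key-transport method.
function dataEncryptionAlgorithm(encryptedXml: string): string | undefined {
  const m = /<(?:\w+:)?EncryptedData\b[\s\S]*?<(?:\w+:)?EncryptionMethod\b[^>]*\bAlgorithm="([^"]+)"/.exec(encryptedXml);
  return m ? m[1] : undefined;
}

function classifyAlgorithm(uri: string | undefined): AlgorithmClass {
  if (uri !== undefined && INSECURE_ALGORITHMS.has(uri)) return 'insecure';
  if (uri !== undefined && SECURE_ALGORITHMS.has(uri)) return 'secure';
  return 'unknown';
}

// Remembers (issuer, algorithm) pairs already reported, so operators get one log line per IdP
// instead of xml-encryption's console.warn on every login.
class InsecureAlgorithmMonitor {
  private readonly reported = new Set<string>();
  private readonly log: (message: string) => void;
  constructor(log: (message: string) => void) { this.log = log; }

  // Returns the PR's xmlenc.decrypt options plus warnInsecureAlgorithm: false, and whether this call reported anything new.
  optionsFor(issuer: string, encryptedXml: string, privateKey: string) {
    const algorithm = dataEncryptionAlgorithm(encryptedXml);
    const seenKey = `${issuer}|${algorithm ?? 'unknown'}`;
    let reportedNow = false;
    if (classifyAlgorithm(algorithm) !== 'secure' && !this.reported.has(seenKey)) {
      this.reported.add(seenKey);
      reportedNow = true;
      this.log(`SAML IdP ${issuer} encrypts assertions with ${algorithm ?? 'an unrecognised algorithm'}, not an authenticated (GCM) cipher; plan a move to AES-GCM`);
    }
    const options = { key: privateKey, disallowDecryptionWithInsecureAlgorithm: false, warnInsecureAlgorithm: false };
    return { options, algorithm, reportedNow };
  }
}
```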

dionisio-bot Bot and others added 4 commits May 3, 2026 20:52
…rser etc) and replace twit (#40371)
