
Dev clarity hands on #1015

Draft
BTreston wants to merge 18 commits into main from dev-clarity-hands-on

Conversation

BTreston (Contributor) commented Feb 26, 2026

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-31159

📔 Objective

This is a massive modernization PR that combines multiple phases of the Directory Connector tech debt roadmap. It merges:

  1. Phase 1: StateService Rewrite (from PR [PM-31159] State service rewrite #990)
  2. Phase 2: Remove remaining jslib code (partial, focused on CryptoService, TokenService, etc.)
  3. Phase 5: ESM file Migration (CommonJS → ES Modules) (note: does not enable `type: module` in package.json yet)

Key Changes

  1. State Service Modernization:
  • Merged the vNext StateService implementation that replaces the monolithic account-based StateService
  • Flattened account structure to simple key-value storage
  • Added State Version 5 migration logic
  • Removed old StateService dependencies
  2. ESM Migration:
  • Migrated all CommonJS files to ES Modules
  • Updated configuration files (webpack, jest, electron-builder) to ESM
  • Converted require() to import statements throughout the codebase
  • Created a custom skill for CJS→ESM migration (.claude/skills/commonjs-to-esm/)
  3. jslib Cleanup:
  • Removed significant amounts of unused jslib code (6,263 deletions)
  • Cleaned up Account models, State factories, and unnecessary abstractions
  • Removed hard-coded state keys
  • Fixed environment URLs and account state migration
  4. Service Updates:
  • Updated all callers to use vNext StateService
  • Migrated Electron, window/tray, and UI state management
  • Updated AuthService, SyncService, EnvironmentService, TokenService
  • Fixed integration tests for new state structure

📸 Screenshots

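As an added illustration of the "flattened key-value storage" and "State Version 5 migration" the PR description mentions, here is a small versioned migration runner. This is example code written for this page, not Directory Connector's own StateService or migration code; the key names (`stateVersion`, `accounts`, `activeUserId`, `userId`, `accessToken`, `refreshToken`, `environmentUrls`), the v4 shape and the sample store are assumptions. It shows the three properties a practitioner would check in such a migration: it is idempotent, it refuses state newer than it understands instead of guessing, and it refuses to silently pick one account when more than one is present.

```typescript
// Added example, not Directory Connector code. Key names and the v4 layout are assumed.

type StateStore = Record<string, unknown>;

const STATE_VERSION_KEY = "stateVersion"; // assumed key name
const TARGET_STATE_VERSION = 5;

// Hypothetical v4 layout: everything lives under accounts[<userId>].
interface LegacyAccount {
  profile?: { userId: string; email?: string };
  tokens?: { accessToken?: string; refreshToken?: string };
  settings?: { environmentUrls?: { base?: string } };
}

interface Migration {
  from: number; // state version this step expects to find
  run(store: StateStore): StateStore;
}

// v4 -> v5: flatten the single nested account into top-level keys.
function flattenAccounts(store: StateStore): StateStore {
  const accounts = (store["accounts"] ?? {}) as Record<string, LegacyAccount>;
  const out: StateStore = {};
  // Carry every non-account entry over unchanged (window state, version, ...).
  for (const [k, v] of Object.entries(store)) {
    if (k !== "accounts" && k !== "activeUserId") out[k] = v;
  }
  const userIds = Object.keys(accounts);
  // A flat store can hold one account; refuse rather than silently drop one.
  if (userIds.length > 1) throw new Error("cannot flatten a store with multiple accounts");
  const acct = userIds.length === 1 ? accounts[userIds[0]] : undefined;
  if (acct) {
    out["userId"] = acct.profile?.userId ?? userIds[0];
    if (acct.tokens?.accessToken !== undefined) out["accessToken"] = acct.tokens.accessToken;
    if (acct.tokens?.refreshToken !== undefined) out["refreshToken"] = acct.tokens.refreshToken;
    if (acct.settings?.environmentUrls) out["environmentUrls"] = acct.settings.environmentUrls;
  }
  return out;
}

const MIGRATIONS: Migration[] = [{ from: 4, run: flattenAccounts }];

// Applies migrations step by step until the store is at TARGET_STATE_VERSION.
// Running it on an already-migrated store is a no-op; a newer store is rejected.
function migrateState(input: StateStore): StateStore {
  let store: StateStore = { ...input };
  const raw = store[STATE_VERSION_KEY];
  let version = typeof raw === "number" ? raw : 4; // unversioned legacy data treated as v4 (assumption)
  if (version > TARGET_STATE_VERSION) {
    throw new Error(`state version ${version} is newer than supported version ${TARGET_STATE_VERSION}`);
  }
  while (version < TARGET_STATE_VERSION) {
    const step = MIGRATIONS.find((m) => m.from === version);
    if (!step) throw new Error(`no migration registered from state version ${version}`);
    store = step.run(store);
    version += 1;
    store[STATE_VERSION_KEY] = version;
  }
  return store;
}

// Constructed sample of the assumed v4 layout (not real data).
const SAMPLE_V4_STATE: StateStore = {
  stateVersion: 4,
  activeUserId: "user-1",
  accounts: {
    "user-1": {
      profile: { userId: "user-1", email: "admin@example.test" },
      tokens: { accessToken: "tok-constructed", refreshToken: "rt-constructed" },
      settings: { environmentUrls: { base: "https://vault.example.test" } },
    },
  },
  windowState: { width: 800, height: 600 }, // unrelated setting, must survive the migration
};
```

Usage: `migrateState(SAMPLE_V4_STATE)` returns a flat store at version 5 with `userId`, `accessToken`, `refreshToken`, `environmentUrls` and `windowState` at the top level and no `accounts` key; calling it again on that result returns an identical store.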
github-actions bot (Contributor) commented Feb 26, 2026

Checkmarx One – Scan Summary & Details b07d9245-2f02-4f09-9988-3533eba6ab7d


New Issues (16): Checkmarx found the following issues in this Pull Request

# | Severity | Issue | Source File / Package | Checkmarx Insight

1 | HIGH | CVE-2026-2441 | Npm-electron-39.2.1
   Description: Use After Free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HT...
   Attack Vector: NETWORK; Attack Complexity: LOW; Vulnerable Package

2 | HIGH | CVE-2026-2648 | Npm-electron-39.2.1
   Description: Heap Buffer Overflow in PDFium in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to perform an out of bounds memory write via a cr...
   Attack Vector: NETWORK; Attack Complexity: LOW; Vulnerable Package

3 | HIGH | CVE-2026-2649 | Npm-electron-39.2.1
   Description: Integer Overflow in V8 in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML...
   Attack Vector: NETWORK; Attack Complexity: LOW; Vulnerable Package

4 | HIGH | CVE-2026-2650 | Npm-electron-39.2.1
   Description: Heap Buffer Overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a craft...
   Attack Vector: NETWORK; Attack Complexity: LOW; Vulnerable Package

5 | HIGH | CVE-2026-26996 | Npm-minimatch-3.1.2
   Recommended version: 3.1.3
   Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
   Attack Vector: NETWORK; Attack Complexity: LOW; Vulnerable Package

6 | HIGH | CVE-2026-26996 | Npm-minimatch-9.0.5
   Recommended version: 9.0.6
   Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
   Attack Vector: NETWORK; Attack Complexity: LOW; Vulnerable Package

7 | HIGH | CVE-2026-26996 | Npm-minimatch-5.1.6
   Recommended version: 5.1.7
   Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
   Attack Vector: NETWORK; Attack Complexity: LOW; Vulnerable Package

8 | HIGH | CVE-2026-27606 | Npm-rollup-4.57.1
   Recommended version: 4.59.0
   Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ...
   Attack Vector: NETWORK; Attack Complexity: LOW; Vulnerable Package

9 | MEDIUM | Use_Of_Hardcoded_Password | /src/services/state-service/state.service.spec.ts: 129
   Description: The application uses the hard-coded password "secret-password" for authentication purposes, either using it to verify users' identities, or to ac...
   Attack Vector

10 | MEDIUM | Use_Of_Hardcoded_Password | /src/services/state-service/state.service.spec.ts: 475
   Description: The application uses the hard-coded password "secret-password" for authentication purposes, either using it to verify users' identities, or to ac...
   Attack Vector

11 | MEDIUM | Use_Of_Hardcoded_Password | /src/services/state-service/state.service.spec.ts: 129
   Description: The application uses the hard-coded password "secret-password" for authentication purposes, either using it to verify users' identities, or to ac...
   Attack Vector

12 | MEDIUM | Use_Of_Hardcoded_Password | /src/services/state-service/state.service.spec.ts: 475
   Description: The application uses the hard-coded password "secret-password" for authentication purposes, either using it to verify users' identities, or to ac...
   Attack Vector

13 | MEDIUM | Use_Of_Hardcoded_Password | /src/services/token/token.service.ts: 15
   Description: The application uses the hard-coded password "apiKeyClientSecret" for authentication purposes, either using it to verify users' identities, or to ...
   Attack Vector

14 | MEDIUM | Use_Of_Hardcoded_Password | /src/services/token/token.service.ts: 15
   Description: The application uses the hard-coded password "apiKeyClientSecret" for authentication purposes, either using it to verify users' identities, or to ...
   Attack Vector

15 | MEDIUM | Use_Of_Hardcoded_Password | /src/services/token/token.service.ts: 15
   Description: The application uses the hard-coded password "apiKeyClientSecret" for authentication purposes, either using it to verify users' identities, or to ...
   Attack Vector

16 | LOW | Cx5f84137a-beef | Npm-hono-4.11.9
   Recommended version: 4.11.10
   Description: The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe. The timingSafeEqual function used normal str...
   Attack Vector: NETWORK; Attack Complexity: HIGH; Vulnerable Package

codecov bot commented Feb 26, 2026

Codecov Report

❌ Patch coverage is 36.10108% with 354 lines in your changes missing coverage. Please review.
✅ Project coverage is 20.24%. Comparing base (984ae97) to head (5afdd23).
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
...c/services/state-service/stateMigration.service.ts 0.00% 168 Missing ⚠️
src/services/token/token.service.ts 0.00% 36 Missing ⚠️
src/services/environment/environment.service.ts 0.00% 34 Missing ⚠️
src/app/accounts/environment.component.ts 0.00% 25 Missing ⚠️
src/app/services/services.module.ts 0.00% 20 Missing ⚠️
src/utils/jwt.util.ts 0.00% 20 Missing ⚠️
src/services/state-service/state.service.ts 90.90% 14 Missing and 4 partials ⚠️
src/bwdc.ts 0.00% 13 Missing ⚠️
src/main.ts 0.00% 8 Missing ⚠️
src/commands/config.command.ts 0.00% 5 Missing ⚠️
... and 5 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1015      +/-   ##
==========================================
+ Coverage   15.11%   20.24%   +5.12%     
==========================================
  Files          67       73       +6     
  Lines        2798     2998     +200     
  Branches      483      532      +49     
==========================================
+ Hits          423      607     +184     
- Misses       2271     2285      +14     
- Partials      104      106       +2     


sonarqubecloud bot commented

Quality Gate failed

Failed conditions
E Security Rating on New Code (required ≥ D)

See analysis details on SonarQube Cloud
