chore: update @anuma/sdk to 1.0.0-next.20260423203831

[Denis Fadeev (fadeev)]

Updates @anuma/sdk to 1.0.0-next.20260320013605.

---

Note

Medium Risk
Primarily a dependency bump, but the new @anuma/sdk brings in browser-oriented packages (e.g. html2canvas, jspdf) that could break Cloudflare Workers builds/runtime if imported on the server path.

Overview
Bumps @anuma/sdk from 1.0.0-next.20260319135746 to 1.0.0-next.20260423203831.

Updates pnpm-lock.yaml accordingly, pulling in new direct SDK dependencies like html2canvas, jspdf, and marked (plus related transitive packages), which may impact bundle size and Workers compatibility depending on how the SDK loads them.

^{Reviewed by Cursor Bugbot for commit 6217666. Bugbot is set up for automated code reviews on this repo. Configure here.}

Greptile Summary

This PR bumps @anuma/sdk from 1.0.0-next.20260319135746 to 1.0.0-next.20260320013605. The new SDK version introduces three non-optional direct dependencies — html2canvas@1.4.1, jspdf@4.2.1, and marked@15.0.12 — along with ~15 transitive packages (e.g. canvg, core-js, dompurify, fflate, stackblur-canvas).

• New SDK dependencies: html2canvas, jspdf, and marked suggest the SDK now bundles PDF-export and markdown-rendering capabilities directly.
• Cloudflare Workers compatibility risk: html2canvas is a browser-centric library that accesses DOM APIs absent in the Workers runtime. Since it is a non-optional dependency in the new SDK version, a top-level import of it in the SDK would cause a runtime crash on the Workers deployment path.
• Duplicate pako: Both pako@1.0.11 (existing) and pako@2.1.0 (new, via fast-png ← jspdf) are now present, adding minor redundancy to the bundle.
• PR description: Per the project's CLAUDE.md guidelines, PR descriptions for SDK updates should include an Integration section (how to integrate new SDK changes into a client app) and a Breaking Changes section. These are absent from the current description; even noting "no integration steps required" and "no breaking changes" would satisfy the guideline.

Confidence Score: 3/5

• Merge with caution — verify that the new browser-only html2canvas dependency is lazily imported by the SDK and does not execute in the Cloudflare Workers runtime.
• The version bump itself is mechanical, but the new SDK version introduces html2canvas as a non-optional dependency. This library relies on browser DOM APIs incompatible with Cloudflare Workers. Without confirmation that the SDK guards these imports for browser-only contexts, the Workers deployment path carries real breakage risk.
• pnpm-lock.yaml — specifically the @anuma/sdk snapshot at line 1336 where html2canvas appears as a non-optional dependency.

Important Files Changed

Filename	Overview
package.json	Bumps @anuma/sdk from 1.0.0-next.20260319135746 to 1.0.0-next.20260320013605 — a straightforward version pin change with no other modifications.
pnpm-lock.yaml	Lock file updated to reflect new SDK version; three new non-optional SDK deps added (html2canvas, jspdf, marked) plus ~15 transitive packages. html2canvas is browser-only and may be incompatible with the Cloudflare Workers deployment target.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    SDK["@anuma/sdk\n1.0.0-next.20260320013605"]

    SDK --> EXISTING["Existing deps\n(ai, exceljs, jszip,\nmammoth, pdfjs-dist,\ntesseract.js, react)"]
    SDK --> HTML2CANVAS["html2canvas@1.4.1\n⚠️ Browser-only (DOM APIs)"]
    SDK --> JSPDF["jspdf@4.2.1"]
    SDK --> MARKED["marked@15.0.12"]

    JSPDF --> FAST_PNG["fast-png@6.4.0"]
    JSPDF --> FFLATE["fflate@0.8.2"]
    JSPDF --> BABEL_RT["@babel/runtime@7.29.2"]
    JSPDF -.->|optional| CANVG["canvg@3.0.11"]
    JSPDF -.->|optional| COREJS["core-js@3.49.0"]
    JSPDF -.->|optional| DOMPURIFY["dompurify@3.3.3"]
    JSPDF -.->|optional| HTML2CANVAS

    HTML2CANVAS --> CSS_LB["css-line-break@2.1.0"]
    HTML2CANVAS --> TEXT_SEG["text-segmentation@1.0.3"]

    FAST_PNG --> PAKO2["pako@2.1.0\n(duplicate: pako@1.0.11 also exists)"]
    FAST_PNG --> IOBUFFER["iobuffer@5.4.0"]

    CANVG --> RAF["raf@3.4.1"]
    CANVG --> STACKBLUR["stackblur-canvas@2.7.0"]
    CANVG --> SVG_PATH["svg-pathdata@6.0.3"]
    CANVG --> RGBCOLOR["rgbcolor@1.0.1"]

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: pnpm-lock.yaml
Line: 1336-1337

Comment:
**Browser-only dependencies added as non-optional SDK deps**

`html2canvas@1.4.1` and `jspdf@4.2.1` are now **non-optional** direct dependencies of `@anuma/sdk`. `html2canvas` in particular relies heavily on browser DOM APIs (`document`, `window`, `HTMLCanvasElement`). This project deploys to **Cloudflare Workers** (via `wrangler deploy`), which does not expose DOM APIs.

If the SDK imports `html2canvas` at the module top level (rather than lazily), the Workers deployment will fail at startup with a `ReferenceError: document is not defined` (or similar). Even with lazy imports, any code path that triggers html2canvas at runtime would crash in the Workers environment.

Before merging, confirm that:
1. The SDK conditionally/lazily imports `html2canvas` only in browser environments, and
2. This Telegram bot's usage of `@anuma/sdk` does not exercise those code paths in the Workers runtime.

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: "chore: update @anuma..."}

Greptile also left 1 inline comment on this PR.

Context used:

• Context used - CLAUDE.md (source)

[github-actions]

✅ Cloudflare Workers Preview — Deployed!

https://telegram-pr-13.zetachain.workers.dev

[greptile-apps]

Browser-only dependencies added as non-optional SDK deps

html2canvas@1.4.1 and jspdf@4.2.1 are now non-optional direct dependencies of @anuma/sdk. html2canvas in particular relies heavily on browser DOM APIs (document, window, HTMLCanvasElement). This project deploys to Cloudflare Workers (via wrangler deploy), which does not expose DOM APIs.

If the SDK imports html2canvas at the module top level (rather than lazily), the Workers deployment will fail at startup with a ReferenceError: document is not defined (or similar). Even with lazy imports, any code path that triggers html2canvas at runtime would crash in the Workers environment.

Before merging, confirm that:

1. The SDK conditionally/lazily imports html2canvas only in browser environments, and
2. This Telegram bot's usage of @anuma/sdk does not exercise those code paths in the Workers runtime.

Prompt To Fix With AI

This is a comment left during a code review.
Path: pnpm-lock.yaml
Line: 1336-1337

Comment:
**Browser-only dependencies added as non-optional SDK deps**

`html2canvas@1.4.1` and `jspdf@4.2.1` are now **non-optional** direct dependencies of `@anuma/sdk`. `html2canvas` in particular relies heavily on browser DOM APIs (`document`, `window`, `HTMLCanvasElement`). This project deploys to **Cloudflare Workers** (via `wrangler deploy`), which does not expose DOM APIs.

If the SDK imports `html2canvas` at the module top level (rather than lazily), the Workers deployment will fail at startup with a `ReferenceError: document is not defined` (or similar). Even with lazy imports, any code path that triggers html2canvas at runtime would crash in the Workers environment.

Before merging, confirm that:
1. The SDK conditionally/lazily imports `html2canvas` only in browser environments, and
2. This Telegram bot's usage of `@anuma/sdk` does not exercise those code paths in the Workers runtime.

How can I resolve this? If you propose a fix, please make it concise.

[cursor]

Browser-only html2canvas may crash Cloudflare Workers

High Severity

html2canvas@1.4.1 is now a non-optional direct dependency of @anuma/sdk. This library requires browser DOM APIs (document, window, HTMLCanvasElement) that do not exist in the Cloudflare Workers runtime. Since this project deploys to Workers (confirmed by wrangler.jsonc and src/worker.ts), any eager/top-level import of html2canvas by the SDK will cause a startup crash with a ReferenceError.

 

[cursor]

Bugbot Autofix determined this is a false positive.

I verified that importing @anuma/sdk/server and @anuma/sdk/client in a non-DOM runtime and bundling the Worker do not load or include html2canvas, so no startup crash occurs.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issue.}

^{Reviewed by Cursor Bugbot for commit 90fac6a. Configure here.}

[cursor]

PR description has wrong version and missing sections

Low Severity

The PR description states it updates to 1.0.0-next.20260320013605, but the actual version in package.json is 1.0.0-next.20260423203831. Additionally, per CLAUDE.md, PR descriptions for SDK updates must include Integration and Breaking Changes sections — even if just noting "none required" — but both are absent.

 

^{Reviewed by Cursor Bugbot for commit 90fac6a. Configure here.}