chore(deps): pin npm dependencies to exact lockfile versions #2638
tolzhabayev wants to merge 6 commits into
Replace semver ranges in dependencies and devDependencies with the exact versions already resolved by package-lock.json. Direct deps no longer drift across reinstalls. Also harden .npmrc with supply-chain settings:
- allow-git=none (block git dependencies)
- ignore-scripts=true (idempotent if already present)
- min-release-age=3 (only install packages at least 3 days old)
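The commit message above names three `.npmrc` keys and what each one buys. The following is an added example, not code from this PR or from the repository: a small CI guard that parses an `.npmrc` and reports which of those keys are missing or set weaker than the policy wants. It only reads text in npm's ini syntax (`key=value`, `#`/`;` comments, last duplicate key wins) and never runs npm; the policy table, the sample files and the function names are all constructed for the example.

```javascript
// Added example, not code from the PR or the repository: a CI guard that audits
// an .npmrc against the supply-chain keys named in the commit message.

// Policy derived from the commit message; the "why" strings are its wording.
const NPMRC_POLICY = {
  'ignore-scripts':  { want: 'true', why: 'do not run install lifecycle scripts' },
  'allow-git':       { want: 'none', why: 'block git dependencies' },
  'min-release-age': { want: '3',    why: 'only install packages at least 3 days old', numericAtLeast: true },
};

// Minimal .npmrc parser: key=value lines, '#' or ';' comments, later lines win.
function parseNpmrc(text) {
  const config = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;                 // bare keys are not part of this policy
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    config[key] = value;                     // a later duplicate overrides an earlier one
  }
  return config;
}

// Compare the parsed config against the policy; a longer release age is acceptable.
function auditNpmrc(text) {
  const config = parseNpmrc(text);
  const findings = [];
  for (const [key, rule] of Object.entries(NPMRC_POLICY)) {
    const actual = config[key];
    let satisfied;
    if (actual === undefined) {
      satisfied = false;
    } else if (rule.numericAtLeast) {
      satisfied = Number(actual) >= Number(rule.want);
    } else {
      satisfied = actual === rule.want;
    }
    if (!satisfied) {
      findings.push({ key, actual: actual === undefined ? null : actual, want: rule.want, why: rule.why });
    }
  }
  return { config, findings, hardened: findings.length === 0 };
}

// Constructed sample files (not the repository's .npmrc): one weak, one hardened.
const WEAK_NPMRC = [
  '# constructed sample: only a registry line, scripts explicitly enabled',
  'registry=https://registry.npmjs.org/',
  'ignore-scripts=false',
].join('\n');

const HARDENED_NPMRC = [
  'registry=https://registry.npmjs.org/',
  'ignore-scripts=true',
  '; block git dependencies',
  'allow-git=none',
  'min-release-age=3',
].join('\n');

for (const [label, text] of [['weak', WEAK_NPMRC], ['hardened', HARDENED_NPMRC]]) {
  const result = auditNpmrc(text);
  console.log(`${label}: hardened=${result.hardened}`);
  for (const f of result.findings) {
    console.log(`  ${f.key}: got ${f.actual}, want ${f.want} (${f.why})`);
  }
}
```

Wiring `auditNpmrc` into CI with a non-zero exit on any finding turns the three keys into a property of the repository rather than of whoever last edited the file; `min-release-age` is checked as a lower bound so a team that waits longer than 3 days still passes.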
Hello! 👋 This repository uses Auto for releasing packages using PR labels. ✨ This PR can be merged. It will not be considered when calculating future versions of the npm packages and will not appear in the changelogs.
Pull request overview
This PR aims to reduce dependency drift across reinstalls by replacing semver ranges in multiple workspace/root package.json files with exact versions (intended to match what is already resolved in package-lock.json).
Changes:
- Pin dependencies/devDependencies across workspaces (and the repo root) from ranges (e.g., ^x.y.z) to exact versions.
- Standardize versions for commonly shared tooling deps (TypeScript, ESLint, @typescript-eslint/*, etc.) across packages.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| package.json | Pins root devDependencies to exact versions. |
| packages/create-plugin/package.json | Pins CLI build/runtime deps to exact versions. |
| packages/sign-plugin/package.json | Pins signing tool deps to exact versions. |
| packages/react-detect/package.json | Pins parsing/globbing-related deps to exact versions. |
| packages/plugin-types-bundler/package.json | Pins bundler deps (types/debug/minimist/etc.) to exact versions. |
| packages/plugin-meta-extractor/package.json | Pins extractor deps and dev deps to exact versions. |
| packages/plugin-e2e/package.json | Pins Playwright/test tooling deps to exact versions. |
| packages/plugin-docs-parser/package.json | Pins unified/remark/rehype stack deps to exact versions. |
| packages/plugin-docs-cli/package.json | Pins docs CLI server/test deps (Express, types, supertest, etc.) to exact versions. |
| packages/eslint-plugin-plugins/package.json | Pins ESLint-plugin build deps to exact versions. |
| docusaurus/website/package.json | Pins website dependencies and devDependencies to exact versions. |
| "dependencies": { | ||
| "find-up": "^8.0.0", | ||
| "minimist": "^1.2.2", | ||
| "find-up": "7.0.0", |
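Review bot: `"find-up": "7.0.0"` replaces the range `^8.0.0` shown two lines up, which is a downgrade across a major version rather than a pin of what that range resolves to. A pin must satisfy the range it replaces; take the version from `packages/sign-plugin`'s own lockfile entry (the later re-pin commit records it as 8.0.0) instead of the root-hoisted copy, and have the pinning script refuse to write any pin that falls outside the original range.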
| "find-up": "7.0.0", | ||
| "glob": "13.0.6", | ||
| "handlebars": "4.7.9", | ||
| "jsonc-parser": "3.2.0", |
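Review bot: the `find-up 7.0.0`, `glob 13.0.6` and `jsonc-parser 3.2.0` pins for `packages/create-plugin` are the root-hoisted versions, not the ones this workspace resolves; the follow-up commit re-pins them to 8.0.0, 11.1.0 and 3.3.1. For a workspace, look up `packages/create-plugin/node_modules/<dep>` in package-lock.json first and fall back to `node_modules/<dep>` only when no nested entry exists.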
| "@axe-core/playwright": "4.11.1", | ||
| "@playwright/test": "1.58.2", | ||
| "@types/uuid": "11.0.0", | ||
| "dotenv": "8.6.0" |
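Review bot: `"dotenv": "8.6.0"` for `packages/plugin-e2e` is a different major than the 17.3.1 the re-pin commit later takes from this workspace's lockfile entry. A pin that the previous range could not have selected is a sign the wrong node_modules level was read; the script should stop on that condition rather than write it.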
| "supertest": "^7.0.0" | ||
| "@types/debug": "4.1.12", | ||
| "@types/ejs": "3.1.5", | ||
| "@types/express": "4.17.25", |
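Review bot: `"@types/express": "4.17.25"` pins the Express 4 type definitions while this package's `dependencies` carry `"express": "^5.0.0"`; the type package should follow the runtime major (the follow-up commit settles on 5.0.6). Pin it from this workspace's own lockfile entry, not the hoisted one, and let type-checking in CI catch a future divergence.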
| "raw-loader": "^4.0.2", | ||
| "typescript": "^5.9.3", | ||
| "vitest": "^4.0.18" | ||
| "dotenv": "8.6.0", |
| "devDependencies": { | ||
| "@auto-it/all-contributors": "11.3.6", | ||
| "@auto-it/first-time-contributor": "11.3.6", | ||
| "@auto-it/omit-commits": "11.3.6", | ||
| "@auto-it/omit-release-notes": "11.3.6", | ||
| "@auto-it/slack": "11.3.6", | ||
| "@grafana/eslint-config": "^9.0.0", | ||
| "@playwright/test": "^1.58.1", | ||
| "@rollup/plugin-commonjs": "^29.0.0", | ||
| "@rollup/plugin-json": "^6.1.0", | ||
| "@rollup/plugin-node-resolve": "^16.0.3", | ||
| "@stylistic/eslint-plugin-ts": "^4.4.1", | ||
| "@swc/core": "^1.15.11", | ||
| "@tsconfig/node24": "^24.0.4", | ||
| "@tsconfig/recommended": "^1.0.13", | ||
| "@types/glob": "^9.0.0", | ||
| "@types/node": "^24.10.11", | ||
| "@typescript-eslint/eslint-plugin": "^8.54.0", | ||
| "@typescript-eslint/parser": "^8.54.0", | ||
| "@grafana/eslint-config": "9.0.0", | ||
| "@playwright/test": "1.58.2", | ||
| "@rollup/plugin-commonjs": "29.0.0", |
Follow-up to previous commit: include .npmrc supply-chain settings and lockfile sync that were dropped by a driver bug (git add aborted when yarn.lock was absent in an npm repo). No spec changes.
Revert .npmrc to main's version. The supply-chain hardening keys (allow-git=none, min-release-age=3) are being added in a separate PR. This PR now only covers the dependency pinning.
The previous pin pass picked the root-hoisted version for every dep, so workspaces with their own nested resolution got the wrong pin. Re-pin from each workspace's actual lockfile resolution:
- packages/sign-plugin: find-up 7.0.0 -> 8.0.0
- packages/create-plugin: find-up 7.0.0 -> 8.0.0, glob 13.0.6 -> 11.1.0, jsonc-parser 3.2.0 -> 3.3.1
- packages/plugin-e2e: dotenv 8.6.0 -> 17.3.1
- packages/plugin-docs-cli: @types/express 4.17.25 -> 5.0.6
- docusaurus/website: dotenv 8.6.0 -> 17.3.1

No tarball resolutions change; only the declared specs in the workspace package.json files and their lockfile mirrors. `npm install` is now a no-op.
| "enquirer": "2.4.1", | ||
| "find-up": "8.0.0", | ||
| "glob": "11.1.0", | ||
| "handlebars": "4.7.9", | ||
| "jsonc-parser": "3.3.1", |
| "devDependencies": { | ||
| "@libs/output": "^1.0.3", | ||
| "@libs/version": "^1.0.2", | ||
| "@types/minimist": "^1.2.5" | ||
| "@types/minimist": "1.2.5" |
| "dependencies": { | ||
| "@grafana/plugin-docs-parser": "^0.0.4", | ||
| "chokidar": "^5.0.0", | ||
| "debug": "^4.3.7", | ||
| "ejs": "^5.0.0", | ||
| "express": "^5.0.0", | ||
| "github-slugger": "^1.5.0", | ||
| "gray-matter": "^4.0.3", | ||
| "hast-util-to-html": "^9.0.0", | ||
| "minimist": "^1.2.8" | ||
| "chokidar": "5.0.0", | ||
| "debug": "4.4.3", |
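Review bot: `"@grafana/plugin-docs-parser": "^0.0.4"` is a sibling workspace (`packages/plugin-docs-parser` is in the reviewed file list), and the PR summary only exempts `workspace:`, `file:` and `link:` specifiers, not a caret range on an internal package. Decide explicitly whether internal packages get pinned to their workspace version (which then needs a bump on every release) or stay ranges, and state that choice in the summary.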
Summary

`dependencies` and `devDependencies` with the exact versions already resolved in `package-lock.json`. Direct deps will no longer drift across reinstalls. `peerDependencies` and `optionalDependencies` are intentionally left as ranges. Specifiers using `file:`, `link:`, `workspace:`, `git+`, `npm:` (alias), `http(s):`, or `*`/`latest` are also untouched.

Generated by a script that reads `package-lock.json` and rewrites the direct dep ranges in every `package.json` (root + workspaces) to the resolved version. `npm install` after the change is a no-op (no resolved versions changed).

Note

`.npmrc` supply-chain hardening (`allow-git=none`, `min-release-age=3`) is handled in a separate PR, not this one.

Test plan

- `npm install` produces no further changes
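The summary describes a script that reads `package-lock.json` and rewrites direct dependency ranges, and the re-pin commit describes its failure mode: taking the root-hoisted version for a workspace that resolves its own nested copy. The following is an added example, not the script the PR author ran: it pins one workspace's manifest from a lockfile v2/v3 `packages` map (keys such as `node_modules/<dep>`, `packages/<ws>/node_modules/<dep>` and `packages/<ws>`), checking the nested path before the hoisted one, leaving the specifier kinds the summary exempts untouched, and refusing any pin whose major differs from the range it would replace. The sample lockfile, the manifest and the function names are constructed for the example; it goes slightly beyond the summary by also following workspace `link` entries.

```javascript
// Added example, not the PR author's script: re-pin a workspace's direct
// dependency ranges from package-lock.json without mutating the inputs.

const PINNED_FIELDS = ['dependencies', 'devDependencies'];  // peer/optional stay ranges

// Specifier kinds the PR summary leaves untouched because they are not semver ranges.
const UNTOUCHED_PREFIXES = ['file:', 'link:', 'workspace:', 'git+', 'npm:', 'http:', 'https:'];

function isPinnableSpec(spec) {
  if (spec === '*' || spec === 'latest') return false;
  return !UNTOUCHED_PREFIXES.some((prefix) => spec.startsWith(prefix));
}

// Cheap guard without a semver library: a ^/~/exact spec and the version that
// replaces it must share a major number. A mismatch means the version was read
// from the wrong node_modules level (e.g. ^8.0.0 replaced by a hoisted 7.0.0).
function majorMismatch(spec, version) {
  const m = /^[\^~]?(\d+)\./.exec(spec);
  return m !== null && m[1] !== version.split('.')[0];
}

// Find the lockfile entry the workspace would actually load for `dep`:
// nested copy under the workspace first, root-hoisted copy second.
function resolveVersion(lock, workspacePath, dep) {
  const packages = lock.packages || {};
  const candidates = workspacePath
    ? [`${workspacePath}/node_modules/${dep}`, `node_modules/${dep}`]
    : [`node_modules/${dep}`];
  for (const key of candidates) {
    let entry = packages[key];
    if (!entry) continue;
    // Workspace siblings appear as links; follow the link to the real entry.
    if (entry.link && entry.resolved) entry = packages[entry.resolved];
    if (entry && entry.version) return entry.version;
  }
  return null;
}

// Returns a pinned copy of the manifest plus what changed and what was refused.
function pinWorkspace(lock, pkg, workspacePath) {
  const pinned = JSON.parse(JSON.stringify(pkg));
  const changes = [];
  const skipped = [];
  for (const field of PINNED_FIELDS) {
    const deps = pinned[field];
    if (!deps) continue;
    for (const [dep, spec] of Object.entries(deps)) {
      if (!isPinnableSpec(spec)) continue;
      const version = resolveVersion(lock, workspacePath, dep);
      if (version === null) {
        skipped.push({ field, dep, spec, reason: 'no lockfile entry' });
      } else if (majorMismatch(spec, version)) {
        skipped.push({ field, dep, spec, reason: `lockfile has ${version}, outside ${spec}` });
      } else if (spec !== version) {
        changes.push({ field, dep, from: spec, to: version });
        deps[dep] = version;
      }
    }
  }
  return { pkg: pinned, changes, skipped };
}

// Constructed sample lockfile and workspace manifest (not the repository's).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'root', workspaces: ['packages/*'] },
    'node_modules/find-up': { version: '7.0.0' },                       // hoisted copy
    'packages/sign-plugin/node_modules/find-up': { version: '8.0.0' },  // nested copy
    'node_modules/minimist': { version: '1.2.8' },
    'node_modules/@grafana/plugin-docs-parser': { resolved: 'packages/plugin-docs-parser', link: true },
    'packages/plugin-docs-parser': { name: '@grafana/plugin-docs-parser', version: '0.0.4' },
    'packages/sign-plugin': { name: '@grafana/sign-plugin', version: '1.0.0' },
  },
};

const SAMPLE_PKG = {
  name: '@grafana/sign-plugin',
  dependencies: {
    'find-up': '^8.0.0',
    'minimist': '^1.2.2',
    '@grafana/plugin-docs-parser': '^0.0.4',
    'local-tool': 'file:../local-tool',
  },
  devDependencies: { 'alias-dep': 'npm:some-package@^2.0.0' },
  peerDependencies: { react: '^18.0.0' },
};

// Correct: resolve relative to the workspace.
const good = pinWorkspace(SAMPLE_LOCK, SAMPLE_PKG, 'packages/sign-plugin');
// The hoisted-copy mistake: resolve from the root only; find-up is refused, not downgraded.
const hoisted = pinWorkspace(SAMPLE_LOCK, SAMPLE_PKG, '');
console.log(JSON.stringify({ good, hoisted }, null, 2));
```

Running this over every workspace and failing when `skipped` is non-empty gives the property the summary wants, that `npm install` after the rewrite is a no-op, as a checkable condition instead of something verified by eye after the fact.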