chore(deps): pin every direct dependency to an exact version #651
FelixTJDietrich merged 3 commits into main from Apr 27, 2026
Strip every `^` / `~` from `dependencies`, `devDependencies`, and
`optionalDependencies` across all 7 in-tree package.json files. Each
range is replaced with the exact version currently resolved in the
matching package-lock.json, so the install graph does not move.
Scope:
- root `package.json`
- `library/package.json` (only devDependencies were unpinned —
`dependencies` shipped to consumers were already exact)
- `standalone/{server,webapp}/package.json`
- `vscode-extension/package.json`, `vscode-extension/{menu,editor}/package.json`
`peerDependencies` are intentionally left as ranges (none currently in
the repo, but the rule documents intent). The `@tumaet/apollon` entry in
`vscode-extension/package.json` is changed from `^4.2.16` to `*` to match
the workspace-link convention used by `standalone/{server,webapp}` —
pinning to an exact version would have forced npm to fetch the published
release instead of using the workspace symlink, breaking local dev.
Verified:
- `npm install` produces zero drift in any `node_modules/*` entry across
all three lockfiles (root, vscode-extension/menu, vscode-extension/editor).
The lockfile diffs are exclusively the `packages[""].{dependencies,…}`
manifest mirrors, which is expected.
- `npm run format:check`, `npm run lint`, `npm run build`, and `npm test`
(781/781) all pass.
- `grep -rE '"\\^|"~' package.json **/package.json` returns nothing in
project files.
Co-Authored-By: Claude Opus 4.7 <[email protected]>
Summary
Strip every `^` / `~` from `dependencies`, `devDependencies`, and `optionalDependencies` across all 7 in-tree `package.json` files. Each range is replaced with the exact version currently resolved in the matching `package-lock.json`, so the install graph does not move.

- `package.json`
- `library/package.json` (`dependencies` shipped to library consumers were already exact)
- `standalone/webapp/package.json`
- `standalone/server/package.json`
- `vscode-extension/package.json`
- `vscode-extension/menu/package.json`
- `vscode-extension/editor/package.json`

`peerDependencies` are intentionally untouched (none today; the rule documents intent for future deps).

Subtle case worth flagging

`vscode-extension/package.json` previously declared `"@tumaet/apollon": "^4.2.16"`. It is an npm workspace member; pinning to an exact version would force npm to fetch the published `4.2.16` from the registry instead of using the workspace symlink (which is currently at `4.2.22`), breaking local development of the VS Code extension against in-tree library changes. Changed to `"*"` — the same convention `standalone/server` and `standalone/webapp` already use. The non-workspace consumer `vscode-extension/editor/package.json` keeps a real exact pin (`4.2.16`) since it depends on the published package.

Verification

- `npm install` in the root, `vscode-extension/menu`, and `vscode-extension/editor`, every `node_modules/*` entry in all three lockfiles has the same version as before. The lockfile diffs are exclusively the `packages[""].{dependencies,…}` manifest mirrors.
- `npm run format:check` ✅
- `npm run lint` ✅
- `npm run build` ✅ (library + server + webapp + vscode)
- `npm test` ✅ 781/781
- `grep -rE '"\\^|"~'` across all 7 project `package.json` files returns nothing.

Renovate interaction

The repo's `renovate.json` extends `config:best-practices`, which uses the `replace` range strategy — Renovate will simply rewrite each pin with the new exact version when an update is approved, so this change is fully compatible with the existing dependency-dashboard workflow.

🤖 Generated with Claude Code
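The pinning rule described in this PR, written as a manifest checker. This is an added example, not code from the PR or the repository. The `grep` in the verification list matches only `^` and `~`, while this check also catches specifiers such as `latest` or `>=1.0.0`, exempts `peerDependencies`, requires `*` for workspace members, and compares each pin with the lockfile. Assumptions: the function name, the sample package names other than `@tumaet/apollon`, and a lockfile in the `packages["node_modules/<name>"].version` layout.

```javascript
// Added example: enforces the pinning rule described in this PR.
const PINNED_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];
// Exact version: MAJOR.MINOR.PATCH with optional prerelease/build, no range operators.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function findPinViolations(manifest, lock, workspaceNames = new Set()) {
  const violations = [];
  for (const field of PINNED_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (workspaceNames.has(name)) {
        // Workspace members use "*" so npm links the in-tree copy.
        if (spec !== '*') violations.push({ field, name, spec, reason: 'workspace member must be "*"' });
        continue;
      }
      if (!EXACT.test(spec)) {
        violations.push({ field, name, spec, reason: 'not an exact version' });
        continue;
      }
      // Assumed lockfile layout: packages["node_modules/<name>"].version
      const resolved = lock?.packages?.[`node_modules/${name}`]?.version;
      if (resolved !== undefined && resolved !== spec) {
        violations.push({ field, name, spec, reason: `lockfile resolves ${resolved}` });
      }
    }
  }
  return violations; // peerDependencies are never inspected
}

// Constructed sample input; the example-* package names are made up.
const sampleManifest = {
  dependencies: { '@tumaet/apollon': '*', 'example-lib': '^2.1.0', 'example-util': '1.4.2' },
  devDependencies: { 'example-tool': '3.0.0', 'example-tag': 'latest' },
  peerDependencies: { 'example-peer': '>=18' },
};
const sampleLock = { packages: {
  'node_modules/example-util': { version: '1.4.3' },
  'node_modules/example-tool': { version: '3.0.0' },
} };
const sampleViolations = findPinViolations(sampleManifest, sampleLock, new Set(['@tumaet/apollon']));
console.log(sampleViolations);
```

Run against each of the 7 manifests with its matching lockfile, a non-empty result is a CI failure condition.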