[tools] Lint that all non-bundled deps of published packages are pinned#14112
Conversation
Add a check:pinned-deps lint enforcing exact-pinned versions for every published package's dependencies/optionalDependencies and every pnpm catalog entry (except the @cloudflare/workers-types peer dep). Pin the existing unpinned dependencies to satisfy it.
🦋 Changeset detected. Latest commit: 4707a08. The changes in this PR will be included in the next version bump. This PR includes changesets to release 9 packages.
Codeowners approval required for this PR:
I'm Bonk, and I've done a quick review of your PR.
This adds a lint enforcing exact-pinned versions for non-bundled dependencies of published packages and for the pnpm catalog, plus pins all existing violations.
- Bug: missing `.join("")` on error output — `errors.map(...)` returns an array, and concatenating it with `+` calls `Array.prototype.toString()`, which joins elements with commas. With multiple errors the `::error::` annotation will have spurious commas between entries. `validate-catalog-usage.ts:115` already does this correctly with `.join("")`. (The pre-existing `validate-package-dependencies.ts:53` has the same bug, but that's out of scope here.)
create-cloudflare
@cloudflare/deploy-helpers
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
@cloudflare/wrangler-bundler
dario-piotrowicz left a comment

LGTM, besides the missing `.join("")`
workers-devprod left a comment

Codeowners reviews satisfied
Co-authored-by: Dario Piotrowicz <dario@cloudflare.com>
Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com>
…ion-lint
# Conflicts:
#	package.json
#	packages/wrangler/package.json
#	pnpm-lock.yaml
…nto penalosa/package-version-lint
✅ All changesets look good
…ion-lint
# Conflicts:
#	.changeset/whoami-trailing-period.md
Dependencies that aren't bundled into a published package's output are installed directly into consumers' dependency trees, so their versions need to be pinned — an unpinned external dep can resolve to a compromised upstream release on a fresh install without us vetting it. This adds a lint to enforce that, following the existing `tools/deployments/validate-*.ts` pattern.

New `pnpm check:pinned-deps` (`tools/deployments/validate-pinned-dependencies.ts`) enforces two rules:

1. Every entry in the `catalog:` block of `pnpm-workspace.yaml` must be an exact version, so any `catalog:default` reference is guaranteed pinned. Deliberate exceptions live in `CATALOG_PIN_EXCEPTIONS` (currently only `@cloudflare/workers-types`, which is consumed as a peer dependency where a range is intentional).
2. Every `dependencies` and `optionalDependencies` entry of a published package must be an exact version. `workspace:` / `catalog:` / `npm:` / `link:` / `file:` specifiers are skipped; `peerDependencies` and `devDependencies` are excluded (ranges are correct for peers, and devDependencies are never installed into consumers' trees).

Also wired into the root `check` chain, and the existing `validate-catalog-usage.ts` was made import-safe so its catalog parser can be reused. The previously-unpinned catalog entries and package dependencies (`sharp`, `cjs-module-lexer`, `zod`, `react-split-pane`, `rosie-skills`, `fsevents`, `@clack/core`, `chalk`, `cross-spawn`, `log-update`, etc.) are pinned to their currently-resolved versions to satisfy the new check.

CONTRIBUTING.md in this PR.

A picture of a cute animal (not mandatory, but encouraged)
🦫
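The two rules in the description above, plus the `.join("")` point from the review, as an added self-contained example. This is not workers-sdk's `validate-pinned-dependencies.ts` or its catalog parser; the minimal `pnpm-workspace.yaml` parser, the package manifests, and every version number below are constructed for illustration, and the exception set only mirrors the `@cloudflare/workers-types` case named in the PR.

```typescript
// Added example (not the PR's own tool): exact-pin check over a constructed
// pnpm catalog and a few constructed package.json manifests.

type DepMap = Record<string, string>;
interface PackageJson {
  name: string;
  private?: boolean;
  dependencies?: DepMap;
  optionalDependencies?: DepMap;
  peerDependencies?: DepMap;
  devDependencies?: DepMap;
}

// Catalog entries consumed as peer deps, where a range is intentional.
export const CATALOG_PIN_EXCEPTIONS = new Set(["@cloudflare/workers-types"]);

// Exact = bare semver triple, optionally with prerelease/build metadata.
// Anything else (^, ~, >=, x, *, "latest", "1.2") can float on a fresh install.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
export function isExactVersion(spec: string): boolean {
  return EXACT_VERSION.test(spec.trim());
}

// Specifiers the PR skips: resolved in-workspace, via the (separately checked)
// catalog, or to a local path/alias. Caveat: an npm: alias can still carry a
// range after the "@" (npm:foo@^1.0.0); the PR's rule skips it regardless.
const SKIPPED_PREFIXES = ["workspace:", "catalog:", "npm:", "link:", "file:"];
export function isSkippedSpecifier(spec: string): boolean {
  return SKIPPED_PREFIXES.some((p) => spec.startsWith(p));
}

// Minimal line-based parser for the top-level `catalog:` block only
// (assumption: flat `name: version` entries, keys/values optionally quoted).
export function parseCatalog(workspaceYaml: string): DepMap {
  const catalog: DepMap = {};
  let inCatalog = false;
  for (const raw of workspaceYaml.split("\n")) {
    const line = raw.replace(/#.*$/, "").trimEnd();
    if (line.trim() === "") continue;
    if (!line.startsWith(" ")) { inCatalog = line === "catalog:"; continue; }
    if (!inCatalog) continue;
    const m = /^\s+("?)([^"\s:]+)\1:\s*("?)(.*?)\3\s*$/.exec(line);
    if (m) catalog[m[2]] = m[4];
  }
  return catalog;
}

export function checkCatalog(catalog: DepMap): string[] {
  const errors: string[] = [];
  for (const [name, spec] of Object.entries(catalog)) {
    if (CATALOG_PIN_EXCEPTIONS.has(name)) continue;
    if (!isExactVersion(spec)) errors.push(`pnpm-workspace.yaml catalog entry "${name}": "${spec}" is not an exact version`);
  }
  return errors;
}

export function checkPackage(pkg: PackageJson): string[] {
  if (pkg.private) return []; // never published, so nothing lands in a consumer's tree
  const errors: string[] = [];
  for (const field of ["dependencies", "optionalDependencies"] as const) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (isSkippedSpecifier(spec) || isExactVersion(spec)) continue;
      errors.push(`${pkg.name} ${field}.${name}: "${spec}" is not an exact version`);
    }
  }
  return errors; // peerDependencies / devDependencies deliberately not inspected
}

// One GitHub Actions annotation. `.join("")` matters: `"::error::" + errors`
// would call Array.prototype.toString() and put commas between entries.
export function formatAnnotation(errors: string[]): string {
  return "::error::" + errors.map((e) => `${e}%0A`).join("");
}

// Constructed sample inputs; names and versions are illustrative only.
export const SAMPLE_WORKSPACE_YAML = `
packages:
  - "packages/*"
catalog:
  zod: 3.22.3
  sharp: ^0.33.0
  "@cloudflare/workers-types": ^4.20250101.0
`;
export const SAMPLE_PACKAGES: PackageJson[] = [
  {
    name: "published-lib",
    dependencies: { zod: "catalog:", chalk: "^5.3.0", "@scope/sibling": "workspace:*", alias: "npm:cross-spawn@7.0.6" },
    optionalDependencies: { fsevents: "~2.3.3" },
    peerDependencies: { "@cloudflare/workers-types": "^4.0.0" },
    devDependencies: { typescript: "^5.0.0" },
  },
  { name: "internal-tool", private: true, dependencies: { "log-update": "^6.0.0" } },
];

export function runCheck(yaml = SAMPLE_WORKSPACE_YAML, pkgs = SAMPLE_PACKAGES): string[] {
  return [...checkCatalog(parseCatalog(yaml)), ...pkgs.flatMap((p) => checkPackage(p))];
}

const found = runCheck();
if (found.length > 0) console.log(formatAnnotation(found));
```

On the sample data the run reports three violations (the `sharp` catalog range, and `chalk` plus the optional `fsevents` in `published-lib`); the `catalog:`, `workspace:` and `npm:` specifiers, the peer and dev entries, and the private package are all passed over, which is the behaviour the description specifies.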