
[tools] Lint that all non-bundled deps of published packages are pinned#14112

Merged
penalosa merged 7 commits into main from penalosa/package-version-lint on Jun 1, 2026

Conversation

@penalosa

@penalosa penalosa commented May 29, 2026

Contributor

Dependencies that aren't bundled into a published package's output are installed directly into consumers' dependency trees, so their versions need to be pinned — an unpinned external dep can resolve to a compromised upstream release on a fresh install without us vetting it. This adds a lint to enforce that, following the existing tools/deployments/validate-*.ts pattern.

New pnpm check:pinned-deps (tools/deployments/validate-pinned-dependencies.ts) enforces two rules:

  • Catalog pinning — every entry in the catalog: block of pnpm-workspace.yaml must be an exact version, so any catalog:default reference is guaranteed pinned. Deliberate exceptions live in CATALOG_PIN_EXCEPTIONS (currently only @cloudflare/workers-types, which is consumed as a peer dependency where a range is intentional).
  • Package pinning — every dependencies and optionalDependencies entry of a published package must be an exact version. workspace:/catalog:/npm:/link:/file: specifiers are skipped; peerDependencies and devDependencies are excluded (ranges are correct for peers, and devDependencies are never installed into consumers' trees).

Also wired into the root check chain, and the existing validate-catalog-usage.ts was made import-safe so its catalog parser can be reused. The previously-unpinned catalog entries and package dependencies (sharp, cjs-module-lexer, zod, react-split-pane, rosie-skills, fsevents, @clack/core, chalk, cross-spawn, log-update, etc.) are pinned to their currently-resolved versions to satisfy the new check.


  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: this is internal CI/dependency tooling with no user-facing API or behavior change. Contributor guidance was added to CONTRIBUTING.md in this PR.

A picture of a cute animal (not mandatory, but encouraged)

🦫


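The two rules from the PR description, written out as an added example (not the PR's own tools/deployments/validate-pinned-dependencies.ts). It assumes "exact version" means a bare MAJOR.MINOR.PATCH with optional prerelease/build tag, and it includes the `.join("")` fix the reviewers asked for.

```typescript
// Added example, not the PR's own validate-pinned-dependencies.ts: a minimal
// reimplementation of the two rules the PR description lists.
// Assumption: "exact" = MAJOR.MINOR.PATCH (+ optional prerelease/build), no ^ ~ >= x *.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Specifiers the package rule skips, as listed in the PR description.
const SKIPPED_PREFIXES = ["workspace:", "catalog:", "npm:", "link:", "file:"];

// Catalog entries allowed to stay ranges (mirrors CATALOG_PIN_EXCEPTIONS in the PR).
const CATALOG_PIN_EXCEPTIONS = new Set(["@cloudflare/workers-types"]);

type DepMap = Record<string, string>;
interface PackageJson {
  name: string;
  private?: boolean;
  dependencies?: DepMap;
  optionalDependencies?: DepMap;
  peerDependencies?: DepMap;
  devDependencies?: DepMap;
}

// Rule 1: every entry in the pnpm-workspace.yaml catalog: block must be exact,
// unless it is an explicit exception.
export function validateCatalog(catalog: DepMap): string[] {
  const errors: string[] = [];
  for (const [name, spec] of Object.entries(catalog)) {
    if (CATALOG_PIN_EXCEPTIONS.has(name)) continue;
    if (!EXACT_VERSION.test(spec)) errors.push(`catalog entry ${name} is not pinned: "${spec}"`);
  }
  return errors;
}

// Rule 2: dependencies/optionalDependencies of a published (non-private) package must
// be exact; peer and dev deps are never checked (ranges are correct for peers,
// devDependencies never reach consumers' trees).
export function validatePackage(pkg: PackageJson): string[] {
  const errors: string[] = [];
  if (pkg.private) return errors;
  for (const field of ["dependencies", "optionalDependencies"] as const) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (SKIPPED_PREFIXES.some((p) => spec.startsWith(p))) continue;
      if (!EXACT_VERSION.test(spec)) errors.push(`${pkg.name} ${field}.${name} is not pinned: "${spec}"`);
    }
  }
  return errors;
}

// The .join("") the reviewers asked for: "::error::" + errors.map(...) on its own
// would stringify the array and put commas between entries.
export function formatAnnotation(errors: string[]): string {
  return errors.length === 0 ? "" : "::error::" + errors.map((e) => e + "\n").join("");
}
```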

Add a check:pinned-deps lint enforcing exact-pinned versions for every
published package's dependencies/optionalDependencies and every pnpm
catalog entry (except the @cloudflare/workers-types peer dep). Pin the
existing unpinned dependencies to satisfy it.
@penalosa penalosa requested a review from workers-devprod as a code owner May 29, 2026 16:29
@changeset-bot

changeset-bot Bot commented May 29, 2026


🦋 Changeset detected

Latest commit: 4707a08

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 9 packages
Name Type
wrangler Patch
miniflare Patch
@cloudflare/vitest-pool-workers Patch
@cloudflare/workers-editor-shared Patch
@cloudflare/cli-shared-helpers Patch
@cloudflare/vite-plugin Patch
@cloudflare/wrangler-bundler Patch
@cloudflare/pages-shared Patch
@cloudflare/workers-playground Patch


@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk May 29, 2026
@workers-devprod workers-devprod requested review from a team and edmundhung and removed request for a team May 29, 2026 16:30
@workers-devprod

workers-devprod commented May 29, 2026

Contributor

Codeowners approval required for this PR:

  • ✅ @cloudflare/wrangler

@ask-bonk ask-bonk Bot left a comment


I'm Bonk, and I've done a quick review of your PR.

This adds a lint enforcing exact-pinned versions for non-bundled dependencies of published packages and for the pnpm catalog, plus pins all existing violations.

  1. Bug: missing .join("") on error output. errors.map(...) returns an array, and concatenating it with + calls Array.prototype.toString(), which joins elements with commas. With multiple errors the ::error:: annotation will have spurious commas between entries. validate-catalog-usage.ts:115 already does this correctly with .join(""). (The pre-existing validate-package-dependencies.ts:53 has the same bug, but that's out of scope here.)

@ask-bonk

ask-bonk Bot commented May 29, 2026

Contributor

I'm Bonk, and I've done a quick review of your PR.

This adds a lint enforcing exact-pinned versions for non-bundled dependencies of published packages and for the pnpm catalog, plus pins all existing violations.

I found one issue:

  1. Bug: missing .join("") on error output at tools/deployments/validate-pinned-dependencies.ts:163. errors.map(...) returns an array, and string-concatenating it with + implicitly calls .toString(), which joins elements with commas. With multiple errors, the ::error:: GitHub Actions annotation will have spurious commas between entries. validate-catalog-usage.ts:115 already handles this correctly with .join(""). I posted a suggestion comment on the PR with the fix.


@devin-ai-integration devin-ai-integration Bot left a comment


Devin Review found 1 potential issue.

@pkg-pr-new

pkg-pr-new Bot commented May 29, 2026


commit: 4707a08

@dario-piotrowicz dario-piotrowicz left a comment

Member


LGTM, besides the missing .join("")


@workers-devprod workers-devprod left a comment


Codeowners reviews satisfied

@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk May 30, 2026
penalosa and others added 4 commits June 1, 2026 12:14
Co-authored-by: Dario Piotrowicz <dario@cloudflare.com>
Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com>
…ion-lint

# Conflicts:
#	package.json
#	packages/wrangler/package.json
#	pnpm-lock.yaml
@github-actions

github-actions Bot commented Jun 1, 2026

Contributor

✅ All changesets look good

@penalosa penalosa enabled auto-merge (squash) June 1, 2026 13:06
…ion-lint

# Conflicts:
#	.changeset/whoami-trailing-period.md
@penalosa penalosa merged commit 3a746ac into main Jun 1, 2026
64 of 66 checks passed
@penalosa penalosa deleted the penalosa/package-version-lint branch June 1, 2026 16:00
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk Jun 1, 2026