Bumps the npm_and_yarn group with 1 update in the /app directory: [esbuild](https://github.com/evanw/esbuild).

Updates `esbuild` from 0.21.5 to 0.27.2
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md)
- [Commits](evanw/esbuild@v0.21.5...v0.27.2)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.27.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
…_and_yarn-a9e5fb3b87 Bump esbuild from 0.21.5 to 0.27.2 in /app in the npm_and_yarn group across 1 directory
Completed: Working on "Code Review" ✅ Review submitted: COMMENT. Total comments: 2 across 2 files.
Important: Review skipped. Auto reviews are disabled on base/target branches other than the default branch.
Dependency Review ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Thanks for the upgrade work. The current diff still has blocking issues: app/package.json doesn’t declare the higher Node baseline that Vite 7.3.0 now enforces, so contributors on Node 18 will fail at runtime, and the two npm lockfiles resolve different Rollup versions, which breaks reproducible installs. Please address these before merging.
| "typescript": "^5.8.3", | ||
| "typescript-eslint": "^8.38.0", | ||
| "vite": "^5.4.19" | ||
| "vite": "^7.3.0" |
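Review bot: The vite entry in this hunk moves a direct dependency from ^5.4.19 to ^7.3.0, two major versions, while the commit message describes only an esbuild bump with dependency-type: indirect. Retitle the PR to name the Vite upgrade, or split it into its own change, so the major-version jump is visible in the history and gets its own migration check.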
[MAJOR]: Manifest does not enforce new Node ≥20.19 requirement
Upgrading Vite to 7.3.0 bumps the tooling baseline to Node ^20.19 (see the new engine range in the lockfile), but app/package.json still advertises no engines.node. Contributors who remain on the previously supported Node 18 will now discover the incompatibility only after npm run dev/build crashes, which makes the upgrade brittle and hard to triage.
Suggested fix: add an "engines": { "node": ">=20.19" } block (and mirror the change in onboarding docs/CI images) so installs fail fast on unsupported runtimes.
| "esbuild": "^0.21.3", | ||
| "postcss": "^8.4.43", | ||
| "rollup": "^4.20.0" | ||
| "esbuild": "^0.27.0", |
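Review bot: The esbuild range in this hunk goes from ^0.21.3 to ^0.27.0, and for 0.x versions a caret range only admits patch releases within the same minor, so this crosses six minor lines that semver allows to be breaking. Check whether any build script or plugin in the repo calls esbuild directly and still passes cleanly on 0.27 before merging; the hunk as shown also lists "rollup": "^4.20.0" without its replacement, so the new rollup range should be confirmed in the full lockfile.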
[MAJOR]: Root and app lockfiles disagree on rollup version
This lockfile now resolves rollup through Vite 7.3.0’s dependency chain to 4.53.3, but app/package-lock.json still pins 4.53.2. Running npm ci at the repo root and then inside app/ produces different native rollup binaries, which breaks reproducible builds and has bitten us before on ARM runners.
Suggested fix: regenerate both lockfiles in a single install (e.g., delete them and run npm install once from the repo root) so they both resolve to the same rollup version before merging.
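The lockfile disagreement described in the comment above can be checked mechanically before merge. The following is an added example, not code from this PR or from either review tool: the function names and the two sample lockfile objects are constructed, and only the Vite 7.3.0 and rollup 4.53.3 / 4.53.2 versions are taken from the comment.

```javascript
// Map package name -> Set of resolved versions from a lockfile's "packages"
// section (npm lockfileVersion 2 and 3). Keys are install paths such as
// "node_modules/vite/node_modules/rollup"; the name follows the last marker.
function resolvedVersions(lock) {
  const marker = "node_modules/";
  const byName = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    // Skip the root project entry, workspace folders and symlinked entries.
    if (idx === -1 || entry.link || !entry.version) continue;
    const name = path.slice(idx + marker.length);
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(entry.version);
  }
  return byName;
}

// Packages that both lockfiles resolve, but to different sets of versions.
function lockfileDrift(rootLock, appLock) {
  const root = resolvedVersions(rootLock);
  const app = resolvedVersions(appLock);
  const drift = [];
  for (const [name, versions] of root) {
    if (!app.has(name)) continue;
    const left = [...versions].sort();
    const right = [...app.get(name)].sort();
    if (left.join() !== right.join()) drift.push({ name, root: left, app: right });
  }
  return drift.sort((x, y) => (x.name < y.name ? -1 : 1));
}

// Constructed sample lockfiles, trimmed to the fields the check reads.
// In a real run these come from JSON.parse of each package-lock.json.
const sampleRootLock = { lockfileVersion: 3, packages: {
  "": { name: "example-root" },
  "node_modules/vite": { version: "7.3.0" },
  "node_modules/rollup": { version: "4.53.3" },
  "node_modules/@rollup/rollup-linux-arm64-gnu": { version: "4.53.3", optional: true },
} };
const sampleAppLock = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/vite": { version: "7.3.0" },
  "node_modules/rollup": { version: "4.53.2" },
  "node_modules/@rollup/rollup-linux-arm64-gnu": { version: "4.53.2", optional: true },
} };

for (const d of lockfileDrift(sampleRootLock, sampleAppLock)) {
  console.log(`${d.name}: root=${d.root.join(",")} app=${d.app.join(",")}`);
}
```

Run as a CI step, a non-empty result is a reason to fail the job before `npm ci` produces diverging native binaries on different runners.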
Summary:
2 MAJOR comments posted addressing Node version requirement updates and lockfile inconsistency. Key themes: Toolchain Node version alignment, Reproducible dependency versions. Next steps: declare engines node>=20.19 in package.json and update docs; update CI workflows to use Node 20.19+; regenerate root and app lockfiles to converge rollup version. No blocking issues, but please address before merging.
| "typescript": "^5.8.3", | ||
| "typescript-eslint": "^8.38.0", | ||
| "vite": "^5.4.19" | ||
| "vite": "^7.3.0" |
No description provided.