fix: pin devDependencies to exact versions in package.json#760
fix: pin devDependencies to exact versions in package.json#760xiaolai wants to merge 1 commit intogoogleworkspace:mainfrom
Conversation
The caret ranges on @changesets/cli and lefthook allow any compatible minor or patch upgrade to be silently installed. An unreviewed update could introduce regressions or supply-chain risk. Pinning to exact versions ensures every dependency change is an explicit, reviewable commit. Co-Authored-By: Claude Code <noreply@anthropic.com>
🦋 Changeset detectedLatest commit: 71f64a6 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request improves supply-chain security and build reproducibility by pinning development dependencies to exact versions. By removing caret ranges, the project ensures that environments remain consistent and that all dependency updates are intentional and subject to code review. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request pins the development dependencies @changesets/cli and lefthook to exact versions in package.json to ensure consistent environments and prevent unreviewed updates. A changeset file has been added to document this change. I have no feedback to provide.
1 participant
package.jsonuses caret ranges (^) for both@changesets/cliandlefthookindevDependencies. Caret ranges allow any compatible minor or patch version to be installed without an explicit update commit. This means:pnpm installin a fresh environment (e.g., a new developer machine or a CI ephemeral runner without a cache) can silently pull in a newer version than the one tested.Pinning to exact versions (
2.29.8and2.1.2) ensures that every dependency upgrade is a deliberate, reviewable change. The existingpnpm-lock.yamlalready records exact resolved versions; this change makespackage.jsonconsistent with that intent.