From 71f64a6a7f9c8a57b033947d1d048fb81c3ea506 Mon Sep 17 00:00:00 2001
From: "claude[bot]"
Date: Sat, 25 Apr 2026 12:20:37 +0000
Subject: [PATCH] fix: pin devDependencies to exact versions in package.json

The caret ranges on @changesets/cli and lefthook allow any compatible minor or patch upgrade to be silently installed. An unreviewed update could introduce regressions or supply-chain risk. Pinning to exact versions ensures every dependency change is an explicit, reviewable commit.
Co-Authored-By: Claude Code
---
 .changeset/fix-pin-dev-deps.md | 5 +++++
 package.json | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/fix-pin-dev-deps.md
diff --git a/.changeset/fix-pin-dev-deps.md b/.changeset/fix-pin-dev-deps.md
new file mode 100644
index 00000000..1f13a38e
--- /dev/null
+++ b/.changeset/fix-pin-dev-deps.md
@@ -0,0 +1,5 @@
+---
+"@googleworkspace/cli": patch
+---
+
+Pin devDependencies to exact versions to prevent unreviewed minor/patch updates
diff --git a/package.json b/package.json
index 2a556aad..4906e2dd 100644
--- a/package.json
+++ b/package.json
@@ -51,7 +51,7 @@
 "rust"
 ],
 "devDependencies": {
- "@changesets/cli": "^2.29.8",
- "lefthook": "^2.1.2"
+ "@changesets/cli": "2.29.8",
+ "lefthook": "2.1.2"
 }
 }
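Review bot: Exact versions on `"@changesets/cli": "2.29.8"` and `"lefthook": "2.1.2"` pin only the two direct packages; everything they depend on is still resolved by range at install time, so the commit message's claim that every dependency change becomes a reviewable commit holds only if a lockfile is committed and CI installs from it in frozen mode (for npm, `npm ci`). No lockfile change is visible in this patch, so that should be confirmed before relying on the pin as a supply-chain control. To stop the caret ranges from coming back the next time someone adds a dev dependency, consider also committing an `.npmrc` with `save-exact=true`. Exact pins stop receiving security fixes automatically, so they are best paired with a reviewed update process such as a dependency-update bot. The top-level object of `package.json` starts outside this hunk, so fields such as `packageManager` or `overrides` could not be checked from here.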