
Commit 48fab66

fix: pin all dependencies to exact versions (#1634)
* chore: add syncpack for dependency version management - Add syncpack as dev dependency - Configure semver groups to enforce exact versions (no ^ or ~) - Add prebuild script to validate pinned dependencies * fix: pin all dependencies to exact versions Remove caret (^) and tilde (~) ranges from all dependencies to prevent supply chain attacks from automatic dependency updates. All dependencies are now pinned to their currently resolved versions. This affects: - All workspace packages (cli, compiler, locales, logging, react, sdk, spec) - Demo applications (adonisjs, next-app, react-router-app, vite-project) - Integrations (directus) - Legacy packages * chore: add version field to private packages Add version: 1.0.0 to packages that were missing it: - demo/react-router-app - scripts/docs Required for syncpack validation to pass. * chore: enforce dependency pinning in build pipeline Add prebuild hook that runs syncpack lint to validate all dependencies are pinned to exact versions. Build will fail if any ^ or ~ ranges are detected, preventing unpinned dependencies from being introduced. * chore: add changeset for dependency pinning * chore: update lockfile with exact version specifiers * fix: update dependencies to resolve critical security vulnerabilities Updated packages to fix CVEs: - vitest: 2.1.8 → 3.2.4 (CVE: RCE vulnerability) - @directus/extensions-sdk: 12.1.4 → 17.0.3 (includes rollup, axios, form-data fixes) - glob: 11.0.0 → 11.1.0 (CVE: command injection) Security improvements: - 3 critical vulnerabilities → 0 - 4 high severity → 0 - 40 moderate → 27 - 28 low → 25 All updated dependencies pinned to exact versions. 
* ci: update Node.js version to 20.19 for directus compatibility * test: fix vitest v4 compatibility in compiler tests Updated test mocking syntax for vitest v4: - Replace vi.mocked() with vi.hoisted() for ESM module mocks - Use vi.fn() factories in hoisted scope for fs and prettier mocks - Fix PostHog mock to use function declaration for proper constructor mocking - Mock LCPCache.writeLocaleDictionary in server tests to prevent filesystem access All 226 tests now pass with vitest v4.0.13. * fix: correct package name in changeset
1 parent 389190b commit 48fab66

24 files changed

Lines changed: 6760 additions & 5506 deletions


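--- a/.changeset/pin-dependencies.md
+++ b/.changeset/pin-dependencies.md
@@ -0,0 +1,11 @@
+---
+"lingo.dev": minor
+"@lingo.dev/_compiler": minor
+"@lingo.dev/_locales": minor
+"@lingo.dev/_logging": minor
+"@lingo.dev/_react": minor
+"@lingo.dev/_sdk": minor
+"@lingo.dev/_spec": minor
+---
+
+Pin all dependencies to exact versions to prevent supply chain attacks. Dependencies no longer use caret (^) or tilde (~) ranges, ensuring full control over version updates and requiring explicit review of all dependency changes.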

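--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
-node-version: "20.17"
+node-version: "20.19"
 
 - name: Install pnpm
 uses: pnpm/action-setup@v4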
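Review bot: `node-version: "20.19"` still floats — setup-node resolves a major.minor to the newest matching patch release at run time, so CI toolchain updates arrive unreviewed even though every package.json in this commit is now exact; if the pinning policy is meant to cover CI, use the full patch release that was actually tested, e.g. `node-version: "20.19.<patch>"`. The same hunk's `uses: actions/setup-node@v4` and `uses: pnpm/action-setup@v4` are mutable major tags, the GitHub Actions analogue of a caret range and a better-known supply-chain vector than patch bumps of npm packages; pin each to a full commit SHA with the tag kept in a trailing comment, `uses: actions/setup-node@<full-commit-sha> # v4`. A github-actions entry in Dependabot or Renovate keeps such SHA pins current without reintroducing floating tags.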

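--- a/.syncpackrc.json
+++ b/.syncpackrc.json
@@ -0,0 +1,9 @@
+{
+"semverGroups": [
+{
+"dependencies": ["**"],
+"dependencyTypes": ["prod", "dev"],
+"range": ""
+}
+]
+}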
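Review bot: The semver group is limited to `"dependencyTypes": ["prod", "dev"]`, so `peerDependencies`, `optionalDependencies` and any overrides/resolutions present in the workspace are outside the exact-version rule that the prebuild lint is meant to enforce; if the lint is the supply-chain gate, add the remaining dependency types syncpack supports (peer ranges are often wide on purpose, so a separate group with its own policy may be the right shape). Exact pins in package.json only constrain direct dependencies — transitive versions remain whatever the lockfile records — so the protection described in the changeset rests on CI installing with a frozen lockfile and on lockfile changes being reviewed, which is worth stating next to this config. Strict JSON leaves no room for a comment here, so the rationale belongs in the README or the changeset rather than in this file.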

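--- a/demo/adonisjs/package.json
+++ b/demo/adonisjs/package.json
@@ -30,42 +30,42 @@
 "#config/*": "./config/*.js"
 },
 "devDependencies": {
-"@adonisjs/assembler": "^7.8.2",
-"@adonisjs/eslint-config": "^2.0.0",
-"@adonisjs/tsconfig": "^1.4.0",
-"@japa/assert": "^4.0.1",
-"@japa/plugin-adonisjs": "^4.0.0",
-"@japa/runner": "^4.2.0",
-"@swc/core": "1.11.24",
-"@types/node": "^22.15.18",
-"@types/react": "^19.1.8",
-"@types/react-dom": "^19.1.6",
-"@vitejs/plugin-react": "^4.7.0",
-"eslint": "^9.26.0",
-"hot-hook": "^0.4.0",
-"pino-pretty": "^13.0.0",
-"ts-node-maintained": "^10.9.5",
-"typescript": "~5.8.3",
-"vite": "^6.3.5"
+"@adonisjs/assembler": "7.8.2",
+"@adonisjs/eslint-config": "2.1.2",
+"@adonisjs/tsconfig": "1.4.1",
+"@japa/assert": "4.1.1",
+"@japa/plugin-adonisjs": "4.0.0",
+"@japa/runner": "4.4.0",
+"@swc/core": "1.15.3",
+"@types/node": "22.15.18",
+"@types/react": "19.2.7",
+"@types/react-dom": "19.2.3",
+"@vitejs/plugin-react": "4.7.0",
+"eslint": "9.39.1",
+"hot-hook": "0.4.0",
+"pino-pretty": "13.1.2",
+"ts-node-maintained": "10.9.6",
+"typescript": "5.9.3",
+"vite": "6.3.5"
 },
 "dependencies": {
-"@adonisjs/auth": "^9.4.0",
-"@adonisjs/core": "^6.18.0",
-"@adonisjs/cors": "^2.2.1",
-"@adonisjs/inertia": "^3.1.1",
-"@adonisjs/lucid": "^21.6.1",
-"@adonisjs/session": "^7.5.1",
-"@adonisjs/shield": "^8.2.0",
-"@adonisjs/static": "^1.1.1",
-"@adonisjs/vite": "^4.0.0",
-"@inertiajs/react": "^2.0.17",
+"@adonisjs/auth": "9.5.1",
+"@adonisjs/core": "6.19.1",
+"@adonisjs/cors": "2.2.1",
+"@adonisjs/inertia": "3.1.1",
+"@adonisjs/lucid": "21.8.1",
+"@adonisjs/session": "7.5.1",
+"@adonisjs/shield": "8.2.0",
+"@adonisjs/static": "1.1.1",
+"@adonisjs/vite": "4.0.0",
+"@inertiajs/react": "2.2.18",
 "@lingo.dev/_compiler": "workspace:^",
-"@vinejs/vine": "^3.0.1",
-"edge.js": "^6.2.1",
+"@vinejs/vine": "3.0.1",
+"edge.js": "6.3.0",
 "lingo.dev": "workspace:*",
-"react": "^19.1.0",
-"react-dom": "^19.1.0",
-"reflect-metadata": "^0.2.2"
+"react": "19.2.0",
+"react-dom": "19.2.0",
+"reflect-metadata": "0.2.2"
 },
 "hotHook": {
 "boundaries": [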
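Review bot: `"@swc/core": "1.15.3"` is not a pin of the currently resolved version — the old entry `"@swc/core": "1.11.24"` was already exact, so its resolved version was 1.11.24 and this line is an unlisted upgrade of a compiler that ships native binaries; the commit message names only vitest, @directus/extensions-sdk and glob as deliberate upgrades. Either restore `"@swc/core": "1.11.24"` or record the bump and its reason in the changeset so it receives the explicit review the changeset promises for every dependency change. `"@lingo.dev/_compiler": "workspace:^"` is left as a range; that is a workspace link rather than a registry fetch, so it is harmless for the supply-chain goal, but it is worth confirming that the syncpack lint accepts it deliberately rather than by accident.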

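--- a/demo/next-app/package.json
+++ b/demo/next-app/package.json
@@ -10,19 +10,19 @@
 },
 "dependencies": {
 "lingo.dev": "workspace:*",
-"react": "^19.0.0",
-"react-dom": "^19.0.0",
-"next": "15.3.1"
+"next": "15.3.1",
+"react": "19.2.0",
+"react-dom": "19.2.0"
 },
 "devDependencies": {
-"typescript": "^5",
-"@types/node": "^20",
-"@types/react": "^19",
-"@types/react-dom": "^19",
-"@tailwindcss/postcss": "^4",
-"tailwindcss": "^4",
-"eslint": "^9",
+"@eslint/eslintrc": "3",
+"@tailwindcss/postcss": "4.1.17",
+"@types/node": "20.19.25",
+"@types/react": "19.2.7",
+"@types/react-dom": "19.2.3",
+"eslint": "9.39.1",
 "eslint-config-next": "15.3.1",
-"@eslint/eslintrc": "^3"
+"tailwindcss": "4.1.17",
+"typescript": "5.9.3"
 }
 }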
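Review bot: `"@eslint/eslintrc": "3"` on the new side is not an exact version: npm's semver treats a bare major as the range `>=3.0.0 <4.0.0`, so this entry still floats and contradicts the changeset text — the caret was dropped but the entry was never pinned, unlike every neighbouring line. Pin it to the concrete 3.x.y release recorded in pnpm-lock.yaml, `"@eslint/eslintrc": "3.<minor>.<patch>"`. If the prebuild `syncpack lint` accepted this value, the check does not catch bare-major ranges and that gap deserves a test before the hook is relied on as a gate.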

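--- a/demo/react-router-app/package.json
+++ b/demo/react-router-app/package.json
@@ -1,5 +1,6 @@
 {
 "name": "react-router-app",
+"version": "1.0.0",
 "private": true,
 "type": "module",
 "scripts": {
@@ -9,23 +10,23 @@
 "typecheck": "react-router typegen && tsc"
 },
 "dependencies": {
+"@react-router/node": "7.9.6",
+"@react-router/serve": "7.9.6",
+"isbot": "5.1.32",
 "lingo.dev": "workspace:*",
-"@react-router/node": "^7.5.3",
-"@react-router/serve": "^7.5.3",
-"isbot": "^5.1.27",
-"react": "^19.1.0",
-"react-dom": "^19.1.0",
-"react-router": "^7.5.3"
+"react": "19.2.0",
+"react-dom": "19.2.0",
+"react-router": "7.9.6"
 },
 "devDependencies": {
-"@react-router/dev": "^7.5.3",
-"@tailwindcss/vite": "^4.1.4",
-"@types/node": "^20",
-"@types/react": "^19.1.2",
-"@types/react-dom": "^19.1.2",
-"tailwindcss": "^4.1.4",
-"typescript": "^5.8.3",
-"vite": "^6.3.3",
-"vite-tsconfig-paths": "^5.1.4"
+"@react-router/dev": "7.9.6",
+"@tailwindcss/vite": "4.1.17",
+"@types/node": "20.19.25",
+"@types/react": "19.2.7",
+"@types/react-dom": "19.2.3",
+"tailwindcss": "4.1.17",
+"typescript": "5.9.3",
+"vite": "6.3.3",
+"vite-tsconfig-paths": "5.1.4"
 }
 }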
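Review bot: The new pins freeze cross-package drift: `"vite": "6.3.3"` here versus `6.3.5` in demo/adonisjs and demo/vite-project in this same commit, and `@vitejs/plugin-react` is likewise split between 4.4.1 and 4.7.0 across the demos. Exact pins make such splits permanent, so the workspace ships two patch levels of the same build tool and every future advisory has to be checked against both. syncpack's version-consistency check (its original purpose) exists for exactly this; aligning to one version, `"vite": "6.3.5"`, and running that check next to the semver lint in the prebuild hook would close it.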

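--- a/demo/vite-project/package.json
+++ b/demo/vite-project/package.json
@@ -10,22 +10,22 @@
 "preview": "vite preview"
 },
 "dependencies": {
-"@vitejs/plugin-react": "^4.4.1",
-"react": "^19.1.0",
-"react-dom": "^19.1.0"
+"@vitejs/plugin-react": "4.4.1",
+"react": "19.2.0",
+"react-dom": "19.2.0"
 },
 "devDependencies": {
-"@eslint/js": "^9.25.0",
-"@types/react": "^19.1.2",
-"@types/react-dom": "^19.1.2",
-"@vitejs/plugin-react-swc": "^3.9.0",
-"eslint": "^9.25.0",
-"eslint-plugin-react-hooks": "^5.2.0",
-"eslint-plugin-react-refresh": "^0.4.19",
-"globals": "^16.0.0",
+"@eslint/js": "9.39.1",
+"@types/react": "19.2.7",
+"@types/react-dom": "19.2.3",
+"@vitejs/plugin-react-swc": "3.9.0",
+"eslint": "9.39.1",
+"eslint-plugin-react-hooks": "5.2.0",
+"eslint-plugin-react-refresh": "0.4.24",
+"globals": "16.5.0",
 "lingo.dev": "workspace:*",
-"typescript": "~5.8.3",
-"typescript-eslint": "^8.30.1",
-"vite": "^6.3.5"
+"typescript": "5.9.3",
+"typescript-eslint": "8.48.0",
+"vite": "6.3.5"
 }
 }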

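--- a/integrations/directus/package.json
+++ b/integrations/directus/package.json
@@ -28,12 +28,12 @@
 },
 "license": "Apache-2.0",
 "dependencies": {
-"@replexica/sdk": "^0.7.7"
+"@replexica/sdk": "0.7.7"
 },
 "devDependencies": {
-"@directus/extensions-sdk": "12.1.4",
-"tsup": "^8.3.5",
-"typescript": "^5.8.3",
-"vitest": "^2.1.8"
+"@directus/extensions-sdk": "17.0.3",
+"tsup": "8.5.1",
+"typescript": "5.9.3",
+"vitest": "4.0.13"
 }
 }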
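Review bot: `"vitest": "4.0.13"` on the new side does not match the commit description, which lists the remediation as `vitest: 2.1.8 → 3.2.4` and only later mentions v4.0.13; the description's version list should read `vitest: 2.1.8 → 4.0.13` so the CVE remediation claim matches what is installed and audited. Both vitest and @directus/extensions-sdk are devDependencies, so these fixes reduce exposure of developer machines and CI rather than of the published extension, whose only runtime dependency `@replexica/sdk` is merely re-pinned at `0.7.7`; stating that scope in the changeset avoids overclaiming. The 12 → 17 jump of @directus/extensions-sdk is presumably a build-output change as much as a security fix and warrants a separate look at the produced extension bundle.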

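--- a/legacy/cli/package.json
+++ b/legacy/cli/package.json
@@ -22,7 +22,7 @@
 "author": "",
 "license": "Apache-2.0",
 "dependencies": {
-"lingo.dev": "*"
+"lingo.dev": "0.116.5"
 },
 "deprecated": "Replexica is now Lingo.dev! Please use our new CLI package by running: npx lingo.dev@latest. Visit https://lingo.dev for the latest features and documentation."
 }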
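Review bot: `"lingo.dev": "0.116.5"` freezes this deprecated forwarding package at a single release. Previously `*` resolved to the newest lingo.dev at install time; a consumer who still installs the legacy package now gets 0.116.5 indefinitely unless legacy/cli is republished, which its own `deprecated` text suggests will not happen, so those users miss precisely the security updates this commit is chasing. Either keep the legacy shims in their own syncpack group that permits a range (for instance `"range": "^"` scoped to `legacy/**`, if the lint supports package-scoped groups) or extend the deprecation message to say the package is frozen at 0.116.5 and migration is required. legacy/sdk/package.json carries the identical change.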

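--- a/legacy/sdk/package.json
+++ b/legacy/sdk/package.json
@@ -16,7 +16,7 @@
 "author": "",
 "license": "Apache-2.0",
 "dependencies": {
-"lingo.dev": "*"
+"lingo.dev": "0.116.5"
 },
 "deprecated": "Replexica is now Lingo.dev! Please use our new SDK package by running: npm install lingo.dev. Visit https://lingo.dev for the latest features and documentation."
 }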
