fix: pin all dependencies to exact versions (#1634)

* chore: add syncpack for dependency version management

- Add syncpack as dev dependency
- Configure semver groups to enforce exact versions (no ^ or ~)
- Add prebuild script to validate pinned dependencies

* fix: pin all dependencies to exact versions

Remove caret (^) and tilde (~) ranges from all dependencies
to prevent supply chain attacks from automatic dependency updates.
All dependencies are now pinned to their currently resolved versions.

This affects:
- All workspace packages (cli, compiler, locales, logging, react, sdk, spec)
- Demo applications (adonisjs, next-app, react-router-app, vite-project)
- Integrations (directus)
- Legacy packages

* chore: add version field to private packages

Add version: 1.0.0 to packages that were missing it:
- demo/react-router-app
- scripts/docs

Required for syncpack validation to pass.

* chore: enforce dependency pinning in build pipeline

Add prebuild hook that runs syncpack lint to validate all dependencies
are pinned to exact versions. Build will fail if any ^ or ~ ranges are
detected, preventing unpinned dependencies from being introduced.

* chore: add changeset for dependency pinning

* chore: update lockfile with exact version specifiers

* fix: update dependencies to resolve critical security vulnerabilities

Updated packages to fix CVEs:
- vitest: 2.1.8 → 3.2.4 (CVE: RCE vulnerability)
- @directus/extensions-sdk: 12.1.4 → 17.0.3 (includes rollup, axios, form-data fixes)
- glob: 11.0.0 → 11.1.0 (CVE: command injection)

Security improvements:
- 3 critical vulnerabilities → 0
- 4 high severity → 0
- 40 moderate → 27
- 28 low → 25

All updated dependencies pinned to exact versions.

* ci: update Node.js version to 20.19 for directus compatibility

* test: fix vitest v4 compatibility in compiler tests

Updated test mocking syntax for vitest v4:
- Replace vi.mocked() with vi.hoisted() for ESM module mocks
- Use vi.fn() factories in hoisted scope for fs and prettier mocks
- Fix PostHog mock to use function declaration for proper constructor mocking
- Mock LCPCache.writeLocaleDictionary in server tests to prevent filesystem access

All 226 tests now pass with vitest v4.0.13.

* fix: correct package name in changeset

Author: maxprilutskiy

.changeset/pin-dependencies.md

@@ -0,0 +1,11 @@
+---
+"lingo.dev": minor
+"@lingo.dev/_compiler": minor
+"@lingo.dev/_locales": minor
+"@lingo.dev/_logging": minor
+"@lingo.dev/_react": minor
+"@lingo.dev/_sdk": minor
+"@lingo.dev/_spec": minor
+---
+
+Pin all dependencies to exact versions to prevent supply chain attacks. Dependencies no longer use caret (^) or tilde (~) ranges, ensuring full control over version updates and requiring explicit review of all dependency changes.

.github/workflows/pr-check.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: "20.17"
+          node-version: "20.19"
 
       - name: Install pnpm
         uses: pnpm/action-setup@v4

.syncpackrc.json

@@ -0,0 +1,9 @@
+{
+  "semverGroups": [
+    {
+      "dependencies": ["**"],
+      "dependencyTypes": ["prod", "dev"],
+      "range": ""
+    }
+  ]
+}

demo/adonisjs/package.json

@@ -30,42 +30,42 @@
     "#config/*": "./config/*.js"
   },
   "devDependencies": {
-    "@adonisjs/assembler": "^7.8.2",
-    "@adonisjs/eslint-config": "^2.0.0",
-    "@adonisjs/tsconfig": "^1.4.0",
-    "@japa/assert": "^4.0.1",
-    "@japa/plugin-adonisjs": "^4.0.0",
-    "@japa/runner": "^4.2.0",
-    "@swc/core": "1.11.24",
-    "@types/node": "^22.15.18",
-    "@types/react": "^19.1.8",
-    "@types/react-dom": "^19.1.6",
-    "@vitejs/plugin-react": "^4.7.0",
-    "eslint": "^9.26.0",
-    "hot-hook": "^0.4.0",
-    "pino-pretty": "^13.0.0",
-    "ts-node-maintained": "^10.9.5",
-    "typescript": "~5.8.3",
-    "vite": "^6.3.5"
+    "@adonisjs/assembler": "7.8.2",
+    "@adonisjs/eslint-config": "2.1.2",
+    "@adonisjs/tsconfig": "1.4.1",
+    "@japa/assert": "4.1.1",
+    "@japa/plugin-adonisjs": "4.0.0",
+    "@japa/runner": "4.4.0",
+    "@swc/core": "1.15.3",
+    "@types/node": "22.15.18",
+    "@types/react": "19.2.7",
+    "@types/react-dom": "19.2.3",
+    "@vitejs/plugin-react": "4.7.0",
+    "eslint": "9.39.1",
+    "hot-hook": "0.4.0",
+    "pino-pretty": "13.1.2",
+    "ts-node-maintained": "10.9.6",
+    "typescript": "5.9.3",
+    "vite": "6.3.5"
   },
   "dependencies": {
-    "@adonisjs/auth": "^9.4.0",
-    "@adonisjs/core": "^6.18.0",
-    "@adonisjs/cors": "^2.2.1",
-    "@adonisjs/inertia": "^3.1.1",
-    "@adonisjs/lucid": "^21.6.1",
-    "@adonisjs/session": "^7.5.1",
-    "@adonisjs/shield": "^8.2.0",
-    "@adonisjs/static": "^1.1.1",
-    "@adonisjs/vite": "^4.0.0",
-    "@inertiajs/react": "^2.0.17",
+    "@adonisjs/auth": "9.5.1",
+    "@adonisjs/core": "6.19.1",
+    "@adonisjs/cors": "2.2.1",
+    "@adonisjs/inertia": "3.1.1",
+    "@adonisjs/lucid": "21.8.1",
+    "@adonisjs/session": "7.5.1",
+    "@adonisjs/shield": "8.2.0",
+    "@adonisjs/static": "1.1.1",
+    "@adonisjs/vite": "4.0.0",
+    "@inertiajs/react": "2.2.18",
     "@lingo.dev/_compiler": "workspace:^",
-    "@vinejs/vine": "^3.0.1",
-    "edge.js": "^6.2.1",
+    "@vinejs/vine": "3.0.1",
+    "edge.js": "6.3.0",
     "lingo.dev": "workspace:*",
-    "react": "^19.1.0",
-    "react-dom": "^19.1.0",
-    "reflect-metadata": "^0.2.2"
+    "react": "19.2.0",
+    "react-dom": "19.2.0",
+    "reflect-metadata": "0.2.2"
   },
   "hotHook": {
     "boundaries": [

demo/next-app/package.json

@@ -10,19 +10,19 @@
   },
   "dependencies": {
     "lingo.dev": "workspace:*",
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0",
-    "next": "15.3.1"
+    "next": "15.3.1",
+    "react": "19.2.0",
+    "react-dom": "19.2.0"
   },
   "devDependencies": {
-    "typescript": "^5",
-    "@types/node": "^20",
-    "@types/react": "^19",
-    "@types/react-dom": "^19",
-    "@tailwindcss/postcss": "^4",
-    "tailwindcss": "^4",
-    "eslint": "^9",
+    "@eslint/eslintrc": "3",
+    "@tailwindcss/postcss": "4.1.17",
+    "@types/node": "20.19.25",
+    "@types/react": "19.2.7",
+    "@types/react-dom": "19.2.3",
+    "eslint": "9.39.1",
     "eslint-config-next": "15.3.1",
-    "@eslint/eslintrc": "^3"
+    "tailwindcss": "4.1.17",
+    "typescript": "5.9.3"
   }
 }

demo/react-router-app/package.json

@@ -1,5 +1,6 @@
 {
   "name": "react-router-app",
+  "version": "1.0.0",
   "private": true,
   "type": "module",
   "scripts": {
@@ -9,23 +10,23 @@
     "typecheck": "react-router typegen && tsc"
   },
   "dependencies": {
+    "@react-router/node": "7.9.6",
+    "@react-router/serve": "7.9.6",
+    "isbot": "5.1.32",
     "lingo.dev": "workspace:*",
-    "@react-router/node": "^7.5.3",
-    "@react-router/serve": "^7.5.3",
-    "isbot": "^5.1.27",
-    "react": "^19.1.0",
-    "react-dom": "^19.1.0",
-    "react-router": "^7.5.3"
+    "react": "19.2.0",
+    "react-dom": "19.2.0",
+    "react-router": "7.9.6"
   },
   "devDependencies": {
-    "@react-router/dev": "^7.5.3",
-    "@tailwindcss/vite": "^4.1.4",
-    "@types/node": "^20",
-    "@types/react": "^19.1.2",
-    "@types/react-dom": "^19.1.2",
-    "tailwindcss": "^4.1.4",
-    "typescript": "^5.8.3",
-    "vite": "^6.3.3",
-    "vite-tsconfig-paths": "^5.1.4"
+    "@react-router/dev": "7.9.6",
+    "@tailwindcss/vite": "4.1.17",
+    "@types/node": "20.19.25",
+    "@types/react": "19.2.7",
+    "@types/react-dom": "19.2.3",
+    "tailwindcss": "4.1.17",
+    "typescript": "5.9.3",
+    "vite": "6.3.3",
+    "vite-tsconfig-paths": "5.1.4"
   }
 }

demo/vite-project/package.json

@@ -10,22 +10,22 @@
     "preview": "vite preview"
   },
   "dependencies": {
-    "@vitejs/plugin-react": "^4.4.1",
-    "react": "^19.1.0",
-    "react-dom": "^19.1.0"
+    "@vitejs/plugin-react": "4.4.1",
+    "react": "19.2.0",
+    "react-dom": "19.2.0"
   },
   "devDependencies": {
-    "@eslint/js": "^9.25.0",
-    "@types/react": "^19.1.2",
-    "@types/react-dom": "^19.1.2",
-    "@vitejs/plugin-react-swc": "^3.9.0",
-    "eslint": "^9.25.0",
-    "eslint-plugin-react-hooks": "^5.2.0",
-    "eslint-plugin-react-refresh": "^0.4.19",
-    "globals": "^16.0.0",
+    "@eslint/js": "9.39.1",
+    "@types/react": "19.2.7",
+    "@types/react-dom": "19.2.3",
+    "@vitejs/plugin-react-swc": "3.9.0",
+    "eslint": "9.39.1",
+    "eslint-plugin-react-hooks": "5.2.0",
+    "eslint-plugin-react-refresh": "0.4.24",
+    "globals": "16.5.0",
     "lingo.dev": "workspace:*",
-    "typescript": "~5.8.3",
-    "typescript-eslint": "^8.30.1",
-    "vite": "^6.3.5"
+    "typescript": "5.9.3",
+    "typescript-eslint": "8.48.0",
+    "vite": "6.3.5"
   }
 }

integrations/directus/package.json

@@ -28,12 +28,12 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@replexica/sdk": "^0.7.7"
+    "@replexica/sdk": "0.7.7"
   },
   "devDependencies": {
-    "@directus/extensions-sdk": "12.1.4",
-    "tsup": "^8.3.5",
-    "typescript": "^5.8.3",
-    "vitest": "^2.1.8"
+    "@directus/extensions-sdk": "17.0.3",
+    "tsup": "8.5.1",
+    "typescript": "5.9.3",
+    "vitest": "4.0.13"
   }
 }

legacy/cli/package.json

@@ -22,7 +22,7 @@
   "author": "",
   "license": "Apache-2.0",
   "dependencies": {
-    "lingo.dev": "*"
+    "lingo.dev": "0.116.5"
   },
   "deprecated": "Replexica is now Lingo.dev! Please use our new CLI package by running: npx lingo.dev@latest. Visit https://lingo.dev for the latest features and documentation."
 }

legacy/sdk/package.json

@@ -16,7 +16,7 @@
   "author": "",
   "license": "Apache-2.0",
   "dependencies": {
-    "lingo.dev": "*"
+    "lingo.dev": "0.116.5"
   },
   "deprecated": "Replexica is now Lingo.dev! Please use our new SDK package by running: npm install lingo.dev. Visit https://lingo.dev for the latest features and documentation."
 }