build: pin devDependencies to caret ranges instead of latest#38
Conversation
Replace `latest` with caret ranges matching the versions currently resolved in bun.lock for all 10 devDependencies, including semantic-release and its plugins (publish path), typescript, and @biomejs/biome. Prevents a lockfile regeneration from silently pulling a new major into the build/release pipeline. Verified: bun install --frozen-lockfile leaves bun.lock unchanged; biome, tsc --noEmit, and bun test (113 pass) all green. Closes #20 Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com>
Greptile SummaryPins all 10
Confidence Score: 5/5Configuration-only change that only updates version specifiers; no runtime code is touched and both package.json and bun.lock are kept in sync. The change is mechanical — every 'latest' is replaced with a caret range whose base matches the already-resolved lockfile entry, and the lockfile's workspace metadata is updated in the same commit. There is no executable code modification, and the PR description confirms bun install --frozen-lockfile, lint, type-check, and the full test suite all pass. No files require special attention.
|
| Filename | Overview |
|---|---|
| package.json | Replaces "latest" with caret ranges for all 10 devDependencies; versions match the lockfile-resolved entries in bun.lock. |
| bun.lock | Workspace metadata in the lockfile updated from "latest" to the matching caret ranges, keeping it in sync with package.json. |
| docs/specs/issue-20-pin-devdependencies-to-ranges-instead-of-latest.md | New implementation plan artifact documenting the rationale, acceptance criteria, and verification steps for this change. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[package.json\ndevDependencies] -->|was 'latest'| B[Non-reproducible\nfresh installs]
A -->|now caret ranges\ne.g. ^6.0.2| C[Reproducible ranges]
C --> D[bun.lock\nworkspace metadata\nalso updated]
D --> E{bun install\n--frozen-lockfile}
E -->|exit 0, no churn| F[CI passes ✓]
E -->|lockfile diverges| G[CI fails — catches drift]
Reviews (2): Last reviewed commit: "build: reconcile bun.lock workspace spec..." | Re-trigger Greptile
|
@claude check the comment |
|
Claude finished @beogip's task in 1m 35s —— View job Checked the review comment ✅Greptile flagged that I verified both claims locally on this branch:
Verdict: Greptile was right about the cosmetic divergence but wrong about the consequence. Frozen-lockfile integrity is validated against the resolved package versions (which all satisfy the new caret ranges), not against the original specifier strings stored in That said, the divergence is real and worth tidying, so I reconciled it:
The lockfile is now fully consistent with |
The lockfile's workspaces block still recorded "latest" for the 10 devDependencies pinned to caret ranges in package.json. Running a non-frozen `bun install` updates only those specifier strings — no resolved versions or integrity hashes change. `bun install --frozen-lockfile` already passed before this commit; this only removes the cosmetic metadata divergence flagged in review. Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com>
Summary
Pins all 10
devDependenciesthat usedlatestto caret ranges, matching the versions currently resolved inbun.lock. This includessemantic-releaseand its plugins (which run in the publish path),typescript, and@biomejs/biome— exactly the packages called out in the issue.Reproducibility was protected today by
bun.lock+bun install --frozen-lockfile, but a lockfile regeneration could silently pull a new major into the build/release pipeline. Caret ranges close that gap while still allowing minor/patch updates.@arethetypeswrong/cli^0.18.3@biomejs/biome^2.4.10bun-types^1.3.11dts-bundle-generator^9.5.1lefthook^2.1.4semantic-release^25.0.3@semantic-release/changelog^6.0.3@semantic-release/git^10.0.1@semantic-release/github^12.0.8@semantic-release/npm^13.1.5typescript^6.0.2zodwas already^4.0.0and is left untouched.Verification
bun install --frozen-lockfile→ exit 0,bun.lockunchanged (every caret base matches the lockfile-resolved version)bunx biome check .→ passbunx tsc --noEmit→ passbun test→ 113 pass / 0 failFiles changed
package.json—latest→ caret ranges indevDependenciesdocs/specs/issue-20-...md— implementation plan artifactPlan level: lean · depth: medium
Closes #20
Generated with Claude Code