chore: refresh transitive deps via tightened pnpm overrides#2053
Bumps the root `turbo` devDependency from ^2.8.21 to ^2.9.14 and adds ranged overrides under `pnpm.overrides` so transitive deps move to in-range patched releases. Each override is bounded by a version range so other majors continue to resolve to their own latest. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds ranged `pnpm.overrides` to the isolated otel-v1 and otel-v2 test environments so transitive deps move to in-range patched releases. Uses per-major version ranges (e.g. `vite@>=8.0.0 <8.0.5: ^8.0.5`) to preserve the multi-major testing intent of these environments. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds ranged `pnpm.overrides` to both otel-js example sub-apps so transitive deps move to in-range patched releases. Also adds an `@opentelemetry/sdk-node` override to displace an old transitive pulled in by `@vercel/otel@0.1.0`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps `uuid` (and matching `@types/uuid`) from ^9.0.0 to ^11.1.1
across the temporal-ai-sdk, temporal-cjs, and temporal-esm examples.
v11.x still ships both CJS and ESM and preserves the named-export API
used in the example clients (`import { v4 as uuid } from "uuid"`).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8698fc8e7d
| "@tootallnate/once@>=3.0.0 <3.0.1": "^3.0.1", | ||
| "@tootallnate/once@<2.0.1": "^2.0.1", | ||
| "@opentelemetry/sdk-node@<0.217.0": "^0.217.0", | ||
| "@opentelemetry/auto-instrumentations-node@<0.75.0": "^0.75.0", |
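Review bot: `@tootallnate/once@<2.0.1` has no lower bound, so a dependent that asks for a 1.x release is matched too and moved to `^2.0.1`, a major-version change; the 3.x line directly above it uses the bounded form `>=3.0.0 <3.0.1`, which is the per-major convention the commit messages describe ("other majors continue to resolve to their own latest"). Bound it the same way: `"@tootallnate/once@>=2.0.0 <2.0.1": "^2.0.1"`. The two `@opentelemetry` selectors below (`<0.217.0`, `<0.75.0`) are unbounded as well; the `sdk-node` one is described as deliberately displacing an old transitive, so it would help to say in the PR body which selectors intentionally depart from the per-major rule and why.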
Regenerate scenario lockfiles with matching overrides
The scenario manifest declares @opentelemetry/auto-instrumentations-node@<0.75.0 -> ^0.75.0, but the adjacent committed lockfile records the override as @opentelemetry/auto-instrumentations-node@<0.217.0 -> ^0.217.0. pnpm validates the lockfile's overrides against package.json during frozen installs, so prepareScenarioDir/CI installs for this scenario fail before the test runs; the same copied mismatch appears in the other refreshed e2e scenario manifests such as ai-sdk-instrumentation, cohere, google-adk, and openai-agents.
Adds a per-scenario `pnpm.overrides` block to each e2e scenario so transitive deps move to in-range patched releases. Each scenario gets only the overrides relevant to its own dependency tree, kept as ranged overrides (e.g. `hono@>=4.0.0 <4.12.18: ^4.12.18`) so the bump only fires on the intended subrange. Scenarios covered: ai-sdk-instrumentation, ai-sdk-otel-export, cohere-instrumentation, cursor-sdk-instrumentation, genkit-instrumentation, github-copilot-instrumentation, google-adk-instrumentation, google-genai-instrumentation, langgraph-auto-instrumentation, mistral-instrumentation, openai-agents-instrumentation, wrap-langchain-js-traces. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps `next` from 16.2.1 to 16.2.6 in the next-16 auto-instrumentation scenario and adds a postcss override (<8.5.10 → ^8.5.10). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
(force-pushed 8698fc8 to ac02b07)
Reinstalls each affected e2e scenario incrementally on top of its existing lockfile so only the override-driven bumps land (e.g. `ws` moves to 8.20.1+, `hono` to 4.12.18+) and unrelated transitives (`zod`, `node-abi`, etc.) keep their prior pins. Without this, a full `pnpm install` after `rm pnpm-lock.yaml` was also re-resolving unrelated packages to their latest, which broke recorded HTTP cassettes (notably mistral-instrumentation, where `zod` drifted 4.3.6 → 4.4.3 and the resulting request bytes no longer matched the cassette). Also restores `pnpm.onlyBuiltDependencies: ["sqlite3"]` in cursor-sdk-instrumentation/package.json (it was inadvertently dropped when the `pnpm` block was rewritten with just the trimmed overrides). That allowlist is required so pnpm 10 runs sqlite3's prebuild-install script under `--ignore-scripts=false` installs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Abhijeet Prasad (AbhiPrasad) left a comment:
can we run pnpm dedupe before merging this in?
Runs `pnpm dedupe --ignore-workspace` in each e2e scenario and commits the resulting consolidations. Four scenarios had duplicate package entries that collapse cleanly (mostly `@protobufjs/*` patch-version pairs and a `@opentelemetry/api-logs` peer-resolution duplicate); the rest were already deduped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ockfile The previous incremental refresh left `svelte` pinned at 5.53.6 in the lockfile even though the scenario declares a `svelte@<5.55.7: ^5.55.7` override — pnpm prefers existing lockfile pins over override-driven re-resolution unless the lockfile is regenerated. Switch the override to the permissive unscoped form (`svelte: ^5.55.7`) and regenerate the lockfile so it lands at 5.55.9. `zod` stays at 3.25.76 (cassette-stable). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@AbhiPrasad Done. 🙂
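Three things go wrong in this thread that can be caught before a frozen install: an override selector with no lower bound (the `<2.0.1` shape), a lockfile whose recorded `overrides:` block no longer matches `package.json` (the mismatch the Codex review flagged), and a locked version the override never moved (the `svelte` 5.53.6 pin above). The script below is an added example, not code from this PR or its project. It assumes the simple pnpm-lock.yaml shape in which overrides sit under a top-level `overrides:` key and packages under `packages:` as `name@version:` entries, parses only that shape, and falls back to constructed sample input (`SAMPLE_PKG`, `SAMPLE_LOCK`, illustrative values) when no paths are given; the function names are the example's own.

```javascript
// check-overrides.js: added example, not code from this PR or its project.
// Cross-checks package.json "pnpm.overrides" against pnpm-lock.yaml for
// (1) selectors with an upper bound but no lower bound (cross-major bumps),
// (2) a lockfile "overrides:" block that differs from package.json, which
// makes a frozen install fail, and (3) locked versions the override never moved.
// Assumes the simple lockfile shape: top-level "overrides:" and "packages:"
// sections whose direct children are "name@version:" keys.
'use strict';

const parseVersion = (v) => {                       // "1.2.3" -> [1, 2, 3] or null
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m && m.slice(1, 4).map(Number);
};
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};
// "@scope/name@<1.2.3" -> { name, range }; split on the last "@" past index 0
// so scoped names survive. A key with no selector applies to every version.
const splitSelector = (key) => {
  const at = key.lastIndexOf('@');
  return at > 0 ? { name: key.slice(0, at), range: key.slice(at + 1).trim() }
                : { name: key, range: '*' };
};
// Comparator ranges only (">=8.0.0 <8.0.5", "<2.0.1"); a space means AND.
const OPS = { '>=': (r) => r >= 0, '>': (r) => r > 0, '<=': (r) => r <= 0,
              '<': (r) => r < 0, '=': (r) => r === 0 };
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  return range === '*' || range.split(/\s+/).every((c) => {
    const [, op = '=', ver] = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
    const bound = parseVersion(ver);
    return !!bound && OPS[op](cmp(v, bound));
  });
}
const unquote = (s) => s.replace(/^'(.*)'$/, '$1');
// "key: value" with an optionally single-quoted key (pnpm quotes "@scope" keys).
const splitKeyValue = (line) => {
  const m = /^('[^']*'|[^:]*):\s*(.*)$/.exec(line);
  return [unquote(m[1]), unquote(m[2])];
};
function parseLockfile(text) {
  const overrides = {}, locked = [];
  let section = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim(), indent = raw.length - raw.trimStart().length;
    if (!line) continue;
    if (indent === 0) section = line.replace(/:$/, '');
    else if (indent !== 2) continue;                // only direct children
    else if (section === 'overrides') { const [k, v] = splitKeyValue(line); overrides[k] = v; }
    else if (section === 'packages') {              // "name@1.2.3(peer@x):" -> name, 1.2.3
      const { name, range: version } = splitSelector(unquote(line.replace(/:$/, '')).replace(/\(.*$/, ''));
      locked.push({ name, version });
    }
  }
  return { overrides, locked };
}
function checkOverrides(pkgOverrides, lockfileText) {
  const lock = parseLockfile(lockfileText);
  const unboundedSelectors = [], lockfileMismatches = [], notApplied = [];
  for (const [key, replacement] of Object.entries(pkgOverrides)) {
    const { range } = splitSelector(key);
    if (/(^|\s)</.test(range) && !/(^|\s)>/.test(range)) unboundedSelectors.push(key);
    if (!(key in lock.overrides)) lockfileMismatches.push(`missing in lockfile: ${key}`);
    else if (lock.overrides[key] !== replacement)
      lockfileMismatches.push(`${key}: package.json ${replacement} vs lockfile ${lock.overrides[key]}`);
  }
  for (const key of Object.keys(lock.overrides))
    if (!(key in pkgOverrides)) lockfileMismatches.push(`not in package.json: ${key}`);
  for (const { name, version } of lock.locked)
    for (const key of Object.keys(pkgOverrides)) {
      const sel = splitSelector(key);
      if (sel.name === name && sel.range !== '*' && satisfies(version, sel.range))
        notApplied.push(`${name}@${version} still matches ${key}`);
    }
  return { unboundedSelectors, lockfileMismatches, notApplied };
}
// Constructed sample input: the auto-instrumentations-node mismatch the review
// flagged and the svelte pin the later commit describes (values illustrative).
const SAMPLE_PKG = {
  '@opentelemetry/auto-instrumentations-node@<0.75.0': '^0.75.0',
  '@tootallnate/once@>=3.0.0 <3.0.1': '^3.0.1',
  '@tootallnate/once@<2.0.1': '^2.0.1',
  'svelte@<5.55.7': '^5.55.7',
};
const SAMPLE_LOCK = `lockfileVersion: '9.0'
overrides:
  '@opentelemetry/auto-instrumentations-node@<0.217.0': ^0.217.0
  '@tootallnate/once@>=3.0.0 <3.0.1': ^3.0.1
  '@tootallnate/once@<2.0.1': ^2.0.1
  svelte@<5.55.7: ^5.55.7
packages:
  '@tootallnate/once@2.0.1':
    resolution: {integrity: sha512-constructed}
  svelte@5.53.6:
    resolution: {integrity: sha512-constructed}
`;
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs'), [pkgPath, lockPath] = process.argv.slice(2);
  const pkg = pkgPath ? ((JSON.parse(fs.readFileSync(pkgPath, 'utf8')).pnpm || {}).overrides || {}) : SAMPLE_PKG;
  const lock = lockPath ? fs.readFileSync(lockPath, 'utf8') : SAMPLE_LOCK;
  console.log(JSON.stringify(checkOverrides(pkg, lock), null, 2));
}
```

Run it as `node check-overrides.js package.json pnpm-lock.yaml` inside a scenario directory. An empty `lockfileMismatches` is the precondition `pnpm install --frozen-lockfile` needs; a non-empty `notApplied` is the symptom the `svelte` commit describes, a lockfile pin that an incremental reinstall kept even though the override should have moved it; and `unboundedSelectors` lists the keys that depart from the per-major `>=a <b` convention, which is acceptable only where that is deliberate.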
…arios (#2068)

## Summary

Follow-up to #2053. Three more e2e scenarios pick up the same per-scenario `pnpm.overrides` pattern:

- `mastra-instrumentation` — new scenario added after #2053 merged, didn't have overrides yet. Bumps `hono`, `fast-uri`, `ip-address`, `ws`, `uuid`, `qs` transitives.
- `nextjs-instrumentation` — skipped in #2053 under the next-14 scope decision; now picks up the protobufjs/@protobufjs/utf8 transitive bumps (pulled via `@vercel/otel`'s `@opentelemetry/otlp-transformer` chain). Direct-`next` alerts were dismissed separately and stay dismissed.
- `nextjs-auto-instrumentation/versions/next-14` — mirrors the `postcss` override already applied to the sibling `next-16` directory.

Same conventions as #2053:

- Ranged-selector overrides (`pkg@<patched: ^patched`) so only the vulnerable subrange is bumped.
- Incremental lockfile refresh (`rm node_modules && pnpm install --ignore-workspace`) — preserves unrelated transitive pins so cassettes / structural snapshots stay valid.

Three commits, one per scenario. Build passes locally (`pnpm run build` — 9/9 turbo tasks).

## Commits

| Commit |
|---|
| `chore: refresh mastra-instrumentation lockfile and add pnpm overrides` |
| `chore: refresh nextjs-instrumentation lockfile and add protobufjs overrides` |
| `chore: add postcss override to next-14 auto-instrumentation scenario` |

## Test plan

- [x] `pnpm run build` passes (turbo, 9/9 successful)
- [x] `pnpm install --frozen-lockfile --ignore-workspace` passes in each touched scenario
- [ ] CI runs hermetic test suite and e2e replay

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

- Refreshes `pnpm-lock.yaml` files across the monorepo and tightens `pnpm.overrides` so transitive deps resolve to in-range patched releases.
- Ranged-selector overrides (e.g. `vite@>=8.0.0 <8.0.5: ^8.0.5`) so a bump only fires on the intended subrange — preserves each lockfile's deliberate multi-version coverage (notably the otel-v1/otel-v2 split and the multi-version e2e scenarios).
- Build passes locally (`pnpm run build` — 9/9 turbo tasks).

## Commits

| Commit |
|---|
| `chore: refresh root lockfile and tighten pnpm overrides` |
| `chore: refresh otel-v1/v2 lockfiles and tighten pnpm overrides` |
| `chore: refresh otel-js example lockfiles and tighten pnpm overrides` |
| `chore: bump uuid to ^11.1.1 in temporal-js examples` |
| `chore: refresh e2e scenario lockfiles and tighten pnpm overrides` |
| `chore: bump next-16 e2e scenario to next@16.2.6` |

## Test plan

- [x] `pnpm run build` passes (turbo, 9/9 successful)
- Hermetic test suite (`pnpm run test`, `test:checks`)
- e2e replay (`pnpm run test:e2e`)

🤖 Generated with Claude Code