chore(deps): fix ssh2 transitive dep on node-gyp

[Tobbe]

ssh2 fails to declare node-gyp as a dep, even though it uses it. This leads to errors like these in our CI:

➤ YN0000: │ cypress@npm:13.17.0 STDOUT
➤ YN0000: │ cpu-features@npm:0.0.10 STDOUT COPY Release/cpu_features.a
➤ YN0000: │ cpu-features@npm:0.0.10 STDOUT CXX(target) Release/obj.target/cpufeatures/src/binding.o
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR In file included from ../src/binding.cc:1:
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR /home/runner/.cache/node-gyp/24.14.0/include/node/node.h:1356:7: warning: cast between incompatible function types from ‘void ()(Nan::ADDON_REGISTER_FUNCTION_ARGS_TYPE)’ {aka ‘void ()(v8::Localv8::Object)’} to ‘node::addon_register_func’ {aka ‘void ()(v8::Localv8::Object, v8::Localv8::Value, void)’} [-Wcast-function-type]
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR 1356 | (node::addon_register_func) (regfunc),
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR /home/runner/.cache/node-gyp/24.14.0/include/node/node.h:1390:3: note: in expansion of macro ‘NODE_MODULE_X’
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR 1390 | NODE_MODULE_X(modname, regfunc, NULL, 0) // NOLINT (readability/null_usage)
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR | ^~~~~~~~~~~~~
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR ../src/binding.cc:151:1: note: in expansion of macro ‘NODE_MODULE’
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR 151 | NODE_MODULE(cpufeatures, init)
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR | ^~~~~~~~~~~
➤ YN0000: │ cpu-features@npm:0.0.10 STDOUT SOLINK_MODULE(target) Release/obj.target/cpufeatures.node
➤ YN0000: │ cpu-features@npm:0.0.10 STDOUT COPY Release/cpufeatures.node
➤ YN0000: │ cpu-features@npm:0.0.10 STDOUT make: Leaving directory '/home/runner/work/cedar/cedar/node_modules/cpu-features/build'
➤ YN0000: │ cpu-features@npm:0.0.10 STDERR gyp info ok
➤ YN0007: │ prisma@npm:7.5.0 [24afe] must be built because it never has been before or the last one failed
➤ YN0007: │ ssh2@npm:1.17.0 must be built because it never has been before or the last one failed
➤ YN0000: │ ssh2@npm:1.17.0 STDOUT Usage Error: Couldn't find a script name "node-gyp" in the top-level (used by ssh2@npm:1.17.0). This typically happens because some package depends on "node-gyp" to build itself, but didn't list it in their dependencies. To fix that, please run "yarn add node-gyp" into your top-level workspace. You also can open an issue on the repository of the specified package to suggest them to use an optional peer dependency.
➤ YN0000: │ ssh2@npm:1.17.0 STDOUT

This PR fixes this by using yarn's packageExtensions field

[netlify]

✅ Deploy Preview for cedarjs canceled.

Name	Link
🔨 Latest commit	b674109
🔍 Latest deploy log	https://app.netlify.com/projects/cedarjs/deploys/69c133aaebbd7e0008567b46

[greptile-apps]

Greptile Summary

This PR fixes a missing transitive dependency issue where ssh2 uses node-gyp during its native build step but fails to declare it as a dependency, causing CI failures. The fix correctly uses Yarn Berry's packageExtensions mechanism in .yarnrc.yml to inject node-gyp: '*' as a dependency of ssh2@*, which is the idiomatic approach recommended by Yarn for patching third-party package manifests.

• Added packageExtensions in .yarnrc.yml to augment ssh2@* with a node-gyp dependency.
• yarn.lock gains a new node-gyp@npm:* entry resolving to 12.2.0 (a minor bump from the existing ^12.1.0 → 12.1.0 entry already in the lockfile) plus tar@npm:^7.5.4 → 7.5.12 as its transitive dep.

Confidence Score: 5/5

• This PR is safe to merge — it applies a minimal, targeted fix using the standard Yarn Berry mechanism with no logic changes.
• The change is a single, well-understood Yarn packageExtensions entry that patches a known upstream packaging omission in ssh2. The approach is the officially recommended Yarn Berry pattern for exactly this scenario. The lockfile additions are mechanically generated and consistent with the config change. There are no logic, security, or correctness concerns.
• No files require special attention.

Important Files Changed

Filename	Overview
.yarnrc.yml	Adds a packageExtensions block to inject node-gyp as a dependency of ssh2@*, fixing the missing transitive dependency that caused CI build failures.
yarn.lock	Adds lockfile entries for node-gyp@npm:* (resolves to 12.2.0) and its new transitive dependency tar@npm:^7.5.4 (resolves to 7.5.12) as a result of the packageExtensions change.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["cypress@13.17.0"] --> B["ssh2@1.17.0"]
    B --> C["cpu-features@0.0.10\n(native addon)"]
    C -->|"requires binary"| D["node-gyp\n(build tool)"]
    D -.->|"was MISSING\nfrom ssh2 deps"| B

    E[".yarnrc.yml\npackageExtensions"] -->|"injects\nnode-gyp: '*'"| B

    style D fill:#f66,color:#fff
    style E fill:#4a4,color:#fff

Loading

_{Reviews (1): Last reviewed commit: "chore(deps): fix ssh2 transitive dep on ..." | Re-trigger Greptile}

[nx-cloud]

🤖 Nx Cloud AI Fix

Ensure the fix-ci command is configured to always run in your CI pipeline to get automatic fixes in future runs. For more information, please see https://nx.dev/ci/features/self-healing-ci

---

View your CI Pipeline Execution ↗ for commit b674109

Command	Status	Duration	Result
nx run-many -t build:pack --exclude create-ceda...	✅ Succeeded	2s	View ↗
nx run-many -t build	✅ Succeeded	4s	View ↗
nx run-many -t test --minWorkers=1 --maxWorkers=4	✅ Succeeded	4m 25s	View ↗
nx run-many -t test:types	✅ Succeeded	13s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-03-23 13:03:29 UTC

[github-actions]

The changes in this PR are now available on npm.

Try them out by running yarn cedar upgrade -t 4.0.0-canary.13660