
Pin dependency versions to lockfile values#1435

Merged
JamieMagee merged 1 commit into master from pin-dependency-versions
Jan 26, 2026

Conversation

@JamieMagee
Contributor

Replaces semver ranges (^, ~) in package.json with exact versions from package-lock.json.

Why?

Running npm install instead of npm ci can pull in newer versions that satisfy the range. This happens when the lock file gets deleted, regenerated, or when someone troubleshoots by clearing node_modules.

Since Dependabot handles weekly updates, pinning versions means every dependency change goes through a reviewed PR rather than happening silently.

Changes

  • Updated all dependency versions to match package-lock.json
  • Kept GitHub refs unchanged (e.g., github:clearlydefined/spdx#v0.1.10)
  • Regenerated package-lock.json

Closes #1434

Replaces semver ranges (^, ~) with exact versions from package-lock.json.
Dependabot handles updates, so pinning prevents unexpected version drift
when npm install runs instead of npm ci.

Closes #1434

Copilot AI left a comment


Pull request overview

This PR pins all npm dependency and devDependency versions in package.json to the exact versions currently recorded in package-lock.json to avoid unreviewed version drift when using npm install. This makes dependency updates fully Dependabot-driven and reviewable.

Changes:

  • Replaced semver ranges (^, ~) for runtime dependencies with exact version numbers.
  • Replaced semver ranges for devDependencies with exact version numbers.
  • Left GitHub-based dependency references unchanged.


@JamieMagee JamieMagee merged commit 241d545 into master Jan 26, 2026
4 checks passed
@JamieMagee JamieMagee deleted the pin-dependency-versions branch January 26, 2026 21:58
qtomlinson added a commit to qtomlinson/crawler that referenced this pull request Apr 6, 2026
Replace all semver ranges (^ and ~) in package.json with exact versions resolved from package-lock.json, including the lzma-native override.

This ensures unreviewed dependency drift cannot occur when npm install is used instead of npm ci — all version updates will go through Dependabot-driven, reviewed PRs.

The root package entry in package-lock.json now reflects the exact pinned versions from package.json, including updates like debug 4.4.3, extend 3.0.2, and winston 3.19.0.

Similar to clearlydefined/service#1435.


Development

Successfully merging this pull request may close these issues.

Pin dependency versions in package.json

3 participants