
chore: test release-it preview #799

Merged
wochinge merged 1 commit into main from try-release-it-preview-a795932
May 4, 2026

Conversation

@wochinge (Contributor) commented May 4, 2026

Summary

  • Updates release-it to the preview build requested in release-it issue #1295.
  • Refreshes the pnpm lockfile for the preview dependency and its transitive dependency changes.

Greptile Summary

This PR replaces the stable release-it@^19.0.4 npm dependency with an ephemeral preview tarball (https://pkg.pr.new/release-it@a795932) to test an upstream preview build. The resulting lockfile churn upgrades all transitive @inquirer/* packages to their next major versions (requiring Node ≥20.12) and bumps @octokit/* packages to versions requiring Node ≥20; CI uses Node 24, so no CI breakage is expected.

  • The preview URL in package.json must not be merged to main: pkg.pr.new builds are transient and could become unavailable, breaking reproducible installs.

Confidence Score: 3/5

Not safe to merge to main — contains a temporary preview URL dependency that must be reverted before landing.

A P1 finding is present: the release-it entry is an ephemeral preview tarball URL that will break reproducible installs if merged and the URL later disappears. The PR author acknowledges this is intentional for testing only, but the risk of accidental merge keeps confidence below 4.

package.json — contains the preview URL dependency that must be reverted to a stable semver before any merge to main.

Important Files Changed

Filename | Overview
package.json | Swaps release-it from stable semver ^19.0.4 to an ephemeral preview tarball URL https://pkg.pr.new/release-it@a795932; intentional for testing but must not be merged to main.
pnpm-lock.yaml | Lockfile reflects the preview release-it URL, a jiti bump (2.5.1→2.6.1), all @inquirer/* packages upgraded to major-bumped v5/v6/v8 versions (Node ≥20.12 required), and corresponding @octokit/* bumps (Node ≥20 required). CI uses Node 24 so these requirements are satisfied.

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[package.json - release-it preview URL] --> B[pnpm-lock.yaml updated]
    B --> C[inquirer packages v5 to v8 - Node 20.12 min]
    B --> D[octokit packages bumped - Node 20 min]
    B --> E[jiti 2.5.1 to 2.6.1]
    C --> F{CI Node version - Node 24}
    D --> F
    E --> F
    F -->|passes| G[CI green]
    A -->|must not merge to main| H[Revert to stable semver before landing]
```
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
package.json:67
**Preview URL dependency must not be merged to main**

`release-it` is pinned to an ephemeral preview tarball URL (`https://pkg.pr.new/release-it@a795932`) rather than a versioned npm package. `pkg.pr.new` preview builds are transient and can be deleted or expire, so any future `pnpm install --frozen-lockfile` or reproducibility requirement could break once this URL is gone. The PR description itself flags this — please make sure this branch is not accidentally merged to `main` without reverting to a stable semver reference (e.g. `^19.0.4` or the next stable release).

Reviews (1): Last reviewed commit: "chore: test release-it preview"

Greptile also left 1 inline comment on this PR.

Use the preview build requested in release-it#1295 to validate the GitHub release asset upload changes.

Co-Authored-By: Codex Opus 4.6 (1M context) <noreply@anthropic.com>
@vercel bot commented May 4, 2026

Project | Deployment | Actions | Updated (UTC)
langfuse-js | Ready | Preview | May 4, 2026 11:14am

@github-actions bot commented May 4, 2026

@claude review

Comment thread: package.json

@chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 062e659719

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread: package.json

@claude bot left a comment

Deferring to a human — the description asks for confirmation that pinning release-it to a pkg.pr.new preview URL is intentional, and that decision should be made by a maintainer.

Extended reasoning

Overview

The PR changes a single devDependency in package.json: release-it is moved from ^19.0.4 to a tarball URL https://pkg.pr.new/release-it@a795932 (a preview build hosted on pkg.pr.new). The pnpm lockfile is regenerated with the resulting transitive dependency churn (octokit, inquirer, ora, proxy-agent, etc.), but no source code in packages/* is touched.

Security risks

The main concern is supply-chain: pkg.pr.new serves PR-built tarballs from a third-party CDN, and the dependency is pinned by short commit hash (a795932) rather than by integrity hash in the manifest itself (the lockfile does carry an integrity entry). This dependency runs only at release time and only on a maintainer machine / CI release job, so blast radius is limited to release tooling — but it still has access to npm publish credentials when invoked. There are no runtime/published-package implications since release-it is dev-only.

Level of scrutiny

Low-to-moderate. The diff is mechanical (one specifier change + lockfile regen) and contained to dev tooling. The reason this needs a human is policy, not correctness: the PR title says "test", and the author's own "Review Focus" note explicitly asks a reviewer to confirm the preview dependency "should not be merged permanently unless intended." That's a judgment call I shouldn't make on the maintainer's behalf.

Other factors

No bugs were surfaced by the bug hunting system. The lockfile churn is large but consistent with a single root-dependency bump and its transitive pulls, so I don't see anything anomalous in it.

@wochinge wochinge had a problem deploying to protected branches May 4, 2026 11:40 — with GitHub Actions Failure
@wochinge wochinge enabled auto-merge (squash) May 4, 2026 11:40
@wochinge wochinge merged commit 4532f7c into main May 4, 2026
16 of 17 checks passed
@wochinge wochinge deleted the try-release-it-preview-a795932 branch May 4, 2026 11:40
wochinge added a commit that referenced this pull request May 4, 2026