…ingle hoisted family) — supersedes #81
Dependabot #81 did a surgical lockfile edit that nested @vue/compiler-* at
3.5.35 under sub-packages while the hoisted root vue/@VUE stayed at 3.5.33.
Two copies of vue in one tree severs reactivity → empty renders → toast.spec.ts
"Mock called 0 times" failures on test:coverage.
This regenerates package-lock.json from scratch (rm -rf node_modules
package-lock.json && npm install), yielding a single hoisted vue family at
3.5.35 across the whole workspace. No package.json range edits — the ^3.5.33
carets already permit 3.5.35. Lockfile-only.
The clean regen also collapses a pre-existing packages/router nested 3.5.35
split present on main; the regenerated tree has zero packages/*/node_modules
entries.
Audit-gate preservation: the naive regen floated Stryker's transitive
typed-rest-client 2.3.0 → 2.3.1, which exact-pins the vulnerable qs@6.15.1
(GHSA-q8mj-m7cp-5q26) — clobbering the curation PR #100 landed on main. Held
typed-rest-client at 2.3.0 (its ^6.14.1 qs range resolves to patched 6.15.2)
via npm audit fix, lockfile-only, restoring `npm audit` = 0 vulnerabilities.
No package.json change.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Goosterhof
added
the
Agent Review Requested
jasperboerhof
left a comment
Supersedes Dependabot #81
Dependabot PR #81 (
bump vue 3.5.33 → 3.5.35) is RED on CI:npm run test:coveragefails inpackages/toast/tests/toast.spec.tswith "expected Mock to be called 1 times, but got 0 times" — components render empty. This PR supersedes #81 with a clean lockfile regeneration.Root cause — Vue-family version split
Dependabot did a surgical lockfile edit: per-package
vuebumped to 3.5.35 with a second@vue/compiler-*family nested at 3.5.35 under sub-packages, while the hoisted rootvue/@vue/server-renderer/@vue/runtime-corestayed at 3.5.33. Two copies ofvuein one tree → severed reactivity → the test renderer mounts a component wired to a different reactivity runtime than the test's reactive state → updates never propagate → empty renders →Mock called 0 times.npm dedupedoes not fix it; only a clean lockfile regeneration does.Fix — clean lockfile regen (lockfile-only)
No
package.jsonrange edits — the^3.5.33carets already permit 3.5.35. Single hoisted vue@3.5.35 across the whole npm-workspaces monorepo. Diff ispackage-lock.jsononly.Lockfile grep proof (single hoisted family)
grep -nE '"(node_modules|packages/[^/]+/node_modules)/(vue|@vue/(server-renderer|runtime-core|compiler-core))"' package-lock.jsonBefore (main): split — hoisted root 3.5.33 + nested
packages/routerfamily 3.5.35:After (this PR): single hoisted family, zero nested copies:
grep -cE '"packages/[^/]+/node_modules/' package-lock.json→ 0 (whole workspace fully hoisted).Audit-gate preservation (transitive regression the regen exposed)
A naive clean regen floated Stryker's transitive
typed-rest-client2.3.0 → 2.3.1 (both within~2.3.0).2.3.1exact-pins the vulnerableqs@6.15.1(GHSA-q8mj-m7cp-5q26), clobbering the curation PR #100 landed onmain(which holdstyped-rest-client@2.3.0→qs@^6.14.1→ patched 6.15.2) and turning thenpm auditCI gate RED.Held
typed-rest-client@2.3.0vianpm audit fix(lockfile-only, no package.json change), restoringqs@6.15.2andnpm audit= 0 vulnerabilities. The vue bump and #100's qs curation now coexist. (npm ciinstalls strictly from the lockfile, so CI cannot re-float the pin.)Gate matrix
npm auditformat:checklintbuildtypechecktest:coveragetoast.spec.ts27/27lint:pkgmain's lockfile (verified via stash); decoupled from the lockfile (driven byscripts/lint-pkg.mjstext gate, not dependency versions). Documented standing item (queue #63 / #70).test:coveragetoast.spec.ts: RED on #81 (Mock called 0 times) → GREEN here (27/27).Stryker mutation skipped per Medic SOP — a lockfile-only dev-dep bump does not move the mutation surface.
🤖 Generated with Claude Code