fix(deps): downgrade write-file-atomic 8.0.0→7.0.1 to match supported node range#155
Merged
write-file-atomic@8.0.0 requires node ^22.22.2 || ^24.15.0 || >=26.0.0, which
excludes node 20 and node 22.0-22.22.1 — contradicting the repo's declared
engines (root >=22.0.0, cli >=20.0.0) and the Verify Global Install matrix
(node 20/22/24). With engineStrict: true this surfaces as EBADENGINE on
npm install -g and a hard failure on the node-20 leg.
7.0.1 supports ^20.17.0 || >=22.9.0, covering the full matrix. API usage
(wfa(path, content), {raw:true}) is unchanged since v4; @types/write-file-atomic@4.0.3
still applies. write-file-atomic became 8.0.0 via Dependabot consolidation #91,
not a deliberate security bump; no advisories on the package.
Pinned in cli, analysis, ingestion, wiki.
theagenticguy added a commit that referenced this pull request on May 29, 2026:
…157)

## Summary

`@opencodehub/ingestion` → `@graphty/algorithms@1.7.1` → `pupt` → `@homebridge/node-pty-prebuilt-multiarch`, whose `install` script runs `prebuild-install` (a `github.com/.../releases` fetch). That tripped **Verify Global Install gate 2** (no GHCR/postinstall fetches) on the macOS legs, and dragged node-pty's `prebuild-install`/`glob` deprecation warnings into `npm install -g @opencodehub/cli`. This is the gate-2 failure that's been keeping macOS red even after the nvm fix (#152).

## Why vendoring (and not an override)

- `@graphty/algorithms` is genuinely used — `communities.ts` runs Leiden community detection. Can't drop it outright.
- But its compiled `dist` has **zero references to `pupt`** — `pupt` is an interactive CLI tool sitting unused in graphty's dependency list, dragging in node-pty.
- **npm `overrides` in a published package are honored only when it's the install ROOT.** Under `npm install -g <tarball>` the tarball is a *dependency* of npm's synthetic root, so its overrides are ignored (verified empirically). The only lever that works at the published boundary is removing `@graphty/algorithms` from the tree.

graphty is MIT (© 2024 Adam Powers). Vendored its Leiden closure (`Graph`, `graphToMap`, `SeededRandom`, `leiden`) into `src/pipeline/phases/vendor/graphty-leiden.ts` with the full license header.

## Changes

- New `vendor/graphty-leiden.ts` (faithful TS port, MIT header)
- `communities.ts`: import swapped to the vendored module (call sites unchanged)
- Removed `@graphty/algorithms` from ingestion deps; deleted dead `graphty.d.ts`
- Removed the now-dead `@homebridge/node-pty-prebuilt-multiarch` `allowBuilds` entry in `pnpm-workspace.yaml`
- Lockfile prunes the graphty → pupt → node-pty subtree (~114 packages)

## Verification

- **Determinism preserved (proven):** parity harness compared the vendored module vs upstream `@graphty/algorithms@1.7.1` across **1750/1750 cases** (25 graph seeds × 14 shapes × 5 leiden seeds) — identical community assignments, modularity, iteration count.
- **Gate 2 passes:** `npm install -g` of all 17 publishable tarballs → zero `github.com/.../releases` / `prebuild-install` lines (was a hard fail before).
- ingestion **602/602**; full recursive pre-push gate (test + typecheck + verdict) green.
- Rebased cleanly over #155 (write-file-atomic): lockfile carries both changes coherently — wfa@7.0.1 present, graphty/pupt/node-pty fully gone.

## Follow-up (not in this PR)

Worth filing upstream: graphty declares `pupt` as a hard `dependency` though its runtime never imports it — should be a devDependency. That would fix this for all graphty consumers.

## Test plan

- [x] 1750/1750 Leiden parity vs upstream
- [x] Gate 2 clean on global install
- [x] ingestion 602/602, recursive suite green
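The commit message above describes a gate that fails a global install when any package in the resolved tree runs an install-time fetch, and traces the offender back through the chain that pulls it in. The following is an added example, not code from the PR or from the opencodehub repository, of that kind of audit: it walks a constructed dependency graph, lists every package with a `preinstall`/`install`/`postinstall` hook, flags hooks that invoke known fetch-or-build tools, and reports the dependency path from the install root to each flagged package. The manifests are constructed for illustration; in particular the `install` script text given for `@homebridge/node-pty-prebuilt-multiarch` is an assumption, not the package's real manifest.

```javascript
// Added example: audit a resolved dependency tree for install-time fetches.
// Not part of the PR or the opencodehub project; all manifests are constructed.

const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Commands that download prebuilt binaries or compile native code at install
// time. Extend this list to match whatever your install gate forbids.
const FETCHERS = [/\bprebuild-install\b/, /\bnode-pre-gyp\b/, /\bnode-gyp\b/, /\bcurl\b/, /\bwget\b/];

// graph: { [name]: { scripts?: {hook: cmd}, dependencies: [names] } }
function findLifecycleScripts(graph) {
  const hits = [];
  for (const [name, pkg] of Object.entries(graph)) {
    for (const hook of LIFECYCLE) {
      const cmd = pkg.scripts && pkg.scripts[hook];
      if (!cmd) continue;
      hits.push({ name, hook, cmd, fetches: FETCHERS.some((re) => re.test(cmd)) });
    }
  }
  return hits;
}

// Shortest dependency path root -> target via BFS; null if target is not
// reachable from the root (i.e. it is no longer part of the installed tree).
function dependencyPath(graph, root, target) {
  const prev = new Map([[root, null]]);
  const queue = [root];
  while (queue.length) {
    const cur = queue.shift();
    if (cur === target) {
      const path = [];
      for (let n = cur; n !== null; n = prev.get(n)) path.unshift(n);
      return path;
    }
    for (const dep of (graph[cur] && graph[cur].dependencies) || []) {
      if (!prev.has(dep)) { prev.set(dep, cur); queue.push(dep); }
    }
  }
  return null;
}

// Only fetching hooks on packages actually reachable from the root count:
// an orphaned manifest left in the graph cannot run during install.
function auditInstallScripts(graph, root) {
  return findLifecycleScripts(graph)
    .filter((h) => h.fetches)
    .map((h) => ({ ...h, path: dependencyPath(graph, root, h.name) }))
    .filter((h) => h.path !== null);
}

// Constructed tree mirroring the chain named in the commit message.
const TREE = {
  "@opencodehub/ingestion": { dependencies: ["@graphty/algorithms", "write-file-atomic"] },
  "@graphty/algorithms": { dependencies: ["pupt"] },
  "pupt": { dependencies: ["@homebridge/node-pty-prebuilt-multiarch"] },
  "@homebridge/node-pty-prebuilt-multiarch": {
    scripts: { install: "prebuild-install || node-gyp rebuild" }, // assumed, not the real manifest
    dependencies: [],
  },
  "write-file-atomic": { dependencies: ["signal-exit"] },
  "signal-exit": { dependencies: [] },
};

// The same tree after @graphty/algorithms is removed (the vendoring fix):
// pupt and node-pty still have manifests but are no longer reachable.
const TREE_AFTER = Object.fromEntries(
  Object.entries(TREE)
    .filter(([name]) => name !== "@graphty/algorithms")
    .map(([name, pkg]) => [name, {
      ...pkg,
      dependencies: pkg.dependencies.filter((d) => d !== "@graphty/algorithms"),
    }])
);

for (const [label, graph] of [["before", TREE], ["after", TREE_AFTER]]) {
  const hits = auditInstallScripts(graph, "@opencodehub/ingestion");
  console.log(label, hits.length === 0 ? "clean" : hits.map((h) => `${h.hook}: ${h.path.join(" -> ")}`));
}
```

On a real checkout the graph comes from `npm ls --all --json` or from reading every `node_modules/**/package.json`; the path output is what tells you which direct dependency to vendor or replace, since, as the commit notes, an `overrides` entry in the published package will not be honored under `npm install -g`.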
theagenticguy pushed a commit that referenced this pull request on May 29, 2026:
🤖 Automated release via release-please

---

<details><summary>analysis: 0.3.2</summary>

## [0.3.2](analysis-v0.3.1...analysis-v0.3.2) (2026-05-29)

### Bug Fixes

* **deps:** downgrade write-file-atomic 8.0.0→7.0.1 to match supported node range ([#155](#155)) ([a723e53](a723e53))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/storage bumped to 0.2.2
    * @opencodehub/wiki bumped to 0.2.2
</details>

<details><summary>cli: 0.5.4</summary>

## [0.5.4](cli-v0.5.3...cli-v0.5.4) (2026-05-29)

### Features

* **cli:** doctor checks vendored wasm grammars + scip indexers (--strict) ([#159](#159)) ([36a241e](36a241e))

### Bug Fixes

* **deps:** downgrade write-file-atomic 8.0.0→7.0.1 to match supported node range ([#155](#155)) ([a723e53](a723e53))
* **scanners:** correct scanner exit-code handling and stop duplicate skip logs ([#156](#156)) ([5d30eb4](5d30eb4))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.2
    * @opencodehub/ingestion bumped to 0.4.4
    * @opencodehub/mcp bumped to 0.4.3
    * @opencodehub/pack bumped to 0.2.3
    * @opencodehub/scanners bumped to 0.2.1
    * @opencodehub/search bumped to 0.2.2
    * @opencodehub/storage bumped to 0.2.2
    * @opencodehub/wiki bumped to 0.2.2
</details>

<details><summary>cobol-proleap: 0.1.8</summary>

## [0.1.8](cobol-proleap-v0.1.7...cobol-proleap-v0.1.8) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/ingestion bumped to 0.4.4
</details>

<details><summary>ingestion: 0.4.4</summary>

## [0.4.4](ingestion-v0.4.3...ingestion-v0.4.4) (2026-05-29)

### Bug Fixes

* **deps:** downgrade write-file-atomic 8.0.0→7.0.1 to match supported node range ([#155](#155)) ([a723e53](a723e53))
* **ingestion:** vendor graphty Leiden to drop node-pty install fetch ([#157](#157)) ([790ca4e](790ca4e))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.2
    * @opencodehub/scip-ingest bumped to 0.2.4
    * @opencodehub/storage bumped to 0.2.2
</details>

<details><summary>mcp: 0.4.3</summary>

## [0.4.3](mcp-v0.4.2...mcp-v0.4.3) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.2
    * @opencodehub/pack bumped to 0.2.3
    * @opencodehub/scanners bumped to 0.2.1
    * @opencodehub/search bumped to 0.2.2
    * @opencodehub/storage bumped to 0.2.2
</details>

<details><summary>pack: 0.2.3</summary>

## [0.2.3](pack-v0.2.2...pack-v0.2.3) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.2
    * @opencodehub/ingestion bumped to 0.4.4
    * @opencodehub/storage bumped to 0.2.2
</details>

<details><summary>scanners: 0.2.1</summary>

## [0.2.1](scanners-v0.2.0...scanners-v0.2.1) (2026-05-29)

### Bug Fixes

* **scanners:** correct scanner exit-code handling and stop duplicate skip logs ([#156](#156)) ([5d30eb4](5d30eb4))
</details>

<details><summary>scip-ingest: 0.2.4</summary>

## [0.2.4](scip-ingest-v0.2.3...scip-ingest-v0.2.4) (2026-05-29)

### Bug Fixes

* **scanners:** correct scanner exit-code handling and stop duplicate skip logs ([#156](#156)) ([5d30eb4](5d30eb4))
* **scip-ingest:** prepend ~/.codehub/bin to indexer spawn PATH ([#160](#160)) ([4418db9](4418db9))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.2
</details>

<details><summary>search: 0.2.2</summary>

## [0.2.2](search-v0.2.1...search-v0.2.2) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/storage bumped to 0.2.2
</details>

<details><summary>storage: 0.2.2</summary>

## [0.2.2](storage-v0.2.1...storage-v0.2.2) (2026-05-29)

### Bug Fixes

* **storage:** retry transient lbug WAL→checkpoint race in bulkLoad ([#161](#161)) ([450714c](450714c))
</details>

<details><summary>wiki: 0.2.2</summary>

## [0.2.2](wiki-v0.2.1...wiki-v0.2.2) (2026-05-29)

### Bug Fixes

* **deps:** downgrade write-file-atomic 8.0.0→7.0.1 to match supported node range ([#155](#155)) ([a723e53](a723e53))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/storage bumped to 0.2.2
</details>

<details><summary>root: 0.6.5</summary>

## [0.6.5](root-v0.6.4...root-v0.6.5) (2026-05-29)

### Features

* **cli:** doctor checks vendored wasm grammars + scip indexers (--strict) ([#159](#159)) ([36a241e](36a241e))

### Bug Fixes

* **ci:** isolate verify-global-install into a per-run npm prefix ([#162](#162)) ([3b59373](3b59373))
* **deps:** bump qs 6.15.1→6.15.2 and tmp 0.2.4→0.2.6 to clear osv findings ([#151](#151)) ([2f798ec](2f798ec))
* **deps:** downgrade write-file-atomic 8.0.0→7.0.1 to match supported node range ([#155](#155)) ([a723e53](a723e53))
* **ingestion:** vendor graphty Leiden to drop node-pty install fetch ([#157](#157)) ([790ca4e](790ca4e))
* **scanners:** correct scanner exit-code handling and stop duplicate skip logs ([#156](#156)) ([5d30eb4](5d30eb4))
* **scip-ingest:** prepend ~/.codehub/bin to indexer spawn PATH ([#160](#160)) ([4418db9](4418db9))
* **storage:** retry transient lbug WAL→checkpoint race in bulkLoad ([#161](#161)) ([450714c](450714c))
</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
## Summary

`write-file-atomic@8.0.0` declares `engines: { node: "^22.22.2 || ^24.15.0 || >=26.0.0" }`, which excludes node 20 entirely, and node 22.0–22.22.1. That contradicts this repo's own supported-node matrix and produces `EBADENGINE` on `npm install -g @opencodehub/cli@latest` (reported on node 22.22.0), plus a hard failure on the node-20 leg of Verify Global Install (we set `engineStrict: true`).

- `engines` (root): `>=22.0.0`
- `cli` `engines`: `>=20.0.0`
- `write-file-atomic@8.0.0` requires `^22.22.2 || ^24.15.0 || >=26.0.0` ❌
- `write-file-atomic@7.0.1` requires `^20.17.0 || >=22.9.0` ✅ covers the whole matrix

## Changes

Pin `write-file-atomic` 8.0.0 → 7.0.1 in the 4 packages that depend on it: `cli`, `analysis`, `ingestion`, `wiki`. Lockfile regenerated — 26 lines, only write-file-atomic (4 importer specifiers + package def + snapshot + time entry), same single transitive (`signal-exit@4.1.0`), no unrelated churn.

## Why this is safe

`write-file-atomic@8.0.0` arrived via a Dependabot consolidation (build(deps): consolidate 8 dependabot bumps post history-rewrite #91), not a deliberate security bump. The package has no advisories (clean on osv). API usage — `wfa(path, content)` and `wfa(path, content, { raw: true })` — is unchanged since v4. `@types/write-file-atomic@4.0.3` (already a devDep) still applies; left untouched.

## Verification

- `pnpm --filter @opencodehub/analysis --filter @opencodehub/cli build` (tsc -b) — clean
- `pnpm --filter @opencodehub/analysis test` — 143/143
- Full recursive pre-push gate (`pnpm -r test` + typecheck + verdict) — green

## Test plan
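The failure described in this PR is a transitive dependency whose `engines.node` range is narrower than the Node versions the project promises to support, which only surfaces at install time once `engine-strict` is on. The following is an added example, not code from the PR or from the opencodehub repository, of checking that up front: a small semver-range evaluator covering the operators the PR quotes (`^`, `>=`, `||`, plus `>`, `<=`, `<` and exact versions) and a function that reports which matrix versions a dependency's range would reject. The CI matrix versions below are constructed (the exact point releases the repo's workflow installs are not stated on the page); prerelease tags and `~`/`x` ranges are not handled, so for production use read ranges with the `semver` package instead.

```javascript
// Added example: flag dependencies whose engines.node range rejects a Node
// version in the CI matrix. Not part of the PR or the opencodehub project.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// One comparator set (e.g. ">=22.9.0 <23.0.0") becomes a predicate over a
// parsed version; every comparator in the set must hold.
function parseComparatorSet(set) {
  const preds = set.trim().split(/\s+/).map((tok) => {
    const m = /^(\^|>=|<=|>|<|=)?(.+)$/.exec(tok);
    const op = m[1] || "=";
    const v = parseVersion(m[2]);
    switch (op) {
      case "^": {
        // ^x.y.z means >=x.y.z <(x+1).0.0; for ^0.y.z the minor is pinned.
        const upper = v[0] > 0 ? [v[0] + 1, 0, 0] : [0, v[1] + 1, 0];
        return (x) => cmp(x, v) >= 0 && cmp(x, upper) < 0;
      }
      case ">=": return (x) => cmp(x, v) >= 0;
      case ">": return (x) => cmp(x, v) > 0;
      case "<=": return (x) => cmp(x, v) <= 0;
      case "<": return (x) => cmp(x, v) < 0;
      default: return (x) => cmp(x, v) === 0;
    }
  });
  return (x) => preds.every((p) => p(x));
}

// `||` joins alternative comparator sets; any one of them satisfying is enough.
function satisfies(version, range) {
  const x = parseVersion(version);
  return range.split("||").some((set) => parseComparatorSet(set)(x));
}

function excludedVersions(range, matrix) {
  return matrix.filter((v) => !satisfies(v, range));
}

// deps: { "name@version": enginesNodeRange }. Returns only the offenders,
// each mapped to the matrix versions its range rejects.
function checkEngines(deps, matrix) {
  const report = {};
  for (const [dep, range] of Object.entries(deps)) {
    const excluded = excludedVersions(range, matrix);
    if (excluded.length) report[dep] = excluded;
  }
  return report;
}

// Constructed CI matrix: one representative release per supported major
// (the real workflow's point releases are an assumption).
const MATRIX = ["20.17.0", "22.22.0", "24.15.0"];

// Ranges exactly as quoted in the PR description.
const DEPS = {
  "write-file-atomic@8.0.0": "^22.22.2 || ^24.15.0 || >=26.0.0",
  "write-file-atomic@7.0.1": "^20.17.0 || >=22.9.0",
};

console.log(checkEngines(DEPS, MATRIX));
// { 'write-file-atomic@8.0.0': [ '20.17.0', '22.22.0' ] }
```

In a repo this would read `engines.node` from every `node_modules/**/package.json` and the matrix from the workflow file, and run before the publish step; with `engine-strict` set, any non-empty report is exactly the `EBADENGINE` a user would otherwise hit on `npm install -g`.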