Pin dependencies in package.json files #22

Open
opened 2026-04-19 07:23:33 +00:00 by forgejo-lila · 0 comments
Owner

Context

Dependencies use caret ranges (e.g. ^4.3.6) which allow minor and patch updates. This can cause builds to break when a dependency publishes a bad update.

What to do

Pin all dependencies to exact versions in all package.json files.

Files to change

  • package.json (root)
  • apps/api/package.json
  • apps/web/package.json
  • packages/shared/package.json
  • packages/db/package.json

Acceptance criteria

  • All dependency versions are exact (e.g. 4.3.6 not ^4.3.6)
  • pnpm install --frozen-lockfile still works
  • Consider adding .npmrc with save-exact=true to enforce this going forward

Notes

The lockfile (pnpm-lock.yaml) already pins exact versions for installs, but the package.json ranges still matter for what pnpm update will do.

forgejo-lila added the
infra
label 2026-04-19 07:23:33 +00:00
Reference: forgejo-lila/lila#22