@renovate-bot-cbcoutinho
Contributor
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| @vitejs/plugin-vue (source) | devDependencies | pin | ^6.0.3 → 6.0.3 |
| sass-embedded | devDependencies | pin | ^1.97.1 → 1.97.1 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR has been generated by Renovate Bot.

@claude

claude bot commented Dec 27, 2025

Code Review - PR #449: Pin devDependencies

Summary

This PR pins two devDependencies in the Astrolabe Nextcloud app from semver ranges to exact versions:

  • @vitejs/plugin-vue: ^6.0.3 → 6.0.3
  • sass-embedded: ^1.97.1 → 1.97.1

Analysis

Code Quality

  • Changes are minimal and focused
  • Both dependencies are actively used in the codebase:
    • @vitejs/plugin-vue: Used in vite.config.js:2 for Vue compilation
    • sass-embedded: Used by Vue SFCs with <style lang="scss"> blocks (found in App.vue, PDFViewer.vue, MarkdownViewer.vue, AdminSettings.vue)
  • Lock file properly updated to reflect the pinned versions

⚠️ Potential Concerns

1. Deviation from Repository Convention
The repository's renovate.json extends config:best-practices, which typically recommends semver ranges for better compatibility. Pinning devDependencies means:

  • Pros: Deterministic builds, no unexpected breaking changes
  • Cons: Requires manual updates for patch/minor fixes, potential security patches delayed

2. Inconsistency with Other Dependencies
Other devDependencies in the same file are NOT pinned:

  • terser: 5.44.1 (pinned)
  • vite: 7.2.7 (pinned)

But all runtime dependencies use semver ranges (^3.0.0, ^2.5.1, etc.). This creates an inconsistent dependency management strategy.

3. Renovate Configuration Mismatch
The PR description mentions:

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.

This suggests pinning may not be the intended behavior. Consider adding to renovate.json:

```json
{
  "packageRules": [
    {
      "matchFileNames": ["third_party/astrolabe/package.json"],
      "matchDepTypes": ["devDependencies"],
      "rangeStrategy": "replace"
    }
  ]
}
```

Or to preserve semver ranges:

```json
{
  "extends": [
    "config:best-practices",
    ":preserveSemverRanges"
  ]
}
```

🔒 Security Considerations

  • No security concerns with the changes themselves
  • However, pinning versions means security patches in minor/patch versions won't be automatically available via npm update
  • Recommend enabling Renovate's security update automation to ensure timely updates

🧪 Testing Recommendations

Before merging:

  1. Verify the build still works: cd third_party/astrolabe && npm run build
  2. Run linting: npm run lint && npm run stylelint
  3. Check that the Astrolabe CI workflow passes (.github/workflows/astroglobe-ci.yml)

📊 Performance

No performance impact - these are build-time dependencies only.


Recommendation

Option A (Accept as-is): If the team wants fully reproducible builds with no surprises, merge this PR but:

  1. Document the pinning strategy in the repository
  2. Ensure Renovate is configured to auto-update these pinned versions
  3. Apply the same strategy consistently to all devDependencies

Option B (Preserve semver ranges): Add :preserveSemverRanges to renovate.json to maintain the current semver-based approach for better compatibility and automatic patch updates.

My suggestion: Option B with selective pinning for critical dependencies that require stability (e.g., vite, build tools) while allowing patch updates for less critical devDependencies.


Files verified:

  • third_party/astrolabe/vite.config.js:2 (uses @vitejs/plugin-vue)
  • third_party/astrolabe/src/**/*.vue (uses sass-embedded for SCSS compilation)
  • renovate.json (current configuration)
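Added example (not code from the PR or the Astrolabe project), in JavaScript because this is an npm project: it classifies each package.json specifier to surface the mixed pinning strategy the review points out, and checks that every pinned entry is what the lockfile actually resolved. The "example-" package names and the lockfile contents are constructed; the four pinned versions are the ones the PR and review name.

```javascript
// Added example, not from the PR or the Astrolabe project: classify each
// specifier in a package.json, flag a mixed pinning strategy (the inconsistency
// the review raises), and check that pinned specs match the lockfile. Names
// prefixed "example-" and the lockfile are constructed; pinned versions are the PR's.
function classifySpec(spec) {
  if (/^\d+\.\d+\.\d+$/.test(spec)) return 'pinned'; // exact version
  if (spec.startsWith('^')) return 'caret';          // minor/patch may float
  if (spec.startsWith('~')) return 'tilde';          // patch may float
  return 'other';                                    // tag, URL, '*', compound range
}

// Map each dependency to its specifier style; "mixed" is true if styles differ.
function auditPinning(pkg) {
  const report = {};
  for (const depType of ['dependencies', 'devDependencies']) {
    report[depType] = {};
    for (const [name, spec] of Object.entries(pkg[depType] || {})) {
      report[depType][name] = classifySpec(spec);
    }
  }
  const styles = new Set(Object.values(report).flatMap((m) => Object.values(m)));
  return { report, mixed: styles.size > 1 };
}
// Every pinned spec must appear in the npm lockfile (lockfileVersion 3 layout,
// keyed "node_modules/<name>") at exactly that version; return the names that do not.
function lockMismatches(pkg, lock) {
  const bad = [];
  for (const depType of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[depType] || {})) {
      if (classifySpec(spec) !== 'pinned') continue;
      const entry = (lock.packages || {})[`node_modules/${name}`];
      if (!entry || entry.version !== spec) bad.push(name);
    }
  }
  return bad;
}
// Constructed sample input in the shape the review describes.
const samplePkg = {
  dependencies: { 'example-runtime-a': '^3.0.0', 'example-runtime-b': '^2.5.1' },
  devDependencies: { '@vitejs/plugin-vue': '6.0.3', 'sass-embedded': '1.97.1',
    terser: '5.44.1', vite: '7.2.7', 'example-build-tool': '2.0.0' },
};
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/@vitejs/plugin-vue': { version: '6.0.3' },
  'node_modules/sass-embedded': { version: '1.97.1' },
  'node_modules/terser': { version: '5.44.1' },
  'node_modules/vite': { version: '7.2.7' },
  'node_modules/example-build-tool': { version: '1.9.0' }, // stale entry: pin not applied
} };
```

Run `auditPinning(samplePkg)` to see the per-dependency styles and `lockMismatches(samplePkg, sampleLock)` to list pinned packages the lockfile does not honour; with real files, pass the parsed package.json and package-lock.json instead.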
