
Pin app dependency versions (drop "latest") #79

Description

@ApocDev

Most entries in app/package.json are pinned to the string latest (nearly the whole TanStack suite, plus many others). That means any fresh vp install can silently pull a different dependency tree than the one the code was written against: builds aren't reproducible, bisecting regressions is unreliable (checking out an old commit doesn't restore the deps it shipped with), and an upstream breaking release can break dev/CI with no corresponding change in our history.

What to do

  • Replace every latest in app/package.json with the version currently resolved in app/pnpm-lock.yaml, as a caret range (^x.y.z) or exact pin — pick one convention and apply it across the board.
  • Cover dependencies and devDependencies; the handful of already-ranged entries (e.g. @tanstack/router-plugin) just need to match the chosen convention.
  • Verify afterwards that vp install is a no-op against the existing lockfile and that vp check and vp test still pass.
  • Future upgrades then happen deliberately (e.g. a periodic pnpm up --latest pass reviewed as its own commit) instead of implicitly on every install.
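One way to do the replacement mechanically, as an added example that is not code from the issue or the project: read the versions pnpm already resolved for the `app` importer out of `pnpm-lock.yaml`, rewrite each `latest` to a caret range, and report any name the lockfile does not know rather than guessing. It assumes the pnpm v9 lockfile layout (`importers` → directory → `dependencies`/`devDependencies` → name → `specifier`/`version`) and uses a small line parser instead of a YAML library; the sample lockfile and package.json below are constructed, not the project's real files.

```javascript
// Added example (not from the issue or the project): pin "latest" specifiers in a
// package.json to caret ranges of the versions recorded in pnpm-lock.yaml.
// Assumes the pnpm v9 lockfile layout; a line parser stands in for a YAML library.

// Map { name: version } for one importer directory (e.g. "app") in a lockfile string.
function resolvedVersions(lockText, importer) {
  const out = {};
  let inImporters = false, inTarget = false, field = '', name = '';
  for (const raw of lockText.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) { inImporters = line === 'importers:'; inTarget = false; continue; }
    if (!inImporters) continue;
    if (indent === 2) { inTarget = line === `${importer}:`; continue; }
    if (!inTarget) continue;
    if (indent === 4) { field = line.replace(/:$/, ''); continue; }
    if (!['dependencies', 'devDependencies', 'optionalDependencies'].includes(field)) continue;
    if (indent === 6) { name = line.replace(/:$/, '').replace(/^'|'$/g, ''); continue; }
    // Keep only the bare version; pnpm appends peer info such as "5.59.0(react@18.3.1)".
    if (indent === 8 && line.startsWith('version:')) out[name] = line.slice(8).trim().replace(/\(.*$/, '');
  }
  return out;
}

// Return a copy of package.json with "latest" replaced by "^<resolved>"; names the
// lockfile does not know are left as-is and reported so nothing is silently guessed.
function pinLatest(pkg, resolved) {
  const next = JSON.parse(JSON.stringify(pkg));
  const unresolved = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(next[section] ?? {})) {
      if (spec !== 'latest') continue;
      if (resolved[name]) next[section][name] = `^${resolved[name]}`;
      else unresolved.push(name);
    }
  }
  return { pkg: next, unresolved };
}

// Constructed sample inputs (not the project's real files), mirroring the issue's case.
const SAMPLE_LOCK = ['importers:', '  app:', '    dependencies:',
  "      '@tanstack/react-query':", '        specifier: latest',
  '        version: 5.59.0(react@18.3.1)', '      react:', '        specifier: ^18.3.1',
  '        version: 18.3.1', '    devDependencies:', '      vite:',
  '        specifier: latest', '        version: 5.4.8'].join('\n');
const SAMPLE_PKG = { dependencies: { '@tanstack/react-query': 'latest', react: '^18.3.1' },
  devDependencies: { vite: 'latest', 'not-in-lock': 'latest' } };
```

Against the real files, pass `fs.readFileSync('app/pnpm-lock.yaml', 'utf8')` and the parsed `app/package.json` to the same two functions and write the returned object back; swap `^${...}` for the bare version if exact pins are the chosen convention.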

Labels: area: web (Web UI: React/TanStack/vite-plus)