Most entries in `app/package.json` are pinned to the string `latest` (nearly the whole TanStack suite, plus many others). That means any fresh `vp install` can silently pull a different dependency tree than the one the code was written against: builds aren't reproducible, bisecting regressions is unreliable (checking out an old commit doesn't restore the deps it shipped with), and an upstream breaking release can break dev/CI with no corresponding change in our history.

What to do

- Replace every `latest` in `app/package.json` with the version currently resolved in `app/pnpm-lock.yaml`, as a caret range (`^x.y.z`) or exact pin. Pick one convention and apply it across the board.
- Cover `dependencies` and `devDependencies`; the handful of already-ranged entries (e.g. `@tanstack/router-plugin`) just need to match the chosen convention.
- Verify afterwards that `vp install` is a no-op against the existing lockfile and that `vp check` and `vp test` still pass.
- Future upgrades then happen deliberately (e.g. a periodic `pnpm up --latest` pass reviewed as its own commit) instead of implicitly on every install.