[DX] Loose dependency version ranges may cause non-deterministic installs

[udaycodespace]

Describe the issue

While reviewing backend package configuration files, I noticed that several dependencies currently use loose semver ranges such as ^ and ~ instead of exact pinned versions.

Where I found this

Files:

package.json
apps/public-api/package.json
apps/dashboard-api/package.json
packages/common/package.json

To Reproduce

1. Open the repository package.json files

2. Review dependency version declarations

3. Observe that multiple dependencies use loose semver ranges such as:

   • ^
   • ~

Expected behavior

Critical dependencies should ideally use deterministic versioning where appropriate to reduce inconsistent installs across environments.

Impact

Loose dependency ranges may:

• introduce unexpected dependency updates
• create install inconsistencies between environments
• make debugging dependency-related issues harder over time

Proposed solution

I plan to:

• review currently used dependency ranges
• evaluate which backend dependencies should be pinned more strictly
• keep compatibility and existing lockfile behavior in mind
• avoid unnecessary package churn

ETA

I’ll investigate this further and try to raise a PR by tonight.

[yash-pouranik]

please validate against main @coderabbitai

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch issue `#210` details
gh issue view 210 --repo geturbackend/urBackend --json title,body,state,labels,assignees,comments

echo "---MAIN BRANCH FILES---"
git log --oneline -10 origin/main 2>/dev/null || git log --oneline -10 main 2>/dev/null || echo "Cannot access main branch log"

echo "---CURRENT BRANCH---"
git branch --show-current

echo "---DIFF vs MAIN---"
git diff origin/main --name-only 2>/dev/null || git diff main --name-only 2>/dev/null || echo "Cannot diff against main"

Length of output: 3179

---

🏁 Script executed:

#!/bin/bash
# Check all relevant package.json files on main branch
echo "=== Root package.json ==="
git show origin/main:package.json 2>/dev/null | python3 -c "
import sys, json
data = json.load(sys.stdin)
deps = {**data.get('dependencies', {}), **data.get('devDependencies', {})}
loose = {k: v for k, v in deps.items() if v.startswith('^') or v.startswith('~')}
pinned = {k: v for k, v in deps.items() if not v.startswith('^') and not v.startswith('~')}
print(f'Total deps: {len(deps)}')
print(f'Loose (^ or ~): {len(loose)}')
print(f'Pinned: {len(pinned)}')
print('Loose entries:')
for k, v in loose.items():
    print(f'  {k}: {v}')
" 2>/dev/null || echo "File not found or parse error"

echo ""
echo "=== apps/public-api/package.json ==="
git show origin/main:apps/public-api/package.json 2>/dev/null | python3 -c "
import sys, json
data = json.load(sys.stdin)
deps = {**data.get('dependencies', {}), **data.get('devDependencies', {})}
loose = {k: v for k, v in deps.items() if v.startswith('^') or v.startswith('~')}
pinned = {k: v for k, v in deps.items() if not v.startswith('^') and not v.startswith('~')}
print(f'Total deps: {len(deps)}')
print(f'Loose (^ or ~): {len(loose)}')
print(f'Pinned: {len(pinned)}')
print('Loose entries:')
for k, v in loose.items():
    print(f'  {k}: {v}')
" 2>/dev/null || echo "File not found or parse error"

echo ""
echo "=== apps/dashboard-api/package.json ==="
git show origin/main:apps/dashboard-api/package.json 2>/dev/null | python3 -c "
import sys, json
data = json.load(sys.stdin)
deps = {**data.get('dependencies', {}), **data.get('devDependencies', {})}
loose = {k: v for k, v in deps.items() if v.startswith('^') or v.startswith('~')}
pinned = {k: v for k, v in deps.items() if not v.startswith('^') and not v.startswith('~')}
print(f'Total deps: {len(deps)}')
print(f'Loose (^ or ~): {len(loose)}')
print(f'Pinned: {len(pinned)}')
print('Loose entries:')
for k, v in loose.items():
    print(f'  {k}: {v}')
" 2>/dev/null || echo "File not found or parse error"

echo ""
echo "=== packages/common/package.json ==="
git show origin/main:packages/common/package.json 2>/dev/null | python3 -c "
import sys, json
data = json.load(sys.stdin)
deps = {**data.get('dependencies', {}), **data.get('devDependencies', {})}
loose = {k: v for k, v in deps.items() if v.startswith('^') or v.startswith('~')}
pinned = {k: v for k, v in deps.items() if not v.startswith('^') and not v.startswith('~')}
print(f'Total deps: {len(deps)}')
print(f'Loose (^ or ~): {len(loose)}')
print(f'Pinned: {len(pinned)}')
print('Loose entries:')
for k, v in loose.items():
    print(f'  {k}: {v}')
" 2>/dev/null || echo "File not found or parse error"

echo ""
echo "=== Checking for any other package.json files ==="
git ls-tree -r --name-only origin/main | grep "package.json" | grep -v "node_modules"

Length of output: 4860

---

---

@yash-pouranik — I've validated issue #210 against the current main branch (latest commit 507b61a). The issue is confirmed valid — no fixes have been applied yet. Here's the breakdown:

File	Total Deps	Loose (^/~)	Pinned
package.json	4	4	0
apps/public-api/package.json	20	19	1
apps/dashboard-api/package.json	21	20	1
packages/common/package.json	18	18	0

All four files mentioned in the issue still use predominantly ^-prefixed (loose) semver ranges.

Additionally, there are more package.json files in the repo not covered by the issue that may warrant the same treatment:

• apps/web-dashboard/package.json
• sdks/urbackend-sdk/package.json
• examples/sdk-kanban/client/package.json
• examples/sdk-kanban/server/package.json
• examples/social-demo/client/package.json
• examples/social-demo/server/package.json

You may want to consider scoping those in your PR as well. Let me know if you'd like a deeper analysis of any specific file!

[yash-pouranik]

u can work @udaycodespace