chore(dependabot): hold ESLint at 8.x — resolves #304 (un-mergeable) #308
Merged
ESLint 10 (PR #304) is not installable for this repo: eslint-config-next has no release supporting ESLint 10 (peer caps at ^9, only from v15) and is used by 55+ Next.js apps via 'next lint'; @typescript-eslint@6 caps at ESLint 8. Bumping would break 'next lint' fleet-wide with no upstream fix.

Adds an ignore rule for ESLint semver-major bumps so Dependabot stops re-proposing it (and auto-closes #304). Revisit once Next.js is upgraded and eslint-config-next ships ESLint 10 support.

EPICON-INTENT: prevent an un-mergeable, CI-breaking dependency bump from recurring; record the toolchain constraint that blocks it.

Co-authored-by: Michael Judan <kaizencycle@users.noreply.github.com>
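Why no toolchain on this page can install ESLint 10, as an added example (not code from the repository): a small matcher for the caret ranges quoted in this pull request's description, checked against each stack. The stack groupings, function names and sample version strings are assumptions.

```javascript
// Added example, not code from the repository.
// Minimal matcher: only caret ranges joined by "||", the only forms quoted in the PR.
function parseVersion(v) {
  const [major = 0, minor = 0, patch = 0] = v.split('.').map(Number);
  return { major, minor, patch };
}

// ^X.Y.Z accepts >=X.Y.Z within the same major (X >= 1; pre-releases not handled).
function satisfiesCaret(version, caret) {
  const v = parseVersion(version);
  const base = parseVersion(caret.replace(/^\^/, ''));
  if (v.major !== base.major) return false;
  return v.minor > base.minor || (v.minor === base.minor && v.patch >= base.patch);
}

function satisfies(version, range) {
  return range.split('||').some((part) => satisfiesCaret(version, part.trim()));
}

// Peer ranges on "eslint" exactly as stated in the PR description.
const PEERS = {
  'eslint-config-next@14.2.35': '^7.23.0 || ^8.0.0',
  'eslint-config-next@15.x': '^9.0.0',
  '@typescript-eslint@6': '^7 || ^8',
};

// Assumption: which packages each toolchain would install together.
const STACKS = {
  'next-14 (current)': ['eslint-config-next@14.2.35', '@typescript-eslint@6'],
  'next-15 (upgrade)': ['eslint-config-next@15.x'],
};

// Packages whose peer range rejects the proposed ESLint version.
function blockers(eslintVersion, packages) {
  return packages.filter((name) => !satisfies(eslintVersion, PEERS[name]));
}

// Stacks in which the proposed ESLint version satisfies every peer range.
function installableStacks(eslintVersion) {
  return Object.keys(STACKS).filter((s) => blockers(eslintVersion, STACKS[s]).length === 0);
}

console.log(installableStacks('10.0.0')); // constructed version string
```

Running the same check on each Dependabot major bump before review shows whether the bump is blocked by a peer range or only by local code.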
Contributor
✅ Drift Compliance: All test vectors passed GI threshold validation
kaizencycle added a commit that referenced this pull request Jun 11, 2026
… drift (#309)

## Summary

Fixes the **recurring** `Check Catalog Freshness` failure at its root cause, instead of re-syncing the catalog by hand every few hours.

## Root cause

`catalog/mobius_catalog.json` stores a `content_hash` per doc under `docs/`. Two docs are machine-generated and committed with `[skip ci]` (which deliberately skips the catalog regen):

| File | Writer | Cadence |
|---|---|---|
| `docs/divergence/dashboard.md` | `mobius-divergence-dashboard.yml` | every 6h |
| `docs/divergence/WEEKLY_DIGEST.md` | `mobius-pulse-unified.yml` | weekly |

Each regeneration changes their content, but `[skip ci]` means the catalog's stored hash is never updated — so the catalog drifts and **every subsequent PR fails freshness through no fault of its own** (this is the loop that hit #300–#308, including this very session's PRs). Hand re-syncing the catalog only holds until the next 6-hourly dashboard commit.

## Fix

`scripts/exportCatalog.ts` now skips those two generated files (`IGNORE_DOC_PATHS`). They're machine output, not catalogued documentation, so their churn can no longer drift the catalog.

Regenerated catalog: `docCount` 961 → 959 — **only** the two generated files removed; `OVERVIEW.md` and every real doc are retained.

## Why this is safe / verified

- Deterministic: CI runs the same `npm run export:catalog`, now producing the same 959-doc set → freshness passes and *stays* passing across dashboard updates.
- Verified locally with the same normalized comparison the `catalog-check` workflow uses: the only delta is the two removed generated files.
- The `echo-bot` (which regenerates + commits the catalog itself) is unaffected and remains in sync.

---

*"We heal as we walk." — Mobius Systems*
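The drift loop and the `IGNORE_DOC_PATHS` fix described in the commit message above, as an added example that is not the repository's `scripts/exportCatalog.ts`. The file map is constructed, the function names are hypothetical, and a 32-bit FNV-1a hash stands in for `content_hash` because the page does not name the real one.

```javascript
// Added example, not the repository's scripts/exportCatalog.ts.
// FNV-1a (32-bit) stands in for content_hash; the page does not name the real hash.
function contentHash(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// The two machine-generated files named in the commit message.
const IGNORE_DOC_PATHS = new Set([
  'docs/divergence/dashboard.md',
  'docs/divergence/WEEKLY_DIGEST.md',
]);

// Build { docCount, docs: { path: content_hash } } from an in-memory file map.
function exportCatalog(files, ignore = new Set()) {
  const docs = {};
  for (const path of Object.keys(files).sort()) {
    if (!ignore.has(path)) docs[path] = contentHash(files[path]);
  }
  return { docCount: Object.keys(docs).length, docs };
}

// Freshness check: regenerate, then list every path whose entry differs
// from the committed catalog (changed, added or removed).
function staleEntries(committed, files, ignore = new Set()) {
  const fresh = exportCatalog(files, ignore).docs;
  const paths = new Set([...Object.keys(committed.docs), ...Object.keys(fresh)]);
  return [...paths].filter((p) => committed.docs[p] !== fresh[p]).sort();
}

// Constructed sample tree.
const tree = {
  'docs/OVERVIEW.md': '# Overview\n',
  'docs/divergence/dashboard.md': 'generated 00:00\n',
  'docs/divergence/WEEKLY_DIGEST.md': 'week 23\n',
};
// A [skip ci] bot commit rewrites the dashboard without regenerating the catalog.
const afterBotCommit = { ...tree, 'docs/divergence/dashboard.md': 'generated 06:00\n' };

console.log(staleEntries(exportCatalog(tree), afterBotCommit));
console.log(staleEntries(exportCatalog(tree, IGNORE_DOC_PATHS), afterBotCommit, IGNORE_DOC_PATHS));
```

Paths in the ignore set drop out of the comparison entirely, so later edits to those two files are not flagged by the freshness check.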
kaizencycle added a commit that referenced this pull request Jun 11, 2026
… taken, 1 corrected, 3 held) (#315)

## EPICON Intent Block

- **Intent:** Consolidate the five open Dependabot PRs (#310–#314) into one reviewable change with per-dependency judgment, per operator request ("check if they are safe to merge, if not, unify them to one big PR for safety").
- **Scope:** `package-lock.json`, three workspace `package.json` files, `.github/dependabot.yml` ignore rules. No workflow, canon, or attested content touched.
- **Actor:** Claude Code under operator identity, C-339.
- **Consequence class:** Dependency hygiene — net reduction of unreviewed major-version churn.

## Safety verdict per PR

| PR | Bump | Verdict | Disposition |
|---|---|---|---|
| #310 | `@vercel/node` 5.8.16→5.8.17 | ✅ Safe (patch, in-range of `^5.5.15`) | **Taken** — lockfile updated |
| #312 | `@types/node` 18→**25** | ⚠️ Wrong target — repo runtime is **Node 20** | **Taken as 18→20**: `^18.0.0`→`^20.0.0` in `packages/atlas-sentinel`, `sentinels/atlas`, `sentinels/uriel`; lockfile dedupes to one 20.x. Ignore rule for `@types/node >=21` |
| #311 | `hardhat-chai-matchers` 2→3 | ❌ Incompatible — requires hardhat 3; `gic-registry-contracts` pins `hardhat 2.22.5` | **Held** via ignore rule; bump belongs in a hardhat-3 migration |
| #313 | `http-proxy-middleware` 2→4 | ❌ Two majors; v3 rewrote the `createProxyMiddleware` API that `apps/api-gateway` uses | **Held** via ignore rule |
| #314 | `tailwindcss` 3→4 | ❌ v4 is a CSS-first config rewrite; **8 apps** pin `^3.4.x` with `tailwind.config.js` | **Held** via ignore rule; migrate deliberately, not via dep bump |

The ignore rules follow the repo's own precedent (#308, ESLint held at 8.x), each with a comment stating the unblock condition so they're revisitable, not permanent.

## Lockfile diff verification

Verified the lock diff contains **only**: `@vercel/node` 5.8.16→5.8.17, removal of nested `@types/node` 18.19.130 copies (dedupe to root 20.19.43), in-range nested 22.19.1→22.19.21 refreshes, and the `undici-types` transitive. No major versions moved.

## After merge

Dependabot auto-closes #310–#314 on its next run: #310/#312 because the dependencies moved, #311/#313/#314 because of the ignore rules. No manual closing needed.

**Residual risk:** the three packages whose types moved 18→20 are type-checked in CI, not locally (worktree had no `node_modules`) — if CI's type-check flags anything, I'll fix on this branch.

https://claude.ai/code/session_014WMkjWLnt4ezGEHujmukLk

---

_Generated by [Claude Code](https://claude.ai/code/session_014WMkjWLnt4ezGEHujmukLk)_
Summary
#304 (ESLint 8 → 10) cannot be merged and should be closed. This adds a Dependabot ignore rule for ESLint semver-major bumps so it stops being re-proposed (Dependabot auto-closes #304 once this lands).

Why #304 is un-mergeable (not just hard — blocked upstream)
ESLint 9/10 requires flat config and downstream support that does not exist for this repo's toolchain:
eslint-config-next@14.2.35 peer eslint: ^7.23.0 || ^8.0.0 next lint next lint fleet-wide eslint-config-next@15.x peer caps at ^9.0.0 npm view eslint-config-next release supports ESLint 10, at any Next version @typescript-eslint@6 peer eslint: ^7 || ^8
So there is no configuration — not even upgrading Next.js to 15 — that makes ESLint 10 work today. CI already proves it: #304's Core Build & Test and Portal Validation are red.

What this PR does
Adds to .github/dependabot.yml (npm ecosystem):
with a comment recording the constraint. ESLint stays at 8.x (where it's been verified green, including in #307). Revisit when Next.js is upgraded and eslint-config-next ships ESLint 10 support.

Follow-ups (not in this PR)
dependencies (and ci) labels referenced in dependabot.yml — Dependabot warns it can't apply them. Worth creating them (I can't create labels from here).
@typescript-eslint@8+ flat config), that's a separate, scoped initiative — happy to plan it.
"We heal as we walk." — Mobius Systems