feat: pin all versions and harden build

[Danziger]

Summary

• Pin all versions.
• Enforce using PNPM v10.
• Prevent deps from running build scripts.

To Test

Probably nothing. If the builds are passiing, this should not change anything functionality-wise.

Summary by CodeRabbit

• Chores
  • Updated dependencies across the application to newer versions for improved stability and performance.
  • Pinned dependency versions to ensure consistent builds and deployments.
  • Updated tooling requirements (Node.js and package manager versions).

[coderabbitai]

Warning

Rate limit exceeded

@Danziger has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 33 minutes and 40 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: f14b922d-9c86-4f46-b7db-970d99fc590a

📥 Commits

Reviewing files that changed from the base of the PR and between 333a46b and 1b94d1a.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (4)

• apps/cow-fi/package.json
• apps/cowswap-frontend/package.json
• libs/core/package.json
• package.json

Walkthrough

This pull request updates dependency versions across the entire monorepo by pinning most packages to exact versions (removing semver ranges), upgrading numerous libraries to newer releases, converting tarball URLs to registry versions, and adjusting Node.js/pnpm engine constraints and pnpm configuration settings.

Changes

Dependency Pinning and Version Upgrade

Layer / File(s)	Summary
Monorepo Configuration package.json, pnpm-workspace.yaml	Root package.json sets Node >=20 <23, pnpm >=10 <11 with engineStrict: true; updates @babel/traverse resolution; configures pnpm strict build modes and nx allowlist; pins versions across root dependencies and devDependencies with many exact versions. Release age policy removed from pnpm-workspace.yaml.
Library Dependencies libs/*/package.json	All library packages (analytics, assets, balances-and-allowances, common-const, common-hooks, common-utils, core, currency, ens, iframe-transport, multicall, permit-utils, snackbars, tokens, types, ui-utils, ui, wallet-provider, wallet) have dependency versions pinned to exact entries; shared versions updated (e.g., viem → 2.47.1, wagmi → 3.4.2, @lingui/* → 5.5.1, ms.macro → 2.0.0, @types/ms.macro → 2.0.3); tarball URLs converted to registry versions where applicable.
Application Dependencies apps/*/package.json	Application packages (cow-fi, cowswap-frontend-e2e, cowswap-frontend, explorer, sdk-tools, widget-configurator) have dependency versions pinned to exact entries; multiple production and dev dependencies updated; @cowprotocol/cms and @cowprotocol/cow-runner-game converted from tarball URLs to registry semver.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A hop through the versions so fine,
Each package now pinned to a line,
No caret ranges to roam,
The monorepo's now home,
To viems, wagmis, and deps that align! 🪙✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description provides a clear summary of changes but lacks testing steps, expected behavior details, and background information required by the template.	Expand the 'To Test' section with specific verification steps and consider adding 'Background' section explaining the benefits of version pinning and build hardening.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main objective: pinning all dependency versions and hardening the build configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/pin-versions-n-harden-build

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Danziger]

This one I might have to revert.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cowfi	Ready	Preview	May 8, 2026 3:17pm
explorer-dev	Ready	Preview	May 8, 2026 3:17pm
storybook	Error		May 8, 2026 3:17pm
swap-dev	Ready	Preview	May 8, 2026 3:17pm
widget-configurator	Ready	Preview	May 8, 2026 3:17pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
cosmos	Ignored		May 8, 2026 3:17pm
sdk-tools	Ignored	Preview	May 8, 2026 3:17pm

[cloudflare-workers-and-pages]

Deploying swap-dev with    Cloudflare Pages

Latest commit:	1b94d1a
Status:	🚫  Build failed.

View logs

[Danziger]

This one I might have to revert.

[Danziger]

These were already defined in .npmrc which is not specific to PNPM, so I prefer to have it there.

[Danziger]

This is for PNPM < 10. For PNPM >= 10 (as defined in the project), strictDepBuilds + allowBuilds take care of this.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

libs/analytics/package.json (1)

35-35: 💤 Low value

LGTM — pinning; consider upgrading web-vitals to v4.x

Pinning web-vitals to the already-resolved 2.1.4 is safe. As an optional follow-up, web-vitals is now at v4.x, which adds support for Core Web Vitals INP and attribution data. Staying on v2.1.4 is fine for this PR but worth a separate tracking issue.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/analytics/package.json` at line 35, Package.json currently pins the
dependency "web-vitals": "2.1.4"; update the dependency entry in libs/analytics
package.json to a v4.x release (e.g., "web-vitals": "^4.0.0") if you want
INP/attribution support, or leave as-is and create a tracking issue; modify the
"web-vitals" value and run yarn/npm install to regenerate lockfile and ensure
tests/build pass.

libs/tokens/package.json (1)

38-38: 💤 Low value

@uniswap/token-lists pinned to an outdated beta

The latest dist-tag on npm is now 1.0.0-beta.35, and the package has always shipped only pre-release versions (starting from 1.0.0-beta.0). Pinning to 1.0.0-beta.33 freezes two patch-level beta updates. Since no stable release exists for this package, this is perfectly acceptable, but consider bumping to 1.0.0-beta.35 to pick up any fixes landed since beta.33.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/tokens/package.json` at line 38, Update the pinned dependency
"@uniswap/token-lists" from "1.0.0-beta.33" to "1.0.0-beta.35" in package.json
so the project picks up the latest beta fixes; locate the dependency entry for
"@uniswap/token-lists" and change its version string accordingly, then run your
package manager install (npm/yarn/pnpm) and lockfile update to ensure the new
version is recorded.

libs/common-utils/package.json (1)

40-40: ⚡ Quick win

jotai@2.2.0 here diverges significantly from 2.16.2 used everywhere else in the monorepo.

libs/core, apps/cowswap-frontend, apps/explorer, and libs/wallet all declare jotai@2.16.2, while libs/common-utils stays at 2.2.0. Pinning to 2.2.0 (removing the caret) makes this divergence permanent. In a pnpm monorepo these cannot be deduped — both versions end up in the bundle — and any jotai atoms created in common-utils and read in a package running 2.16.2 may fail silently due to incompatible internal store structures.

Consider aligning this to 2.16.2 to prevent bundle duplication and potential atom incompatibility.

🔧 Align jotai version

-    "jotai": "2.2.0",
+    "jotai": "2.16.2",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/common-utils/package.json` at line 40, The dependency entry "jotai":
"2.2.0" in libs/common-utils/package.json diverges from the rest of the monorepo
and will produce multiple bundled versions; update that dependency to match the
repo standard (e.g. "jotai": "^2.16.2") so it can be deduped, then run the
workspace package manager (pnpm install) to refresh the lockfile; locate the
"jotai" entry in libs/common-utils/package.json to make this change.

package.json (1)

88-117: ⚡ Quick win

Remove onlyBuiltDependencies — it duplicates allowBuilds and contains 6 copies of "nx"

allowBuilds replaces onlyBuiltDependencies and ignoredBuiltDependencies (both deprecated), providing a single source of truth. Having both settings simultaneously is redundant and the onlyBuiltDependencies array is also clearly a copy-paste artifact — "nx" appears six times (lines 111–116).

Drop onlyBuiltDependencies entirely; allowBuilds: { "nx": true } already covers the intent.

🔧 Proposed fix

     "pnpm": {
       "strictDepBuilds": true,
       "allowBuilds": {
         "nx": true
       },
       "overrides": { ... },
-      "onlyBuiltDependencies": [
-        "nx",
-        "nx",
-        "nx",
-        "nx",
-        "nx",
-        "nx"
-      ]
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 88 - 117, Remove the redundant
onlyBuiltDependencies setting from package.json: delete the entire
onlyBuiltDependencies array (which currently contains repeated "nx" entries)
because allowBuilds already expresses the intended configuration (allowBuilds: {
"nx": true }); ensure no other references to onlyBuiltDependencies remain in the
file so configuration relies solely on allowBuilds.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@libs/snackbars/package.json`:
- Line 29: Update the `@react-spring/web` dependency to ^10.0.3 in
libs/snackbars/package.json (and apps/cowswap-frontend/package.json) and then
migrate code that uses react-spring APIs: replace any use of SpringContext with
SpringContextProvider, update imports/usages of animated, useSpring,
useSpringValue, and useTransition in components like SnackbarPopup and Modal
according to the v10 migration guide, and run thorough animation tests to
address React 19-related bugs reported in issues `#2376` and `#2404`; fix any API
signature/prop changes exposed by the upgrade.

---

Nitpick comments:
In `@libs/analytics/package.json`:
- Line 35: Package.json currently pins the dependency "web-vitals": "2.1.4";
update the dependency entry in libs/analytics package.json to a v4.x release
(e.g., "web-vitals": "^4.0.0") if you want INP/attribution support, or leave
as-is and create a tracking issue; modify the "web-vitals" value and run
yarn/npm install to regenerate lockfile and ensure tests/build pass.

In `@libs/common-utils/package.json`:
- Line 40: The dependency entry "jotai": "2.2.0" in
libs/common-utils/package.json diverges from the rest of the monorepo and will
produce multiple bundled versions; update that dependency to match the repo
standard (e.g. "jotai": "^2.16.2") so it can be deduped, then run the workspace
package manager (pnpm install) to refresh the lockfile; locate the "jotai" entry
in libs/common-utils/package.json to make this change.

In `@libs/tokens/package.json`:
- Line 38: Update the pinned dependency "@uniswap/token-lists" from
"1.0.0-beta.33" to "1.0.0-beta.35" in package.json so the project picks up the
latest beta fixes; locate the dependency entry for "@uniswap/token-lists" and
change its version string accordingly, then run your package manager install
(npm/yarn/pnpm) and lockfile update to ensure the new version is recorded.

In `@package.json`:
- Around line 88-117: Remove the redundant onlyBuiltDependencies setting from
package.json: delete the entire onlyBuiltDependencies array (which currently
contains repeated "nx" entries) because allowBuilds already expresses the
intended configuration (allowBuilds: { "nx": true }); ensure no other references
to onlyBuiltDependencies remain in the file so configuration relies solely on
allowBuilds.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 10d2d2bd-3995-4e79-a6d5-a2eab092c546

📥 Commits

Reviewing files that changed from the base of the PR and between 74d8348 and 333a46b.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (27)

• apps/cow-fi/package.json
• apps/cowswap-frontend-e2e/package.json
• apps/cowswap-frontend/package.json
• apps/explorer/package.json
• apps/sdk-tools/package.json
• apps/widget-configurator/package.json
• libs/analytics/package.json
• libs/assets/package.json
• libs/balances-and-allowances/package.json
• libs/common-const/package.json
• libs/common-hooks/package.json
• libs/common-utils/package.json
• libs/core/package.json
• libs/currency/package.json
• libs/ens/package.json
• libs/iframe-transport/package.json
• libs/multicall/package.json
• libs/permit-utils/package.json
• libs/snackbars/package.json
• libs/tokens/package.json
• libs/types/package.json
• libs/ui-utils/package.json
• libs/ui/package.json
• libs/wallet-provider/package.json
• libs/wallet/package.json
• package.json
• pnpm-workspace.yaml

💤 Files with no reviewable changes (1)

• pnpm-workspace.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

@react-spring/web v10 breaking changes from v9 migration guide

💡 Result:

The main breaking change for @react-spring/web v10 from v9 is the SpringContext API update for React 19 support. Use SpringContextProvider instead of SpringContext. Before (v9): import { SpringContext } from 'react-spring' <SpringContext ...> ... After (v10): import { SpringContextProvider } from 'react-spring' <SpringContextProvider ...> ... v10 adds React 19 peer dependency support (^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0). Internal changes in useSprings for React 19 compatibility may affect some animations (e.g., scale or imperative API issues reported in bugs #2376, #2404), potentially requiring code adjustments like API usage changes. Event callbacks (onStart, onChange, etc.) unified to (animationResult, controller, item), with item only for useTransition. No comprehensive migration guide found beyond official docs' breaking changes section. Test animations thoroughly, especially with React 19.

Citations:

• 1: https://www.react-spring.dev/docs
• 2: feat!: react 19 support pmndrs/react-spring#2368
• 3: https://github.com/pmndrs/react-spring/releases/tag/v10.0.0
• 4: [bug]: animation broken on v10 pmndrs/react-spring#2376
• 5: [bug]: Version 10.0.1 broke useSpring animation pmndrs/react-spring#2404
• 6: fix(deps): update dependency @react-spring/web to v10 pmndrs/react-spring#2391

---

🏁 Script executed:

# Find all files that import from `@react-spring`
rg "from\s+['\"]@react-spring" --type ts --type tsx --type js --type jsx -A 2

Repository: cowprotocol/cowswap

Length of output: 91

---

🏁 Script executed:

# Check libs/snackbars/package.json for full context
cat -n libs/snackbars/package.json | grep -A 5 -B 5 "@react-spring"

Repository: cowprotocol/cowswap

Length of output: 427

---

🏁 Script executed:

# Search for SpringContext usage specifically
rg "SpringContext" --type ts --type tsx --type js --type jsx -A 2

Repository: cowprotocol/cowswap

Length of output: 91

---

🏁 Script executed:

# Find package.json files to understand scope
fd package.json | head -20

Repository: cowprotocol/cowswap

Length of output: 658

---

🏁 Script executed:

# Search for `@react-spring` imports across all files
rg "@react-spring" --include="*.ts" --include="*.js" -A 2

Repository: cowprotocol/cowswap

Length of output: 505

---

🏁 Script executed:

# Search for SpringContext
rg "SpringContext" --include="*.ts" --include="*.js" -A 2

Repository: cowprotocol/cowswap

Length of output: 505

---

🏁 Script executed:

# Find source files in libs/snackbars
find libs/snackbars/src -type f 2>/dev/null | head -20

Repository: cowprotocol/cowswap

Length of output: 372

---

🏁 Script executed:

# Check what's imported from react-spring in the snackbars lib
ls -la libs/snackbars/

Repository: cowprotocol/cowswap

Length of output: 878

---

🏁 Script executed:

# Search for react-spring in libs/snackbars source
rg "react-spring" libs/snackbars/src/

Repository: cowprotocol/cowswap

Length of output: 167

---

🏁 Script executed:

# Check the main container component
cat -n libs/snackbars/src/containers/SnackbarsWidget/index.tsx

Repository: cowprotocol/cowswap

Length of output: 4975

---

🏁 Script executed:

# Check if react-spring is used anywhere in the codebase
rg "react-spring" --max-count 20

Repository: cowprotocol/cowswap

Length of output: 1632

---

@react-spring/web 9.x officially does not support React 19 — upgrade to v10 requires testing for breaking changes

@react-spring/web@9.7.3 declares peer dependency react@"^16.8.0 || ^17.0.0 || ^18.0.0" — React 19 is explicitly outside this range. The react-spring project released v10.0.0+ to address this, with the latest version being 10.0.3.

However, upgrading to v10 introduces breaking changes that affect the codebase:

• API change: SpringContext → SpringContextProvider
• Affected code: This library imports animated and useSpring (SnackbarPopup), and the Modal component imports useSpringValue and useTransition. These core APIs may be impacted by React 19 compatibility changes.
• Known issues: react-spring has reported animation bugs with React 19 (#2376, #2404) that may require code adjustments.

Consider upgrading to @react-spring/web@^10.0.3, but plan for thorough testing of animations and review breaking changes in the react-spring migration guide. The upgrade also applies to apps/cowswap-frontend/package.json, which has the same dependency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/snackbars/package.json` at line 29, Update the `@react-spring/web`
dependency to ^10.0.3 in libs/snackbars/package.json (and
apps/cowswap-frontend/package.json) and then migrate code that uses react-spring
APIs: replace any use of SpringContext with SpringContextProvider, update
imports/usages of animated, useSpring, useSpringValue, and useTransition in
components like SnackbarPopup and Modal according to the v10 migration guide,
and run thorough animation tests to address React 19-related bugs reported in
issues `#2376` and `#2404`; fix any API signature/prop changes exposed by the
upgrade.

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[Danziger]

Some builds are using PNPM v9, so those are failing due to the engine mismatch. We either upgrade to v10 or change the allowed version to 9 or 9-10. I suggest the former.

[limitofzero]

build is failed as serve(locally) too

[Danziger]

This one I might have to revert.

[Danziger]

We should also add the following .npmrc to the repo:

# Deterministic installs
frozen-lockfile=true
# engine-strict=true # disabled because it's already defined in package.json

# Registry control (prevent dependency confusion)
registry=https://registry.npmjs.org/

# Optional (performance/noise)
prefer-offline=true

# Delay newly published versions
minimum-release-age=10080
minimum-release-age-exclude[]=react
minimum-release-age-exclude[]=next
minimum-release-age-exclude[]=typescript
minimum-release-age-exclude[]=@types/*
minimum-release-age-exclude[]=@cowprotocol/*

# PNPM <= 9
# Enabling this is a double-edged sword, as preinstall/postinstall scripts defined
# in the current project will not be run either. When using strictDepBuilds=true
# and allowBuilds={...} in package.json, builds will not be run either.
# ignore-scripts=true

# Keep newly added dependencies pinned to exact versions.
save-exact=true

# Reject unusual transitive dependency sources/specifiers (e.g. git/tarball)
block-exotic-subdeps=true

# Prevent trusted package versions from being silently downgraded.
trust-policy=no-downgrade

In order to do that, it needs to be removed from .gitignore, so we should all re-align on how to add a GitHub authToken moving forward. I would probably add a commented out line like this to this .npmrc:

# To install packags from GitHub, you can either:
# - Uncomment the line below and define GITHUB_PACKAGES_TOKEN as an ENV variable when calling `pnpm install` or adding it to your `.bashrc` or similar.
# - Leave the line below commented out and copy it to a global `.npmrc`, and add your authToken there.
# //npm.pkg.github.com/:_authToken=${GITHUB_PACKAGES_TOKEN}

And then also add gitleaks as a pre-commit hook, to prevent accidental leaks of authToken or any other secret.

Slack discussion: https://nomevlabs.slack.com/archives/C0361CDG8GP/p1777911281769109

[Danziger]

This one as well.

[Danziger]

@alfetopito It looks like the builds that are failing do so because Vercel auto-resolves PNPM to v9 instead of v10. In the logs they say we can select 10 using Corepack, but that's what the updates in the package.json files should already do.

However, it looks like it needs to be enabled with an ENV variable: https://vercel.com/docs/builds/configure-a-build#corepack

Could you add that pls?

[Danziger]

build is failed as serve(locally) too

@limitofzero What did you try exacly? pnpm install, pnpm start and pnpm build all work for me locally

[alfetopito]

@alfetopito It looks like the builds that are failing do so because Vercel auto-resolves PNPM to v9 instead of v10. In the logs they say we can select 10 using Corepack, but that's what the updates in the package.json files should already do.

However, it looks like it needs to be enabled with an ENV variable: https://vercel.com/docs/builds/configure-a-build#corepack

Could you add that pls?

ENABLE_EXPERIMENTAL_COREPACK is already set for swap-dev.
The others didn't have and have been created now.

[kernelwhisperer]

We're missing .npmrc and its list of minimumReleaseAgeExclude packages