Skip to content

chore: update SDK dependencies#825

Closed
prd-carapulse[bot] wants to merge 1 commit into
mainfrom
hermes/sdks-deps-2026-06-29
Closed

chore: update SDK dependencies#825
prd-carapulse[bot] wants to merge 1 commit into
mainfrom
hermes/sdks-deps-2026-06-29

Conversation

@prd-carapulse

@prd-carapulse prd-carapulse Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Updated dependencies and devDependencies across the root package and non-deprecated workspaces.
  • Skipped frozen deprecated packages and verified no file diffs under the existing frozen deprecated package paths.
  • Restored internal workspace:^ devDependency protocol entries that the recursive update rewrote to published semver ranges.
  • Kept graphql on latest compatible v16 in @morpho-org/liquidity-sdk-viem instead of graphql@17, because the current GraphQL Codegen / graphql-request peer set still rejects v17.
  • Updated Biome schema URLs to match the refreshed @biomejs/biome version.
  • Regenerated pnpm-lock.yaml.

peerDependencies widened only when required: yes

Changesets markdown: .changeset/weekly-sdk-deps-2026-06-29.md
Changesets release scope matches direct/peer/source-only criteria: yes

Dependency policy notes

  • Deprecated package skip/freeze policy: @morpho-org/liquidation-sdk-viem, @morpho-org/bundler-sdk-viem, @morpho-org/migration-sdk-viem, @morpho-org/simulation-sdk, @morpho-org/blue-sdk-wagmi, @morpho-org/simulation-sdk-wagmi, and @morpho-org/test-wagmi were excluded; existing frozen package paths have no file diffs.
  • Peer widening: none needed; all updated same-package devDependency versions remain accepted after the GraphQL v16 compatibility pin.
  • Root pnpm.overrides synchronized for direct dependencies: none present.
  • Changeset scope: patch release only for @morpho-org/wdk-protocol-lending-morpho-evm, because its direct runtime dependencies changed. DevDependency-only package updates were intentionally not included in the changeset.

Compatibility fixes

  • Restored 11 internal workspace devDependency entries back to workspace:^.
  • Pinned @morpho-org/liquidity-sdk-viem dev graphql to ^16.14.2 after the updater selected ^17.0.1, preserving current peer/tooling compatibility.
  • Updated biome.json and biome.ci.json schema URLs from 2.5.0 to 2.5.1.

Verification

  • HUSKY=0 npx --yes pnpm@10.27.0 install --frozen-lockfile --ignore-scripts: passed
  • HUSKY=0 npx --yes pnpm@10.27.0 run build:ci: passed
  • HUSKY=0 npx --yes pnpm@10.27.0 run lint:ci: passed
  • HUSKY=0 npx --yes pnpm@10.27.0 run test:ci: local environment blocker; failed in fork/RPC-backed suites with zero-data/storage-slot/RPC reset errors. A focused replay on unchanged origin/main reproduced the same class of failures (packages/liquidity-sdk-viem/test/loader.test.ts zero-data reads and packages/test/test/utils.test.ts viem-deal storage-slot lookup), so no dependency-induced test code fix was applied.
  • HUSKY=0 npx --yes pnpm@10.27.0 exec changeset status --since=origin/main: passed; reports patch bump for @morpho-org/wdk-protocol-lending-morpho-evm.
  • git diff --check: passed

Request Context

  • Initiator: Romain (Rubilmax) / GitHub: @Rubilmax
  • Original Slack DM thread_ts: 1778485891.710059
  • Additional context: scheduled weekly dependency-update automation for morpho-org/sdks
  • Rationale: Update all non-deprecated direct/runtime dependencies and devDependencies weekly while preserving frozen deprecated packages, widening peers only when needed, applying compatibility fixes, regenerating the lockfile, and adding a Changesets changelog only when public package release criteria are met.

Open in Devin Review

Weekly dependency refresh for morpho-org/sdks.

- Update root and non-deprecated workspace dependencies/devDependencies.
- Preserve frozen deprecated package paths.
- Keep peerDependency ranges unchanged unless devDependency compatibility requires widening.
- Add changeset for the WDK runtime dependency update.
@prd-carapulse prd-carapulse Bot requested a review from a team as a code owner June 29, 2026 06:19

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 potential issue.

Open in Devin Review

Comment on lines +42 to +43
"viem": "2.53.1",
"vitest": "^4.1.9"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Viem dev-dependency version specifier changed inconsistently across packages

The viem dev-dependency version specifier is updated to an exact pin ("2.53.1") in two packages (package.json:60, packages/blue-sdk/package.json:42) but to a caret range ("^2.53.1") in all eight other packages, breaking the previously uniform exact-pin pattern ("2.52.2").

Impact: Future dependency resolution or pnpm update runs may drift viem versions across packages that were previously locked in sync.

Mechanical inconsistency in the version-bump transformation

Before this PR, every workspace package pinned viem to the same exact version "2.52.2" in devDependencies. This PR bumps to 2.53.1, but the specifier format diverges:

  • package.json:60 and packages/blue-sdk/package.json:42"2.53.1" (exact)
  • All other 8 packages (blue-sdk-viem, evm-simulation, liquidity-sdk-viem, midnight-sdk, morpho-sdk, morpho-test, test, wdk-protocol-lending-morpho-evm) → "^2.53.1" (caret range)

While the pnpm lockfile and prefer-workspace-packages=true in .npmrc currently keep versions aligned, the inconsistency breaks the established convention and will cause divergent behavior on future pnpm update operations.

Prompt for agents
The viem dev-dependency version specifier was changed inconsistently. Before this PR, all packages used exact pins (2.52.2). After the PR, root package.json and packages/blue-sdk/package.json kept exact pins (2.53.1) while all 8 other packages switched to caret ranges (^2.53.1). Pick one convention and apply it uniformly. If the intent is to move to caret ranges (matching how most other devDependencies like vitest are specified), update root package.json line 60 and packages/blue-sdk/package.json line 42 to use ^2.53.1. If the intent is to keep exact pins for viem specifically, update the other 8 packages to use 2.53.1 without the caret.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8db2522850

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread pnpm-lock.yaml
@@ -168,7 +168,7 @@ importers:
version: 2.52.2(typescript@6.0.3)(zod@4.4.3)
vitest:
specifier: ^4.1.7
version: 4.1.7(@types/node@25.9.3)(@vitest/coverage-v8@4.1.8(vitest@4.1.8))(@vitest/ui@4.1.8(vitest@4.1.8))(happy-dom@20.10.3)(vite@8.0.16(@types/node@25.9.3)(jiti@2.7.0)(yaml@2.9.0))
version: 4.1.7(@types/node@26.0.1)(@vitest/coverage-v8@4.1.9(vitest@4.1.9))(@vitest/ui@4.1.9(vitest@4.1.9))(happy-dom@20.10.6)(vite@8.1.0(@types/node@26.0.1)(jiti@2.7.0)(yaml@2.9.0))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Restore the frozen workspace lock entries

The root /workspace/sdks/AGENTS.md §2 rule 11 forbids dependency updates to frozen deprecated packages such as @morpho-org/blue-sdk-wagmi unless the PR is scoped to deprecation metadata or source deletion. This lockfile change still updates that package's resolved Vitest/tooling peer graph, and the same pattern appears for the other frozen workspaces, so local installs/tests no longer preserve the frozen dependency set even though their package.json files were skipped. Please regenerate or revert the lockfile entries for frozen workspaces as part of excluding them from the dependency refresh.

Useful? React with 👍 / 👎.

@Rubilmax Rubilmax closed this Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant