Skip to content

fix: refresh stale internal dependency pins (process, watch)#220

Merged
taras merged 1 commit into
mainfrom
fix/refresh-stale-internal-pins
Jun 15, 2026
Merged

fix: refresh stale internal dependency pins (process, watch)#220
taras merged 1 commit into
mainfrom
fix/refresh-stale-internal-pins

Conversation

@taras

@taras taras commented Jun 15, 2026

Copy link
Copy Markdown
Member

Problem

A consumer reported getting two copies of @effectionx/context-api in their dependency tree when using @effectionx/process alongside a direct, up-to-date context-api dependency.

Root cause

Source packages declare internal deps as workspace:*. When pnpm publish runs, it rewrites workspace:* to the exact dependency version at publish time. Because these packages are pre-1.0 (0.x), semver treats every minor bump (0.50.6) as breaking — so a published exact pin like context-api: "0.5.3" will never dedupe against a newer 0.6.0 a consumer pulls in directly. Result: duplicate copies in the tree.

The latest published packages had these stale pins:

Package pinned latest
process@0.8.0 context-api: 0.5.3 0.6.0
watch@0.4.4 process: 0.7.4 0.8.0
watch@0.4.4 fs: 0.2.3 0.3.0

Fix

Patch-bump the affected packages so the publish workflow (.internal/publish-matrix.ts republishes any version not yet on npm) re-releases them, capturing fresh pins:

  • @effectionx/process 0.8.00.8.1 (will pin context-api@0.6.0)
  • @effectionx/watch 0.4.40.4.5 (will pin process@0.8.1, fs@0.3.0)

Since both are published from the same commit, watch picks up the new process@0.8.1, so the whole watch → process → context-api chain resolves to a single context-api@0.6.0.

Follow-up (not in this PR)

This will recur whenever an internal dep gets a minor bump and its dependents aren't re-released. Worth considering changesets (auto-bumps dependents and rewrites pins) or widening pre-1.0 ranges so cross-minor dedupe works. Happy to open a separate issue.

Summary by CodeRabbit

  • Chores
    • Updated package versions: @effectionx/process to 0.8.1 and @effectionx/watch to 0.4.5.

When pnpm publishes, it rewrites workspace:* to the exact dependency
version at publish time. Because these are 0.x packages (semver treats
minor bumps as breaking), published pins do not pick up newer minors of
their internal deps, so consumers end up with duplicate copies in their
tree.

Latest published packages had stale pins:
- process@0.8.0 pinned context-api@0.5.3 (latest 0.6.0)
- watch@0.4.4   pinned process@0.7.4 (latest 0.8.0) and fs@0.2.3 (latest 0.3.0)

Patch-bump process (0.8.0 -> 0.8.1) and watch (0.4.4 -> 0.4.5) so the
publish workflow republishes them with fresh pins (context-api@0.6.0,
process@0.8.1, fs@0.3.0), eliminating the duplicate @effectionx/context-api
reported by consumers.
@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Two package manifests receive patch version bumps: @effectionx/process from 0.8.0 to 0.8.1 and @effectionx/watch from 0.4.4 to 0.4.5. No other fields, dependencies, or exports are modified.

Changes

Package Version Bumps

Layer / File(s) Summary
Patch version increments
process/package.json, watch/package.json
@effectionx/process bumped 0.8.00.8.1; @effectionx/watch bumped 0.4.40.4.5.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely summarizes the main change: refreshing stale internal dependency pins in process and watch packages to fix duplicate dependencies.
Description check ✅ Passed The description includes all required sections (Problem/Motivation and detailed Approach), with clear explanations of the root cause, affected packages, and the solution implemented.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Policy Compliance ✅ Passed All Strict policies pass: no AI agent marketing in commit or PR description; both package.json files have compliant description (<120 chars) and approved keywords. Recommended version bump policy s...

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/refresh-stale-internal-pins

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new

pkg-pr-new Bot commented Jun 15, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@effectionx/process@220
npm i https://pkg.pr.new/@effectionx/watch@220

commit: f51e793

@taras taras requested a review from jbolda June 15, 2026 20:11

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
watch/package.json (1)

1-51: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing 'files' field in package.json.

The package.json does not include a 'files' field. According to coding guidelines, every published package must declare a 'files' field that includes 'dist', 'mod.ts', and relevant source files. This controls which files are packaged in the published tarball.

✏️ Suggested fix: add 'files' field
  "sideEffects": false,
+ "files": ["dist", "main.ts", "mod.ts"],
  "dependencies": {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@watch/package.json` around lines 1 - 51, The package.json file for the watch
package is missing a 'files' field, which controls which files are included in
the published tarball. Add a 'files' field to the package.json (at the root
level alongside other metadata fields like "license", "author", etc.) that
explicitly declares which files and directories should be included when
publishing. The field should include at least 'dist' (the compiled output
directory) and 'mod.ts' (the TypeScript source file), as referenced in the
exports configuration. This ensures only necessary files are packaged and
published with the module.

Source: Coding guidelines

process/package.json (1)

1-44: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing 'files' field in package.json.

The package.json does not include a 'files' field. According to coding guidelines, every published package must declare a 'files' field that includes 'dist', 'mod.ts', and relevant source files. This controls which files are packaged in the published tarball.

✏️ Suggested fix: add 'files' field
  "sideEffects": false,
+ "files": ["dist", "mod.ts"],
  "dependencies": {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@process/package.json` around lines 1 - 44, The package.json is missing a
required 'files' field that controls which files are included in the published
package tarball. Add a 'files' field as a top-level property in the package.json
object that includes an array with the entries 'dist', 'mod.ts', and any other
relevant source files that should be distributed. This field should be added
alongside other metadata fields like 'license', 'author', and 'repository'.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@process/package.json`:
- Line 1: Add the required 'files' field to both package.json files to control
which files are included in the published package. In process/package.json, add
"files": ["dist", "mod.ts"] before the 'dependencies' field. In
watch/package.json, add "files": ["dist", "main.ts", "mod.ts"] before the
'dependencies' field, since watch exports both main.ts and mod.ts as entry
points. This ensures only the dist directory and specified source entry-point
files are published, preventing unwanted files from being included in the
tarball.

---

Outside diff comments:
In `@process/package.json`:
- Around line 1-44: The package.json is missing a required 'files' field that
controls which files are included in the published package tarball. Add a
'files' field as a top-level property in the package.json object that includes
an array with the entries 'dist', 'mod.ts', and any other relevant source files
that should be distributed. This field should be added alongside other metadata
fields like 'license', 'author', and 'repository'.

In `@watch/package.json`:
- Around line 1-51: The package.json file for the watch package is missing a
'files' field, which controls which files are included in the published tarball.
Add a 'files' field to the package.json (at the root level alongside other
metadata fields like "license", "author", etc.) that explicitly declares which
files and directories should be included when publishing. The field should
include at least 'dist' (the compiled output directory) and 'mod.ts' (the
TypeScript source file), as referenced in the exports configuration. This
ensures only necessary files are packaged and published with the module.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9b38b0d5-a209-4b47-ab5f-a9ba2bd039ee

📥 Commits

Reviewing files that changed from the base of the PR and between 2449c08 and f51e793.

📒 Files selected for processing (2)
  • process/package.json
  • watch/package.json

Comment thread process/package.json
@taras taras merged commit 5c28704 into main Jun 15, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants