chore: dep-refresh release-prep (pnpm 11.5 migration + trustPolicyExclude sync + quarantined dep bumps) #28
Merged
…typescript@3.10.1)

Config-only. pnpm-workspace.yaml is not published, so this affects only this repo's own dev/CI installs; no version bump and no changeset.

Mirrors the exclude GAIA added when it bumped to @gaia-react/lint 1.5.1: re-resolving this config's subtree trips trustPolicy: no-downgrade on eslint-import-resolver-typescript@3.10.1 (final 3.x, required by eslint-plugin-canonical ^3.7.0; no provenance attestation while the 4.x line has it). Same benign pattern as semver@6.3.1. Only bites this repo when a maintainer next re-resolves canonical's subtree.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Watch for more trust excludes. Adding those deps re-resolves lint's subtree again, which can surface more latent pre-provenance transitives (the same way 1.5.1 surfaced this one). Add any to both lint and gaia.
- bump packageManager to pnpm@11.5.2 (CI's pnpm/action-setup reads it)
- relocate settings pnpm 11 no longer reads from package.json/.npmrc into pnpm-workspace.yaml: save-exact -> savePrefix '', and build approval -> allowBuilds map (esbuild, unrs-resolver; onlyBuiltDependencies is removed in v11 and strictDepBuilds fails the install if either is unlisted)
- add chokidar@4.0.3 to trustPolicyExclude: v11 enforces trustPolicy against the whole lockfile on every install, and this benign pre-provenance final-4.x release (via tsup, build-only) trips no-downgrade

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ionist/better-tailwindcss)

Bump dependencies that have cleared the 7-day release-age quarantine to their newest aged-out versions. unicorn is held at 65 because 66 requires ESLint 10.4 and the config stays on ESLint 9 until that migration is coordinated with the consuming app.

Disable unicorn/prefer-includes-over-repeated-comparisons: Array#includes returns a plain boolean, not a type predicate, so it cannot narrow a union the way an === comparison chain does. In a typed codebase the chain is the type-safe idiom, so this joins the config's existing disabled unicorn opinions.

Dev-only @types/node and typescript-eslint bumped alongside (not consumer facing, no changeset).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 25, 2026
Release-prep branch: pnpm 11.5 migration + quarantined dependency refresh

Ready to merge. Adds one changeset, cutting a minor (1.6.0).

Config-only (not published, no changeset)

- trustPolicyExclude sync: eslint-import-resolver-typescript@3.10.1 (config's published subtree, kept in sync with GAIA) and chokidar@4.0.3 (build-only via tsup, lint's alone). Both are benign pre-provenance releases that trip trustPolicy: no-downgrade.
- packageManager bumped (pnpm/action-setup reads it); resolution/supply-chain settings relocated from package.json/.npmrc into pnpm-workspace.yaml (savePrefix: '', the allowBuilds map for esbuild/unrs-resolver, since v11 removed onlyBuiltDependencies and strictDepBuilds fails an unlisted build).

Dependency refresh (published → changeset: minor)

Each bumped to the newest version that has cleared the 7-day minimumReleaseAge window. Install is clean under trustPolicy: no-downgrade with no new trustPolicyExclude entries.

- eslint-plugin-unicorn
- eslint-plugin-storybook
- @vitest/eslint-plugin
- eslint-plugin-better-tailwindcss
- eslint-plugin-perfectionist
- @types/node
- typescript-eslint

Held back by design: eslint/@eslint/js (ESLint 10 is a separate coordinated migration with the consuming app); eslint-plugin-sonarjs 4.1.0 (published within the 7-day window at prep time).

unicorn 64 → 65 consumer check

Dogfooded unicorn 65's recommended preset + this config's overrides against the GAIA app through an isolated Linter (only unicorn registered, so every hit is a real unicorn finding). Two new-in-65 rules fire on real GAIA source:

- unicorn/prefer-string-replace-all (1 site) — auto-fixable; consumer --fix resolves it on adoption. No config change.
- unicorn/prefer-includes-over-repeated-comparisons (1 site) — not auto-fixable and a poor fit for typed React: Array#includes returns a plain boolean, not a type predicate, so it cannot narrow a union the way an === comparison chain does. Disabled in style-hygiene.ts, joining the existing set of disabled unicorn opinions.

Verify

pnpm install / typecheck / lint / build all green under pnpm 11.5.2 with unicorn 65.

🤖 Generated with Claude Code
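
The thread asks that new trust excludes be added to both lint and GAIA, with chokidar@4.0.3 as lint's alone. A drift check for that rule, as an added example that is not part of this PR or either repository: the function names, the `libOnly` parameter, the exact-version rule and both YAML samples are assumptions constructed for illustration.

```javascript
// Added example: the YAML below is constructed, not the repositories' real files.
const LINT_YAML = `
trustPolicy: no-downgrade
trustPolicyExclude:
  - eslint-import-resolver-typescript@3.10.1 # via eslint-plugin-canonical
  - 'chokidar@4.0.3' # build-only via tsup
  - example-pkg@1.0.0 # constructed: surfaced by a later re-resolve
  - example-other # constructed: no version pin
savePrefix: ''
`;
const GAIA_YAML = `
trustPolicy: no-downgrade
trustPolicyExclude:
  - semver@6.3.1
  - eslint-import-resolver-typescript@3.10.1
`;

// Collect the block-sequence items under the top-level trustPolicyExclude key.
function parseExcludes(yamlText) {
  const entries = [];
  let inList = false;
  for (const raw of yamlText.split(/\r?\n/)) {
    const line = raw.replace(/\s+#.*$/, '').trimEnd(); // strip trailing comment
    if (/^trustPolicyExclude:\s*$/.test(line)) { inList = true; continue; }
    if (!inList || line.trim() === '' || line.startsWith('#')) continue;
    const item = /^\s*-\s+(.+)$/.exec(line);
    if (!item) { inList = false; continue; } // next top-level key ends the list
    entries.push(item[1].trim().replace(/^(['"])(.*)\1$/, '$2'));
  }
  return entries;
}

// This example's own convention: each exclude names exactly one version.
const EXACT = /^(@[^/@\s]+\/)?[^/@\s]+@\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// libOnly lists excludes that legitimately exist only in the lint repo.
function auditExcludes(libYaml, appYaml, libOnly = []) {
  const lib = parseExcludes(libYaml);
  const app = new Set(parseExcludes(appYaml));
  return {
    unpinned: lib.filter((e) => !EXACT.test(e)),
    missingInApp: lib.filter((e) => !app.has(e) && !libOnly.includes(e)),
    staleLibOnly: libOnly.filter((e) => !lib.includes(e)),
  };
}

console.log(auditExcludes(LINT_YAML, GAIA_YAML, ['chokidar@4.0.3']));
```

A non-empty `missingInApp` means the consuming app would trip `trustPolicy: no-downgrade` on its next re-resolve; `staleLibOnly` flags allowlisted entries that no longer exist and can be dropped.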