Skip to content

Lock NPM Packages #2598

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mattheworris merged 12 commits into from
Sep 16, 2025
Merged

Lock NPM Packages #2598

mattheworris merged 12 commits into from
Sep 16, 2025

Conversation

@mattheworris
Copy link
Collaborator

@mattheworris mattheworris commented Sep 10, 2025
edited
Loading

Goal

The goal of this PR is update npm package dependencies.

Closes #2595

Discussion

  • I have confirmed the changed versions match the previous resolved versions from the lock file.

Checklist

  • Updated Pallet Readme?
  • Updated js/api-augment for Custom RPC APIs?
  • Design doc(s) updated?
  • Unit Tests added?
  • e2e Tests added?
  • Benchmarks added?
  • Spec version incremented?

@mattheworris mattheworris self-assigned this Sep 10, 2025
@mattheworris mattheworris added the chore No feature changes label Sep 10, 2025
@mattheworris mattheworris linked an issue Sep 10, 2025 that may be closed by this pull request
Lock NPM Packages #2595
Closed
@mattheworris mattheworris changed the title chore: update package versions for consistency across projects Lock NPM Packages Sep 10, 2025
@mattheworris mattheworris requested review from a team, JoeCap08055, aramikm, claireclark1, Copilot, enddynayn, saraswatpuneet, shannonwells and wilwade and removed request for a team September 10, 2025 21:02
Copilot AI reviewed Sep 10, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR removes semver caret (^) and tilde (~) prefixes from NPM package dependencies to lock them to exact versions, preventing automatic minor and patch version updates during installation.

Key changes:

  • Remove caret prefixes from package dependencies to enforce exact version pinning
  • Update some packages to newer exact versions (e.g., @polkadot/api from 16.4.3 to 16.4.6 in api-augment)
  • Apply version locking consistently across all JavaScript packages in the repository

Reviewed Changes

Copilot reviewed 10 out of 14 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tools/state-copy/package.json Lock @polkadot/api and @polkadot/keyring to exact versions
tools/genesis-data/package.json Lock @polkadot/api to exact version
tools/eth-migration/package.json Lock @polkadot/api and pg to exact versions
scripts/js/onboard/package.json Lock @PolkaDot packages to exact versions
js/schemas/scripts/package.json Lock @polkadot/api to exact version
js/schemas/package.json Lock all dev dependencies to exact versions
js/recovery-sdk/package.json Lock all dev and runtime dependencies to exact versions
js/ethereum-utils/package.json Lock all dependencies and dev dependencies to exact versions
js/api-augment/package.json Lock dependencies to exact versions and update some to newer versions
e2e/package.json Lock all dependencies and dev dependencies to exact versions
Files not reviewed (3)
  • js/ethereum-utils/package-lock.json: Language not supported
  • js/recovery-sdk/package-lock.json: Language not supported
  • js/schemas/package-lock.json: Language not supported

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@mattheworris mattheworris marked this pull request as ready for review September 11, 2025 00:07
shannonwells
shannonwells approved these changes Sep 11, 2025
View reviewed changes
Copy link
Collaborator

@shannonwells shannonwells left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I read more carefully through the shorter package-lock.json files, & skimmed the one for api-augment. Noting that we can't control the failure of dependencies to omit ^ and ~ in their package.json, so there are some upgrades in the package-lock file for api-augment. You said that you'd run the check for the other package.json, so I'm approving, assuming the other package-locks have no changes.

@mattheworris
Copy link
Collaborator Author

mattheworris commented Sep 11, 2025

I read more carefully through the shorter package-lock.json files, & skimmed the one for api-augment. Noting that we can't control the failure of dependencies to omit ^ and ~ in their package.json, so there are some upgrades in the package-lock file for api-augment. You said that you'd run the check for the other package.json, so I'm approving, assuming the other package-locks have no changes.

Those indirect dependencies are frustrating. I worked mostly on api-augment and tried to keep everything as same as possible, but npm just doesn't have that much control so the api augment lock file has significant differences. None of them seemed material to a vulnerability. The other package dependencies were not as extensive and did not have as many changes.

@enddynayn
Copy link
Collaborator

enddynayn commented Sep 11, 2025
edited
Loading

Can you please explain why we are pinning these for the test? For tests, it may actually be more useful not to pin them, since allowing updates can give us early warning signs.

JoeCap08055
JoeCap08055 reviewed Sep 11, 2025
View reviewed changes
Copy link
Collaborator

@JoeCap08055 JoeCap08055 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we compared the newly-pinned versions with what was previously in the lockfile to make sure there are no reversions in dependencies?

I don't think it's an important issue for some of our other repos that are actual apps, but since the packages under the js/* directories are packages that have been previously published, I don't think we want to publish a new package that reverts some dependencies to older versions than what we previously published.

Not as important an issue for the e2e tests, other scripts, etc, I think. Just our published packages.

@mattheworris
Copy link
Collaborator Author

mattheworris commented Sep 11, 2025

Have we compared the newly-pinned versions with what was previously in the lockfile to make sure there are no reversions in dependencies?

I don't think it's an important issue for some of our other repos that are actual apps, but since the packages under the js/* directories are packages that have been previously published, I don't think we want to publish a new package that reverts some dependencies to older versions than what we previously published.

Not as important an issue for the e2e tests, other scripts, etc, I think. Just our published packages.

Yes, I confirmed that all pinned packages were the same as the last lock file. The indirect dependencies picked up a patch here and there. (Besides api-augment and ethereum-utils, the other lock file diffs are small).

JoeCap08055
JoeCap08055 approved these changes Sep 11, 2025
View reviewed changes
Copy link
Collaborator

@JoeCap08055 JoeCap08055 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒

aramikm
aramikm approved these changes Sep 12, 2025
View reviewed changes
Copy link
Collaborator

@aramikm aramikm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. We have to also check our github ci scripts to ensure we are usjng the same lock files maybe in another PR

@enddynayn
Copy link
Collaborator

enddynayn commented Sep 12, 2025

Should we update the CI to use npm ci if not there already?

@mattheworris mattheworris mentioned this pull request Sep 16, 2025
Open
3 tasks
@mattheworris
Copy link
Collaborator Author

mattheworris commented Sep 16, 2025

Should we update the CI to use npm ci if not there already?

Will address in #2605

@mattheworris
Copy link
Collaborator Author

mattheworris commented Sep 16, 2025

Looks good. We have to also check our github ci scripts to ensure we are usjng the same lock files maybe in another PR

Will address in #2605

@mattheworris mattheworris merged commit 775e5c6 into main Sep 16, 2025
33 checks passed
@mattheworris mattheworris deleted the 2595-lock-npm-packages branch September 16, 2025 13:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@shannonwells shannonwells shannonwells approved these changes

@aramikm aramikm aramikm approved these changes

@JoeCap08055 JoeCap08055 JoeCap08055 approved these changes

@wilwade wilwade Awaiting requested review from wilwade wilwade was automatically assigned from frequency-chain/pr-reviewers

@enddynayn enddynayn Awaiting requested review from enddynayn enddynayn was automatically assigned from frequency-chain/pr-reviewers

@claireclark1 claireclark1 Awaiting requested review from claireclark1 claireclark1 was automatically assigned from frequency-chain/pr-reviewers

@saraswatpuneet saraswatpuneet Awaiting requested review from saraswatpuneet saraswatpuneet was automatically assigned from frequency-chain/pr-reviewers

Assignees

@mattheworris mattheworris

Labels

chore No feature changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Lock NPM Packages

6 participants

@mattheworris @enddynayn @shannonwells @aramikm @JoeCap08055