
Pin package versions #307

Merged
yamcodes merged 4 commits into main from 306-pin-package-versions-for-better-reliability-and-predictability
Nov 9, 2025

Conversation

yamcodes (Owner) commented Nov 9, 2025

Updated package.json files across multiple applications and packages to replace caret (^) versioning with exact versions for dependencies and devDependencies, ensuring consistent installations. This includes updates for arktype, tsx, and various other packages.

Closes #306

Summary by CodeRabbit

  • Chores
    • Locked dependency and devDependency versions to exact pins across packages and apps for reproducible builds.
    • Removed a TypeScript peer dependency and added a specific TypeScript version to a tooling package to ensure consistent toolchain behavior.

@yamcodes yamcodes linked an issue Nov 9, 2025 that may be closed by this pull request
6 tasks
changeset-bot bot commented Nov 9, 2025

⚠️ No Changeset found

Latest commit: ee4e010

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

vercel bot commented Nov 9, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
arkenv Ready Ready Preview Comment Nov 9, 2025 7:37pm

coderabbitai bot (Contributor) commented Nov 9, 2025

Walkthrough

This PR converts caret (^) SemVer ranges to exact version pins across many package.json files in apps, packages, tooling, and the repo root, altering dependency and devDependency entries only (no code or exported API changes).

Changes

| Cohort / File(s) | Summary |
|---|---|
| Playgrounds (node & vite): apps/playgrounds/node/package.json, apps/playgrounds/vite/package.json | Converted caret ranges to exact pins for dependencies/devDependencies (e.g., arktype, tsx, react, react-dom, @julr/vite-plugin-validate-env, @types/*, @vitejs/plugin-react, globals, typescript). |
| Playgrounds (bun-react): apps/playgrounds/bun-react/package.json | Pinned react, react-dom, @types/react, @types/react-dom, and @types/bun to exact versions. |
| Website app: apps/www/package.json | Mass pinning of dependencies and devDependencies (core libs, UI, tooling, typings, testing) from caret ranges to exact versions across ~20+ packages. |
| Repo root: package.json | Pinned multiple devDependencies (e.g., @changesets/cli, @manypkg/cli, @playwright/test, @vitest/ui, changesets-changelog-clean, rimraf, turbo, typescript, vitest). |
| Packages: packages/arkenv/package.json, packages/vite-plugin/package.json | Pinned devDependencies (e.g., arktype, tsdown, typescript, vite-tsconfig-paths, vitest, @ark/schema, @size-limit/*). |
| Tooling (playwright): tooling/playwright-www/package.json | Pinned devDependencies: @axe-core/playwright, @playwright/test, typescript; moved TypeScript from peerDependencies to dependencies in .github/actions/size-limit/package.json. |
| GH Action size-limit: .github/actions/size-limit/package.json | Removed TypeScript peerDependency (^5), added TypeScript (5.9.3) to dependencies, and pinned arkregex. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Notes for reviewers:

  • Verify package groups where policy differs (libraries vs apps) to ensure intended pinning aligns with repo policy (e.g., packages/vite-plugin may prefer ranges for runtime dependencies).
  • Check .github/actions/size-limit/package.json TypeScript peer→dependency change for CI/build implications.
  • Confirm no accidental package name/version regressions in apps/www due to large bulk edits.

Possibly related PRs

Suggested labels

example

Poem

🐰 I hopped through package.json files all day,

Pinned each caret so versions won't stray.
No more surprises when builds come to play,
I nibbled ranges and left exact pins in my way.
🌿✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Linked Issues check | ⚠️ Warning | The PR successfully pins all dependencies in apps (www, playgrounds/node, playgrounds/vite, bun-react) and packages/arkenv as required [#306]. However, packages/vite-plugin pinned both dependencies and devDependencies instead of keeping SemVer ranges for dependencies as specified. | Revert dependency pinning in packages/vite-plugin/package.json to use SemVer ranges (^) for dependencies while keeping exact pins for devDependencies only, per issue #306 requirements. |
| Out of Scope Changes check | ❓ Inconclusive | Most changes align with #306 requirements. However, .github/actions/size-limit/package.json shows a structural change (removing peerDependencies and adding typescript to dependencies) that extends beyond simple version pinning. | Clarify whether the peerDependencies removal and typescript relocation in .github/actions/size-limit/package.json represents intended scope creep or an undocumented requirement adjustment for this change. |
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Pin package versions' accurately describes the main change in the changeset, which involves converting all caret-prefixed version specifiers to exact pinned versions across multiple package.json files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 85e3b2b and ee4e010.

⛔ Files ignored due to path filters (2)
  • apps/playgrounds/bun-react/bun.lock is excluded by !**/*.lock
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • .github/actions/size-limit/package.json (1 hunks)
  • apps/playgrounds/bun-react/package.json (1 hunks)
  • package.json (1 hunks)
  • tooling/playwright-www/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • tooling/playwright-www/package.json
  • package.json
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-09-09T17:37:19.650Z
Learnt from: yamcodes
Repo: yamcodes/arkenv PR: 132
File: packages/arkenv/README.md:13-14
Timestamp: 2025-09-09T17:37:19.650Z
Learning: For yamcodes/arkenv project: Runtime support documentation should link to specific examples: Node.js (examples/basic), Bun (examples/with-bun), Vite (examples/with-vite-react-ts).

Applied to files:

  • apps/playgrounds/bun-react/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: test-e2e (e2e)
  • GitHub Check: test-e2e (a11y)
  • GitHub Check: size-limit
🔇 Additional comments (2)
.github/actions/size-limit/package.json (1)

13-16: Structural dependency change beyond version pinning.

The conversion of TypeScript from peerDependencies (^5) to dependencies (5.9.3) goes beyond the PR objective of pinning versions. This structural change alters dependency resolution strategy.

The PR objectives focus on version pinning for reliability; they do not mention converting dependency types. Clarify whether this conversion was intentional and necessary for this action's functionality.

Additionally, verify that:

  • TypeScript 5.9.3 is a valid/recent version and not a typo (e.g., should it be 5.9.x or 5.x.x range for the peerDependency?)
  • arkregex 0.0.2 is compatible with TypeScript 5.9.3

TypeScript 5.9.3 is a valid, recent version, so the version pinning is acceptable.

However, the key concern remains: the PR objectives do not mention changing dependency structure (peerDependency → dependency). This warrants clarification.

apps/playgrounds/bun-react/package.json (1)

12-18: All package versions are stable and correctly pinned; lock file verification needed.

The version verification confirms all dependencies are stable releases (not pre-releases) and exist in their respective registries:

  • react@19.2.0, react-dom@19.2.0 ✓
  • @types/react@19.2.2, @types/react-dom@19.2.2 ✓ (type versions slightly ahead of runtime is standard and compatible)
  • @types/bun@1.3.1 ✓

However, no lock file (package-lock.json, bun.lockb, or yarn.lock) was found in apps/playgrounds/bun-react/. Please verify whether:

  1. A lock file should be present and committed with this PR to lock transitive dependencies, or
  2. The absence of a lock file is intentional for this playground.

@github-actions github-actions bot added arkenv Changes to the `arkenv` npm package. @arkenv/vite-plugin Issues or Pull Requests involving the Vite plugin for ArkEnv www Improvements or additions to arkenv.js.org labels Nov 9, 2025
…ock.yaml

Updated pnpm-lock.yaml to replace caret (^) versioning with exact versions for various dependencies and devDependencies, ensuring consistent installations across applications. This includes updates for packages like arktype, tsx, and others.
@yamcodes yamcodes changed the title PIn package versions Pin package versions Nov 9, 2025
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4376e7 and 85e3b2b.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (7)
  • apps/playgrounds/node/package.json (1 hunks)
  • apps/playgrounds/vite/package.json (1 hunks)
  • apps/www/package.json (1 hunks)
  • package.json (1 hunks)
  • packages/arkenv/package.json (1 hunks)
  • packages/vite-plugin/package.json (1 hunks)
  • tooling/playwright-www/package.json (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-09-10T19:35:18.179Z
Learnt from: yamcodes
Repo: yamcodes/arkenv PR: 136
File: .changeset/vast-bananas-win.md:2-3
Timestamp: 2025-09-10T19:35:18.179Z
Learning: The arkenv package is currently in v0.x.x (pre-1.0) development phase, where breaking changes are acceptable in minor version bumps according to semantic versioning conventions.

Applied to files:

  • packages/arkenv/package.json
📚 Learning: 2025-09-09T17:37:19.650Z
Learnt from: yamcodes
Repo: yamcodes/arkenv PR: 132
File: packages/arkenv/README.md:13-14
Timestamp: 2025-09-09T17:37:19.650Z
Learning: For yamcodes/arkenv project: Runtime support documentation should link to specific examples: Node.js (examples/basic), Bun (examples/with-bun), Vite (examples/with-vite-react-ts).

Applied to files:

  • packages/arkenv/package.json
  • apps/playgrounds/vite/package.json
🔇 Additional comments (6)
apps/playgrounds/node/package.json (1)

12-12: Pinning strategy looks correct for this app.

All dependencies and devDependencies are pinned to exact versions, consistent with the PR objectives for apps.

Also applies to: 16-16

packages/arkenv/package.json (1)

43-51: Pinning strategy is correct for a Node.js-only library.

DevDependencies are pinned to exact versions while peerDependencies maintain semver ranges, enabling dev environment consistency without restricting consumers.

package.json (1)

28-38: Partial version pinning at root level—verify intentionality.

The root package.json pins typescript and vitest (lines 36–37) but keeps caret ranges for other devDependencies (lines 29–35). This inconsistency with the PR's stated goal of "pin package versions for better reliability and predictability" warrants verification. If selective pinning is intentional, consider documenting the rationale; otherwise, align with the pinning strategy across the monorepo.

packages/vite-plugin/package.json (1)

14-20: Pinning strategy is correct for a dual browser/node library.

DevDependencies are pinned to exact versions for development consistency, while peerDependencies maintain semantic version ranges for consumer flexibility. No regular dependencies to coordinate.

apps/www/package.json (1)

16-47: Comprehensive pinning is correct for this app.

All dependencies (lines 16–47) and devDependencies (lines 50–70) are pinned to exact versions, providing the "certainty about installed versions" and "reliability and predictability" goals stated in the PR objectives.

Also applies to: 50-70

apps/playgrounds/vite/package.json (1)

27-27: App dependency vite uses unpinned @latest tag—inconsistent with other pinned dependencies.

The observation is factually correct: line 27 specifies vite: "npm:rolldown-vite@latest" while every other dependency in this file is pinned to an exact version (e.g., "5.1.0", "19.2.0"). This is also the only @latest reference across all app playgrounds.

However, without access to the PR description, I cannot confirm whether this violates the stated pinning requirements. Please verify:

  1. Whether the PR explicitly mandates pinning all dependencies in apps
  2. Whether rolldown-vite's @latest is intentional (e.g., testing upcoming versions) or an oversight

If pinning is required, change to "npm:rolldown-vite@X.Y.Z" with a specific version. If it's intentional, document the exception.
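
The pinning policy this thread converges on (exact versions in dependencies and devDependencies, ranges still allowed in peerDependencies, and no floating tags such as the `npm:rolldown-vite@latest` alias) can be enforced mechanically. The following is an added example, not code from the arkenv repository or from any bot in this conversation; the function names, the decision to skip `workspace:`/`file:`/`link:` specifiers, and the sample manifests are assumptions made for illustration.

```javascript
// Added example: flag dependency specifiers that are not exact pins.
// Assumed policy: dependencies/devDependencies must be exact; peerDependencies
// are not checked, so libraries can keep ranges for their consumers.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const PINNED_FIELDS = ["dependencies", "devDependencies"];

// Returns null for an acceptable specifier, otherwise a short reason string.
function classify(spec) {
  // Local protocols point at packages inside the repo (assumption: out of scope).
  if (/^(workspace|file|link):/.test(spec)) return null;
  let version = spec;
  if (spec.startsWith("npm:")) {
    // Alias form "npm:<real-name>@<version>"; a scoped name has its own leading "@".
    const at = spec.lastIndexOf("@");
    if (at <= 4) return "alias without a version";
    version = spec.slice(at + 1);
  }
  if (EXACT.test(version)) return null;
  if (/^[\^~]/.test(version)) return "semver range";
  if (/^[A-Za-z][\w.-]*$/.test(version)) return "dist-tag";
  return "other non-exact specifier";
}

// manifests: { "<path to package.json>": <parsed package.json object>, ... }
function auditManifests(manifests) {
  const findings = [];
  for (const [file, manifest] of Object.entries(manifests)) {
    for (const field of PINNED_FIELDS) {
      for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
        const reason = classify(spec);
        if (reason) findings.push({ file, field, name, spec, reason });
      }
    }
  }
  return findings;
}

// Constructed sample manifests. Versions are illustrative, except the
// rolldown-vite alias, which is the specifier quoted in the review above.
const SAMPLE = {
  "apps/playgrounds/vite/package.json": {
    dependencies: { react: "19.2.0", vite: "npm:rolldown-vite@latest" },
    devDependencies: { typescript: "5.9.3" },
  },
  "package.json": {
    devDependencies: { turbo: "^1.2.3", typescript: "5.9.3" },
  },
  "packages/vite-plugin/package.json": {
    devDependencies: { typescript: "5.9.3" },
    peerDependencies: { vite: "^1.0.0 || ^2.0.0" },
  },
};

const sampleFindings = auditManifests(SAMPLE);
for (const f of sampleFindings) {
  console.log(`${f.file}: ${f.field}.${f.name} = "${f.spec}" (${f.reason})`);
}
```

Run in CI against the parsed package.json files of the workspace, a non-empty result fails the build before a floating specifier reaches the lock file.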

…stency

Updated package.json and lock files across multiple applications to replace caret (^) versioning with exact versions for dependencies and devDependencies, ensuring consistent installations. This includes updates for packages like react, typescript, and others.
@github-actions github-actions bot added the github actions Pull requests that update GitHub Actions code label Nov 9, 2025
pkg-pr-new bot commented Nov 9, 2025

npm i https://pkg.pr.new/arkenv@307
npm i https://pkg.pr.new/@arkenv/vite-plugin@307

commit: ee4e010

arkenv-bot bot (Contributor) commented Nov 9, 2025

📦 Bundle Size Report


> arkenv-monorepo@ size /home/runner/work/arkenv/arkenv
> turbo run size --filter './packages/*'

• Packages in scope: @arkenv/vite-plugin, arkenv
• Running size in 2 packages
• Remote caching enabled
::group::arkenv:build
cache hit, replaying logs 85034f5614c0359e

> arkenv@0.7.3 build /home/runner/work/arkenv/arkenv/packages/arkenv
> tsdown

ℹ tsdown v0.15.12 powered by rolldown v1.0.0-beta.45
ℹ Using tsdown config: /home/runner/work/arkenv/arkenv/packages/arkenv/tsdown.config.ts
ℹ entry: src/index.ts
ℹ tsconfig: tsconfig.json
ℹ Build start
ℹ [CJS] dist/index.cjs  6.16 kB │ gzip: 2.43 kB
ℹ [CJS] 1 files, total: 6.16 kB
ℹ [ESM] dist/index.js    4.98 kB │ gzip: 2.00 kB
ℹ [ESM] dist/index.d.ts  7.05 kB │ gzip: 1.27 kB
ℹ [ESM] 2 files, total: 12.03 kB
ℹ [CJS] dist/index.d.cts  7.05 kB │ gzip: 1.27 kB
ℹ [CJS] 1 files, total: 7.05 kB
✔ Build complete in 3335ms
::endgroup::
::group::@arkenv/vite-plugin:build
cache hit, replaying logs daa924f9150c6a64

> @arkenv/vite-plugin@0.0.14 build /home/runner/work/arkenv/arkenv/packages/vite-plugin
> tsdown

ℹ tsdown v0.15.12 powered by rolldown v1.0.0-beta.45
ℹ Using tsdown config: /home/runner/work/arkenv/arkenv/packages/vite-plugin/tsdown.config.ts
ℹ entry: src/index.ts
ℹ tsconfig: tsconfig.json
ℹ Build start
ℹ [CJS] dist/index.cjs  1.65 kB │ gzip: 0.85 kB
ℹ [CJS] 1 files, total: 1.65 kB
ℹ [ESM] dist/index.js    0.61 kB │ gzip: 0.41 kB
ℹ [ESM] dist/index.d.ts  0.40 kB │ gzip: 0.27 kB
ℹ [ESM] 2 files, total: 1.02 kB
ℹ [CJS] dist/index.d.cts  0.38 kB │ gzip: 0.26 kB
ℹ [CJS] 1 files, total: 0.38 kB
✔ Build complete in 3571ms
::endgroup::
::group::arkenv:size
cache bypass, force executing f7f7124829f248a3

> arkenv@0.7.3 size /home/runner/work/arkenv/arkenv/packages/arkenv
> size-limit

- Adding to empty esbuild project
✔ Adding to empty esbuild project
  
  Size limit: 2 kB
  Size:       711 B with all dependencies, minified and brotlied
  
::endgroup::

 Tasks:    3 successful, 3 total
Cached:    2 cached, 3 total
  Time:    642ms 


Attention:
Turborepo now collects completely anonymous telemetry regarding usage.
This information is used to shape the Turborepo roadmap and prioritize features.
You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
https://turborepo.com/docs/telemetry


All size limits passed!

@yamcodes yamcodes merged commit d52770a into main Nov 9, 2025
19 checks passed
@yamcodes yamcodes deleted the 306-pin-package-versions-for-better-reliability-and-predictability branch November 9, 2025 20:07

Labels

@arkenv/vite-plugin Issues or Pull Requests involving the Vite plugin for ArkEnv arkenv Changes to the `arkenv` npm package. github actions Pull requests that update GitHub Actions code www Improvements or additions to arkenv.js.org

Development

Successfully merging this pull request may close these issues.

Pin package versions for better reliability and predictability

1 participant