Skip to content

chore: standardize tooling versions and lock critical dependencies#1440

Merged
rohilsurana merged 16 commits intomainfrom
tooling-fixes
Mar 11, 2026
Merged

chore: standardize tooling versions and lock critical dependencies#1440
rohilsurana merged 16 commits intomainfrom
tooling-fixes

Conversation

@rohilsurana
Copy link
Member

@rohilsurana rohilsurana commented Mar 5, 2026
edited
Loading

Summary

Standardize tooling versions across the codebase and upgrade key dependencies to ensure consistency between local development, CI environments, and production builds.

Tooling Version Upgrades

pnpm: 9.3.0 → 10.19.0

  • Updated packageManager field in web/package.json and web/apps/client-demo/package.json
  • Updated engines.pnpm to >=10.19.0 in web/package.json and docs/package.json
  • Updated all CI workflows to use pnpm/action-setup@v2 with version 10.19.0:
    • .github/workflows/web-sdk.yml
    • .github/workflows/lint.yml
    • .github/workflows/release.yml (2 jobs - replaced manual npm install with action)
  • Updated Dockerfile.dev to use pnpm 10.19.0

Node: >=20.6.1 → >=22

  • Updated engines.node to >=22 in web/package.json (workspace root)
  • docs/package.json already had >=22
  • Updated all CI workflows to use Node 22.x/22
  • Updated Dockerfile.dev to use node:22-alpine
  • Upgraded actions/setup-node to v4 across all workflows for consistency
  • Upgraded @types/node to ^22.10.0 in SDK, admin, and client-demo to match Node 22
  • Important: web/sdk/package.json (published to npm) does NOT have engines to avoid breaking downstream consumers on Node 20

Dependency Upgrades

@raystack/proton: unified to 0.1.0-d8accdc231fe7e3b23b38c0535b2aa92da42cf24

  • SDK: upgraded from 0.1.0-330c7558f34570056814d418f99730fb45cfe80f
  • Admin: upgraded from 0.1.0-b1687af73f994fa9612a023c850aa97c35735af8
  • Both packages now use the same version

@connectrpc packages: upgraded to 2.1.1 (locked)

  • @connectrpc/connect: 2.1.1 (locked - was ^2.0.2 in SDK, ^2.1.0 in admin)
  • @connectrpc/connect-web: 2.1.1 (locked - was ^2.0.2 in SDK, ^2.1.0 in admin)
  • @connectrpc/connect-query: 2.1.1 (already locked, unchanged)

@tanstack/react-query: ^5.83.0 → ^5.90.2

  • Upgraded in both SDK and admin app
  • Resolves to 5.91.3 in lockfile
  • Admin's @tanstack/react-query-devtools upgraded to ^5.90.2

@types/node: ^20.19.0 → ^22.10.0

  • Updated in SDK, admin app, and client-demo to match Node 22
  • Resolves to 22.19.15 in lockfile

Development Experience Improvements

  • Added preview script to root package.json
  • Added preview task to turbo.json (depends on build, runs production build locally)
  • Removed unnecessary pnpm overrides (proper dependency versions make them redundant)
  • Standardized all workflows to use pnpm/action-setup@v2 action instead of manual npm install

Important Design Decisions

  • SDK package (web/sdk/package.json) does not have engines field - this package is published to npm and should not restrict consumer's Node version since compiled artifacts target ES2015
  • Engine constraints are enforced at workspace level (web/package.json), CI workflows, and Dockerfile.dev
  • This ensures CI/Docker builds with Node 22 + pnpm 10.19.0 while allowing npm consumers to use older Node versions
  • Only @connectrpc packages are locked (no caret) in dependencies - devDependencies maintain version ranges for flexibility
  • All CI workflows now use consistent GitHub Actions versions (setup-node@v4, pnpm/action-setup@v2)

Testing

  • ✅ All packages build successfully with node 23.3.0 (>=22) and pnpm 10.19.0
  • ✅ SDK builds with react-query 5.91.3, connectrpc 2.1.1, proton d8accdc, and @types/node 22.19.15
  • ✅ Admin app builds with Vite 4.5.14, react-query 5.91.3, connectrpc 2.1.1, proton d8accdc, and @types/node 22.19.15
  • ✅ Client demo builds with Vite 7.0.6 and @types/node 22.19.15
  • ✅ No peer dependency conflicts

@vercel
Copy link

vercel bot commented Mar 5, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
frontier Ready Ready Preview, Comment Mar 11, 2026 8:26am

@coderabbitai
Copy link

coderabbitai bot commented Mar 5, 2026
edited
Loading

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Tooling and metadata updates: Node bumped to 22 and pnpm to 10.19.0 across CI, Docker, and package files; added a preview npm script and Turbo task; and bumped several package dependency versions in web apps and SDK packages.

Changes

Cohort / File(s) Summary
CI workflows
\.github/workflows/lint.yml, \.github/workflows/release.yml, \.github/workflows/web-sdk.yml		 Upgrade Actions setup: actions/setup-node → v4 with Node 22.x, and pnpm pinned to 10.19.0 via pnpm setup action; no control-flow changes.
Package manager & engines
docs/package.json, web/apps/client-demo/package.json, web/package.json		 Bumped packageManager to pnpm@10.19.0; added/updated engines to require node >=22 and pnpm >=10.19.0; removed prior pnpm overrides from web/package.json.
Preview script & Turbo task
web/package.json, web/turbo.json		 Added preview npm script and a corresponding Turbo task (dependsOn: ["build"], cache: false, persistent: true).
Dependency bumps
web/apps/admin/package.json, web/sdk/package.json		 Updated @connectrpc/* to 2.1.1, bumped @tanstack/react-query, updated @raystack/proton refs, and raised @types/node devDependency (admin).
Docker
Dockerfile.dev		 Base image updated from node:20-alpine to node:22-alpine and pnpm version aligned to 10.19.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • rsbh

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coveralls
Copy link

coveralls commented Mar 5, 2026
edited
Loading

Pull Request Test Coverage Report for Build 22943471118

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 40.425%
Totals Coverage Status
Change from base Build 22888126369: 0.0%
Covered Lines: 13968
Relevant Lines: 34553
💛 - Coveralls

@rohilsurana rohilsurana changed the title Standardize tooling versions and lock critical dependencies chore: standardize tooling versions and lock critical dependencies Mar 9, 2026
@rohilsurana rohilsurana requested a review from Copilot March 9, 2026 06:57
Copilot AI reviewed Mar 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Standardizes the web workspace’s tooling/runtime expectations (pnpm + Node engines) and reduces dependency drift by pinning “critical” packages, while adding a Turbo-driven preview workflow for production-like local testing.

Changes:

  • Pin pnpm to 10.19.0 via packageManager fields and update the web-sdk GitHub Actions workflow to use pnpm 10.
  • Add/extend engines constraints for Node and pnpm across key packages.
  • Lock select dependencies to exact versions and add pnpm overrides to prevent TanStack Query version conflicts; add turbo run preview pipeline/task.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
web/turbo.json Adds a preview Turbo task that depends on build and runs persistently without cache.
web/sdk/package.json Pins several tooling/runtime dependencies; locks React Query to 5.83.0; adds Node/pnpm engine constraints.
web/package.json Pins pnpm version, adds preview script, adds pnpm engine constraint, and overrides @tanstack/query-core.
web/apps/client-demo/package.json Updates packageManager to pnpm 10.19.0.
web/apps/admin/package.json Locks @tanstack/react-query and devtools to 5.83.0; updates @types/node.
docs/package.json Adds pnpm engine constraint alongside existing Node engine constraint.
.github/workflows/web-sdk.yml Updates workflow to install pnpm 10.19.0.
Comments suppressed due to low confidence (1)

.github/workflows/web-sdk.yml:33

  • This workflow updates pnpm to 10.19.0, but other CI workflows in this repo still install pnpm 9.3.0 (e.g. .github/workflows/lint.yml and release.yml). With packageManager: pnpm@10.19.0 / engines.pnpm >=10.19.0 now set in web/package.json, those workflows are likely to become inconsistent or fail when running pnpm i. Please update the remaining workflows to pnpm 10.19.0 as well (or drop/relax the pnpm engine constraint if CI must stay on pnpm 9).
      - name: Setup pnpm 10
        uses: pnpm/action-setup@v2
        with:
          version: 10.19.0

      - name: Setup Node.js 20.x
        uses: actions/setup-node@v2
        with:
          node-version: 20.x

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@rohilsurana rohilsurana marked this pull request as ready for review March 9, 2026 11:22
coderabbitai[bot]
coderabbitai bot reviewed Mar 9, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
web/sdk/package.json (1)

107-108: Verify the Proton upgrade against the SDK's exported surface.

web/sdk/src/index.ts re-exports @raystack/proton/frontier, and SDK hooks like web/sdk/react/hooks/useOrganizationMembers.ts and web/sdk/react/hooks/useOrganizationProjects.ts consume generated FrontierServiceQueries and request schemas directly. Swapping to a commit-based Proton build can therefore change both the SDK internals and its public API without any local TypeScript diff here. Please gate this with a type-level smoke test, or treat it as a breaking release if any exported message/service symbols changed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 603390d9-7c79-4ba6-875e-e8986824f27e

📥 Commits

Reviewing files that changed from the base of the PR and between 92cc59b and 6ab33bf.

⛔ Files ignored due to path filters (1)
  • web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (9)
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/web-sdk.yml
  • docs/package.json
  • web/apps/admin/package.json
  • web/apps/client-demo/package.json
  • web/package.json
  • web/sdk/package.json
  • web/turbo.json

coderabbitai[bot]
coderabbitai bot reviewed Mar 10, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (2)
.github/workflows/web-sdk.yml (1)

30-33: ⚠️ Potential issue | 🟡 Minor

Update actions/setup-node to v4.

The workflow uses actions/setup-node@v2, which is outdated and flagged by actionlint as incompatible with current GitHub Actions runners. The release.yml workflow already uses @v4.

🔧 Proposed fix 
       - name: Setup Node.js 22.x
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: 22.x
.github/workflows/lint.yml (1)

40-43: ⚠️ Potential issue | 🟡 Minor

Update actions/setup-node to v4.

Same issue as in web-sdk.yml — this workflow uses actions/setup-node@v2, which is outdated and incompatible with current GitHub Actions runners per actionlint. The release.yml workflow already uses @v4.

🔧 Proposed fix 
       - name: Setup Node.js 22.x
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
           node-version: 22.x
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

48-53: LGTM - Node 22 and pnpm 10.19.0 updates are consistent with PR objectives.

The tooling version upgrades align with the standardization effort. One optional improvement: consider using the pnpm/action-setup action instead of npm install -g, which provides better caching and is more idiomatic for GitHub Actions workflows.

,

♻️ Optional: Use pnpm/action-setup action 
       - name: Set up Node
         uses: actions/setup-node@v4
         with:
           node-version: "22"
-      - name: Install pnpm
-        run: npm install -g pnpm@10.19.0
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.19.0
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c5b115fc-f2f9-48cf-a54a-7e2fe5d805fe

📥 Commits

Reviewing files that changed from the base of the PR and between 92cc59b and 0c59165.

⛔ Files ignored due to path filters (1)
  • web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (9)
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/web-sdk.yml
  • docs/package.json
  • web/apps/admin/package.json
  • web/apps/client-demo/package.json
  • web/package.json
  • web/sdk/package.json
  • web/turbo.json

coderabbitai[bot]
coderabbitai bot reviewed Mar 10, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a8794f91-5cb0-45b6-95f5-b59e400e32f0

📥 Commits

Reviewing files that changed from the base of the PR and between 0c59165 and 633c559.

📒 Files selected for processing (2)
  • web/package.json
  • web/sdk/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • web/sdk/package.json

coderabbitai[bot]
coderabbitai bot reviewed Mar 10, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/web-sdk.yml (1)

35-36: Use --frozen-lockfile for deterministic release builds.

This is a release workflow that publishes to npm. Using pnpm i --frozen-lockfile ensures that package installations remain deterministic across CI runs and prevents accidental dependency version changes during releases, which is a best practice for release workflows.

🔧 Proposed fix 
      - name: Install Dependencies 🔧
-       run: pnpm i
+       run: pnpm i --frozen-lockfile
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 49d625d9-28e3-4b59-9d24-34a4fb230511

📥 Commits

Reviewing files that changed from the base of the PR and between 633c559 and 4d794c5.

⛔ Files ignored due to path filters (1)
  • web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • .github/workflows/lint.yml
  • .github/workflows/web-sdk.yml
  • Dockerfile.dev
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/lint.yml

coderabbitai[bot]
coderabbitai bot reviewed Mar 11, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a34a883d-4c7e-4aaa-8244-99e3666bb322

📥 Commits

Reviewing files that changed from the base of the PR and between 4d794c5 and 2138ba2.

⛔ Files ignored due to path filters (1)
  • web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (10)
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/web-sdk.yml
  • Dockerfile.dev
  • docs/package.json
  • web/apps/admin/package.json
  • web/apps/client-demo/package.json
  • web/package.json
  • web/sdk/package.json
  • web/turbo.json
🚧 Files skipped from review as they are similar to previous changes (7)
  • docs/package.json
  • web/sdk/package.json
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • web/apps/client-demo/package.json
  • Dockerfile.dev
  • web/turbo.json

@rohilsurana rohilsurana merged commit 01aab59 into main Mar 11, 2026
8 checks passed
@rohilsurana rohilsurana deleted the tooling-fixes branch March 11, 2026 08:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

@paanSinghCoder paanSinghCoder paanSinghCoder approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rohilsurana @coveralls @paanSinghCoder