
chore: centralize shared dependency versions with pnpm catalog#612

Merged: abhithesys merged 1 commit into thesysdev:main from Shinyaigeek:chore/pnpm-catalog-shared-deps on Jun 8, 2026

Conversation


@Shinyaigeek Shinyaigeek commented Jun 6, 2026

Contributor

Summary

Introduces a pnpm catalog in pnpm-workspace.yaml for dependencies that were already pinned to an identical version across multiple packages. Each version now lives in one place and is referenced from package.json via the catalog: protocol, so future bumps happen in a single spot.
This is just a proposal, so if you don't think this is needed, please feel free to close this pull request.

Scoped intentionally to deps that already shared one version spec — so this is a pure refactor with no resolved-version changes. I think some devDependencies' versions (like vitest) should also be unified by this feature, but some of these have different versions, so I will fix this later if this approach suits this project.

Catalog entries

```yaml
catalog:
  jsdom: "^26.1.0"
  zod: "^3.25.0 || ^4.0.0"
  zustand: "^4.5.5"
```

| Dependency | Spec | Packages updated to `catalog:` |
| --- | --- | --- |
| zod | ^3.25.0 \|\| ^4.0.0 | lang-core, react-lang, react-ui, react-email, vue-lang, svelte-lang |
| zustand | ^4.5.5 | react-headless, react-ui |
| jsdom | ^26.1.0 | svelte-lang, vue-lang |

Notes

Deps with differing versions across packages (e.g. vitest v3 vs v4, react, vite) were deliberately left out of this PR to avoid bundling version unifications into a refactor. They can be cataloged in a follow-up if desired.

🤖 Generated with Claude Code
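As an added example (not code from the PR or the thesysdev project), a small Node script that checks the invariants this PR relies on: every `catalog:` reference in a package.json resolves to an entry in pnpm-workspace.yaml, deps that already share one spec across packages are surfaced as catalog candidates, and deps with differing specs (the vitest/vite case noted above) are reported as drift rather than silently unified. The workspace YAML, the manifests and the unresolved `react` reference are constructed for the demo; the parser handles only the flat `catalog:` block, not general YAML.

```javascript
// Added example (not code from the PR or the thesysdev project): audit how a pnpm workspace
// uses its catalog. Workspace YAML and package manifests below are constructed for this demo.

const WORKSPACE_YAML = `catalog:
  jsdom: "^26.1.0"
  zod: "^3.25.0 || ^4.0.0"
  zustand: "^4.5.5"
packages: ["packages/*"]
`;

const PACKAGES = { // constructed; react-lang's "react" points at a catalog entry that is missing
  "lang-core":   { dependencies: { zod: "catalog:" }, devDependencies: { vitest: "^4.0.18", "@types/node": "^20.0.0" } },
  "react-lang":  { dependencies: { zod: "catalog:", react: "catalog:" }, devDependencies: { vitest: "^4.0.18", "@types/node": "^20.0.0" } },
  "react-ui":    { dependencies: { zod: "catalog:", zustand: "catalog:" }, devDependencies: { vite: "^5" } },
  "svelte-lang": { dependencies: { zod: "catalog:" }, devDependencies: { jsdom: "catalog:", vitest: "^3", vite: "^6" } },
  "vue-lang":    { dependencies: { zod: "catalog:" }, devDependencies: { jsdom: "catalog:", vitest: "^3", vite: "^6" } },
};

// Minimal parser for the flat `catalog:` block (assumes indented `name: "spec"` lines; not general YAML).
function parseCatalog(yamlText) {
  const catalog = {};
  let inCatalog = false;
  for (const line of yamlText.split("\n")) {
    if (/^\S/.test(line)) inCatalog = /^catalog:\s*$/.test(line); // track which top-level key we are under
    const m = inCatalog ? line.match(/^\s+(\S+):\s*"([^"]*)"\s*$/) : null;
    if (m) catalog[m[1]] = m[2];
  }
  return catalog;
}

// Finds unresolved "catalog:" refs, deps sharing one spec (catalog candidates) and deps with differing specs (drift).
function auditWorkspace(catalog, packages) {
  const specsByDep = {}, unresolved = []; // dep -> effective spec -> [package names]
  for (const [pkg, manifest] of Object.entries(packages)) {
    const deps = { ...manifest.dependencies, ...manifest.devDependencies };
    for (const [dep, spec] of Object.entries(deps)) {
      if (spec === "catalog:" && !(dep in catalog)) unresolved.push(`${pkg}:${dep}`);
      const effective = spec === "catalog:" ? catalog[dep] : spec;
      const bySpec = specsByDep[dep] || (specsByDep[dep] = {});
      (bySpec[effective] || (bySpec[effective] = [])).push(pkg);
    }
  }
  const candidates = [], drift = [];
  for (const [dep, bySpec] of Object.entries(specsByDep)) {
    if (Object.values(bySpec).flat().length < 2) continue; // single user: nothing to unify
    if (Object.keys(bySpec).length > 1) drift.push(dep);
    else if (!(dep in catalog)) candidates.push(dep);
  }
  return { unresolved, candidates: candidates.sort(), drift: drift.sort() };
}
```

Run `auditWorkspace(parseCatalog(WORKSPACE_YAML), PACKAGES)`; a non-empty `unresolved` list is the condition worth failing CI on, since `pnpm install` would otherwise be the first place the missing entry surfaces.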

Introduce a pnpm catalog in pnpm-workspace.yaml for dependencies that
were already pinned to an identical version across multiple packages, so
their version is declared in a single place and referenced via the
"catalog:" protocol.

Cataloged (no resolved-version changes — each already shared one spec):
- zod      "^3.25.0 || ^4.0.0"  (lang-core, react-lang, react-ui,
                                  react-email, vue-lang, svelte-lang)
- zustand  "^4.5.5"             (react-headless, react-ui)
- jsdom    "^26.1.0"            (svelte-lang, vue-lang)

Verified: build + test pass for the affected packages (lang-core,
react-headless, svelte-lang, vue-lang) with all deps resolving from
the catalog.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@abhithesys abhithesys left a comment

Contributor


LGTM

@abhithesys abhithesys merged commit a1b93a8 into thesysdev:main Jun 8, 2026
1 check passed
i-subham23 added a commit that referenced this pull request Jun 8, 2026
Resolve conflicts by adopting main's pnpm catalog (#612):
- svelte-lang / vue-lang: take "jsdom": "catalog:" (^26.1.0)
- regenerate pnpm-lock.yaml combining the catalog with the audit-fix
  dependency bumps (vitest ^4.1, next 16.2.7, prismjs >=1.30.0,
  @ai-sdk/provider-utils override ^4.0.27)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
i-subham23 added a commit that referenced this pull request Jun 8, 2026
Resolve pnpm-lock.yaml conflict: regenerate with pnpm 9.15.9 so the
lockfile reflects main's pnpm catalog (#612) together with the audit-fix
dependency bumps (vitest ^4.1, next 16.2.7, prismjs >=1.30.0,
@ai-sdk/provider-utils override ^4.0.27). Validated with
`pnpm install --frozen-lockfile`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
i-subham23 added a commit that referenced this pull request Jun 9, 2026
…105 mod, 21 low) (#577)

* fix(deps): clear all 206 pnpm audit vulnerabilities (2 crit, 78 high, 105 mod, 21 low)

Resolves every advisory reported by `pnpm audit` (206 -> 0). Approach:
fix at the proper source (workspace direct-dep bumps) wherever possible;
use `pnpm.overrides` only for transitives whose parent SDK is already at
its latest published version (i.e. truly upstream-stuck).

Direct-dep bumps (the bulk of fixes):
- docs/: next 16.1.6->16.2.6, fumadocs-{core,mdx,ui} 16.6.5->16.9.1,
  posthog-js ^1.358->^1.376, openai ^6.22->^6.39, postcss ^8.5.6->^8.5.15;
  toc subpath import fix required by fumadocs-ui bump.
- 11 Next.js example apps: next 16.1.6 -> 16.2.6 (+ matching
  eslint-config-next), openai -> ^6.39.0.
- examples/openui-react-native/backend: next ^15.2.3 -> ^15.5.18.
- examples/openui-react-native/chat-app: expo ~54.0.6 -> ~54.0.34.
- examples/svelte-chat: vite -> ^6.4.2, @sveltejs/kit -> ^2.61.1,
  @sveltejs/vite-plugin-svelte -> ^5.1.1, svelte -> ^5.55.9,
  @ai-sdk/svelte 3.x -> ^4.0.191 (major), @ai-sdk/openai -> ^3.0.65,
  ai -> ^6.0.191.
- examples/vue-chat: nuxt ^3.17 -> ^3.21.6, @ai-sdk/vue -> ^3.0.191,
  @ai-sdk/openai -> ^3.0.65, ai -> ^6.0.191.
- examples/mastra-chat: @ag-ui/core ^0.0.45->^0.0.53, @ag-ui/mastra
  ^1.0.1->^1.0.2.
- examples/{multi-agent-chat,vercel-ai-chat}: @ai-sdk/react ^3.0.118
  ->^3.0.193, @ai-sdk/openai -> ^3.0.65, ai -> ^6.0.191 (fixes
  UIMessage type incompatibility from coexisting ai majors).
- examples/openui-artifact-demo: react-syntax-highlighter ^15.6
  ->^16.1.1.
- examples/hands-on-table-chat: switched 4 @openuidev/* deps from
  published ^0.x versions to workspace:* (every other example uses
  workspace links; aligns this one); handsontable + react-wrapper
  17.0.1 -> 17.1.0.
- examples/supabase-chat: @supabase/ssr ^0.5->^0.10.3,
  @supabase/supabase-js ^2.49->^2.106.2 (clears ws CVE).
- packages/react-ui: storybook + 11 @storybook/* addons ^8.5.3
  ->^8.6.18; vite ^5->^6.4.2; webpack ^5.104.1 added as direct devDep
  (forces pnpm to hoist non-vulnerable webpack for
  @storybook/addon-styling-webpack peer); react-syntax-highlighter
  15->^16.1.1 (fixes prismjs); lodash-es ^4.17.21->^4.18.1;
  @typescript-eslint/eslint-plugin ^8.56->^8.59.4; @types/node-fetch
  2.6.11->2.6.13; form-data ^4.0->^4.0.5; postcss spec ^8.5.1->^8.5.15;
  tailwindcss ^3 -> ^3.4.19.
- packages/svelte-lang: vite ^6->^6.4.2, vitest ^3->^3.2.4, svelte
  ^5->^5.55.9, @sveltejs/vite-plugin-svelte ^5->^5.1.1, jsdom
  ^26->^29.1.1.
- packages/vue-lang: @vitejs/plugin-vue ^5->^6.0.7 (major),
  @vue/test-utils ^2.4->^2.4.10, vite ^6->^6.4.2, vitest ^3->^3.2.4,
  jsdom ^26->^29.1.1.
- packages/{lang-core,react-lang}: vitest ^4.0.18->^4.1.7.
- packages/browser-bundle: esbuild ^0.24->^0.25.12.
- Root: @typescript-eslint/eslint-plugin ^8.56->^8.59.4; tsdown
  ^0.21.7->^0.22.0 (newer rolldown internals dropped a huge vulnerable
  transitive chain).

`pnpm.overrides` block (6 entries, each truly upstream-stuck):
- langsmith@<0.6.0    deep inside @copilotkit/runtime via @ag-ui/mastra
                      (latest). RSS deserialization fix.
- ip-address@<10.1.1  via @modelcontextprotocol/sdk@1.29.0 (latest),
                      @mastra/core@1.15.0 (latest), @ag-ui/mastra
                      (latest). XSS in Address6 HTML emitters.
- postcss@<8.5.10     bundled as postcss@8.4.31 inside next@16.2.6
                      (latest stable; only 16.3 canaries exist).
                      XSS via unescaped </style>.
- qs@<6.15.2          via @mastra/core (latest), @ag-ui/mastra (latest).
                      DoS via comma-format TypeError.
- uuid@<11.1.1        via @ag-ui/mastra (latest), expo@~54.0.34
                      (latest in major), @storybook/addon-essentials
                      8.6.18 (latest 8.x; Storybook 8 is EOL).
                      Buffer bounds check.
- cookie@<0.7.0       via @sveltejs/kit@2.61.1 (latest), which pins
                      cookie@^0.6.0. OOB chars in cookie name/path.

Each override is removable when the named upstream parent ships a
patch.

Final audit: 0 critical / 0 high / 0 moderate / 0 low.
`pnpm install --frozen-lockfile` passes (CI-mode install). All
Next.js example builds verified. svelte-chat build verified after
@ai-sdk/svelte major bump. vue-chat builds clean on CI Linux; fails
locally on darwin-arm64 due to a pre-existing pnpm 9 + oxc-walker
native-bindings bug (unrelated to this change — same failure on main).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: downgrade tsdown version from 0.22.0 to 0.21.7 in package.json and update pnpm-lock.yaml accordingly

* chore: downgrade various package versions in package.json and pnpm-lock.yaml to resolve compatibility issues and vulnerabilities

* Merge branch 'main' into sd/openui-audit-fix

Resolve conflicts by adopting main's pnpm catalog (#612):
- svelte-lang / vue-lang: take "jsdom": "catalog:" (^26.1.0)
- regenerate pnpm-lock.yaml combining the catalog with the audit-fix
  dependency bumps (vitest ^4.1, next 16.2.7, prismjs >=1.30.0,
  @ai-sdk/provider-utils override ^4.0.27)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
