Chore: version bumps removed unused dependency risk, pinning, and package age #24
Conversation
Bump package version from 1.0.5 to 1.0.9. Pin all development dependencies to exact versions instead of using caret ranges for improved stability and reproducibility. Remove Jest configuration and ts-jest dependency in favor of Bun's native test runner. Remove unused @types/jest dependency. Update documentation to clarify that npm installs use Bun for tests and builds, and add section on dependency hygiene policies including 7-day minimum release age gate via bunfig.toml and .npmrc.
chore: bump version to 1.0.9 and update deps
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 94e5a3bf5b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| @@ -0,0 +1,2 @@ | |||
| save-exact=true | |||
| min-release-age=7 | |||
There was a problem hiding this comment.
Replace unsupported npm release-age config
The new .npmrc key min-release-age is not a valid npm project config, so npm installs will not enforce the intended 7-day package-age gate. In this repo I verified with npm 11.4.2 (npm config ls -l) that npm emits Unknown project config "min-release-age", which means the security/hygiene policy described in README is silently ineffective for anyone using npm install.
Useful? React with 👍 / 👎.
Confidence Score: 5/5Safe to merge — only dev toolchain and lockfile changes with no modifications to runtime code or public API. All changes are confined to devDependencies, CI workflows, config files, and documentation. The npm-install CI job correctly sets up Bun before invoking npm test, so the delegated bun test call works. No runtime source was modified. CHANGELOG.md — the jump from 1.0.5 directly to 1.0.9 leaves versions 1.0.6–1.0.8 undocumented (the outgoing package-lock was at 1.0.8). Prompt To Fix All With AIFix the following 1 code review issue. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 1
CHANGELOG.md:107
**CHANGELOG skips versions 1.0.6–1.0.8**
The outgoing `package-lock.json` had `"version": "1.0.8"`, meaning three versions were released to npm (1.0.6, 1.0.7, 1.0.8) without corresponding CHANGELOG entries. The log jumps directly from 1.0.5 to 1.0.9, so there is no record of what changed in those intermediate releases.
Reviews (2): Last reviewed commit: "chore: document dependency gate requirem..." | Re-trigger Greptile |
| @@ -0,0 +1,2 @@ | |||
| save-exact=true | |||
| min-release-age=7 | |||
There was a problem hiding this comment.
min-release-age requires npm ≥ 11.10.0
min-release-age was introduced in npm v11.10.0. On older npm versions this key is silently ignored, meaning the 7-day gate won't be enforced. Neither the README nor the engines field in package.json documents this minimum npm version requirement, so contributors or CI pipelines running older npm will unknowingly get no protection.
Prompt To Fix With AI
This is a comment left during a code review.
Path: .npmrc
Line: 2
Comment:
**`min-release-age` requires npm ≥ 11.10.0**
`min-release-age` was introduced in npm v11.10.0. On older npm versions this key is silently ignored, meaning the 7-day gate won't be enforced. Neither the README nor the `engines` field in `package.json` documents this minimum npm version requirement, so contributors or CI pipelines running older npm will unknowingly get no protection.
How can I resolve this? If you propose a fix, please make it concise.Co-authored-by: Cursor <cursoragent@cursor.com>
Bump package version from 1.0.5 to 1.0.9. Pin all
development dependencies to exact versions instead of
using caret ranges for improved stability and
reproducibility. Remove Jest configuration and
ts-jest dependency in favor of Bun's native test
runner. Remove unused @types/jest dependency. Update
documentation to clarify that npm installs use Bun
for tests and builds, and add section on dependency
hygiene policies including 7-day minimum release age
gate via bunfig.toml and .npmrc.