Skip to content

Chore: version bumps removed unused dependency risk, pinning, and package age #24

Merged
jessehanley merged 4 commits into
bentonow:mainfrom
ziptied:main
Jun 9, 2026
Merged

Chore: version bumps removed unused dependency risk, pinning, and package age #24
jessehanley merged 4 commits into
bentonow:mainfrom
ziptied:main

Conversation

@ziptied

@ziptied ziptied commented May 22, 2026

Copy link
Copy Markdown
Contributor

Bump package version from 1.0.5 to 1.0.9. Pin all
development dependencies to exact versions instead of
using caret ranges for improved stability and
reproducibility. Remove Jest configuration and
ts-jest dependency in favor of Bun's native test
runner. Remove unused @types/jest dependency. Update
documentation to clarify that npm installs use Bun
for tests and builds, and add section on dependency
hygiene policies including 7-day minimum release age
gate via bunfig.toml and .npmrc.

ziptied added 3 commits May 22, 2026 11:44
Bump package version from 1.0.5 to 1.0.9. Pin all
development dependencies to exact versions instead of
using caret ranges for improved stability and
reproducibility. Remove Jest configuration and
ts-jest dependency in favor of Bun's native test
runner. Remove unused @types/jest dependency. Update
documentation to clarify that npm installs use Bun
for tests and builds, and add section on dependency
hygiene policies including 7-day minimum release age
gate via bunfig.toml and .npmrc.
chore: bump version to 1.0.9 and update deps

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 94e5a3bf5b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .npmrc
@@ -0,0 +1,2 @@
save-exact=true
min-release-age=7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Replace unsupported npm release-age config

The new .npmrc key min-release-age is not a valid npm project config, so npm installs will not enforce the intended 7-day package-age gate. In this repo I verified with npm 11.4.2 (npm config ls -l) that npm emits Unknown project config "min-release-age", which means the security/hygiene policy described in README is silently ineffective for anyone using npm install.

Useful? React with 👍 / 👎.

@greptile-apps

greptile-apps Bot commented May 22, 2026

Copy link
Copy Markdown

Confidence Score: 5/5

Safe to merge — only dev toolchain and lockfile changes with no modifications to runtime code or public API.

All changes are confined to devDependencies, CI workflows, config files, and documentation. The npm-install CI job correctly sets up Bun before invoking npm test, so the delegated bun test call works. No runtime source was modified.

CHANGELOG.md — the jump from 1.0.5 directly to 1.0.9 leaves versions 1.0.6–1.0.8 undocumented (the outgoing package-lock was at 1.0.8).

Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
CHANGELOG.md:107
**CHANGELOG skips versions 1.0.6–1.0.8**

The outgoing `package-lock.json` had `"version": "1.0.8"`, meaning three versions were released to npm (1.0.6, 1.0.7, 1.0.8) without corresponding CHANGELOG entries. The log jumps directly from 1.0.5 to 1.0.9, so there is no record of what changed in those intermediate releases.

Reviews (2): Last reviewed commit: "chore: document dependency gate requirem..." | Re-trigger Greptile

Comment thread .npmrc
@@ -0,0 +1,2 @@
save-exact=true
min-release-age=7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 min-release-age requires npm ≥ 11.10.0

min-release-age was introduced in npm v11.10.0. On older npm versions this key is silently ignored, meaning the 7-day gate won't be enforced. Neither the README nor the engines field in package.json documents this minimum npm version requirement, so contributors or CI pipelines running older npm will unknowingly get no protection.

Prompt To Fix With AI
This is a comment left during a code review.
Path: .npmrc
Line: 2

Comment:
**`min-release-age` requires npm ≥ 11.10.0**

`min-release-age` was introduced in npm v11.10.0. On older npm versions this key is silently ignored, meaning the 7-day gate won't be enforced. Neither the README nor the `engines` field in `package.json` documents this minimum npm version requirement, so contributors or CI pipelines running older npm will unknowingly get no protection.

How can I resolve this? If you propose a fix, please make it concise.

Co-authored-by: Cursor <cursoragent@cursor.com>
@jessehanley jessehanley merged commit 9dd6d1a into bentonow:main Jun 9, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants