fix(release): override read-yaml-file to 2.x so changeset version works with js-yaml 4 #46
Merged
…ks with js-yaml 4

The js-yaml >=4.2.0 override (added to clear an audit advisory) broke the release workflow's `changeset version` step: Changesets pulls read-yaml-file@1.1.0 (via @manypkg/get-packages@1.1.3), which calls the js-yaml 3 API `yaml.safeLoad` — removed in js-yaml 4. CI never caught this because ci.yml doesn't run `changeset version`; only release.yml does.

read-yaml-file@2.x depends on js-yaml ^4 and uses `yaml.load`, and 2.1.0 is still CommonJS (3.x is ESM-only, which would break the CJS @manypkg caller). Overriding read-yaml-file to ^2.1.0 makes the Changesets tooling compatible with the patched js-yaml.

Verified: `pnpm run version` (changeset version) succeeds; `pnpm audit` (moderate and high) reports no known vulnerabilities; frozen-lockfile install, build, typecheck, and tests all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A299AvEPRfoWPP3Hq5NJGa
What broke

The release workflow (`release.yml`) failed on `pnpm run version` → `changeset version`:

The `js-yaml >=4.2.0` override (added in #45 to clear an audit advisory) forced js-yaml 4 underneath `read-yaml-file@1.1.0`, which Changesets pulls in via `@manypkg/get-packages@1.1.3`. That old `read-yaml-file` calls the js-yaml 3 API `yaml.safeLoad`, removed in v4 — so versioning crashed.

`ci.yml` never caught this because it doesn't run `changeset version`; only `release.yml` does. As a result the merges of #44/#45 produced no published release — both changesets are still pending on `main`.

Fix

Override `read-yaml-file` to `^2.1.0`. The 2.x line depends on `js-yaml: ^4.0.0` and uses `yaml.load`, so it's compatible with the patched js-yaml. I pinned to `^2.1.0` (not 3.x) deliberately: read-yaml-file@3.0.0 is ESM-only (`"type": "module"`), which would break the CommonJS `@manypkg/get-packages` that `require()`s it; 2.1.0 is still CJS.

`@changesets/cli` is already at the latest (2.31.0) and still transitively pins `@manypkg/get-packages@1.1.3` → `read-yaml-file@1.1.0`, so bumping Changesets doesn't help — the override is the targeted fix. The `js-yaml >=4.2.0` override is kept (still needed to guarantee the patched js-yaml across the tree).

No changeset here: this only touches release/build tooling, not any published package's contents. The two existing pending changesets (`blocked-message-status`, `audit-advisory-bumps`) will be consumed once the release runs.

Verification

- `pnpm run version` (`changeset version`) → succeeds ("All files have been updated").
- `pnpm audit --audit-level=moderate` and `--audit-level=high` → no known vulnerabilities.
- `pnpm install --frozen-lockfile`, `pnpm build`, `pnpm typecheck` pass.
- `pnpm test` green — sdk 58, cli 80, react-email 29.
- `read-yaml-file@2.1.0` remains in the tree (the stale 1.1.0 is gone).

🤖 Generated with Claude Code
Generated by Claude Code
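
Added example (not part of this pull request or the repository's code): a check for the failure described above, where an audit-driven override resolves a dependency outside the range a transitive consumer declares. `satisfiesCaret` and `findOverrideConflicts` are hypothetical helpers that handle only `^x.y.z` ranges; the package entries, the `^3.6.1` range for read-yaml-file@1.1.0 and the resolved version `4.2.0` are constructed sample data.

```javascript
// Added example: flag packages whose declared range for a dependency is not
// met by the version an override forces into the tree. Caret ranges only.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`unsupported range: ${range}`);
  const floor = parseVersion(range.slice(1));
  const v = parseVersion(version);
  // Components up to and including the first non-zero one must match exactly.
  let lead = floor.findIndex((n) => n !== 0);
  if (lead === -1) lead = 2; // ^0.0.0 allows only 0.0.0
  for (let i = 0; i <= lead; i++) if (v[i] !== floor[i]) return false;
  // The remaining components must be at or above the floor.
  for (let i = lead + 1; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] > floor[i];
  }
  return true;
}

// packages: [{ name, version, dependencies: { dep: range } }]
// forced:   { dep: version the override resolves to }
function findOverrideConflicts(packages, forced) {
  const conflicts = [];
  for (const pkg of packages) {
    for (const [dep, range] of Object.entries(pkg.dependencies)) {
      if (Object.hasOwn(forced, dep) && !satisfiesCaret(range, forced[dep])) {
        conflicts.push(`${pkg.name}@${pkg.version} declares ${dep} ${range}, ` +
          `override resolves ${forced[dep]}`);
      }
    }
  }
  return conflicts;
}

// Constructed sample data: a version satisfying the `>=4.2.0` override, and
// the consumer before and after the read-yaml-file override (1.x range assumed).
const forced = { "js-yaml": "4.2.0" };
const before = [{ name: "read-yaml-file", version: "1.1.0",
                  dependencies: { "js-yaml": "^3.6.1" } }];
const after = [{ name: "read-yaml-file", version: "2.1.0",
                 dependencies: { "js-yaml": "^4.0.0" } }];
console.log(findOverrideConflicts(before, forced)); // one conflict
console.log(findOverrideConflicts(after, forced));  // none
```

A check used in CI would read the declared ranges from the lockfile and use a full semver implementation; it complements, not replaces, running the release path's `changeset version` step.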