chore(deps): bump 3 low-risk major deps (lucide-react / electron-builder / pptxgenjs)#105
Findings
- [Major] Mixed major versions in the Electron packaging chain after lockfile update — [email protected] is resolved with [email protected], and [email protected] also resolves against that same 25.x Squirrel package. This cross-major pairing can create release-time regressions on Windows installers that unit tests/typecheck won’t catch. Evidence: pnpm-lock.yaml:107, pnpm-lock.yaml:6936, pnpm-lock.yaml:7538.
  Suggested fix:
  {
    "devDependencies": {
      "electron-builder": "^26.8.1",
      "electron-builder-squirrel-windows": "26.8.1"
    }
  }
  Then regenerate lockfile to ensure [email protected] resolves with [email protected].
Summary
- Review mode: initial
- 1 issue found in changed lines: lockfile currently resolves a mixed 26.x/25.x electron-builder toolchain.
- docs/VISION.md and docs/PRINCIPLES.md were referenced in instructions but are not present in this checkout (Not found in repo/docs).
Testing
- Not run (automation)
open-codesign Bot
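A lockfile check for the cross-major pairing flagged in the finding above, as an added example that is not part of this PR or of the bot's output. The lockfile fragment is constructed for illustration, and `findMixedMajors` and `FAMILY` are hypothetical names.

```javascript
// Added example: flag a packaging toolchain that the lockfile resolves
// across more than one major version. Names here are hypothetical.
const FAMILY = ['electron-builder', 'electron-builder-squirrel-windows'];

// Constructed pnpm-lock.yaml fragment (not the project's real lockfile).
const MIXED_LOCK = `
importers:
  apps/desktop:
    devDependencies:
      electron-builder:
        specifier: ^26.8.1
        version: 26.8.1(electron-builder-squirrel-windows@25.1.8)
packages:
  electron-builder-squirrel-windows@25.1.8:
    resolution: {integrity: sha512-CONSTRUCTED}
  electron-builder@26.8.1:
    resolution: {integrity: sha512-CONSTRUCTED}
`;

function findMixedMajors(lockText, family = FAMILY) {
  const hits = [];
  lockText.split('\n').forEach((line, i) => {
    for (const name of family) {
      const esc = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      // The lookbehind stops "electron-builder" from matching inside a longer
      // package name; requiring "@" right after the name does the same on the right.
      const re = new RegExp(`(?<![\\w./@-])${esc}@(\\d+)\\.\\d+\\.\\d+`, 'g');
      for (const m of line.matchAll(re)) {
        hits.push({
          name,
          version: m[0].slice(name.length + 1),
          major: Number(m[1]),
          line: i + 1, // 1-based, usable as lockfile:line evidence
        });
      }
    }
  });
  const majors = [...new Set(hits.map((h) => h.major))].sort((a, b) => a - b);
  return { mixed: majors.length > 1, majors, hits };
}

// Report every resolution that contributes to the mismatch.
const report = findMixedMajors(MIXED_LOCK);
for (const h of report.hits) console.log(`${h.name}@${h.version} (line ${h.line})`);
console.log(report.mixed ? 'mixed majors: ' + report.majors.join(', ') : 'ok');
```

Run against the real `pnpm-lock.yaml` in CI and fail the job when `mixed` is true, so a cross-major resolution is caught before a release build.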
| specifier: ^25.1.8 | ||
| version: 25.1.8([email protected]) | ||
| specifier: ^26.8.1 | ||
| version: 26.8.1([email protected]) |
[email protected] is currently locked with [email protected] here. Please re-resolve lockfile so the Squirrel package matches 26.x to avoid Windows installer regressions.
Suggested fix:
{
  "devDependencies": {
    "electron-builder-squirrel-windows": "26.8.1"
  }
}
…der / pptxgenjs)
- lucide-react: 0.460.0 -> 1.8.0 (apps/desktop). v1 removes brand icons (Github, Slack, Figma, etc.) and renames a few — none used in this codebase, so no import changes required.
- electron-builder: 25.1.8 -> 26.8.1 (apps/desktop, dev). Build/release-only. Our electron-builder.yml uses no advanced features that v26 changed (no flatpak, no custom collectors, no plist tweaks).
- pptxgenjs: 3.12.0 -> 4.0.1 (packages/exporters). Lazy-loaded via dynamic import in pptx.ts. Our usage (addSlide / slide.addText / writeFile) is unchanged in v4 — v4 breakers are around chart props, defineSlideMaster reuse, and SchemeColor->ThemeColor, none of which we touch.
PRINCIPLES checks:
- Compatibility: green — typecheck, all 366 tests, lint, boot smoke all green.
- Upgradeability: green — moves us off three pre-1.0 / EOL majors.
- No bloat: green — net replacements, install size unchanged within rounding.
- Elegance: green — pure dep bumps, no code churn.
…lectron-builder major
0b0358f to 4e4c92b
Addressed Codex [Major]: cross-major Windows installer toolchain. Pinned Verified: Commit: 4e4c92b
Findings
- No high-confidence issues found in added/modified lines.
Summary
- Review mode: follow-up after new commits
- Prior mixed-major packaging-chain issue is resolved in this head (evidence: pnpm-lock.yaml:107, pnpm-lock.yaml:7050).
- Constraint checks from this diff: no direct provider SDK imports, no silent-fallback pattern, and no UI hardcoded token violations in touched files.
- docs/VISION.md and docs/PRINCIPLES.md: Not found in repo/docs.
Testing
- Not run (automation)
open-codesign Bot
Summary
Three pre-coordinated low-risk major bumps in one PR. None are security-driven (no matching dependabot alerts) — these are maintenance jumps to get off pre-1.0 / EOL majors before the next release.
| Package | From | To | Location |
| --- | --- | --- | --- |
| lucide-react | ^0.460.0 | ^1.8.0 | apps/desktop |
| electron-builder | ^25.1.8 | ^26.8.1 | apps/desktop (build/release only) |
| pptxgenjs | ^3.12.0 | ^4.0.1 | packages/exporters (lazy-loaded) |
Breaking-change audit (per-dep)
lucide-react 1.0
from 'lucide-react' import (19 files in apps/desktop); none of the removed/renamed icons are used. No code changes required.
electron-builder 26
executableArgs, the dmgbuild python bundle, the pnpm node_modules collector, and a CI/CD multi-branch deploy flow. apps/desktop/electron-builder.yml only sets basic targets (dmg / nsis / AppImage) and notarize/hardenedRuntime flags. No config tweaks required.
pptxgenjs 4.0
defineSlideMaster() reuse, SchemeColor→ThemeColor, and a new exports field. packages/exporters/src/pptx.ts only uses addSlide, slide.background, slide.addText, pres.layout, pres.title, and writeFile. None of those changed. The new exports field actually fixes the Vite/Web Worker import paths. No code changes required.
Verification
- pnpm typecheck: green
- pnpm test: 366 tests across all packages green (incl. pptx.test.ts which exercises real PPTX writing)
- pnpm lint: 0 errors (11 unrelated pre-existing warnings)
- pnpm --filter @open-codesign/desktop dev boots cleanly, no new deprecations vs. baseline (electron 33.4.11, node 20.18.3 — clean [boot] open-codesign starting log)
- apps/desktop/package.json, packages/exporters/package.json, pnpm-lock.yaml) — well under the 50-file scope-creep limit.
Dependabot alerts resolved
None — checked repos/OpenCoworkAI/open-codesign/dependabot/alerts and none of the 3 packages appear. Pure maintenance bump.
PRINCIPLES checks
package.json + lockfile
Drops
None — all 3 bumps were safe in this codebase. If any were unsafe, the plan was to drop just that one and ship the other two; that wasn't needed.