Skip to content

[failproofai-536] Pin TypeScript to 6.x — Dependabot ignore for the 7.0 native-port major#538

Merged
NiveditJain merged 1 commit into
mainfrom
luv-536
Jul 16, 2026
Merged

[failproofai-536] Pin TypeScript to 6.x — Dependabot ignore for the 7.0 native-port major#538
NiveditJain merged 1 commit into
mainfrom
luv-536

Conversation

@NiveditJain

Copy link
Copy Markdown
Member

What

Tell Dependabot to ignore typescript major-version updates, pinning the repo to the 6.x line.

# .github/dependabot.yml (bun ecosystem)
ignore:
  - dependency-name: "typescript"
    update-types: ["version-update:semver-major"]

Why

Dependabot #499 bumped typescript 6.0.3 → 7.0.2 and turned every CI job red. TypeScript 7.0 is the native (Go) port — its npm package drops the classic compiler API from the main entry (exports["."] → a version stub; the API moves to experimental typescript/unstable/*).

Reproduced on a throwaway branch:

  • next build fails even with type-checking off. Next.js 16.2.x runs a "TypeScript config validation" step that needs the classic API. typescript.ignoreBuildErrors: true skips type-checking but not config validation; under CI=true the build exits 1. Because prepare runs next build on every bun install, this reddens all jobs, not just build.
  • typescript-eslint@8.64.0 (via eslint-config-next) declares peer typescript@">=4.8.4 <6.1.0" — it refuses 7.x outright, so bun run lint breaks too.
  • The native tsc binary works; a real adoption path is @typescript/native-preview (tsgo) as a separate type-check tool while keeping typescript@6.x for the ecosystem.

A port isn't possible until Next.js and typescript-eslint ship native-port support. Full write-up and revisit criteria in #536.

Scope

  • .github/dependabot.yml — the ignore rule (+ explanatory comment).
  • CHANGELOG.md### Dependencies entry.

No source/runtime changes; no docs/README/examples affected. #499 should be closed as un-mergeable. Refs #536.

🤖 Generated with Claude Code

https://claude.ai/code/session_01Cb18kCZoxH6XcW3SDANVDf

… bump

TypeScript 7.0 is the native (Go) port. Its npm package drops the classic
compiler API from the main entry (exports["."] resolves to a version stub;
the API moves to experimental typescript/unstable/*), which Next.js's
build-time TS config validation and typescript-eslint (peer
typescript >=4.8.4 <6.1.0) both require. Bumping typescript to 7.x (PR #499)
therefore reddens every CI job, since the prepare -> next build step runs on
every `bun install`.

Tell Dependabot to ignore typescript major-version updates until the
toolchain (Next.js, typescript-eslint) supports the native port. Tracked
in #536.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Cb18kCZoxH6XcW3SDANVDf
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Caution

Review failed

An error occurred during the review process. Please try again later.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@hermes-exosphere

Copy link
Copy Markdown
Contributor

Automated code review started - full review. Results will be posted here.

@hermes-exosphere

Copy link
Copy Markdown
Contributor

Phase 3: Build & verify in progress... No Docker compose found — running native Bun build and test suite.

@hermes-exosphere

Copy link
Copy Markdown
Contributor

Build & test complete. Results:

  • Build: pass — bun install, build:cli, Next.js (Turbopack) all compile successfully with TypeScript 6.0.3
  • Tests: 2064 passed / 0 failed — all 121 test files green
  • YAML validation: pass — dependabot.yml is valid YAML
  • No console errors in production build (2 known Turbopack NFT-tracing warnings, pre-existing)

@hermes-exosphere

Copy link
Copy Markdown
Contributor

🔍 Automated Code Review — PR #538

📋 Executive Summary

This is a surgical, well-scoped PR that pins TypeScript to the 6.x line by adding a Dependabot ignore rule. It prevents Dependabot from opening PRs for TypeScript major-version bumps (6.x → 7.x) since the 7.0 native Go port breaks the entire toolchain. The change is 2 files, 12 lines — no source code, no API changes, no risk. Everything builds and all 2064 tests pass.


📊 Change Architecture

graph TD
    A[Dependabot weekly scan<br/>bun ecosystem] -->|"reads new: ignore rule"| B[typescript dep check]
    B -->|"semver-major? YES"| C[🟢 SKIP — no PR opened]
    B -->|"semver-patch/minor? NO"| D[🔵 Open PR as usual]
    A -->|"unchanged"| E[github-actions ecosystem]
    style C fill:#90EE90
    style B fill:#87CEEB
    style A fill:#87CEEB
    style E fill:#87CEEB
Loading

Legend: 🟢 New behavior | 🔵 Unchanged / existing behavior


🔴 Breaking Changes

No breaking changes detected. This is a configuration-only change that:

  • Does not modify any source code, API, or runtime behavior
  • Does not change any database schema
  • Does not add or remove dependencies from package.json
  • Does not alter any build or CI workflow
  • Only affects Dependabot's internal update scheduling

⚠️ Issues Found

None. The change is trivial and correct for the following reasons:

  1. YAML syntax is valid — confirmed with yaml.parse()
  2. ignore with update-types is a supported Dependabot feature since May 2021 — works for all ecosystems including bun
  3. Only blocks semver-major — patch and minor updates (e.g., 6.0.3 → 6.1.0) still flow through
  4. Targets the right dependencydependency-name: "typescript" matches the exact npm/bun package
  5. Comment is accurate and informative — explains why (Go port + ecosystem incompatibility), references the blocking PR (build(deps-dev): Bump typescript from 6.0.3 to 7.0.2 #499) and the tracking issue (Pin TypeScript to 6.x: the 7.0 native port breaks Next.js build & typescript-eslint (blocks #499) #536)

🔬 Logical / Bug Analysis

Dependabot schema verification:

  • ignore is a top-level key under updates[] entries
  • Each entry requires dependency-name (required) and optional update-types or versions
  • "version-update:semver-major" is the canonical string for major bumps
  • No versions array needed when using update-types

Ecosystem compatibility:

  • Dependabot's bun ecosystem reads package.json just like npm
  • typescript is listed in devDependencies at version 6.0.3
  • The ignore rule will prevent 6.0.3 → 7.0.x bump PRs

Edge case: What if TypeScript releases a 7.1.0 that restores backward compatibility?

  • The ignore rule blocks all semver-major bumps, not specific versions
  • To allow a future compatible 7.x, just remove the ignore entry when the ecosystem is ready
  • The comment already documents the revisit criteria

🧪 Evidence — Build & Test Results

Build Output
bun install v1.3.14
  postinstall + prepare (bun run build)
  Next.js 16.2.10 (Turbopack)
  ✓ Compiled successfully in 31.0s
  ✓ TypeScript check passed
  ✓ 558 packages installed
Test Results
✓ Test Files  121 passed (121)
✓ Tests      2064 passed (2064)
  Duration    84.69s

All test suites pass — policy evaluator (69), builtin policies (424), manager (50), handler (58), integrations (170), projects (28), and all component/e2e/api tests.


🔗 Issue Linkage

This PR addresses #536 (tracking issue) and blocks #499 (the failing TypeScript 7.x bump PR).

The PR description accurately describes the problem: TypeScript 7.0's Go port drops the classic compiler API from exports["."], breaking Next.js's build-time config validation and typescript-eslint's peer dependency constraint. The ignore rule is the correct mitigation.


👥 Human Review Feedback

✅ No human review feedback exists yet on this PR. This is the first detailed review.


💡 Suggestions

  1. Consider adding an allow rule for visibility: For clarity, you could add an explicit allow alongside the ignore to make the intent even more obvious:

    allow:
      - dependency-name: "typescript"
        update-types: ["version-update:semver-minor", "version-update:semver-patch"]

    But this is purely stylistic — the ignore alone achieves the same effect (Dependabot defaults to allowing everything not ignored). Not required.

  2. The PR title could include a conventional commit prefix: [failproofai-536] is descriptive but not a conventional commit. Consider build(deps): pin typescript to 6.x — but the current title is fine for a one-line summary.


🏆 Verdict

VERDICT: APPROVED


Automated code review · 2026-07-16 14:12 UTC

@hermes-exosphere hermes-exosphere left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: Approved. ✅ 2 files, 12 lines — Dependabot ignore rule for TypeScript 7.x. Build passes, all 2064 tests pass, YAML valid. No issues found.

@hermes-exosphere hermes-exosphere left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: Approved. ✅

@NiveditJain
NiveditJain merged commit a8e02c8 into main Jul 16, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants