Skip to content

chore(deps): big-bang bump (consolidates dependabot PRs)#1083

Merged
mistercrunch merged 2 commits into
mainfrom
big-bang-dep-bumps
May 3, 2026
Merged

chore(deps): big-bang bump (consolidates dependabot PRs)#1083
mistercrunch merged 2 commits into
mainfrom
big-bang-dep-bumps

Conversation

@mistercrunch
Copy link
Copy Markdown
Member

@mistercrunch mistercrunch commented May 3, 2026

Summary

Single consolidated dependency bump replacing many open dependabot PRs. Only patches and minors — every genuine major is deferred to a follow-up so this PR stays low-risk.

Bucket Count
Trivial (patch / well-known minor) 11
Minor-with-care 4
Major 0 (all deferred)
Deferred dependabot PRs 18

Bumps included

Package Old New Where Bucket
@biomejs/biome ^2.4.4 2.4.4 (pinned) root deferred-via-pin — see notes below
lint-staged ^16.3.1 ^16.4.0 root trivial
prettier ^3.8.1 ^3.8.3 root trivial
turbo ^2.9.6 ^2.9.7 root trivial
oclif ^4.22.81 ^4.23.0 apps/agor-cli minor-with-care
vitest ^4.0.18 ^4.1.5 agor-cli, agor-daemon, agor-ui, core, executor minor-with-care
@vitest/coverage-v8 ^4.0.18 ^4.1.5 packages/core minor-with-care
@oclif/core ^4.8.2 ^4.8.3 apps/agor-cli, agor-live trivial
swagger-ui-dist ^5.32.0 ^5.32.1 apps/agor-daemon, agor-live trivial
katex ^0.16.33 ^0.16.39 apps/agor-docs trivial
@types/multer ^1.4.12 ^2.1.0 apps/agor-daemon minor-with-care (multer is already v2)
@types/node ^22.10.2 / ^20.0.0 ^24.6.0 agor-cli, agor-daemon, agor-docs, client, core, executor trivial (Node 24 LTS, matches what agor-ui already had after #1076)
@opencode-ai/sdk ^1.2.15 ^1.2.20 packages/core, packages/executor, agor-live trivial (1.2.x patch)
docker/build-push-action @v5 @v7 .github/workflows/build-devcontainer.yml trivial
actions/cache @v4 @v5 .github/workflows/ci.yml trivial

Notes on the biome pin

Dependabot PR #1079 wanted to bump @biomejs/biome to ^2.4.13. Newer 2.4.x versions promoted noArrayIndexKey and assist/source/organizeImports from warn → error, which surfaces 6 errors in unchanged code (InputRequestBlock.tsx, MessageBlock.tsx, packages/client/src/index.ts, packages/core/src/config/agor-yml.ts). Fixing those is a code refactor outside the scope of a dep-bump PR, so this PR pins biome at exactly 2.4.4 to keep ^2.4.4 from silently resolving forward. A separate PR can take the biome bump together with the rule fixes.

Major bumps deep-dive

None. Every major was deferred (see below) so no migration code was needed in this PR.

Deferred dependabot PRs

Each one needs its own focused PR with a migration; bundling any of them would have ballooned this consolidation.

PR Bump Why deferred
#1020 next 14 → 16 (root) Two majors of breaking changes (App Router defaults, caching, runtime). Needs a dedicated migration.
#959 next 14 → 15 (root) Subsumed by #1020.
#799 next 14 → 16 (apps/agor-docs) Same as #1020; coupled with #704 (nextra).
#704 nextra 3 → 4 (apps/agor-docs) Couples to Next 15+; needs Next bump first.
#977 vite 7 → 8 Root pnpm.overrides explicitly pins vite: ">=7.3.2 <8". Lifting that pin and validating Vite 8 (esbuild/rollup peer chain, vite-plugin-compression compat) is its own task.
#976 @storybook/react-vite 9 → 10 Storybook 10 is locked out by pnpm.overrides (storybook: ">=9.1.19 <10").
#975 @storybook/react 9 → 10 Same as above.
#710 storybook 9 → 10 (apps/agor-ui) Same as above.
#705 @storybook/react 9 → 10 (apps/agor-ui) Same as above.
#694 @chromatic-com/storybook 4 → 5 Couples to Storybook 10 (peer dep).
#833 typescript 5.9.3 → 6.0.2 TS 6 just shipped; needs a focused review of new strictness defaults across all workspaces.
#703 glob 11 → 13 (apps/agor-daemon) Root pnpm.overrides pins glob: "^11.1.0".
#697 glob 11 → 13 (apps/agor-cli) Same as above.
#700 react-dom 18 → 19 (apps/agor-ui) React 19 migration (transitions, ref-as-prop, removed APIs) — needs antd-x / reactflow / panels compat check.
#747 react 18 → 19 (root) Same as above.
#699 react 18 → 19 (apps/agor-docs) Same as above.
#691 streamdown 1 → 2 (apps/agor-ui) Used in chat rendering — UI-critical. Wants its own visual smoke.
#695 inquirer 12 → 13 (apps/agor-cli) Major; CLI prompts surface — defer for focused review.
#947 @opencode-ai/sdk 1.2.15 → 1.4.3 (packages/executor) This PR moves the floor to ^1.2.20 across core+executor; the larger 1.4.x bump should be reviewed against opencode-ai's changelog separately.

Already-satisfied dependabot PRs (safe to close manually)

These were obsoleted before this PR; the listed version is already present on main or via this PR's range:

Validation

  • pnpm install (fresh resolution) — clean, no new peer-dep warnings vs. main.
  • pnpm typecheck — 9/9 tasks green.
  • pnpm lint — 5 pre-existing warnings, no errors.
  • pnpm check (typecheck + lint + build) — all 6 build tasks green.
  • pnpm test — 8/8 task groups green; 2028 tests passing in @agor/core alone.
  • Manual smoke: started apps/agor-ui dev server (vite 7.3.2), bound to localhost, fetched / → HTTP 200, <title>Agor</title>. Did not boot the daemon end-to-end in this run (sandbox-limited), but daemon tsup build is green via the check step.

Lockfile churn

pnpm-lock.yaml shows ~2.5k lines of churn — that's pnpm install re-resolving the transitive trees behind vitest 4.0→4.1, @types/node 20/22→24, and @opencode-ai/sdk 1.2.15→1.2.20. No silent transitive bumps to anything still version-pinned via pnpm.overrides (those overrides were left untouched on purpose).

Closes

Closes #1079
Closes #1019
Closes #1017
Closes #831
Closes #800
Closes #745
Closes #738
Closes #743
Closes #741
Closes #690
Closes #949
Closes #834
Closes #950
Closes #948
Closes #776
Closes #775
Closes #736
Closes #742
Closes #777
Closes #733

🤖 Generated with Claude Code

mistercrunch and others added 2 commits May 3, 2026 19:04
@mistercrunch @claude
chore(deps): big-bang bump (consolidates dependabot PRs)
1e1e74b 
Single consolidated bump replacing many open dependabot PRs. Only
patch/minor bumps included — every major (next, vite, storybook,
react, typescript, glob, nextra, react chromatic, streamdown,
inquirer) is deferred to its own review.

Validated with pnpm typecheck + lint + build (all green) and a UI
dev-server smoke (vite 7.3.2, HTTP 200, title="Agor").

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@mistercrunch @claude
chore: tweak .agor.yml variants
856afc4 
- sqlite/postgres: add `--build` to start so first-boot rebuilds the image
- sqlite: switch app URL to use {{host.ip_address}} (reachable off-host, matches docs variant)
- collapse multi-line docker compose commands to single-line form

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@mistercrunch mistercrunch merged commit bf94834 into main May 3, 2026
10 checks passed
@mistercrunch mistercrunch deleted the big-bang-dep-bumps branch May 3, 2026 19:21
@mistercrunch mistercrunch mentioned this pull request May 6, 2026
Merged
mistercrunch added a commit that referenced this pull request May 6, 2026
@mistercrunch @claude
chore(deps): bump vite 7.3.2 → 8.0.10 (and plugin-react 5 → 6) (#1105)
04c455d 
Earlier dependabot attempt (#977) bumped vite alone to 8.x but kept
@vitejs/plugin-react at v5, which broke the JSX automatic runtime in
some test files (TaskListItem, EditRenderer, EditFilesRenderer all
threw "ReferenceError: React is not defined"). plugin-react v6 is the
release built for vite 8 and resolves it without code changes.

Also lifts the pnpm override `vite: ">=7.3.2 <8"` to `">=8.0.10 <9"`
so transitive consumers (storybook, vitest, etc.) resolve onto v8.

#1083 ("big-bang dep bumps") explicitly excluded vite to avoid this
cascade — this PR addresses it as a focused follow-up.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
dhavli pushed a commit to Code-Fixxers/agor that referenced this pull request May 12, 2026
@mistercrunch @claude
chore(deps): big-bang bump (consolidates dependabot PRs) (preset-io#1083
3b0311a 
)

* chore(deps): big-bang bump (consolidates dependabot PRs)

Single consolidated bump replacing many open dependabot PRs. Only
patch/minor bumps included — every major (next, vite, storybook,
react, typescript, glob, nextra, react chromatic, streamdown,
inquirer) is deferred to its own review.

Validated with pnpm typecheck + lint + build (all green) and a UI
dev-server smoke (vite 7.3.2, HTTP 200, title="Agor").

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: tweak .agor.yml variants

- sqlite/postgres: add `--build` to start so first-boot rebuilds the image
- sqlite: switch app URL to use {{host.ip_address}} (reachable off-host, matches docs variant)
- collapse multi-line docker compose commands to single-line form

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
dhavli pushed a commit to Code-Fixxers/agor that referenced this pull request May 12, 2026
@mistercrunch @claude
chore(deps): bump vite 7.3.2 → 8.0.10 (and plugin-react 5 → 6) (prese…
d4b2dca 
…t-io#1105)

Earlier dependabot attempt (preset-io#977) bumped vite alone to 8.x but kept
@vitejs/plugin-react at v5, which broke the JSX automatic runtime in
some test files (TaskListItem, EditRenderer, EditFilesRenderer all
threw "ReferenceError: React is not defined"). plugin-react v6 is the
release built for vite 8 and resolves it without code changes.

Also lifts the pnpm override `vite: ">=7.3.2 <8"` to `">=8.0.10 <9"`
so transitive consumers (storybook, vitest, etc.) resolve onto v8.

preset-io#1083 ("big-bang dep bumps") explicitly excluded vite to avoid this
cascade — this PR addresses it as a focused follow-up.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mistercrunch