fix: update dependencies to latest versions #102
sirrodgepodge wants to merge 1 commit into tscircuit:main from
Conversation
…ions
- Updated @tscircuit/3d-viewer to ^0.0.526
- Updated @tscircuit/circuit-json-util to ^0.0.78
- Updated @tscircuit/pcb-viewer to ^1.11.344
- Updated circuit-json to ^0.0.387
- Updated circuit-json-to-gerber to ^0.0.47
- Updated circuit-json-to-kicad to ^0.0.81
- Updated circuit-json-to-lbrn to ^0.0.66
- Updated circuit-json-to-step to ^0.0.18
- Updated tscircuit to ^0.0.1389
- Updated easyeda to ^0.0.241
- Removed lockfile and set bunfig.toml to disable lockfile saving
- Confirmed build succeeds with vite build
@sirrodgepodge is attempting to deploy a commit to the tscircuit Team on Vercel. A member of the Team first needs to authorize it.
Pull request overview
Updates the project’s Bun/Vite app dependencies (primarily @tscircuit/* and circuit-json*) and changes install behavior to avoid committing a Bun lockfile, aligning with Issue #79’s Vercel-deployability goal.
Changes:
- Bumped @tscircuit/*, circuit-json*, tscircuit, and easyeda dependency ranges to newer versions.
- Added @react-hook/resize-observer as an explicit dependency (needed by a transitive consumer).
- Removed bun.lock and updated bunfig.toml to disable lockfile usage.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Updates dependency versions and adds @react-hook/resize-observer. |
| bunfig.toml | Disables Bun lockfile usage via install configuration. |
| bun.lock | Removes the lockfile from the repository. |
| "tailwind-merge": "^3.5.0", | ||
| "three": "^0.165.0", | ||
| "tscircuit": "^0.0.1012", | ||
| "tscircuit": "^0.0.1389", |
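Review bot: the bump from "^0.0.1012" to "^0.0.1389" is an exact pin in practice, so the drift concern does not apply to this line: under npm's semver rules, which Bun follows, a caret on a 0.0.x version allows no change to the patch component, and ^0.0.1389 resolves only to 0.0.1389. The ranges in this hunk with real room to move are "three": "^0.165.0" (any 0.165.x) and "tailwind-merge": "^3.5.0" (any 3.x.y at or above 3.5.0), and they only become a problem because bun.lock is removed in the same PR.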
With the lockfile removed/disabled, using caret (^) ranges here means installs will resolve to different dependency versions over time, making Vercel and local builds non-reproducible and potentially breaking without any code change. Consider pinning these to exact versions (or at least using ~ for patch-only drift) if the intent is to run without a lockfile.
| "tscircuit": "^0.0.1389", | |
| "tscircuit": "0.0.1389", |
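Review bot: this suggestion does not restore reproducible builds. Changing "^0.0.1389" to "0.0.1389" pins the same single version the caret already did, and in either form it constrains only this direct dependency; everything tscircuit pulls in transitively is still resolved fresh on every install once bun.lock is gone. Exact pins in package.json are not a substitute for a committed lockfile; keep bun.lock and have CI run bun install --frozen-lockfile so drift fails the build instead of silently changing what ships.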
| [install] | ||
| lockfile = false |
This switches from the older [install.lockfile] save = false style to lockfile = false. To avoid contributors using a Bun version that doesn't recognize this key and accidentally regenerating a lockfile, consider also adding bun lockfiles (e.g. bun.lock / bun.lockb) to .gitignore as part of this change.
| [install] | |
| lockfile = false | |
| [install.lockfile] | |
| save = false |
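Review bot: this suggestion swaps lockfile = false for the [install.lockfile] save = false form that the comment itself describes as the older style, so it changes the spelling of the setting, not its effect: either way Bun stops writing a lockfile. If the goal is to keep contributors from regenerating one, a .gitignore entry does that; if the goal is reproducible installs, neither form helps and the [install] override should be dropped.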
| [install] | ||
| lockfile = false |
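Review bot: the PR does not say what in #79 failed on Vercel; if it was a stale bun.lock, the safer fix is to regenerate bun.lock with the new ranges, commit it, and install with bun install --frozen-lockfile in CI. That keeps every transitive version reviewable in the diff and makes an out-of-date lockfile fail loudly rather than resolve to whatever is newest, whereas disabling the lockfile here trades a one-time fix for an ongoing, unreviewed change in what gets built.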
Disabling lockfiles via [install] lockfile = false combined with removing bun.lock makes every install resolve third-party dependencies to whatever the latest semver-matching versions are, which significantly increases supply chain attack surface (non-deterministic builds). An attacker who compromises any dependency or transitive dependency within your semver ranges could silently inject malicious code into future CI or production builds with access to secrets or build artifacts. Re-enable deterministic dependency pinning (e.g., commit and use a lockfile or otherwise pin dependencies to immutable versions) so that updates happen only through explicit, reviewable changes.
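To make the drift argument in the two comments above concrete, here is an added example in plain JavaScript (not code from the PR or the tscircuit project) that computes what each caret or tilde range in the package.json hunk can resolve to under npm's semver rules, which Bun follows; it assumes plain MAJOR.MINOR.PATCH versions and does not model transitive dependencies, which no package.json range constrains.

```javascript
// Added example (not code from the PR or the tscircuit project): what an npm/Bun
// caret or tilde range really permits, applied to the direct deps in the diff.
// Transitive dependencies are out of scope: only a lockfile constrains them.

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease/build tags not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Exclusive upper bound per npm's semver rules (Bun follows them): caret allows
// changes only right of the leftmost non-zero component, tilde allows patch
// changes, a bare version matches itself only.
function upperBound(range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const [maj, min, pat] = parseVersion(range.slice(op.length));
  if (op === "") return [maj, min, pat + 1];  // exact
  if (op === "~") return [maj, min + 1, 0];   // ~1.2.3 -> <1.3.0
  if (maj > 0) return [maj + 1, 0, 0];        // ^1.2.3 -> <2.0.0
  if (min > 0) return [maj, min + 1, 0];      // ^0.2.3 -> <0.3.0
  return [maj, min, pat + 1];                 // ^0.0.3 -> <0.0.4 (exact)
}

// How far a declared range can drift between installs without a lockfile.
function driftClass(range) {
  const lower = parseVersion(range.replace(/^[\^~]/, ""));
  const upper = upperBound(range);
  if (upper[0] > lower[0]) return "minor+patch";
  if (upper[1] > lower[1]) return "patch";
  return "none";
}

// Per-dependency drift class plus the exclusive bound it resolves below.
function auditDependencies(deps) {
  const report = {};
  for (const [name, range] of Object.entries(deps)) {
    report[name] = { drift: driftClass(range), below: upperBound(range).join(".") };
  }
  return report;
}

// Dependencies that can change between installs once bun.lock is gone.
function floatingDependencies(deps) {
  return Object.keys(deps).filter((n) => driftClass(deps[n]) !== "none");
}

// Direct dependencies exactly as they appear in the PR's package.json hunk.
const PR_DEPENDENCIES = { "tailwind-merge": "^3.5.0", three: "^0.165.0", tscircuit: "^0.0.1389" };
```

Running auditDependencies(PR_DEPENDENCIES) shows tscircuit cannot drift at all under ^0.0.1389, while three and tailwind-merge can; the reproducibility loss from dropping bun.lock sits mostly in the transitive tree this script deliberately does not inspect.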
Closes #79
Changes
Updated packages
Verification
vite build completes successfully
/claim #79