Skip to content

Improvements#478

Merged
TriPSs merged 2 commits into
masterfrom
improvements
Jun 21, 2026
Merged

Improvements#478
TriPSs merged 2 commits into
masterfrom
improvements

Conversation

@TriPSs

@TriPSs TriPSs commented Jun 21, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • Chores
    • Updated dependencies across the project to latest compatible versions, including build tools and libraries
    • Upgraded package manager to a newer release
    • Adjusted project configuration settings for improved package management and script handling

TriPSs added 2 commits June 21, 2026 16:33
- Bumped `@pulumi/gcp` to `9.27.0` in `packages/pulumi`.
- Upgraded `@formatjs/cli` to `6.16.11` in `packages/translations`.
- Updated `@google-cloud/storage` to `7.21.0`.
- Upgraded `@jscutlery/semver` to `6.1.2` and `@nestjs` packages to `11.1.27`.
- Updated `axios` to `1.18.0` and `@typescript-eslint` to `8.61.1`.
- Synced `yarn.lock` reflecting latest changes from dependency upgrades.
- Introduced `cooldown` property with a value of `3` to `.ncurc.json`.
@coderabbitai

coderabbitai Bot commented Jun 21, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Yarn is upgraded from 4.12.0 to 4.17.0 with new policy settings (approvedGitRepositories, enableScripts: false, npmMinimalAgeGate: 2d) added to .yarnrc.yml. A cooldown: 3 option is added to .ncurc.json. Multiple dependency versions are bumped across the root and sub-package manifests.

Changes

Tooling Config and Dependency Bumps

Layer / File(s) Summary
Yarn and ncu tooling config
.yarnrc.yml, .ncurc.json
.yarnrc.yml adds approvedGitRepositories: ["**"], enableScripts: false, npmMinimalAgeGate: 2d, and upgrades yarnPath to Yarn 4.17.0. .ncurc.json adds cooldown: 3.
Dependency version bumps across monorepo
package.json, packages/gcp-task-runner/package.json, packages/pulumi/package.json, packages/shadcn-ui/package.json, packages/translations/package.json
Root package.json bumps axios to ^1.18.0, packageManager to yarn@4.17.0, and devDependencies including jest, prettier, @nestjs/*, @pulumi/*, @typescript-eslint/*, and others. Sub-packages bump @google-cloud/storage, @pulumi/gcp, lucide-react, tailwind-merge, and @formatjs/cli.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • TriPSs/nx-extend#392: Overlapping dependency bumps in the same package manifests (package.json, packages/gcp-task-runner, packages/pulumi, packages/translations).
  • TriPSs/nx-extend#456: Touches the same dependency entries — axios, @pulumi/gcp, @formatjs/cli — as part of a similar dependency-upgrade effort.
  • TriPSs/nx-extend#466: Modifies the same axios bump in root package.json and @pulumi/gcp in packages/pulumi/package.json.

Poem

🐇 Hop, hop, upgrade the stack,
Yarn jumps to four-seventeen, no looking back!
Scripts disabled, cooldown set to three,
New versions flourish like leaves on a tree.
The monorepo blooms fresh as spring dew — 🌿
Just a rabbit bumping deps, nothing new!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The pull request title 'Improvements' is too vague and generic, providing no meaningful information about the specific changes made in the changeset. Replace the generic title with a specific, descriptive title that summarizes the main changes, such as 'Update dependencies and configuration' or 'Bump package versions and Yarn configuration'.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch improvements

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.yarnrc.yml:
- Around line 1-3: The approvedGitRepositories configuration in .yarnrc.yml uses
a global wildcard "**" which disables repository allowlisting and creates a
security risk. Replace this wildcard entry with the specific trusted git
repository URL for the internal nx-extend dependency
(git+https://github.com/tripss/nx-extend) instead of allowing all git
repositories. This restricts git-based dependencies to only the verified
internal source.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9732744b-621d-4622-bf17-ee7a10f87c47

📥 Commits

Reviewing files that changed from the base of the PR and between 57cf302 and 29f12b9.

⛔ Files ignored due to path filters (3)
  • .yarn/releases/yarn-4.12.0.cjs is excluded by !**/.yarn/**
  • .yarn/releases/yarn-4.17.0.cjs is excluded by !**/.yarn/**
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (7)
  • .ncurc.json
  • .yarnrc.yml
  • package.json
  • packages/gcp-task-runner/package.json
  • packages/pulumi/package.json
  • packages/shadcn-ui/package.json
  • packages/translations/package.json

Comment thread .yarnrc.yml
Comment on lines +1 to +3
approvedGitRepositories:
- "**"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Declared git-based deps in package manifests:"
rg -n --glob '**/package.json' '"[^"]+":\s*"(git\+|github:|git:|https://github\.com|ssh://git@)' || true

echo
echo "Resolved git-based deps in yarn.lock:"
LOCKFILE="$(fd -a '^yarn.lock$' | head -n1 || true)"
if [ -n "${LOCKFILE:-}" ]; then
  rg -n 'resolution:.*(github\.com|git\+|git@|git:)' "$LOCKFILE" || true
else
  echo "yarn.lock not found"
fi

Repository: TriPSs/nx-extend

Length of output: 6467


🏁 Script executed:

cat -n .yarnrc.yml

Repository: TriPSs/nx-extend

Length of output: 356


🏁 Script executed:

# Check if nrwl/nx is actually a git-based dependency or a regular npm package
rg -A 2 '"nx"' package.json | head -20

Repository: TriPSs/nx-extend

Length of output: 134


Restrict approvedGitRepositories to trusted sources.

The approvedGitRepositories setting uses a global wildcard ("**"), which disables repository allowlisting and weakens supply-chain security controls. The only git-based dependency in use is the internal git+https://github.com/tripss/nx-extend.

Suggested adjustment
 approvedGitRepositories:
-  - "**"
+  - "https://github.com/TriPSs/*"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
approvedGitRepositories:
- "**"
approvedGitRepositories:
- "https://github.com/TriPSs/*"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.yarnrc.yml around lines 1 - 3, The approvedGitRepositories configuration in
.yarnrc.yml uses a global wildcard "**" which disables repository allowlisting
and creates a security risk. Replace this wildcard entry with the specific
trusted git repository URL for the internal nx-extend dependency
(git+https://github.com/tripss/nx-extend) instead of allowing all git
repositories. This restricts git-based dependencies to only the verified
internal source.

@TriPSs TriPSs merged commit 7fcaf03 into master Jun 21, 2026
6 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant