Skip to content

fix(miner): tighten the @loopover/engine dependency to ^2.0.0#5729

Merged
JSONbored merged 1 commit into
mainfrom
fix/miner-engine-dependency-pin
Jul 14, 2026
Merged

fix(miner): tighten the @loopover/engine dependency to ^2.0.0#5729
JSONbored merged 1 commit into
mainfrom
fix/miner-engine-dependency-pin

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Summary

Miner's already-merged v1.0.0 release (#5712) declared \"@loopover/engine\": \"*\" — too loose. lib/deny-hooks.js imports DEFAULT_DENY_RULES from @loopover/engine, an export that only exists starting in engine 2.0.0. The miner-v1.0.0 publish pipeline's own packed-tarball smoke test (a real standalone npm install, outside the monorepo workspace) caught it: with *, a fresh install resolved the then-current published engine 1.0.0 and crashed with SyntaxError: The requested module '@loopover/engine' does not provide an export named 'DEFAULT_DENY_RULES'.

The loose pin traced back to an earlier fix reverting a release-please speculative cross-bump — engine 2.0.0 wasn't published yet at the time, so a tight ^2.0.0 pin would have failed npm ci with ETARGET. Engine 2.0.0 is published now, so ^2.0.0 is both installable and correctly expresses miner's real requirement.

Test plan

  • Replicated the exact failing smoke test (npm run test:miner-pack) locally — now passes cleanly against the corrected pin
  • npm run test:ci green end-to-end
  • npm audit --audit-level=moderate clean
  • Updated test/unit/miner-status.test.ts's hardcoded "*" fallback-value assertions to "^2.0.0", matching the corrected declaration

lib/deny-hooks.js imports DEFAULT_DENY_RULES from @loopover/engine -- an
export that only exists starting in engine 2.0.0. The miner-v1.0.0 release's
own packed-tarball smoke test (a real standalone `npm install`, outside the
monorepo workspace) caught this: with the dependency declared as "*", a
fresh install resolved the currently-published engine 1.0.0 and crashed with
SyntaxError: The requested module '@loopover/engine' does not provide an
export named 'DEFAULT_DENY_RULES'.

The "*" pin traced back to an earlier fix reverting a release-please
speculative cross-bump (engine 2.0.0 wasn't published yet at the time, so a
tight ^2.0.0 pin would have failed npm ci with ETARGET). Now that engine
2.0.0 is actually published, ^2.0.0 is both installable and correctly
expresses miner's real requirement.
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.06%. Comparing base (433e3ab) to head (8db7f31).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5729   +/-   ##
=======================================
  Coverage   95.06%   95.06%           
=======================================
  Files         581      581           
  Lines       46179    46179           
  Branches    14811    14811           
=======================================
  Hits        43901    43901           
  Misses       1517     1517           
  Partials      761      761           
Flag Coverage Δ
shard-1 43.96% <ø> (ø)
shard-2 35.71% <ø> (ø)
shard-3 32.27% <ø> (ø)
shard-4 33.01% <ø> (+<0.01%) ⬆️
shard-5 31.75% <ø> (ø)
shard-6 44.47% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@JSONbored JSONbored self-assigned this Jul 14, 2026
@JSONbored JSONbored merged commit 634e121 into main Jul 14, 2026
18 checks passed
@JSONbored JSONbored deleted the fix/miner-engine-dependency-pin branch July 14, 2026 09:32
@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 14, 2026
JSONbored added a commit that referenced this pull request Jul 14, 2026
release-please's regeneration of this branch (cutting v2.0.0 for the CLI
binary rename) silently reverted the @loopover/engine dependency from the
^2.0.0 constraint landed in #5729 back to "*", removing semver protection --
flagged by the repo's security scanner on this PR. "*" would silently accept
any future engine version, including a compromised publish or a major
version that removes DEFAULT_DENY_RULES again (the export miner's own
lib/deny-hooks.js genuinely requires as of engine 2.0.0).

Also fixes test/unit/miner-cli.test.ts's two hardcoded version assertions
("1.0.0"), stale against this cut's real 2.0.0 (a genuine breaking change:
the CLI binary rename).
JSONbored added a commit that referenced this pull request Jul 14, 2026
* chore(release): cut miner v2.0.0

* chore(release): sync package-lock.json

* fix(miner): restore the ^2.0.0 engine dependency constraint

release-please's regeneration of this branch (cutting v2.0.0 for the CLI
binary rename) silently reverted the @loopover/engine dependency from the
^2.0.0 constraint landed in #5729 back to "*", removing semver protection --
flagged by the repo's security scanner on this PR. "*" would silently accept
any future engine version, including a compromised publish or a major
version that removes DEFAULT_DENY_RULES again (the export miner's own
lib/deny-hooks.js genuinely requires as of engine 2.0.0).

Also fixes test/unit/miner-cli.test.ts's two hardcoded version assertions
("1.0.0"), stale against this cut's real 2.0.0 (a genuine breaking change:
the CLI binary rename).

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: JSONbored <49853598+JSONbored@users.noreply.github.com>
JSONbored added a commit that referenced this pull request Jul 14, 2026
…anges (#5740)

release-please's node-workspace plugin defaults to always-link-local: true,
which force-rewrites every workspace-internal dependency's semver range on
every regeneration of a release branch -- even when the current range
already satisfies the sibling's version. This has repeatedly clobbered
deliberate, manually-set constraints on @loopover/miner's and
@loopover/mcp's @loopover/engine dependency back to a bare "*" (most
recently caught by the repo's security scanner on #5730, PR #5729 before
that), and separately generated a string of "empty" release PRs
(mcp-v0.8.1, mcp-v1.0.1, miner-v2.0.1) that exist purely to speculatively
cross-bump a dependency range ahead of the sibling's actual publish, with
no real content of their own.

Setting always-link-local: false (a documented top-level manifest option,
confirmed against release-please's own JSON schema) makes the plugin only
touch a workspace dependency when the CURRENT range no longer covers the
sibling's version -- i.e. only for a genuine breaking change, which is
exactly when a deliberate, manually-verified bump is warranted anyway
(the judgment call this session has been making by hand every time this
came up).

Also fixes apps/gittensory-ui/src/lib/mcp-package.ts's
MCP_PACKAGE_KNOWN_LATEST_VERSION, stale against mcp's real just-published
0.9.0 (unrelated to the config change, but blocking this branch's own
gate via ui:version-audit).
JSONbored added a commit that referenced this pull request Jul 14, 2026
…3.0.0 cut

- packages/loopover-miner/expected-engine.version: same recurring drift as the
  v2.0.0/v2.0.1 cuts, bumped to 3.0.0.
- packages/loopover-miner/docs/env-reference.md: the Phase 5 directory-rename
  commit (#5743) missed regenerating this one doc's title.
- test/unit/routes-focus-manifest.test.ts: hardcoded the pre-rename
  apps/gittensory-ui/ path in two wantedPaths assertions; the real
  .loopover.yml already correctly says apps/loopover-ui/.
- packages/loopover-miner/package.json: tightened @loopover/engine from
  ^2.0.0 to ^3.0.0. On this branch specifically, engine's own package.json is
  already 3.0.0 but miner's declared range isn't (that update rides on
  miner's own release), so npm resolves a stale published 2.0.0 as a
  non-hoisted nested copy for miner -- which the doctor engine-version-skew
  check (and 3 real test files depending on it) correctly flags as broken.
  Same judgment call as #5729: miner's own source doesn't touch anything
  engine 3.0.0 removed (the Phase 4/5 breaking changes are CLI binary/tool
  names and directory paths, not engine's exported JS API), so tightening the
  range here is safe. Also updates the 2 tests that assert the literal
  fallback range string.
- apps/loopover-ui/src/routeTree.gen.ts: TanStack Router's own regeneration,
  unrelated to the above -- included as-is since it's a generated file now
  back in sync with the real (still-unrenamed) route source file.
JSONbored added a commit that referenced this pull request Jul 14, 2026
* chore(release): cut engine v3.0.0

* chore(release): sync package-lock.json

* fix: sync generated artifacts and cross-package refs for the engine v3.0.0 cut

- packages/loopover-miner/expected-engine.version: same recurring drift as the
  v2.0.0/v2.0.1 cuts, bumped to 3.0.0.
- packages/loopover-miner/docs/env-reference.md: the Phase 5 directory-rename
  commit (#5743) missed regenerating this one doc's title.
- test/unit/routes-focus-manifest.test.ts: hardcoded the pre-rename
  apps/gittensory-ui/ path in two wantedPaths assertions; the real
  .loopover.yml already correctly says apps/loopover-ui/.
- packages/loopover-miner/package.json: tightened @loopover/engine from
  ^2.0.0 to ^3.0.0. On this branch specifically, engine's own package.json is
  already 3.0.0 but miner's declared range isn't (that update rides on
  miner's own release), so npm resolves a stale published 2.0.0 as a
  non-hoisted nested copy for miner -- which the doctor engine-version-skew
  check (and 3 real test files depending on it) correctly flags as broken.
  Same judgment call as #5729: miner's own source doesn't touch anything
  engine 3.0.0 removed (the Phase 4/5 breaking changes are CLI binary/tool
  names and directory paths, not engine's exported JS API), so tightening the
  range here is safe. Also updates the 2 tests that assert the literal
  fallback range string.
- apps/loopover-ui/src/routeTree.gen.ts: TanStack Router's own regeneration,
  unrelated to the above -- included as-is since it's a generated file now
  back in sync with the real (still-unrenamed) route source file.

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: JSONbored <49853598+JSONbored@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant