Skip to content

fix(release): stop node-workspace from clobbering manual dependency ranges#5740

Merged
JSONbored merged 1 commit into
mainfrom
fix/release-please-always-link-local
Jul 14, 2026
Merged

fix(release): stop node-workspace from clobbering manual dependency ranges#5740
JSONbored merged 1 commit into
mainfrom
fix/release-please-always-link-local

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Summary

Root cause of a recurring bug this session: release-please's node-workspace plugin defaults to always-link-local: true, which force-rewrites every workspace-internal dependency's semver range on every regeneration of a release branch — even when the current range already satisfies the sibling's version.

This has repeatedly clobbered deliberate, manually-set constraints on @loopover/miner's and @loopover/mcp's @loopover/engine dependency back to a bare "*" (most recently caught by the repo's own security scanner on #5730; #5729 before that fixed the same thing once already). It has also separately generated a string of "empty" release PRs (mcp-v0.8.1, mcp-v1.0.1, miner-v2.0.1) that exist purely to speculatively cross-bump a dependency range ahead of the sibling's actual npm publish, with no real content of their own.

Fix

always-link-local: false — a documented top-level manifest option (confirmed against release-please's own JSON schema at raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json). With this set, the plugin only touches a workspace dependency's range when the current range no longer covers the sibling's version — i.e. only for a genuine breaking change, which is exactly when a deliberate, manually-verified bump is warranted (the judgment call this session has been making by hand every single time this came up).

Also fixes apps/gittensory-ui/src/lib/mcp-package.ts's MCP_PACKAGE_KNOWN_LATEST_VERSION, stale against mcp's real just-published 0.9.0 — unrelated to the config change, but blocking this branch's own gate via ui:version-audit.

Test plan

  • Validated the JSON key against release-please's official schema (top-level, boolean, matches always-link-local exactly)
  • npm run test:ci green end-to-end
  • npm audit --audit-level=moderate clean
  • Effect will be directly observable on the next release-please run: no more speculative cross-bumps or clobbered manual ranges on packages/gittensory-miner/package.json / packages/gittensory-mcp/package.json

…anges

release-please's node-workspace plugin defaults to always-link-local: true,
which force-rewrites every workspace-internal dependency's semver range on
every regeneration of a release branch -- even when the current range
already satisfies the sibling's version. This has repeatedly clobbered
deliberate, manually-set constraints on @loopover/miner's and
@loopover/mcp's @loopover/engine dependency back to a bare "*" (most
recently caught by the repo's security scanner on #5730, PR #5729 before
that), and separately generated a string of "empty" release PRs
(mcp-v0.8.1, mcp-v1.0.1, miner-v2.0.1) that exist purely to speculatively
cross-bump a dependency range ahead of the sibling's actual publish, with
no real content of their own.

Setting always-link-local: false (a documented top-level manifest option,
confirmed against release-please's own JSON schema) makes the plugin only
touch a workspace dependency when the CURRENT range no longer covers the
sibling's version -- i.e. only for a genuine breaking change, which is
exactly when a deliberate, manually-verified bump is warranted anyway
(the judgment call this session has been making by hand every time this
came up).

Also fixes apps/gittensory-ui/src/lib/mcp-package.ts's
MCP_PACKAGE_KNOWN_LATEST_VERSION, stale against mcp's real just-published
0.9.0 (unrelated to the config change, but blocking this branch's own
gate via ui:version-audit).
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
❌ Deployment failed
View logs
loopover-ui f868ce1 Jul 14 2026, 10:23 AM

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 14, 2026
@loopover-orb

loopover-orb Bot commented Jul 14, 2026

Copy link
Copy Markdown

Caution

🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥

🛑 LoopOver review result - fixes required

Review updated: 2026-07-14 10:27:28 UTC

2 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI failing · unstable

🛑 Suggested Action - Manual Review

Review summary
This is a two-line, well-targeted fix: it sets release-please's documented `always-link-local: false` top-level key to stop the node-workspace plugin from force-rewriting manually-set workspace dependency ranges on every release-branch regeneration, and separately bumps a stale UI constant (`MCP_PACKAGE_KNOWN_LATEST_VERSION`) needed only to unblock this branch's own `ui:version-audit` gate. Both changes are narrow, config-level, and match their stated intent; the mcp-package.ts change is a pure constant swap with no logic touched. The main open question is process, not code: the description cites prior incidents (#5730, #5729) but does not explicitly close/link a tracked issue for this fix.

Nits — 6 non-blocking
  • The PR description references chore(release): cut miner v2.0.0 #5730 and fix(miner): tighten the @loopover/engine dependency to ^2.0.0 #5729 as prior incidents but doesn't explicitly state 'Fixes #' or 'Closes #' for an eligible open issue — confirm this is tied to a maintainer-authorized issue before merging per repo convention.
  • No test-path changes accompany this PR; that's expected for a config-only + constant change, but worth noting explicitly in the PR body since apps/gittensory-ui/src/lib/mcp-package.ts has zero test coverage evidence.
  • The `MCP_PACKAGE_KNOWN_LATEST_VERSION` bump to 0.9.0 is asserted as matching mcp's 'real just-published' version — worth a one-line confirmation link (e.g. npm dist-tag) in the PR body rather than just prose, since this constant directly gates `ui:version-audit`.
  • Add an explicit 'Fixes #NNNN' line to the PR description to satisfy issue-scope enforcement, even though the root-cause narrative is solid.
  • Consider a short code comment in release-please-config.json next to `always-link-local: false` explaining why (mirrors the existing inline comments in mcp-package.ts and the mcp-release-please.yml workflow, which document non-obvious decisions well).
  • Code changes lack test evidence — Add focused regression tests or explain why existing coverage is sufficient.

Why this is blocked

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
📋 Copy for AI agents — paste into your coding agent
Fix the following blocker(s) from this PR review:

1. No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.

2. Maintainer requires a linked issue — Link the relevant issue (for example `Closes #123`) before opening the PR.

CI checks failing

  • Workers Builds: loopover-ui — Workers Builds: loopover-ui
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 45 registered-repo PR(s), 37 merged, 310 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 45 PR(s), 310 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ⚠️ ℹ️ None detected risk: low · value: none — No structural-improvement signals were detected for this PR. LLM value judgment: moderate — A single documented config flag directly addresses a recurring, previously hand-patched release-please bug (clobbered manual dependency ranges, spurious empty release PRs), which is a real and narrowly-scoped operational improvement.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 45 PR(s), 310 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask <question> answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat <question> answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

Visual preview
Route Viewport Before (production) After (this PR's preview) Diff
/ desktop before / after /
/ mobile before / (mobile) after / (mobile)

Click any thumbnail to open the full-size screenshot. Before = production · After = this PR's preview deploy.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.

  • Re-run LoopOver review

@loopover-orb loopover-orb Bot added the manual-review Gittensor contributor context label Jul 14, 2026
@JSONbored JSONbored merged commit bd5dde2 into main Jul 14, 2026
11 of 12 checks passed
@JSONbored JSONbored deleted the fix/release-please-always-link-local branch July 14, 2026 10:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant