fix(release): stop node-workspace from clobbering manual dependency ranges#5740
Conversation
…anges release-please's node-workspace plugin defaults to always-link-local: true, which force-rewrites every workspace-internal dependency's semver range on every regeneration of a release branch -- even when the current range already satisfies the sibling's version. This has repeatedly clobbered deliberate, manually-set constraints on @loopover/miner's and @loopover/mcp's @loopover/engine dependency back to a bare "*" (most recently caught by the repo's security scanner on #5730, PR #5729 before that), and separately generated a string of "empty" release PRs (mcp-v0.8.1, mcp-v1.0.1, miner-v2.0.1) that exist purely to speculatively cross-bump a dependency range ahead of the sibling's actual publish, with no real content of their own. Setting always-link-local: false (a documented top-level manifest option, confirmed against release-please's own JSON schema) makes the plugin only touch a workspace dependency when the CURRENT range no longer covers the sibling's version -- i.e. only for a genuine breaking change, which is exactly when a deliberate, manually-verified bump is warranted anyway (the judgment call this session has been making by hand every time this came up). Also fixes apps/gittensory-ui/src/lib/mcp-package.ts's MCP_PACKAGE_KNOWN_LATEST_VERSION, stale against mcp's real just-published 0.9.0 (unrelated to the config change, but blocking this branch's own gate via ui:version-audit).
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed View logs |
loopover-ui | f868ce1 | Jul 14 2026, 10:23 AM |
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
|
Caution 🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥 🛑 LoopOver review result - fixes requiredReview updated: 2026-07-14 10:27:28 UTC
🛑 Suggested Action - Manual Review Review summary Nits — 6 non-blocking
Why this is blocked
📋 Copy for AI agents — paste into your coding agentCI checks failing
Review context
Contributor next steps
Signal definitions
[BETA] Chat with GittensoryAsk Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands Visual preview
Click any thumbnail to open the full-size screenshot. Before = production · After = this PR's preview deploy. 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.
|
Summary
Root cause of a recurring bug this session: release-please's
node-workspaceplugin defaults toalways-link-local: true, which force-rewrites every workspace-internal dependency's semver range on every regeneration of a release branch — even when the current range already satisfies the sibling's version.This has repeatedly clobbered deliberate, manually-set constraints on
@loopover/miner's and@loopover/mcp's@loopover/enginedependency back to a bare"*"(most recently caught by the repo's own security scanner on #5730; #5729 before that fixed the same thing once already). It has also separately generated a string of "empty" release PRs (mcp-v0.8.1, mcp-v1.0.1, miner-v2.0.1) that exist purely to speculatively cross-bump a dependency range ahead of the sibling's actual npm publish, with no real content of their own.Fix
always-link-local: false— a documented top-level manifest option (confirmed against release-please's own JSON schema atraw.githubusercontent.com/googleapis/release-please/main/schemas/config.json). With this set, the plugin only touches a workspace dependency's range when the current range no longer covers the sibling's version — i.e. only for a genuine breaking change, which is exactly when a deliberate, manually-verified bump is warranted (the judgment call this session has been making by hand every single time this came up).Also fixes
apps/gittensory-ui/src/lib/mcp-package.ts'sMCP_PACKAGE_KNOWN_LATEST_VERSION, stale against mcp's real just-published 0.9.0 — unrelated to the config change, but blocking this branch's own gate viaui:version-audit.Test plan
always-link-localexactly)npm run test:cigreen end-to-endnpm audit --audit-level=moderatecleanpackages/gittensory-miner/package.json/packages/gittensory-mcp/package.json